If you have an iPhone, you might think you’re impervious to malware and security breaches, but researchers have identified a vulnerability in iOS that can be exploited to gain access to unwitting victims’ cellphones and steal their emails. And it gets worse.
Earlier this year, FireEye discovered a flaw that lets hackers replace legitimate apps with malicious ones, and raised the issue with Apple back in late July 2014. Having seen “proofs that this issue [has] started to circulate,” the security company has now released the details of the exploit, which it calls “Masque Attack.”
Here’s how it works: Every app has its own “bundle identifier,” a string of characters that identifies the app to the operating system. Apps also carry security certificates proving that the app is what it says it is. However, on multiple versions of iOS, it’s possible to circumvent these security checks altogether by simply changing the bundle identifier of a malicious app to that of one already installed on the phone.
In this case, the iPhone makes no attempt to check whether the app is what it says it is. It merely sees the “correct” bundle identifier and installs.
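The install decision described above, reduced to a small Python model. This is an added illustration, not FireEye's or Apple's code: the `App` type, the function names and the sample identifiers are hypothetical, and the "same signer" rule is an assumed form of the missing check.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    bundle_id: str  # identifier the OS uses to tell apps apart
    signer: str     # signing identity taken from the app's certificate

def install_flawed(installed, incoming):
    """Behaviour in the article: a matching bundle identifier is enough to overwrite."""
    action = "replaced" if incoming.bundle_id in installed else "installed"
    installed[incoming.bundle_id] = incoming
    return action

def install_checked(installed, incoming):
    """Assumed fix: an existing app may only be replaced by the same signer."""
    current = installed.get(incoming.bundle_id)
    if current is not None and current.signer != incoming.signer:
        return "rejected"
    installed[incoming.bundle_id] = incoming
    return "installed" if current is None else "replaced"

def signer_changes(baseline, current):
    """Inventory diff: bundle identifiers whose signer differs between snapshots."""
    return sorted(bid for bid, app in current.items()
                  if bid in baseline and baseline[bid].signer != app.signer)

# Constructed sample data; identifiers and signer names are placeholders.
GENUINE = App("com.example.mail", "Example Mail Inc.")
LOOKALIKE = App("com.example.mail", "Unrelated Enterprise Cert")
UPDATE = App("com.example.mail", "Example Mail Inc.")

def demo():
    baseline = {GENUINE.bundle_id: GENUINE}
    flawed, checked = dict(baseline), dict(baseline)
    return {
        "flawed": install_flawed(flawed, LOOKALIKE),
        "checked": install_checked(checked, LOOKALIKE),
        "legit_update": install_checked(checked, UPDATE),
        "flagged": signer_changes(baseline, flawed),
        "flagged_after_check": signer_changes(baseline, checked),
    }

if __name__ == "__main__":
    print(demo())
```

The `signer_changes` diff is the kind of comparison a device-management inventory can run between two snapshots to surface a replaced app that still shows its familiar name and icon.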
What does this look like in practice?
The example FireEye gives is an iPhone user receiving a text enticing them to download a new version of hit game Flappy Bird. (If you’re still playing Flappy Bird you’ve probably got it coming, but the attack could come in numerous other forms too.) When the user clicks the link, the malicious file downloads and then installs automatically. But instead of installing Flappy Bird to the device, it updates the user’s Gmail app to a new, compromised version that automatically clones all emails sent and received.
Default iOS apps—like the phone or Safari—are protected against Masque Attacks, but any third-party app found in the App Store is susceptible to being compromised.
What distinguishes this vulnerability from other malware apps is that while it’s easy to notice a suspicious new third-party app on your device, Masque Attacks will hide behind apps you’re familiar with and trust, with no indication that they’re there.
FireEye has released the information because they believe it’s “urgent to let the public know,” so mitigating measures can be taken to “help iOS users better protect themselves.”
iPhone users running iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta are all vulnerable, on jailbroken and non-jailbroken devices alike. To avoid being affected, the security company recommends that vulnerable users avoid installing any apps from third-party sources other than the official App Store, and not trust apps with an “Untrusted App Developer” label.
iOS 7 users can check if they’re already affected—but worryingly, the functionality has been removed in iOS 8. Here are their instructions:
To check whether there are apps already installed through Masque Attacks, iOS 7 users can check the enterprise provisioning profiles installed on their iOS devices, which indicate the signing identities of possible malware delivered by Masque Attacks, by checking “Settings > General > Profiles” for “PROVISIONING PROFILES.” iOS 7 users can report suspicious provisioning profiles to their security department. Deleting a provisioning profile will prevent enterprise signed apps which rely on that specific profile from running.
It’s alarming that Masque Attacks were apparently first flagged up with Apple in July and yet still remain an issue—but at least we’re now finding out how to mitigate the issue. In short: Stay vigilant, don’t install any third-party apps, and don’t play Flappy Bird. Ever.