
Exploit lets attackers replace your iPhone's apps with malware (update: Apple response)

Apparently, it's the season for novel iOS security exploits. Researchers at FireEye say they've discovered a vulnerability, nicknamed "Masque Attack," that lets malicious websites replace legitimate apps with malware. If ne'er-do-wells have an enterprise developer account or your device's universal device identifier, they can send you a request to install new software outside of the App Store. Since iOS doesn't double-check that the security certificates match when the app bundle IDs are the same, it lets the rogue code overwrite the real deal and swipe data (including from the original app). FireEye says it notified Apple about the exploit in July, but the technique still works on the iOS 8.1.1 beta.
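To make the missing check concrete, here is an added, deliberately simplified model of an installer's install-time decision; it is illustration written for this page, not Apple's or FireEye's code, and the bundle IDs and team identifiers in it are constructed placeholders. The weak policy mirrors the behaviour described above (a matching bundle ID is enough to replace an installed app); the hardened policy additionally requires the new package's signing identity to match the one already on record, and an audit helper shows how a defender would spot an installed app whose signer no longer matches a known baseline.

```python
"""Simplified model of an app installer's bundle-ID / signer check.

Hypothetical illustration: real iOS code signing is far richer than this,
but the one decision that matters for the flaw described is whether a
package whose bundle ID already exists on the device must also carry the
same signing identity as the app it would replace.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AppBundle:
    bundle_id: str   # reverse-DNS identifier, e.g. "com.example.mail"
    team_id: str     # signing identity of the package (constructed values below)
    source: str      # "app_store" or "enterprise" (where the package came from)


class Installer:
    """Keeps a registry of installed apps keyed by bundle ID."""

    def __init__(self, enforce_signer: bool):
        # enforce_signer=False models the weak behaviour; True the hardened one.
        self.enforce_signer = enforce_signer
        self.installed: dict[str, AppBundle] = {}

    def install(self, bundle: AppBundle) -> str:
        existing = self.installed.get(bundle.bundle_id)
        if existing is not None and self.enforce_signer and existing.team_id != bundle.team_id:
            # Same bundle ID but a different signer: refuse to overwrite in place.
            return f"rejected: signer mismatch for {bundle.bundle_id}"
        self.installed[bundle.bundle_id] = bundle
        return "installed"


def audit(installer: Installer, baseline: dict[str, str]) -> list[str]:
    """Return bundle IDs whose installed signer differs from a trusted baseline.

    baseline maps bundle_id -> expected team_id (e.g. from an MDM inventory).
    """
    return sorted(
        bid for bid, app in installer.installed.items()
        if bid in baseline and baseline[bid] != app.team_id
    )


# Constructed sample data: a store-installed app and an enterprise-signed
# package that reuses its bundle ID.
ORIGINAL = AppBundle("com.example.mail", "TEAM-STORE-0001", "app_store")
IMPOSTOR = AppBundle("com.example.mail", "TEAM-ENTERPRISE-9999", "enterprise")
BASELINE = {"com.example.mail": "TEAM-STORE-0001"}


def run_weak() -> tuple[str, str, list[str]]:
    """Weak policy: the second install silently replaces the first."""
    inst = Installer(enforce_signer=False)
    inst.install(ORIGINAL)
    result = inst.install(IMPOSTOR)
    return result, inst.installed["com.example.mail"].team_id, audit(inst, BASELINE)


def run_hardened() -> tuple[str, str, list[str]]:
    """Hardened policy: a differently signed package with the same ID is refused."""
    inst = Installer(enforce_signer=True)
    inst.install(ORIGINAL)
    result = inst.install(IMPOSTOR)
    return result, inst.installed["com.example.mail"].team_id, audit(inst, BASELINE)


if __name__ == "__main__":
    print("weak:    ", run_weak())
    print("hardened:", run_hardened())
```

The audit function is the part an enterprise defender can act on today regardless of Apple's fix: an inventory that records the expected signing team per bundle ID lets you flag any device where a store app now reports an enterprise signer.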

We've reached out to Apple for its response to the flaw. Whatever its solution may be, the practical threat to your iOS gear is relatively low. Perpetrators effectively have to hit the jackpot; they not only need the privileges to install an untrusted app over the web, but also your explicit permission. Apple can also disable enterprise apps by revoking certificates, so outbreaks are likely to be limited. You'll still want to exercise caution, but you'll likely be fine so long as you stick to downloading from the App Store.

Update: An Apple spokesperson got back to us, and says that both OS X and iOS have a slew of protective measures and prompts to prevent attacks from happening. Also, the company is "not aware" of anyone who actually faced an attack -- if they exist, they haven't piped up. To be on the safe side, Apple also posted a security guide for enterprise apps that tells you what to expect and avoid. You can read the company's full statement below.

We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software. We're not aware of any customers that have actually been affected by this attack. We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps. Enterprise users installing custom apps should install apps from their company's secure website.

Photo by Will Lipman.