Sponsored Links

Exploit lets attackers replace your iPhone's apps with malware (update: Apple response)

Exploit lets attackers replace your iPhone's apps with malware (update: Apple response)
Jon Fingas
Jon Fingas|@jonfingas|November 11, 2014 2:17 PM

Apparently, it's the season for novel iOS security exploits. Researchers at FireEye say they've discovered a vulnerability, nicknamed "Masque Attack," that lets malicious websites replace legitimate apps with malware. If ne'er-do-wells have an enterprise developer account or your device's universal device identifier, they can send you a request to install new software outside of the App Store. Since iOS doesn't double-check that the security certificates match when the app bundle IDs are the same, it lets the rogue code overwrite the real deal and swipe data (including from the original app). FireEye says it notified Apple about the exploit in July, but the technique still works the iOS 8.1.1 beta.

We've reached out to Apple for its response to the flaw. Whatever its solution may be, the practical threat to your iOS gear is relatively low. Perpetrators effectively have to hit the jackpot; they not only need the privileges to install an untrusted app over the web, but your explicit permission. Apple can also disable enterprise apps by revoking certificates, so outbreaks are likely to be limited. You'll still want to exercise caution, but you'll likely be fine so long as you stick to downloading from the App Store.

Update: An Apple spokesperson got back to us, and says that both OS X and iOS have a slew of protective measures and prompts to prevent attacks from happening. Also, the company is "not aware" of anyone who actually faced an attack -- if they exist, they haven't piped up. To be on the safe side, Apple also posted a security guide for enterprise apps that tells you what to expect and avoid. You can read the company's full statement below.

We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software. We're not aware of any customers that have actually been affected by this attack. We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps. Enterprise users installing custom apps should install apps from their company's secure website.

Photo by Will Lipman.

Exploit lets attackers replace your iPhone's apps with malware (update: Apple response)