Apple commented on the Masque vulnerability in iOS

    This week, FireEye released information about the so-called "Masque" vulnerability in iOS. The vulnerability allows a malicious application to be installed on top of an existing one, and the new application gains access to all the files of the previous one. This works provided that the installed application has the same "bundle identifier", which iOS and OS X use to identify applications at the OS level, for example when delivering updates to them. All versions of iOS starting with 7.1.1 are affected, including the latest iOS 8.1.1 beta.



    In an attack scenario using this vulnerability, the user receives a message with a link to install a malicious application that masquerades as a legitimate one. As with the iOS/Wirelurker malware, which we wrote about here, installing the application (an IPA container) on iOS without a jailbreak requires the malicious program to use the “enterprise provisioning” method, and the installed file must be signed with a digital certificate issued by Apple. The new application must have the “bundle identifier” of an already installed application (but not one that is “native” to iOS), which allows it to access all the files of the old installation and send them to the attacker’s server during installation.

    The new application cannot overwrite applications built into iOS, such as the Safari browser or Mail. However, by using the well-known “bundle identifier” of another application, it can access all of that application's confidential data. This can be online banking data, private messages, or any other information of interest to attackers.

    The advantage of the “enterprise provisioning” method is that an application delivered this way does not have to be submitted to Apple for a security review, as is the case with the App Store. In addition, for devices without a jailbreak, this is almost the only way to install an application on iOS while bypassing the App Store. The application is signed with a certificate issued by Apple, and this is considered sufficient to confirm its legitimacy.
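A defender-side check for the two conditions described above (a reused bundle identifier and enterprise provisioning), written as an added example that is not code from FireEye or Apple. The `PROTECTED_IDS` set and the sample IPA are constructed for illustration; the check treats the `ProvisionsAllDevices` key in `embedded.mobileprovision` as the marker of an enterprise profile and does not verify the signature.

```python
import io
import plistlib
import zipfile

# Constructed list: bundle identifiers an organisation expects only from the App Store.
PROTECTED_IDS = {"com.example.bank", "com.example.mail"}

def _payload_file(ipa, leaf):
    """Return the bytes of Payload/<Name>.app/<leaf>, or None if absent."""
    for name in ipa.namelist():
        parts = name.split("/")
        if (len(parts) == 3 and parts[0] == "Payload"
                and parts[1].endswith(".app") and parts[2] == leaf):
            return ipa.read(name)
    return None

def _profile_plist(blob):
    """The profile is a CMS envelope around an XML plist; cut the plist out."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def masque_risk(ipa_bytes, protected_ids=PROTECTED_IDS):
    """Return (bundle_id, verdict); 'collision' means an enterprise build reuses a protected id."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        info_raw = _payload_file(ipa, "Info.plist")
        if info_raw is None:
            raise ValueError("not an IPA: Payload/*.app/Info.plist missing")
        bundle_id = plistlib.loads(info_raw)["CFBundleIdentifier"]
        prof_raw = _payload_file(ipa, "embedded.mobileprovision")
    enterprise = bool(prof_raw) and bool(_profile_plist(prof_raw).get("ProvisionsAllDevices"))
    if enterprise and bundle_id in protected_ids:
        return bundle_id, "collision"
    return bundle_id, "enterprise" if enterprise else "other"

def build_sample_ipa(bundle_id, enterprise):
    """Constructed sample input: a minimal IPA-shaped zip built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist", plistlib.dumps({"CFBundleIdentifier": bundle_id}))
        if enterprise:
            profile = plistlib.dumps({"ProvisionsAllDevices": True})
            z.writestr("Payload/Demo.app/embedded.mobileprovision", b"\x30\x82CMS" + profile + b"\x00sig")
    return buf.getvalue()

if __name__ == "__main__":
    for bid, ent in [("com.example.bank", True), ("com.example.game", True), ("com.example.bank", False)]:
        print(masque_risk(build_sample_ipa(bid, ent)))
```

A "collision" verdict is the case to block or escalate in an MDM or mail-gateway review: an in-house-signed package claiming the identifier of an app that should only arrive through the App Store.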

    We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software. We're not aware of any customers that have actually been affected by this attack. We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps. Enterprise users installing custom apps should install apps from their company secure website.

    Apple

    Apple also updated the information on the “enterprise provisioning” scheme in its support article.
