iOS Masque Attack: A Worrisome Attack Targeting iOS 7+ Devices

Back in July 2014, FireEye’s mobile security researchers discovered a new form of attack on Apple mobile devices running iOS 7.1.1 and higher (7.1.2, 8.0, 8.1, 8.1.1 beta), both jailbroken and non-jailbroken. The attack was nicknamed “Masque Attack” after its method of attack: a malicious “impostor” app can be installed using enterprise/ad-hoc provisioning, replacing an app you trust.

This can be accomplished by giving the impostor the same bundle identifier as the official app it replaces. According to FireEye, the problem is that Apple does not enforce matching certificates for apps with the same bundle identifier. All applications can be replaced except the iOS preinstalled apps, such as Safari or Newsstand. The impostor app can look identical to the original app, and it even inherits all of the original's user cache files. These might include cached emails, credentials, and other data.

FireEye warns that this attack can pose “much bigger threats than WireLurker.” Imagine, for example, that your banking app gets replaced by an app with an identical user interface. You would never know the difference and would willingly enter your banking credentials.

You can protect yourself by following these steps:

  • Don’t install apps from third-party sources other than Apple’s official App Store or your own organization.
  • Don’t click “Install” on a pop-up from a third-party web page, as shown in Figure 1(c), no matter what the pop-up says about the app. The pop-up can show attractive app titles crafted by the attacker.
  • When opening an app, if iOS shows an alert with “Untrusted App Developer”, as shown in Figure 3, click on “Don’t Trust” and uninstall the app immediately.
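
For an organization that manages devices, the root cause described above (an app being replaced because only its bundle identifier matches, with no requirement that the signing certificate match) can be checked for in an app inventory. The following is an added example, not code from FireEye or Apple: the inventory format, the signer labels and the function names are assumptions, and the sample records are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class AppRecord:
    bundle_id: str  # bundle identifier reported for the installed app
    signer: str     # signing identity reported by the inventory tool (assumed field)


def may_replace(installed: AppRecord, incoming: AppRecord) -> bool:
    """Install-time rule the article says is missing: an app with the same
    bundle identifier may replace another only if the signer also matches."""
    return (installed.bundle_id == incoming.bundle_id
            and installed.signer == incoming.signer)


def audit(baseline: dict[str, set[str]], inventory: list[AppRecord]) -> list[AppRecord]:
    """Flag installed apps whose bundle identifier is in the baseline but whose
    signer is not one of the signers approved for that identifier."""
    flagged = []
    for app in inventory:
        approved = baseline.get(app.bundle_id)
        if approved is not None and app.signer not in approved:
            flagged.append(app)
    return flagged


# Constructed sample data: approved signers per bundle identifier.
BASELINE = {
    "com.example.bank": {"TEAM-BANK-01"},
    "com.example.mail": {"TEAM-MAIL-01", "TEAM-INHOUSE-02"},  # store and in-house builds
}
INVENTORY = [
    AppRecord("com.example.bank", "TEAM-ENTERPRISE-99"),  # same id, unapproved signer
    AppRecord("com.example.mail", "TEAM-INHOUSE-02"),     # approved in-house build
    AppRecord("com.example.game", "TEAM-GAME-07"),        # not in baseline, not judged
]

if __name__ == "__main__":
    for app in audit(BASELINE, INVENTORY):
        expected = ", ".join(sorted(BASELINE[app.bundle_id]))
        print(f"signer mismatch: {app.bundle_id} signed by {app.signer}, expected {expected}")
```

A flagged record means the bundle identifier belongs to a known app but the build on the device was signed by someone else, which is the condition the “Untrusted App Developer” alert gives the user a chance to catch.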