A new security vulnerability within Apple’s iOS software could allow for apps containing malware to be loaded over the top of legitimate apps, according to new research.
Security researchers at FireEye have identified the ‘Masque Attack’ as a way for attackers to sideload apps onto iPhones from links to items outside of the App Store.
The vulnerability, according to the research, comes through Apple’s enterprise/ad-hoc provisioning system, which enables users to install applications from links within texts or emails instead of going through the official portal.
The iOS provision profiles are used to allow developers to share beta versions with users or by companies to distribute applications to their employees. Users must have a provisioning profile installed on their phone in order to be vulnerable to the attack.
As explained in the video below, users may receive an SMS asking them to download a ‘New Flappy Bird’ version, asking users to follow a link to download the app.
Instead of giving versions a new version of Flappy Bird, the link could secretly dub over an app like the official Gmail app. The researchers claim users would be none-the-wiser.
The flaw comes as Apple does not “enforce matching certificates for apps with the same bundle identifier” according to FireEye.
“In one of our experiments, we used an in-house app with a bundle identifier “com.google.Gmail” with a title “New Flappy Bird”. We signed this app using an enterprise certificate. When we installed this app from a website, it replaced the original Gmail app on the phone,” the post read.
In theory, if the app replaces the legitimate version cyber-criminals could steal log in credentials by accessing the original app’s local data. This could be especially damaging if the app was for banking.
“Surprisingly, the malware can even access the original app's local data, which wasn't removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user's account directly,’ the post read.
“We have seen proofs that this issue started to circulate. In this situation, we consider it urgent to let the public know, since there could be existing attacks that haven’t been found by security vendors. We are also sharing mitigation measures to help iOS users better protect themselves.”
Those mitigation measures involve iOS users checking their settings to see if they have any provisioning profiles installed on their device by going to Settings > General > Profiles, although iOS 8 does not show the provisioning profiles.
Read more: iOS 8 review
Via: MacRumors