Masque Attack – All Your iOS Apps Belong to Us

FireEye , a security research firm, recently disclosed an interesting attack against iOS devices.  Apparently, iOS allows a rogue iPhone app to replace a genuine iPhone app.  Once that rogue app is now installed, it can do anything the real app could do – PLUS send a copy of your banking credentials Moscow or Kiev or someplace.

The reason this works is that Apple relies on something called a bundle identifier, but iOS does not verify that the new app is signed with the same certificate as the old app.

Another problem is that the way the attack works, it can tell you that it is installing an update to Angry Birds (does anyone play that any more?) but under the covers it is replacing the genuine version of the GMail app with a rogue version.  You have no reason to be suspicious of the behavior of the GMail app, so you are not likely to notice minor differences that the rogue GMail app might introduce.

Interestingly, Microsoft has a similar but different problem their code signing certificates – not verifying things to a sufficient degree.  You would think people would learn.  Sometimes not.

In Apple’s defense, this only works if you load apps from a source other than the Apple store – say by way of clicking on a link in a spear phishing attack and then saying that it is okay to install the new app.  But the bad guys are clever, so if the attack is done right, it will be very convincing.

The US Department Of Homeland Security’s CERT issued an alert today that confirms the details of FireEye’s press release.

Read the article in the link above for more details, but it is a very interesting situation and being wary is a REALLY good idea.  This is not a “The World Is Ending” attack, but it certainly could do some damage.

Mitch Tanenbaum