The newly discovered "Masque Attack" on iOS devices revealed Nov. 10 by security firm FireEye isn't exactly new, and is rather easy to avoid. But it reaffirms long-standing questions about Apple security.
In a blog posting, Milpitas, California-based FireEye described how a corrupted iOS app could be installed on a non-jailbroken iOS device through the misuse of enterprise or developer certificates. Such corrupted apps could spy on the user and, possibly, take over the device.
However, this has been known for quite some time. It's based on a fundamental flaw in the iOS security model, one that contributed to the success of the WireLurker malware discovered last week, which was the first "in the wild" malware to ever affect non-jailbroken iOS devices.
Normally, iOS devices accept apps only from the iTunes App Store, over which Apple maintains rigid control. The iOS device checks each app for Apple's certificate, a sort of digital signature that verifies the software came from Apple.
But Apple also gives out certificates to software developers and large enterprises. Developers need to install unfinished apps on iPhones to test their software; each developer certificate can be used up to 100 times. Enterprises need to install in-house apps on employee iPhones and iPads; each enterprise certificate can be used for an unlimited number of app installations.
The problem is that enterprise and developer certificates are not limited to the devices belonging to the party to which they were issued. Instead, any iOS device will accept apps "signed" with those certificates.
Independent security researcher Jonathan Zdziarski detailed the procedure in a blog posting last month, as he pointed out today in a tweet directed at FireEye's researchers.
Stefan Esser, a German security researcher who teaches courses on hacking iOS devices, noted in his own tweet that "it is known for YEARS that enterprise certificates can replace iOS apps on the fly."
In FireEye's example, a user is lured to a website that hosts a corrupted app entitled "New Flappy Bird." The app is actually a malicious Gmail app that replaces the official Gmail app — and has access to all the user's Gmail.
Such attacks are easy to avoid as long as you don't install any apps from outside the iTunes App Store. You should know something's fishy when a random website tries to install an app on your iOS device.
Of course, common sense has never stopped people who think they can get something for nothing. Nor would it help people who were lured to a well-done facsimile of the Apple website.
As Zdziarski said in a separate blog posting about WireLurker, this vulnerability will exist until Apple restricts developer and, especially, enterprise certificates to those devices that actually need to install apps from outside the App Store.
Until then, iPhone and iPad users will need to develop the same sensibilities that Android users have long had: Don't install any apps from outside the official app store, and if something's too good to be true, it probably isn't.