UPDATED 07:15 EST / NOVEMBER 14 2014

US government warns on iOS bug, Apple says it’s not aware of customers affected

apple securityYesterday the United States Computer Emergency Readiness Team (US-Cert) issued an alert which warns iPhone and iPad users of “Masque Attack” technique aimed at iOS. The vulnerability, first brought to the public’s attention on Tuesday by FireEye Inc., allows an attacker to install fake apps on an iOS device using enterprise provisioning.

FireEye demonstrated the threat by simulating an attack in which a user is tricked into downloading an update for the popular “Flappy Bird” game. They show, in detail, how the update actually installs a fake version of the Gmail app. The attacker can then use the fake app to copy a user’s emails to a remote server. In their blog post FireEye stated that “Masque Attacks can replace authentic apps, such as banking and email apps, using attacker’s malware through the Internet. That means the attacker can steal user’s banking credentials by replacing an authentic banking app with malware that has an identical UI.”

In the alert, US-Cert lists the following vulnerabilities should a user fall victim to Masque Attack:

An app installed on an iOS device using this technique may:

  • Mimic the original app’s login interface to steal the victim’s login credentials.
  • Access sensitive data from local data caches.
  • Perform background monitoring of the user’s device.
  • Gain root privileges to the iOS device.
  • Be indistinguishable from a genuine app.

In a statement issued to iMore, Apple Inc. said the following in response to Masque Attack:

“We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software,” an Apple spokesperson told iMore. “We’re not aware of any customers that have actually been affected by this attack. We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps. Enterprise users installing custom apps should install apps from their company’s secure website.”

The attack is only aimed at users installing and updating apps via enterprise provisioning and Apple has posted a set of security guidelines to follow when installing custom apps created specifically for your organization: iOS: When you install custom enterprise apps.

photo credit: CyberHades via photopin cc

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU