A Masque Attack — the abuse of Apple's iOS developer certificates to try and trick people into installing malware apps on their iPhones or iPads — has reportedly entered a second phase which, it turns out, is much like its first phase. According to FireEye:
Masque Attack II includes bypassing iOS prompt for trust and iOS URL scheme hijacking. iOS 8.1.3 fixed the first part whereas the iOS URL scheme hijacking is still present.
My understanding is that iOS 8.1.3 prevents URL schemes from being used to bypass trust status.
An issue existed in determining when to prompt for trust when first opening an enterprise-signed application. This issue was addressed through improved code signature validation.
Basically, Apple has made sure that the trust requester is presented no matter how an app attempts to launch.
Previously an attacker could get you to install their malicious app, then try to lure you into tapping on a link that would launch the app without presenting an alert asking if you wanted to launch the app from the untrusted developer. With the fix in iOS 8.1.3, that trust prompt will be presented even in cases where the app is launched via a URL scheme.
So, if you choose not to trust the app, the iOS Springboard system simply won't let the app open.
That second part — choosing not to trust untrusted apps — is what's critical here. If you tap to trust an app, that app can hijack URL schemes and potentially engage in other forms of malicious behavior.
iOS has phenomenal security and protections built in and Apple is improving them all the time. That's their job. Our job is to make sure we don't download apps from outside the App Store, especially from pirated app sites, and don't trust apps from untrusted sources.
That way Masque Attack, and similar attacks, have no practical chance of working.
Aside: For URL schemes in general, it would be great if Apple could tie them to bundle IDs. Developers could register their unique URL schemes through the Apple Developer Portal, and the schemes could be included in an app's entitlements. iOS would then enforce locally that only an app whose entitlements prove it owns a URL scheme can handle that scheme. That way even unintentional collisions could be avoided.
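To make the aside concrete, here is an added example (not code from the article, Apple or FireEye) that models today's no-ownership scheme resolution next to the proposed entitlement-backed version; the bundle IDs, scheme name and the entitlement field are constructed for illustration.

```python
# Added example: a small model of the URL-scheme ownership enforcement proposed above.
# Bundle IDs, scheme names and the "entitled_schemes" field are hypothetical/constructed.
from dataclasses import dataclass, field

@dataclass
class App:
    bundle_id: str
    declared_schemes: list  # CFBundleURLSchemes-style claims; any app may claim any value today
    entitled_schemes: list = field(default_factory=list)  # hypothetical portal-issued entitlement

class CurrentResolver:
    """Today's behaviour: no ownership check. Which app wins a shared scheme is undefined
    on iOS; modelled here as last-installed-wins to show the shadowing risk."""
    def __init__(self):
        self.handlers = {}
    def install(self, app):
        for scheme in app.declared_schemes:
            self.handlers[scheme] = app.bundle_id  # silently shadows any earlier handler
        return True
    def resolve(self, scheme):
        return self.handlers.get(scheme)

class EntitlementResolver:
    """Proposed behaviour: the developer portal maps each scheme to one bundle ID, and an
    app may handle a scheme only if its signed entitlements name it AND it is the owner."""
    def __init__(self, portal_registry):
        self.registry = dict(portal_registry)  # scheme -> owning bundle_id
        self.handlers = {}
    def install(self, app):
        for scheme in app.declared_schemes:
            if self.registry.get(scheme) != app.bundle_id or scheme not in app.entitled_schemes:
                return False  # reject: the app claims a scheme it cannot prove it owns
        for scheme in app.declared_schemes:
            self.handlers[scheme] = app.bundle_id
        return True
    def resolve(self, scheme):
        return self.handlers.get(scheme)

def demo():
    bank = App("com.example.bank", ["examplebank"], ["examplebank"])
    impostor = App("com.example.impostor", ["examplebank"])  # re-declares the bank's scheme
    current = CurrentResolver()
    current.install(bank)
    current.install(impostor)
    proposed = EntitlementResolver({"examplebank": "com.example.bank"})
    proposed.install(bank)
    rejected = not proposed.install(impostor)
    # returns ("com.example.impostor", "com.example.bank", True)
    return current.resolve("examplebank"), proposed.resolve("examplebank"), rejected
```

Under the current model the later install silently takes over the scheme; under the proposed model the install is refused because the registry and the app's entitlement disagree.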
Nick Arnott contributed to this article.