'Masque attack': Don't panic but do pay attention

"Masque Attack" is the new name—given by security firm FireEye—to an old trick intended to fool you into installing malicious apps on your iPhone or iPad. Most recently detailed by security researcher Jonathan Zdziarski, tricks like Masque Attack won't affect most people, but it's worth understanding how it works and, in the event you are targeted, how to avoid it.

Apple has a lot of safeguards built into iOS. A Masque attack tries to get you to circumvent those safeguards and install malicious apps anyway. In order to make a Masque attack work, an attacker has to:

  1. Have an iOS Developer Enterprise Program account or the universal device identifier (UDID) for the device they want to target.
  2. Make a malicious app that looks like a popular, existing app. (A fake Gmail app that simply loads the Gmail website in FireEye's example.)
  3. Get you to download their fake app from outside the App Store. (For example, by sending you an email with a link in it.)
  4. Get you to agree to the iOS popup that warns you the app you're trying to install is from an untrusted source.

Getting a device's UDID is non-trivial and this approach would limit how many devices could be targeted. For this reason, attackers try to get iOS Developer Enterprise Program accounts instead. Enterprise-signed apps can be installed on any device, making enterprise-signed malware easier to distribute and spread. However, Apple has the ability to revoke enterprise certificates at any time, preventing any apps signed by that certificate from ever launching again. That's why this type of attack is much more likely to be used in a targeted manner against a specific individual or group of individuals, than to be exploited in the wild targeting a large group of users.

A Masque attack app is one that overwrites and potentially imitates an existing App Store app (built-in Apple apps can't be overwritten). It does this by using the same bundle ID as the legitimate app. Bundle IDs are identifiers that must be unique between apps on a device. Installing a new app that has the same bundle ID as an existing app will result in the original app being overwritten by the new one.

Apple requires App Store bundle IDs to be unique, which is why this type of attack can't be performed with apps downloaded from the App Store.

A Masque Attack takes advantage of this behavior by intentionally overwriting an existing app and then attempting to look and behave the same as the original app. Once installed, if the developer of the original app hasn't encrypted their locally stored data, the Masque Attack app could access that data. The fake app could also try and trick you into entering account information by, for example, showing you a fake login page that sends your credentials to a server owned by the attacker.

It's important to note that this isn't a recent change and isn't a bug—this is how things are designed to work. In fact, this very functionality is used by many developers for legitimate purposes. It works because bundle IDs are not necessarily tied to specific certificates or developer accounts. Apple may change this in the future to address security issues like this, but it will be difficult to do without having some negative impact on developers.

To avoid Masque and similar attacks, all that's required is to avoid downloading any apps from outside Apple's official App Store, and denying permission for any untrusted app to install.

If you think you've already fallen victim to such an attack, you can check in iOS 7 by navigate to Settings > General > Profiles. Any profiles used to install a non-App Store app will be shown here and can be deleted.

Unfortunately Apple removed the ability to see these profiles on the device in iOS 8, and a tool such as iPhone Configuration Utility or Xcode needs to be used to view and delete installed profiles.

If you suspect you have already installed a Masque app, it can be removed by deleted the affected app and re-installing it cleanly from App Store. Of course, if you do think an app you have was subjected to an attack, you should change all passwords for any associated accounts.

Source: FireEye

Rene Ritchie contributed to this article.

Nick Arnott