'Masque attack': Don't panic but do pay attention

"Masque Attack" is the new name—given by security firm FireEye—to an old trick intended to fool you into installing malicious apps on your iPhone or iPad. Most recently detailed by security researcher Jonathan Zdziarski, tricks like Masque Attack won't affect most people, but it's worth understanding how it works and, in the event you are targeted, how to avoid it.

Apple has a lot of safeguards built into iOS. A Masque attack tries to get you to circumvent those safeguards and install malicious apps anyway. In order to make a Masque attack work, an attacker has to:

  1. Have an iOS Developer Enterprise Program account or the universal device identifier (UDID) for the device they want to target.
  2. Make a malicious app that looks like a popular, existing app. (A fake Gmail app that simply loads the Gmail website in FireEye's example.)
  3. Get you to download their fake app from outside the App Store. (For example, by sending you an email with a link in it.)
  4. Get you to agree to the iOS popup that warns you the app you're trying to install is from an untrusted source.

Getting a device's UDID is non-trivial and this approach would limit how many devices could be targeted. For this reason, attackers try to get iOS Developer Enterprise Program accounts instead. Enterprise-signed apps can be installed on any device, making enterprise-signed malware easier to distribute and spread. However, Apple has the ability to revoke enterprise certificates at any time, preventing any apps signed by that certificate from ever launching again. That's why this type of attack is much more likely to be used in a targeted manner against a specific individual or group of individuals, than to be exploited in the wild targeting a large group of users.

A Masque attack app is one that overwrites and potentially imitates an existing App Store app (built-in Apple apps can't be overwritten). It does this by using the same bundle ID as the legitimate app. Bundle IDs are identifiers that must be unique between apps on a device. Installing a new app that has the same bundle ID as an existing app will result in the original app being overwritten by the new one.

Apple requires App Store bundle IDs to be unique, which is why this type of attack can't be performed with apps downloaded from the App Store.

A Masque Attack takes advantage of this behavior by intentionally overwriting an existing app and then attempting to look and behave the same as the original app. Once installed, if the developer of the original app hasn't encrypted their locally stored data, the Masque Attack app could access that data. The fake app could also try and trick you into entering account information by, for example, showing you a fake login page that sends your credentials to a server owned by the attacker.

It's important to note that this isn't a recent change and isn't a bug—this is how things are designed to work. In fact, this very functionality is used by many developers for legitimate purposes. It works because bundle IDs are not necessarily tied to specific certificates or developer accounts. Apple may change this in the future to address security issues like this, but it will be difficult to do without having some negative impact on developers.
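For anyone vetting apps before they reach managed devices, the bundle ID collision described above can be checked before install. The following is an added example, not code from this article or from FireEye: it reads an IPA's `CFBundleIdentifier` and its embedded provisioning profile (`ProvisionsAllDevices` marks an enterprise profile, `ProvisionedDevices` a UDID-bound one) and flags a collision with an assumed inventory of installed App Store apps. The inventory, the function names and the sample archive are all constructed for illustration.

```python
import io
import plistlib
import zipfile

# Assumed inventory of App Store bundle IDs already installed (constructed value).
INSTALLED_STORE_APPS = {"com.example.mail"}


def _member(names, filename):
    """Find Payload/<name>.app/<filename> among the archive members."""
    for n in names:
        parts = n.split("/")
        if len(parts) == 3 and parts[0] == "Payload" and parts[1].endswith(".app"):
            if parts[2] == filename:
                return n
    raise KeyError(filename)


def inspect_ipa(data):
    """Return bundle ID, distribution type, and whether it would overwrite a store app."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        info = plistlib.loads(z.read(_member(names, "Info.plist")))
        try:
            raw = z.read(_member(names, "embedded.mobileprovision"))
        except KeyError:
            raw = b""  # no embedded profile in this archive
    # The profile is a signed blob wrapping an XML plist; slice the plist out.
    start, end = raw.find(b"<?xml"), raw.find(b"</plist>")
    prov = plistlib.loads(raw[start:end + len(b"</plist>")]) if 0 <= start < end else {}
    bundle_id = info.get("CFBundleIdentifier", "")
    if prov.get("ProvisionsAllDevices"):
        dist = "enterprise"
    elif "ProvisionedDevices" in prov:
        dist = "ad-hoc/development"
    else:
        dist = "unknown"
    return {"bundle_id": bundle_id, "distribution": dist,
            "collides": bundle_id in INSTALLED_STORE_APPS}


def make_sample_ipa(bundle_id, enterprise):
    """Build a constructed, unsigned stand-in archive to exercise the check."""
    prov = {"ProvisionsAllDevices": True} if enterprise else {"ProvisionedDevices": ["0" * 40]}
    blob = b"\x30\x82\x00\x00" + plistlib.dumps(prov) + b"\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Sample.app/Info.plist", plistlib.dumps({"CFBundleIdentifier": bundle_id}))
        z.writestr("Payload/Sample.app/embedded.mobileprovision", blob)
    return buf.getvalue()
```

An archive that is enterprise- or ad-hoc-provisioned and reports `collides: True` matches the overwrite pattern the article describes and deserves a manual look before anyone installs it.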

To avoid Masque and similar attacks, all that's required is to avoid downloading any apps from outside Apple's official App Store, and to deny permission for any untrusted app to install.

If you think you've already fallen victim to such an attack, you can check in iOS 7 by navigating to Settings > General > Profiles. Any profiles used to install a non-App Store app will be shown here and can be deleted.

Unfortunately, Apple removed the ability to see these profiles on the device in iOS 8, and a tool such as iPhone Configuration Utility or Xcode needs to be used to view and delete installed profiles.

If you suspect you have already installed a Masque app, it can be removed by deleting the affected app and re-installing it cleanly from the App Store. Of course, if you do think an app you have was subjected to an attack, you should change all passwords for any associated accounts.

Source: FireEye

Rene Ritchie contributed to this article.

12 Comments
  • This iMore post needs to be broadcast everywhere to counter the incomplete and unfactual info news media and everyone else is spreading.
  • iMore is one of the websites I can count on to give facts and not clickbait or sensationalise a story and to give facts when something like this is coming around Sent from the iMore App
  • I cannot agree more, I'm so glad I found this site, which provides me with facts to be able to reply to people who just heard something on the news.
  • The only time I've ever installed profiles is bug related in the iOS dev program. I just can't see why regular everyday people would need to do it?
  • I trusted very much iMore in all aspects, thanks to iMore you're really updated. Sent from the iMore App
  • I have no idea how an app from outside the App Store could be installed on my iPhone. I don't jailbreak. It would be edifying to see exactly how this can be done. I would love to see a blow-by-blow of how to find and install any app that is not from the App Store onto my non-jailbroken iPhone.
  • Installing an adhoc or enterprise signed app can be done through a link. The link could come through SMS, email, be on a webpage, etc. When you tap the link, iOS would pop an alert saying something like "www.whateverwebsite.com would like to install AppNameHere". You would then need to tap "Install". Once installed, tapping on an app from this developer for the first time would present you with another alert asking if you want to trust the untrusted developer, which you would need to accept before the app would actually launch.
  • Thanks for the info. Come to think of it, I have been a beta tester of Comic Zeal for years, and that is another way to install an app outside of the App Store.
  • I read something very similar to this elsewhere on the internet. It was being pushed as a big security flaw in iOS. I think it was more a flaw of the author, and ignorance of the media. At some point, the user has to bear some responsibility, it is not like this malware is in the Apple app store. Third party app, on Mac, then connect a device, then click yes to a warning, then you have to open the worthless app on the device. Microsoft is doing a constant face roll everyday, with a never ending string of data breaches as a result, and who cares? The slightest hint Apple might be vulnerable and the internet lights up like a Christmas tree. Which actually says a lot about Apple I think.
  • I found myself thinking about this the other day. It would seem to indicate that Apple, in general, is held to a higher standard for security. The severity of an attack like this isn't compared to the security of other platforms, it's looked at in the context of how Apple's approach to security is supposed to work. Apple's closed system and App Store review process is intended to prevent vectors of attack like this. If you look at any other platform, including OS X, nobody would be shocked to find out that if you replaced an application with a malicious version that you'd be in for bad times. The difference is iOS' approach is intended to prevent this. User ignorance is not supposed to be able to endanger iOS security like this. So on the one hand you have to acknowledge that this does seem to be a weakness in iOS' approach to security. But on the other hand, you have to remember how big of a threat this actually represents in the bigger picture of mobile. I think you're exactly right. More than anything, the hype over security issues like this says a lot about Apple and the security standard they set for themselves that people will hold them to.
  • I think that's mostly true with the exception the media and many people in general want to bash Apple at any opportunity. This is just one example. While I am by no means an Apple fanboy, I try to be objective. But, being objective doesn't bring extra clicks and reader or viewership ;)
  • Here is an even more detailed explanation: http://appleinsider.com/articles/14/11/10/wirelurker-masque-attack-malwa...