Masque Attacks—the abuse of Apple's enterprise developer certificates to trick people into installing malware apps on their iPhones or iPads—are once again making headlines because the recently hacked Hacking Team was using them in its toolkit. So, what does that mean for us?
What's the story?
CNBC ran with the story as "Hackers stealing data on iOS via major security flaw" and attributed it to security vendor FireEye. (I had to search for the actual source material, however, because CNBC chose to link their own stock page for FireEye instead of FireEye's blog post...)
Here's what FireEye's post had to say:
FireEye has recently uncovered 11 iOS apps within the Hacking Team's arsenals that utilize Masque Attacks, marking the first instance of targeted iOS malware being used against non-jailbroken iOS devices.
These apps are reverse engineered and weaponized versions of popular social networking and messaging apps, including: WhatsApp, Twitter, Facebook, Facebook Messenger, WeChat, Google Chrome, Viber, Blackberry Messenger, Skype, Telegram, and VK. Unlike the normal versions of these apps, they come with an extra binary designed to exfiltrate sensitive data and communicate with a remote server. Because all the bundle identifiers are the same as the genuine apps on App Store, they can directly replace the genuine apps on iOS devices prior to 8.1.3.
So the news here is that Hacking Team made use of Masque Attack apps in the real world.
But iOS 8.1.3 and later are safe from Masque Attack?
It's my understanding Apple has fixed things to the extent that no one is vulnerable to app replacement attacks any more, not even devices running software prior to iOS 8.1.3.
What about non-app replacement attacks?
Because of Apple's fixes, in order to install a Masque Attack or similar fake or malicious app, you'd now have to be tricked into downloading it and would have to ignore the built-in warnings iOS fires when it encounters untrusted apps. That, or someone with unfettered physical access to your device would have to install it without the owner's knowledge.
Being at risk of either of those things likely means you have a lot more than Masque Attack to worry about.
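The two traits FireEye describes are what make these apps detectable in an app inventory: they reuse a genuine App Store bundle identifier, but they arrive through enterprise (or ad hoc) provisioning rather than the App Store, because that is the only way a non-jailbroken device will install them. The script below is an added example, not code from the original post or from FireEye; it builds a constructed IPA in memory and flags the combination of "App Store bundle ID" and "enterprise provisioning profile". The bundle identifiers in the watchlist and the team identifier are placeholders, and the CMS signature on the profile is not verified here.

```python
import io
import plistlib
import re
import zipfile

# Constructed watchlist: bundle identifiers that should only ever arrive from the
# App Store. Placeholder values; a real deployment would load its own inventory.
APP_STORE_ONLY = {
    "com.example.chat",
    "com.example.social",
}


def extract_profile_plist(raw: bytes) -> dict:
    """Pull the XML plist out of a .mobileprovision blob.

    Real profiles are CMS/PKCS#7 signed, with the plist embedded verbatim,
    so it can be located by its <?xml ... </plist> markers. The signature is
    deliberately not checked here (assumption: verified elsewhere)."""
    m = re.search(rb"<\?xml.*?</plist>", raw, re.DOTALL)
    if not m:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(m.group(0))


def classify_profile(profile: dict) -> str:
    """Map the profile's device entitlement to a distribution channel."""
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"          # in-house distribution, any device
    if profile.get("ProvisionedDevices"):
        return "adhoc_or_development"  # pinned to a UDID list
    return "unknown"


def inspect_ipa(ipa_bytes: bytes) -> dict:
    """Read Info.plist and embedded.mobileprovision from an IPA and decide
    whether the app looks like a Masque-style impostor."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = z.namelist()
        info_name = next(
            (n for n in names if re.fullmatch(r"Payload/[^/]+\.app/Info\.plist", n)),
            None,
        )
        if info_name is None:
            raise ValueError("not an IPA: no Payload/*.app/Info.plist")
        app_dir = info_name.rsplit("/", 1)[0] + "/"
        info = plistlib.loads(z.read(info_name))
        bundle_id = info.get("CFBundleIdentifier", "")

        # App Store builds carry no embedded profile; enterprise/ad hoc builds must.
        distribution = "appstore"
        team = None
        profile_name = app_dir + "embedded.mobileprovision"
        if profile_name in names:
            profile = extract_profile_plist(z.read(profile_name))
            distribution = classify_profile(profile)
            team = (profile.get("TeamIdentifier") or [None])[0]

    suspicious = distribution != "appstore" and bundle_id in APP_STORE_ONLY
    return {
        "bundle_id": bundle_id,
        "distribution": distribution,
        "team": team,
        "suspicious": suspicious,
    }


def build_ipa(bundle_id: str, enterprise_profile: bool) -> bytes:
    """Constructed sample IPA for the demonstration (not a real app)."""
    info = {"CFBundleIdentifier": bundle_id, "CFBundleShortVersionString": "1.0"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Chat.app/Info.plist", plistlib.dumps(info))
        if enterprise_profile:
            prof = {
                "Name": "constructed profile",
                "ProvisionsAllDevices": True,
                "TeamIdentifier": ["EXAMPLETEAM"],  # placeholder team ID
            }
            # Crude stand-in for the CMS wrapper: junk bytes around the plist.
            blob = b"\x30\x82\x01\x00" + plistlib.dumps(prof) + b"\x00\x01"
            z.writestr("Payload/Chat.app/embedded.mobileprovision", blob)
    return buf.getvalue()


if __name__ == "__main__":
    for bid, ent in [("com.example.chat", True), ("com.example.chat", False),
                     ("com.corp.internal", True)]:
        print(inspect_ipa(build_ipa(bid, ent)))
```

The check is only as good as the watchlist, and it says nothing about a genuinely malicious enterprise app with its own bundle ID; what it catches is precisely the collision FireEye describes. On the device side the equivalent signal is the iOS "Untrusted Enterprise Developer" prompt, which is the warning the rest of this post tells you not to click through.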
What about corporate users?
CNBC chose to run this quote:
"For a corporate user, it could be catastrophic if hackers get insight into internal negotiations and corporate crown jewels at risk."
Hacking Team wasn't hacked via iOS. Sony wasn't hacked via iOS. Apple, like other vendors, provides powerful tools for corporate IT departments that let them control what can and can't be run on a company device. What's more, competent IT departments know that real security requires real education of the work force so that employees know, among other things, not to download fake apps from sketchy links and then ignore security warnings that try to prevent them from being installed. Same way they know not to give out their email passwords to fake IT workers who call them on the phone, or install malware on their PCs by clicking on similarly sketchy links.
Will iOS 9 offer additional protections?
Yes. iOS 9, scheduled for release this fall, includes new and improved security technologies and trust enforcement. That means users will have to go even further out of their way to install malware apps.
So, should I be worried about Masque Attack?
The vast majority of people aren't at risk from Masque Attack. That said, there are still things you can and should do to protect yourself:
- Make sure you've updated your iPhone, iPad, or iPod touch to the latest version of iOS (currently iOS 8.4).
- Don't download iOS apps from anywhere besides Apple's official App Store and, in the case of enterprise apps, your company's official distribution mechanism.
- Don't download stolen copies of apps from illegal app stores. They're often stuffed with malware.
- If iOS pops up a warning about an app, take the warning and stop any and all installation unless and until you can absolutely verify what's going on.
- Tell vendors and news outlets that you and your less tech savvy family and friends aren't there to be fear-mongered or exploited, and that you expect better from them.
- If you read a sensationalized story about security issues, go to a source you trust and find out what's really going on. (Even if it isn't us).
As the comments to the CNBC story show, the real masque attack here is scareware disguised as journalism. Vendors and media outlets want business and attention and aren't ashamed to get it by scaring readers instead of informing them and helping them stay safe.
And readers are increasingly refusing to put up with it.