Tuesday, March 3, 2015

iOS Masque Attack Demystified

The Masque Attack, recently discovered by FireEye security researchers, raises the level of warning for iOS users.
It is a dangerous attack that also threatens non-jailbroken Apple iOS devices, on both the iOS 7.x and 8.x platforms. While some of the issues were fixed in iOS 8.1.3, that very same version has been found to be affected by a variation of the attack.

This attack leverages the ease of obtaining valid enterprise certificates and provisioning profiles from the open Internet in order to deploy a malicious app that substitutes for a regularly installed one on the target device.

This malicious app can read all the data belonging to the previous app (the Keychain being an exception) and could also be used to perform a phishing attack by mimicking the UI of the original app in order to steal user credentials.

It is important to note that this attack poses a greater risk to iOS users than its Android counterpart: on Android there is an option that forbids users from installing applications from sources other than the official Play Store, while on iOS this choice is not available.

Minded Security has written a white paper to give the reader a deep insight into the attack by illustrating the key concepts behind it and proposing some remediations.
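As an added defender-side check (not part of the original post or of Minded Security's paper), the Python script below extracts the plist embedded in a .mobileprovision file and reports the two properties that make an enterprise profile usable for this kind of over-the-air install: the ProvisionsAllDevices flag (also discussed in the comments below) and a wildcard application-identifier. The sample profile is constructed, and the team name and app identifier in it are placeholders.

```python
import plistlib
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: the XML plist payload that an in-house (enterprise)
# provisioning profile carries. A real .mobileprovision wraps this plist in a
# CMS/PKCS#7 signature; extract_plist() tolerates both forms.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>TeamName</key><string>Example Corp (constructed)</string>
    <key>ProvisionsAllDevices</key><true/>
    <key>ExpirationDate</key><date>2016-03-03T00:00:00Z</date>
    <key>Entitlements</key>
    <dict>
        <key>application-identifier</key><string>ABCDE12345.*</string>
    </dict>
</dict>
</plist>
"""


def extract_plist(blob: bytes) -> dict:
    """Locate and parse the XML plist embedded in a profile (CMS-wrapped or bare)."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def assess_profile(blob: bytes, now: Optional[datetime] = None) -> dict:
    """Report the properties that make a profile usable for an over-the-air install."""
    p = extract_plist(blob)
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    app_id = p.get("Entitlements", {}).get("application-identifier", "")
    report = {
        "team": p.get("TeamName"),
        "app_id": app_id,
        # True for in-house profiles: no per-device UDID list is needed, so an
        # app signed with it installs on any device that accepts the profile.
        "all_devices": bool(p.get("ProvisionsAllDevices", False)),
        # A wildcard lets the team sign any bundle ID, including one that
        # matches an app already installed from the App Store.
        "wildcard_app_id": app_id.endswith(".*"),
        "expired": p.get("ExpirationDate", now) < now,
        "device_count": len(p.get("ProvisionedDevices", [])),
    }
    report["findings"] = [k for k in ("all_devices", "wildcard_app_id") if report[k]]
    return report
```

Run it over the profiles an MDM or a mail gateway sees: a profile whose findings list is non-empty deserves review before any link to an itms-services manifest that uses it is trusted.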


  1. Rubbish

    Only way to install an app on iOS is from the official Apple AppStore.

    So explain please how the black hats get their malware app past Apple's security checks?

    Can't be done

  2. Since iOS 7 Apple, probably under the pressure of the growing Android market, made it possible for enterprises to have their own inHouse Appstores. inHouse Appstores can be created with a 299 dollars yearly subscription or even more easily (as our whitepaper shows) by using a stolen subscription or a stolen p12 certificate. Of course custom inHouse stores are NOT subjected to Apple Appstore validation. iOS Masque attack is a Blended-Threat (http://en.wikipedia.org/wiki/Blended_threat) where a feature abuse (inHouse Appstore) is blended with the possibility to overwrite an existing app and to display custom messages while this app is being installed. Vectors are SMS, Email messages or Websites. This issue may lead to a dramatic increase of Mobile and Mobile Banking Malware for the iOS platform in the next months.

  3. Your Android-centric world view distorts your ability to recognize reality. Apple's implementation of customer AppStores was in response to corporate customer requirements to install their own private apps on iOS devices either owned by them directly or owned by employees and brought to work to use as personal and work devices.

    Apple has implemented powerful controls whereby, for example, corporate data used by a corporate app cannot be passed into non-authorized apps. A number of other restrictions apply. Apple hasn't just stumbled into this without thinking the issues through.

    Corp IT departments aren't dumb either. They are super cautious about BYOD devices compromising existing security protocols.

    Let's revisit your forecast about a claimed 'dramatic' increase in iOS malware in the next months. My forecast is ZERO.

    1. Our forecast is supported by the actual rise of brand new malware for the iOS platform, WireLurker variants are not so new (http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/), and targeted attacks that were already using this attack since 2014 and before. Pangu Jailbreak was also abusing this feature at first glance. Before 2014 malware on non-jailbroken devices was around zero. Now it's already increasing.

      The ability to install applications outside of the official stores was something that Android already supported by design; Apple included this feature in iOS only recently. You can read this from your point of view; from mine this was an important feature missing for competing in the Mobile market. Focusing on the security implications, making it short, this feature helps attackers to bypass Appstore verification and signature checking, and attackers are already exploiting it; unfortunately for iOS users they cannot block this feature. They must be careful now where they click.

  4. I really do think your Android bias distorts your views on reality.

    Android's ability to add apps outside Google Play is NOT a feature. It's a CURSE. This is the major design flaw that has guaranteed over 99% of malware to be targeted to Android. Google doesn't care where you get your apps from, all it cares about is the number of eyes available to see the ads which are its major source of revenue.

    It was in RESPONSE to the Avalanche of malware cascading over Android that Google eventually created Google Play, which is its attempt to offer its Android users a way of accessing (supposedly) curated apps, and hence counter a key advantage iOS holds in restricting apps to Apple's curated AppStore. Curation/protection isn't something Apple bolted onto a leaking ship to stop it sinking, it's part of the fundamental architecture.

    Your point is that by allowing corporates to own their own AppStore, this opens up malware opportunities on iOS. Firstly, you would have to concede this means that the ONLY potential victims would be those users provisioning apps from a corporate AppStore. Everyone else is immune. Secondly, you would have to prove corporate curation is less secure than Apple curation: if the black hats can't get malware apps through Apple's curation process, but can get it through a particular corporate process (that's an IF not a certainty) then Apple should help the corporate IT people implement tougher curation.

    Your point about malware on iOS increasing. Maybe, but by how much? Starting from zero, even 1 successful malware attack is an increase.

    Putting it into perspective, there are hundreds of millions of Android devices in the field vulnerable to the 99.9% of known mobile vectors running wild. There's just no comparison.

    There's no room for complacency by Apple, of course. And Apple is a huge target for black hats. We will never get complete protection from any company, but I bet Apple will continue to offer much better protection than Android ever will. For example, Android can't compete with Apple's integrated hardware/firmware/software architecture because it doesn't make hardware and doesn't write firmware.

    1. The paper points out that the security model of iOS codesigning has been relaxed. The proof is very simple: it is a feature added in the enterprise mobileprovision file since 2014, "ProvisionsAllDevices". This works on any device, even devices outside your company; just click OK twice and you will install an App over the air. I think that you are referring to the previous ad-hoc deployment process with device UUIDs. This process is still working but is not the subject of this blog.