Historically, Apple devices, and more specifically iOS devices (iPhones, iPads), have been thought to be more resistant to malicious code, or “malware”, attacks than, for instance, a stock Android operating system. The reasons for this are multi-faceted, from Apple more tightly controlling its App Store and vetting new apps, to more security features on the device itself as opposed to an “out of the box” phone running a typical Android OS.
That may be changing, however. While Apple devices are by and large still more secure out of the box than their counterparts, some cracks in the armor are starting to emerge. Last week, the “Wirelurker” malware affecting iOS and OS X devices, primarily in China, was publicized in an NY Times blog article.
Apple, in fairly short order, claimed to have shut down the malware, but it was nonetheless a significant step forward in iOS attacks, as it appears to have occurred “in the wild” at significant scale, rather than being just a proof-of-concept developed in a lab somewhere.
Fast forward to this week. Two days ago, FireEye, Inc. (which now owns Mandiant, the security giant that “outed” Chinese state-sponsored cyber attacks on US interests in February 2013) disclosed a vulnerability that permits what it calls a “Masque Attack” on iOS devices.
Scary stuff. Briefly, this would permit a malicious iOS application to pose as a legitimate app previously installed by the user, which could allow exfiltration of sensitive data or monitoring of the user. Even scarier, this works on both jailbroken and NON-JAILBROKEN iOS devices, and the vulnerability appears to persist through even the most recent release of iOS 8. It can be triggered simply by clicking on a malicious link sent to the device, by text message for instance. Typically, most Apple malware affecting the device itself has required the device to be jailbroken first, which removes some of the stock security features deployed by Apple.
Other Apple experts are saying wait, not so fast: the Masque Attack only works if the user agrees to “Trust” an iOS app from an untrusted app developer. Given the typical user’s propensity to click through to get at the data or app they want, however, this may be of little comfort, and the rank-and-file user is still exposed to a significant vulnerability.
Is Apple going to attempt to further mitigate against a Masque Attack? And are the above just indicators of a future prevalence of exploited vulnerabilities on iOS devices? Stay tuned; until then, look at the “Mitigations” section at the bottom of the FireEye article to learn how to minimize the risks of a Masque Attack now.