Security researchers have warned of a security hole in Apple's iOS devices that could allow attackers to replace legitimate apps with booby-trapped ones, an exploit that could expose passwords, e-mails, or other sensitive user data.
The "Masque" attack, as described by researchers from security firm FireEye, relies on enterprise provisioning to replace banking, e-mail, or other types of legitimate apps already installed on a targeted phone with a malicious one created by the adversary. From there, the attacker can use the malicious app to access sent e-mails, login credential tokens, or other data that belonged to the legitimate app.
"Masque Attacks can replace authentic apps, such as banking and e-mail apps, using attacker's malware through the Internet," FireEye researchers wrote in a blog post published Monday. "That means the attacker can steal user's banking credentials by replacing an authentic banking app with an malware that has identical UI. Surprisingly, the malware can even access the original app's local data, which wasn't removed when the original app was replaced. These data may contain cached e-mails or even login-tokens which the malware can use to log into the user's account directly."
The attack works by presenting a targeted phone with a same sort of digital certificate large businesses use to install custom apps on employees' iPhones and iPads, as long as both the legitimate app and the malicious app use the same bundle identifier. The attack requires some sort of lure to trick a target into installing the malicious app, possibly by billing it as an out-of-band update or a follow-on to an already installed app. Recently, the researchers uncovered evidence the attacks may be circulating online, they said without elaborating. The technique doesn't work against iOS preinstalled apps such as Mobile Safari. FireEye researchers said they reported the vulnerability to Apple in July.
"By leveraging Masque Attack, an attacker can lure a victim to install an app with a deceiving name crafted by the attacker (like New Angry Bird), and the iOS system will use it to replace a legitimate app with the same bundle identifier," Monday's report stated. "Masque Attack couldn't replace Apple's own platform apps such as Mobile Safari, but it can replace apps installed from App Store." From there attackers can:
Mimic the login interface of the replaced app to steal the victims' login credentials
Access local data caches assigned to the replaced app to steal e-mails, login tokens, or other sensitive data
Install custom programming interfaces not approved by Apple onto victims' phones
Bypass the normal app sandbox architecture built into iOS and possibly get root access by exploiting known iOS vulnerabilities, such as those recently targeted by the Pangu team.
FireEye researchers documented the following proof-of-concept example attack:
In one of our experiments, we used an in-house app with a bundle identifier “com.google.Gmail” with a title “New Flappy Bird.” We signed this app using an enterprise certificate. When we installed this app from a website, it replaced the original Gmail app on the phone.
Figure 1 illustrates this process. Figure 1(a) (b) show the genuine Gmail app installed on the device with 22 unread e-mails. Figure 1(c) shows that the victim was lured to install an in-house app called “New Flappy Bird” from a website. Note that “New Flappy Bird” is the title for this app and the attacker can set it to an arbitrary value when preparing this app. However, this app has a bundle identifier “com.google.Gmail”.
After the victim clicks “Install”, Figure 1(d) shows the in-house app was replacing the original Gmail app during the installation. Figure 1(e) shows that the original Gmail app was replaced by the in-house app. After installation, when opening the new “Gmail” app, the user will be automatically logged in with almost the same UI except for a small text box at the top saying “yes, you are pwned” which we designed to easily illustrate the attack. Attackers won’t show such courtesy in real world attacks. Meanwhile, the original authentic Gmail app’s local cached e-mails, which were stored as clear-text in a sqlite3 database as shown in Figure 2, are uploaded to a remote server.
Note that Masque Attack happens completely over the wireless network, without relying on connecting the device to a computer.
The attacks can be prevented by installing only apps that come from Apple's official App Store. Users who encounter dialogue boxes from third-party websites asking for permission to update existing apps or install new ones should be especially suspicious. Users should immediately uninstall any apps that return an alert saying "Untrusted App Developer."
In order to make a Masque attack work, an attacker has to:
1. Have an iOS Developer Enterprise Program account or the universal device identifier (UDID) for the device they want to target. 2. Make a malicious app that looks like a popular, existing app. (A fake Gmail app that simply loads the Gmail website in FireEye's example.) 3. Get you to download their fake app from outside the App Store. (For example, by sending you an email with a link in it.) 4. Get you to agree to the iOS popup that warns you the app you're trying to install is from an untrusted source.
Getting a device's UDID is non-trivial and this approach would limit how many devices could be targeted. For this reason, attackers try to get iOS Developer Enterprise Program accounts instead. Enterprise-signed apps can be installed on any device, making enterprise-signed malware easier to distribute and spread. However, Apple has the ability to revoke enterprise certificates at any time, preventing any apps signed by that certificate from ever launching again. That's why this type of attack is much more likely to be used in a targeted manner against a specific individual or group of individuals, than to be exploited in the wild targeting a large group of users.
Looks like all you have to do is have an enterprise signed app that has the same identifier. The user does not have to setup any enterprise trust relationship. It also appears there is not cert matching for individual apps so iOS does not care if an app gets replaced with another app with a completely different cert.
In order to make a Masque attack work, an attacker has to:
1. Have an iOS Developer Enterprise Program account or the universal device identifier (UDID) for the device they want to target. 2. Make a malicious app that looks like a popular, existing app. (A fake Gmail app that simply loads the Gmail website in FireEye's example.) 3. Get you to download their fake app from outside the App Store. (For example, by sending you an email with a link in it.) 4. Get you to agree to the iOS popup that warns you the app you're trying to install is from an untrusted source.
Getting a device's UDID is non-trivial and this approach would limit how many devices could be targeted. For this reason, attackers try to get iOS Developer Enterprise Program accounts instead. Enterprise-signed apps can be installed on any device, making enterprise-signed malware easier to distribute and spread. However, Apple has the ability to revoke enterprise certificates at any time, preventing any apps signed by that certificate from ever launching again. That's why this type of attack is much more likely to be used in a targeted manner against a specific individual or group of individuals, than to be exploited in the wild targeting a large group of users.
Looks like all you have to do is have an enterprise signed app that has the same identifier. The user does not have to setup any enterprise trust relationship. It also appears there is not cert matching for individual apps so iOS does not care if an app gets replaced with another app with a completely different cert.
Dan Goodin
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene.
reader comments
66