Menu
One third of enterprise iOS devices vulnerable to app, data hijacking attacks

One third of enterprise iOS devices vulnerable to app, data hijacking attacks

Researchers from FireEye found five flaws that can be exploited by rogue apps installed through the iOS enterprise provisioning system

Apple released patches for several exploits that could allow maliciously crafted applications to destroy apps that already exist on devices, access their data or hijack their traffic, but a large number of iOS devices are still vulnerable.

The vulnerabilities allow for so-called Masque attacks because they involve the impersonation of existing apps or their components. Three of them were patched in iOS version 8.1.3 that was released in January and two newer ones were patched in iOS 8.4, released Tuesday.

In order to attack iOS devices with these flaws, hackers would have to trick their owners into installing rogue apps through the enterprise provisioning system. Companies use this mechanism to deploy in-house developed apps that are not published on the official App Store.

Using enterprise provisioning and legitimate or stolen enterprise certificates, attackers could convince users to install malicious apps that are hosted on rogue websites.

Security researchers from FireEye first reported the original application Masque attack in November last year, warning that the technique can be used to replace existing apps and access their data.

Since then, they have found and reported additional vulnerabilities that allow similar attacks. One, dubbed the URL Masque, allows hijacking inter-app communications and bypassing user confirmation prompts, while another, called the Plug-in Masque, allows attackers to replace existing VPN plug-ins, hijack device traffic and prevent devices from rebooting.

The URL Masque and Plug-in Masque vulnerabilities were patched together with the original App Masque flaw in iOS 8.1.3. However, the monitoring of Web traffic from several high-profile networks revealed that one third of iOS devices on those networks still run iOS versions older than 8.1.3.

On Tuesday, the company's researchers revealed two more Masque vulnerabilities, dubbed Manifest Masque and Extension Masque, after Apple partially fixed them in iOS 8.4.

The Manifest Masque flaw can be exploited by publishing a rogue manifest file along an in-house app on a provisioning website. Apple fails to check if the bundle identifiers listed in provisioning manifest files match those of the provisioned apps, the FireEye researchers said in a blog post.

"If the XML manifest file on the website has a bundle identifier equivalent to that of another genuine app on the device, and the bundle-version in the manifest is higher than the genuine app's version, the genuine app will be demolished down to a dummy placeholder, whereas the in-house app will still be installed using its built-in bundle id," the researchers explained. "The dummy placeholder will disappear after the victim restarts the device."

Meanwhile, the Extension Masque flaw is located in the app extension feature introduced in iOS 8 and can be exploited to access another app's data or to prevent an existing app from accessing its own data.

Attackers could exploit it by creating a rogue app that registers an extension with the bundle identifier of an existing application. The extension would then gain full access to that other app's data container, according to the FireEye researchers.

While a third of iOS devices continue to be vulnerable to all Masque attacks, there are likely many more that are only vulnerable to the most recently disclosed Manifest and Extension Masque flaws. The FireEye researchers advise users to update their devices as soon as possible and to keep them up to date in the future.


Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags patchesApplesecuritymobile securityFireEyeExploits / vulnerabilitiesmalware

Featured

Slideshows

Tight lines as Hooked on Lenovo catches up at Great Barrier Island

Tight lines as Hooked on Lenovo catches up at Great Barrier Island

​Ingram Micro’s Hooked on Lenovo incentive programme recently rewarded 28 of New Zealand's top performing resellers with a full-on fishing trip at Great Barrier Island for the third year​ in a row.

Tight lines as Hooked on Lenovo catches up at Great Barrier Island
Inside the AWS Summit in Sydney

Inside the AWS Summit in Sydney

As the dust settles on the 2017 AWS Summit in Sydney, ARN looks back an action packed two-day event, covering global keynote presentations, 80 breakout sessions on the latest technology solutions, and channel focused tracks involving local cloud stories and insights.

Inside the AWS Summit in Sydney
Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day

Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day

Ingram Micro hosted its third annual Cure Kids Charity Golf Tournament at the North Shore Golf Club in Auckland. In total, 131 resellers, vendors and Ingram Micro suppliers enjoyed a round of golf consisting of challenges on each of the 18 sponsored holes, with Team Philips taking out the top honours.

Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day
Show Comments