Apple has downplayed the Masque iOS security threat, saying no one has actually been affected by the security vulnerability.
The Masque Attack opened by the security shortcoming creates a way for attackers to replace genuine iOS apps with malicious doppelgängers, as previously reported. Security firm FireEye warned about the iOS app overwrite attack on Monday before US-CERT reiterated the warning with its own advisory on Thursday.
The malicious app has to be signed using an enterprise certificate - technology normally used in enterprise environments to deploy software without having to go through the official App Store - and attackers would have to rely on users clicking through a warning. A would-be hacker would need to obtain an enterprise provisioning profile or steal one, neither of which is readily available.
Apple says the threat is mostly theoretical. Nobody has been affected, it claims, and there's no need to develop a patch.
"We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software," Apple said in a statement, the San Jose Mercury News reports. "We're not aware of any customers that have actually been affected by this attack."
"We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps. Enterprise users installing custom apps should install apps from their company's secure website," it added.
Masque underpins WireLurker
FireEye's release of information about the Masque Attack comes days after the discovery of WireLurker, the first malware capable of spreading onto non-jailbroken Apple iOS devices from infected Mac OS X systems. Masque Attacks can happen completely over a wireless network using something as simple as a booby-trapped email or SMS message and without relying on an infected-computer-to-iThing USB connection used to spread WireLurker.
Deepen Desai, head of security research at cloud security firm Zscaler, explained: "WireLurker has been found using the Masque exploit where it is possible to install a malicious app masquerading as a legitimate app by using the same bundle identifier string. The malicious app will completely replace the legitimate app and will also have access to the cached data as well as cached login tokens."
"The attacker can leverage Masque exploit to directly target the iOS device over the internet and does not require infecting the user systems. A simple SMS message or a pop-up with a link to a malicious app hosting site will prompt the user to install the app," he added.
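The bundle-identifier collision Desai describes is also what a defender can look for: an app carrying the bundle ID of a known App Store app but signed with an enterprise (in-house) certificate rather than by the App Store. The script below is an added illustration, not FireEye's, Zscaler's or Apple's code; the inventory format (an MDM-style export with `bundle_id`, `name`, `signing` and `version` fields), the `signing` values and the sample records are all assumptions constructed for the example.

```python
"""Flag installed iOS apps whose bundle identifier matches a known App Store
app but whose signing provenance is not the App Store (the Masque pattern).
Added illustration; the inventory schema below is an assumption, not a real
MDM or Apple format."""
from dataclasses import dataclass

# Constructed sample of bundle identifiers known to belong to App Store apps.
KNOWN_APPSTORE_BUNDLES = {
    "com.example.bank": "Example Bank",
    "com.example.mail": "Example Mail",
}

# Constructed sample inventory, one record per installed app, in the shape an
# MDM export is assumed to provide. "signing" is assumed to be one of
# "appstore", "enterprise" or "development"; a missing value is treated as unknown.
INVENTORY = [
    {"bundle_id": "com.example.bank", "name": "Example Bank",
     "signing": "appstore", "version": "3.2"},
    {"bundle_id": "com.example.mail", "name": "Example Mail",
     "signing": "enterprise", "version": "1.0"},
    {"bundle_id": "com.corp.timesheet", "name": "Timesheet",
     "signing": "enterprise", "version": "2.1"},
]


@dataclass(frozen=True)
class Finding:
    bundle_id: str
    installed_name: str
    expected_name: str
    signing: str
    reason: str


def find_masque_candidates(inventory, known=KNOWN_APPSTORE_BUNDLES):
    """Return Findings for apps matching the Masque pattern: a bundle ID that
    belongs to a known App Store app, but the installed copy is not App Store
    signed. iOS keeps one app per bundle ID, so the legitimate copy would
    already have been overwritten; provenance is the only remaining signal."""
    findings = []
    for app in inventory:
        bid = app["bundle_id"]
        if bid not in known:
            # In-house bundle IDs with no App Store twin are expected on
            # enterprise-managed devices and are not part of this pattern.
            continue
        signing = app.get("signing", "unknown")
        if signing == "appstore":
            continue
        findings.append(Finding(
            bundle_id=bid,
            installed_name=app["name"],
            expected_name=known[bid],
            signing=signing,
            reason=f"{signing}-signed app uses the bundle ID of App Store app "
                   f"'{known[bid]}'",
        ))
    return findings


if __name__ == "__main__":
    for f in find_masque_candidates(INVENTORY):
        print(f"{f.bundle_id}: {f.reason}")
```

Run against the constructed inventory, the check flags only `com.example.mail`: it shares the bundle ID of a known App Store app yet is enterprise-signed, while the enterprise-signed `com.corp.timesheet` is left alone because no App Store app claims that identifier.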
WireLurker claimed a small number of victims (principally in China), according to Kaspersky Lab, a finding that runs contrary to Apple's assurance that nobody has been hit.
However, it ought to be pointed out that security experts are split about the seriousness of the bug or even whether it's actually new. Stefan Esser of German security outfit SektionEins presented research (PDF) on a very similar vulnerability at the SyScan conference last year.
We've asked FireEye to comment on this earlier research, as well as for a response on what Apple had to say. We'll update this story as and when we hear back.
Vince Arneja, veep of Product Management at application security firm Arxan Technologies, explained that one mechanism for exploiting the Masque Attack would involve reverse engineering an app before repackaging it and republishing it into a secondary app store.
"The user unknowingly clicks on a link of some sort to go to the secondary app store and downloads the malicious app," Arneja explained. "This is where the flaw in Apple’s iOS operating system allows the malicious app to override the legitimate app on a jailbroken or non-jailbroken device." ®
Updated to add
A spokesperson for FireEye has been in touch to say: "Apple’s statement regarding the Masque Attack is very much in-line with what FireEye and the US-CERT have published regarding there being no currently known exploit of the vulnerability in the wild, as well as in regards to the steps iOS users should take to avoid falling victim to this vulnerability should it be taken advantage of in the future."