Hi Chris,

You do not have to be jailbroken to be infected with malware using the Masque
Attack flaw. The malicious app is actually installed using iOS’ enterprise 
provisioning features which would normally allow you to, say, install an app 
from your company’s secure server, or else beta test an app. The issue seems to 
be that iOS does not cryptographically verify an application to make sure it 
has not been tampered with. So, for example, once the user gives the go-ahead 
for one of these apps to be installed (e.g. they respond to a prompt promising 
a new game), the Gmail app might be replaced with a malicious application that 
gathers your personal data and sends it to a server, and iOS will allow the app 
to run unimpeded.

There is certainly no need for us to panic as we can simply not install apps 
from untrusted websites or messages, but the major security issue here seems to 
be the lack of cryptographic verification that would prevent legitimate apps 
already installed on the device from being tampered with.

That’s probably a pretty rough explanation of the flaw, but you can read more 
about it here: http://www.thesafemac.com/major-ios-insecurity/

Grant

Sent from mobile

On Nov 14, 2014, at 9:18 AM, 'Chris Blouch' via MacVisionaries
<macvisionaries@googlegroups.com> wrote:

The attack assumes jumping one fairly substantial hurdle and that is you must
jailbreak your phone to install apps that don't come from the Apple app store. 
I don't know what percent of people actually do this but I suspect it's small, 
which makes the attack surface small and the injury somewhat self-inflicted. 
Part of the reason the Android ecosystem is so full of spyware and such is you 
can install apps from anywhere you please without vetting by anybody. Sooner or 
later something gets in that way. For me, while there are some interesting 
non-approved iOS apps out there that even seem legit, who is to say that 
somebody else didn't mess with it and add a payload of viruses? No thanks. I'll 
stick to the legit store and avoid all that.

CB

On 11/14/14, 12:18 AM, Sabahattin Gucukoglu wrote:
> An attack on iOS app validation means that it's possible to be tricked into 
> replacing a legitimate app with an illegitimate one which looks legitimate.  
> Furthermore, the illegitimate app has access to data of the app it replaced.  
> Full details here:
> http://www.fireeye.com/blog/technical/cyber-exploits/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html
> 
> Don't install iOS apps from anywhere other than the App Store, and never 
> respond to a prompt requesting installation from a web page or somewhere 
> else.  If you are warned that an app is untrusted when you launch it, delete 
> it immediately.
> 

-- 
¯\_(ツ)_/¯

-- 
You received this message because you are subscribed to the Google Groups 
"MacVisionaries" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to macvisionaries+unsubscr...@googlegroups.com.
To post to this group, send email to macvisionaries@googlegroups.com.
Visit this group at http://groups.google.com/group/macvisionaries.
For more options, visit https://groups.google.com/d/optout.
