FireEye roasts Apple crumble over revived iOS Masque attack

News by Adrian Bridgwater

Researchers at network threat prevention company FireEye have uncovered a revived iOS Masque Attack, a vulnerability that originally surfaced in November 2014.

Masque Attack is term coined by FireEye to describe malware that encourages users to install Apple iOS software on iPads or iPhones using the same software ‘bundle identifier' as an existing legitimate application.

FireEye surmises that Apple's iOS ecosystem has what it calls out as a ‘fundamental flaw' in the way it handles the URL schemes that call specific apps to launch when a user clicks on them -- and this is the root of the problem.

Dubbed Masque Attack II, part of the current set of flaws has already been fixed in the recent iOS 8.1.3 security content update from Apple. FireEye claims that iOS 8.1.3 fixed the first issue, whereas the iOS URL scheme hijacking is still present at the time of writing.

Wolf in sheep's clothing

Yulong Zhang, senior research engineer at FireEye, has told that malicious third-party app developers can register the same URLs as popular app developers - and then force the iOS device to launch their malicious app instead of the intended one.

“Masque Attack II has the ability to bypass the iOS system level prompt for trust and the iOS URL scheme hijacking control protocol. Attackers can then mimic the UI of the popular app to steal login credentials or intercept data intended to only be transmitted between the two legitimate apps,” said Zhang.

“[The] iOS app URL scheme lets you communicate with other apps through a protocol that you define. By deliberately defining the same URL schemes used by other apps, a malicious app can still hijack the communications towards those apps and mount phishing attacks to steal login credentials. Even worse than the first Masque Attack, attackers might be able to conduct Masque Attack II through an app in the App Store,” wrote Zhang, on his own company blog.

Apple: no customers affected

Apple has insisted from the start that it designed OS X and iOS with ‘built-in security safeguards' to help warn users before they mistakenly install potentially malicious software. The firm also insisted back in November that it was, “not aware of any customers that have actually been affected by this attack.”

FireEye says that it works to inform Apple about the so-called Masque vulnerabilities some time before going public with this information. The firm communicated with Apple back in July 2014 before the news became public in November. Subsequently the United States Computer Emergency Readiness Team (US-CERT) released Alert bulletin TA14-317A, regarding the Masque Attack on November 13, 2014. US-CERT, part of the Department of Homeland Security, has not issued a further alert for Masque Attack II as yet.

When the user clicks to open an enterprise-signed app for the first time, iOS asks whether the user trusts the signing party. The app won't launch unless the user chooses ‘Trust'.  Apple suggested that users can defend against Masque Attack using this ‘Don't Trust' prompt. FireEye says it notified Apple that this was inadequate.

Zhang claims that even if the user has always clicked ‘Don't Trust', iOS still launches that enterprise-signed app directly upon calling its URL scheme. In other words, when the user clicks on a link in SMS, iOS Mail or Google Inbox, iOS launches the target enterprise-signed app without asking for user's ‘Trust' or even ignores user's ‘Don't Trust'. An attacker can leverage this issue to launch an app containing a Masque Attack.

Why iOS URL scheme hijacking matters

Tim Erlin, director of IT security at Tripwire told “App stores, whether from Apple, Google, or Amazon, are quickly becoming platforms unto themselves, and that makes them viable targets for attack. This attack leverages a point of trusted interaction that Apple seems to have missed, or assessed incorrectly. It's nearly guaranteed that there are more of these points to exploit. We should expect to see follow-on efforts from attackers and researchers against Apple and others.”

Kevin Epstein, VP of advanced security and governance at Proofpoint, insists that any attack that requires the potential victim to consciously ignore one or more warnings and actively choose to install malware that's detectible by signature-based antivirus isn't exactly a ‘stealthy' attack, so to speak.

“That said, like most current targeted threats, the attack technique shown starts with the user or app visiting a web link – thus, the need for enterprises to deploy modern cloud-based targeted attack protection and threat response systems, independent of any software or operating system on mobile devices,” added Epstein.

Deeper analysis of Apple's own iOS Developer Library is arguably much needed here if both malicious and genuine application developers can get both the App Store and iOS treat to allow different apps to bear the same URL schemes. Fixing URL scheme hijacking may not be easy for Apple says FireEye - in a world of streaming and downloads; this architecture-level issue is one to keep front of mind.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews