One third of enterprise iOS devices vulnerable to app, data hijacking attacks

Researchers from FireEye found five flaws that can be exploited by rogue apps installed through the iOS enterprise provisioning system

Apple released patches for several exploits that could allow maliciously crafted applications to destroy apps that already exist on devices, access their data or hijack their traffic, but a large number of iOS devices are still vulnerable.

The vulnerabilities allow for so-called Masque attacks because they involve the impersonation of existing apps or their components. Three of them were patched in iOS version 8.1.3 that was released in January and two newer ones were patched in iOS 8.4, released Tuesday.

In order to attack iOS devices with these flaws, hackers would have to trick their owners into installing rogue apps through the enterprise provisioning system. Companies use this mechanism to deploy in-house developed apps that are not published on the official App Store.

Using enterprise provisioning and legitimate or stolen enterprise certificates, attackers could convince users to install malicious apps that are hosted on rogue websites.

Security researchers from FireEye first reported the original application Masque attack in November last year, warning that the technique can be used to replace existing apps and access their data.

Since then, they have found and reported additional vulnerabilities that allow similar attacks. One, dubbed the URL Masque, allows hijacking inter-app communications and bypassing user confirmation prompts, while another, called the Plug-in Masque, allows attackers to replace existing VPN plug-ins, hijack device traffic and prevent devices from rebooting.

The URL Masque and Plug-in Masque vulnerabilities were patched together with the original App Masque flaw in iOS 8.1.3. However, the monitoring of Web traffic from several high-profile networks revealed that one third of iOS devices on those networks still run iOS versions older than 8.1.3.

On Tuesday, the company's researchers revealed two more Masque vulnerabilities, dubbed Manifest Masque and Extension Masque, after Apple partially fixed them in iOS 8.4.

The Manifest Masque flaw can be exploited by publishing a rogue manifest file along an in-house app on a provisioning website. Apple fails to check if the bundle identifiers listed in provisioning manifest files match those of the provisioned apps, the FireEye researchers said in a blog post.

"If the XML manifest file on the website has a bundle identifier equivalent to that of another genuine app on the device, and the bundle-version in the manifest is higher than the genuine app's version, the genuine app will be demolished down to a dummy placeholder, whereas the in-house app will still be installed using its built-in bundle id," the researchers explained. "The dummy placeholder will disappear after the victim restarts the device."

Meanwhile, the Extension Masque flaw is located in the app extension feature introduced in iOS 8 and can be exploited to access another app's data or to prevent an existing app from accessing its own data.

Attackers could exploit it by creating a rogue app that registers an extension with the bundle identifier of an existing application. The extension would then gain full access to that other app's data container, according to the FireEye researchers.

While a third of iOS devices continue to be vulnerable to all Masque attacks, there are likely many more that are only vulnerable to the most recently disclosed Manifest and Extension Masque flaws. The FireEye researchers advise users to update their devices as soon as possible and to keep them up to date in the future.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags patchesApplesecuritymobile securityFireEyeExploits / vulnerabilitiesmalware

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Crucial Ballistix Elite 32GB Kit (4 x 8GB) DDR4-3000 UDIMM

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® JumpDrive® S57 USB 3.0 flash drive 

Learn more >

Stocking Stuffer

Plox Star Wars Death Star Levitating Bluetooth Speaker

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?