One third of enterprise iOS devices vulnerable to app, data hijacking attacks

Researchers from FireEye found five flaws that can be exploited by rogue apps installed through the iOS enterprise provisioning system

Apple released patches for several exploits that could allow maliciously crafted applications to destroy apps that already exist on devices, access their data or hijack their traffic, but a large number of iOS devices are still vulnerable.

The vulnerabilities allow for so-called Masque attacks because they involve the impersonation of existing apps or their components. Three of them were patched in iOS version 8.1.3 that was released in January and two newer ones were patched in iOS 8.4, released Tuesday.

In order to attack iOS devices with these flaws, hackers would have to trick their owners into installing rogue apps through the enterprise provisioning system. Companies use this mechanism to deploy in-house developed apps that are not published on the official App Store.

Using enterprise provisioning and legitimate or stolen enterprise certificates, attackers could convince users to install malicious apps that are hosted on rogue websites.

Security researchers from FireEye first reported the original application Masque attack in November last year, warning that the technique can be used to replace existing apps and access their data.

Since then, they have found and reported additional vulnerabilities that allow similar attacks. One, dubbed the URL Masque, allows hijacking inter-app communications and bypassing user confirmation prompts, while another, called the Plug-in Masque, allows attackers to replace existing VPN plug-ins, hijack device traffic and prevent devices from rebooting.

The URL Masque and Plug-in Masque vulnerabilities were patched together with the original App Masque flaw in iOS 8.1.3. However, the monitoring of Web traffic from several high-profile networks revealed that one third of iOS devices on those networks still run iOS versions older than 8.1.3.

On Tuesday, the company's researchers revealed two more Masque vulnerabilities, dubbed Manifest Masque and Extension Masque, after Apple partially fixed them in iOS 8.4.

The Manifest Masque flaw can be exploited by publishing a rogue manifest file along an in-house app on a provisioning website. Apple fails to check if the bundle identifiers listed in provisioning manifest files match those of the provisioned apps, the FireEye researchers said in a blog post.

"If the XML manifest file on the website has a bundle identifier equivalent to that of another genuine app on the device, and the bundle-version in the manifest is higher than the genuine app's version, the genuine app will be demolished down to a dummy placeholder, whereas the in-house app will still be installed using its built-in bundle id," the researchers explained. "The dummy placeholder will disappear after the victim restarts the device."

Meanwhile, the Extension Masque flaw is located in the app extension feature introduced in iOS 8 and can be exploited to access another app's data or to prevent an existing app from accessing its own data.

Attackers could exploit it by creating a rogue app that registers an extension with the bundle identifier of an existing application. The extension would then gain full access to that other app's data container, according to the FireEye researchers.

While a third of iOS devices continue to be vulnerable to all Masque attacks, there are likely many more that are only vulnerable to the most recently disclosed Manifest and Extension Masque flaws. The FireEye researchers advise users to update their devices as soon as possible and to keep them up to date in the future.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags malwaremobile securityAppleFireEyepatchesExploits / vulnerabilities

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Lucian Constantin

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?