iOS devices still at risk from app-hijacking Masque attacks
Wed 1 Jul 2015

Researchers have released details of new iOS attacks which switch users’ legitimate apps for malicious replicas.
Security firm FireEye has warned that although Apple has patched a number of flaws in the recent iOS 8.4, those users who have not updated their devices are still vulnerable to these ‘Masque’ attacks.
The new identified Masque campaigns are being dubbed Manifest Masque and Extension Masque and typically target users via text message, email phishing or across web browsers.
The Manifest Masque flaw can be exploited “if the XML manifest file on the website has a bundle identifier equivalent to that of another genuine app on the device, and the bundle-version in the manifest is higher than the genuine app’s version,” the researchers explained. “The genuine app will be demolished down to a dummy placeholder, whereas the in-house app will still be installed using its built-in bundle id […] The dummy placeholder will disappear after the victim restarts the device.”
Alternatively, the Extension Masque bug can be found in the app extension feature in iOS 8 and can be used to gain access to an app’s data container.
The report posted yesterday by FireEye also described a previous masque flaw including Plugin Masque, which allowed attackers to cut out iOS entitlement enforcement and take control of VPN traffic. Another patched vector URL Masque facilitated the hijacking of inter-app communications.
FireEye suggested that as many as one third of iOS users had yet to update their devices and therefore remained exposed to Masque attacks.
The FireEye blog warned that: “Although Apple has fixed or partially fixed the original Masque Attack on iOS 8.1.3, there are still other attack surfaces to exploit vulnerabilities in the installation process on iOS.
“Moreover, around one third of iOS devices that we monitored are still vulnerable to all the Masque Attacks because they have not been upgraded. We suggest that all iOS users keep their devices up-to-date.”