In the field of July 2014, FireEye cellular phone security researchers take part in naked so as to an iOS app installed using enterprise/ad-hoc provisioning possibly will supplant a different actual app installed through the App amass, since extensive since both apps used the same bundle identifier. This in-house app possibly will put on view an arbitrary title (like “New Flappy Bird”) so as to lures the user to install it, but the app can supplant a different actual app as soon as installation. All apps can take place replaced excepting iOS preinstalled apps, such since cellular phone expedition. This vulnerability exists as iOS doesn't enforce matching certificates in support of apps with the same bundle identifier. We verified this vulnerability on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, in support of both jailbroken and non-jailbroken procedure. An enemy can power this vulnerability both through wireless networks and USB. We named this attack “Masque Attack" .
We take part in notified Apple vis-а-vis this vulnerability on July 26. Recently Claud Xiao naked the “WireLurker” malware. As soon as looking into WireLurker, we found so as to it on track to make use of a partial form of Masque Attacks to attack iOS procedure through USB. Masque Attacks can pose much superior threats than WireLurker. Masque Attacks can supplant authentic apps,such since banking and email apps, using attacker's malware through the Internet. So as to course the enemy can pinch user's banking credentials by replacing an authentic banking app with an malware so as to has identical UI. Surprisingly, the malware can even access the imaginative app's district data, which wasn't uninvolved as soon as the imaginative app was replaced. These data possibly will contain cached emails, before even login-tokens which the malware can bring into play to log into the user's financial credit honestly.
We take part in seen proofs so as to this gush on track to circulate. In the field of this condition, we consider it urgent to accede to the municipal know, since nearby possibly will take place existing attacks so as to haven’t been found by security vendors. We are too sharing improvement measures to help iOS users better shelter themselves.
Security Impacts
By leveraging Masque Attack, an enemy can lure a victim to install an app with a to be regarded with suspicion family name crafted by the enemy (like “New Angry Bird”), and the iOS organism desire bring into play it to supplant a legitimate app with the same bundle identifier. Masque Attack couldn't supplant Apple's own platform apps such since cellular phone expedition, but it can supplant apps installed from app amass. Masque Attack has plain security penalty:
Attackers possibly will mimic the imaginative app’s login interface to pinch the victim’s login credentials. We take part in established this through multiple email and banking apps, anywhere the malware uses a UI identical to the imaginative app to trick the user into entering real login credentials and upload them to a remote head waiter.
We too found so as to data under the imaginative app’s directory, such since district data caches, remained in the field of the malware district directory as soon as the imaginative app was replaced. The malware can pinch these aware data. We take part in established this attack with email apps anywhere the malware can pinch district caches of principal emails and upload them to remote head waiter.
The MDM interface couldn’t distinguish the malware from the imaginative app, as they used the same bundle identifier. At present nearby is nix MDM API to progress the certificate in order in support of every app. Like this, it is tiring in support of MDM to detect such attacks.
Since mentioned in the field of our Virus Bulletin 2014 paper “Apple devoid of a shell - iOS under besieged attack”, apps dispersed using venture provisioning profiles (which we call “EnPublic apps”) aren’t subjected to Apple’s re-examine process. Therefore, the enemy can power iOS secretive APIs in support of powerful attacks such since background monitoring (CVE-2014-1276) and mimic iCloud’s UI to pinch the user’s Apple ID and password.
The enemy can too bring into play Masque Attacks to bypass the typical app sandbox and in that case progress burrow privileges by attacking recognized iOS vulnerabilities, such since the ones used by the Pangu team.
An exemplar
In the field of single of our experiments, we used an in-house app with a bundle identifier “com.Google.Gmail” with a title “New Flappy Bird”. We signed this app using an venture certificate. As soon as we installed this app from a website, it replaced the imaginative Gmail app on the phone.
Think 1 illustrates this process. Think 1(a) (b) parade the actual Gmail app installed on the device with 22 unread emails. Think 1(c) shows so as to the victim was lured to install an in-house app called “New Flappy Bird” from a website. Be aware of so as to “New Flappy Bird” is the title in support of this app and the enemy can arranged it to an arbitrary worth as soon as preparing this app. However, this app has a bundle identifier “com.Google.Gmail”.
As soon as the victim clicks “Install”, think 1(d) shows the in-house app was replacing the imaginative Gmail app for the duration of the installation. Think 1(e) shows so as to the imaginative Gmail app was replaced by the in-house app. As soon as installation, as soon as opening the new-found “Gmail” app, the user desire take place robotically logged in the field of with almost the same UI excepting in support of a insignificant text box by the side of the top saw “yes, you are pwned” which we designed to without problems illustrate the attack. Attackers won’t parade such courtesy in the field of real humanity attacks. Meanwhile, the imaginative authentic Gmail app’s district cached emails, which were stored since clear-text in the field of a sqlite3 catalog since exposed in the field of think 2, are uploaded to a remote head waiter.
Be aware of so as to Masque Attack happens completely concluded the wireless association, devoid of relying on between the device to a laptop.
Mitigations
IOS users can shelter themselves from Masque Attacks by following three steps:
Don’t install apps from third-party sources other than Apple’s administrator App amass before the user’s own organization
Don’t click “Install” on a pop-up from a third-party jungle contact, since exposed in the field of think 1(c), nix question I beg your pardon? The pop-up says vis-а-vis the app. The pop-up can parade beautiful app titles crafted by the enemy
As soon as opening an app, if iOS shows an alert with “Untrusted App Developer”, since exposed in the field of think 3, click on “Don’t Trust” and uninstall the app without more ado
To check whether nearby are apps already installed through Masque Attacks, iOS 7 users can check the venture provisioning profiles installed on their iOS procedure, which indicate the signing identities of viable malware delivered by Masque Attacks, by examination “Settings - > wide-ranging -> Profiles” in support of “PROVISIONING PROFILES”. IOS 7 users can description suspicious provisioning profiles to their security branch. Deleting a provisioning profile desire prevent venture signed apps which rely on so as to certain profile from running. However, iOS 8 procedure don’t parade provisioning profiles already installed on the procedure and we hint at taking spare caution as soon as installing apps.
We disclosed this vulnerability to Apple in the field of July. As all the existing standard protections before interfaces by Apple cannot prevent such an attack, we are asking Apple to provide supplementary powerful interfaces to trained security vendors to shelter venture users from these and other superior attacks.
We thank FireEye team members Noah Johnson and Andrew Osheroff in support of their help in the field of producing the display cartridge. We too yearn for to thank Kyrksen Storer and Lynn Thorne in support of their help humanizing this blog. Special recognition to Zheng Bu in support of his valuable interpretation and response.
Tags : IOS , App
