There’s a lot of discussion happening right now about a newly-disclosed iOS vulnerability called Masque Attack, and everyone seems to be talking about it like it’s the end of the world. Here’s the good news: it isn’t the end of the world, and the only thing anyone needs to protect themselves from it is a little common sense.
At its core, the attack, most recently discussed by researcher Jonathan Zdziarski, works like this: someone malicious convinces an iOS user to download an application that has the same name and bundle identifier as something that’s already on their phone. (Say, Flappy Bird.) Because the operating system doesn’t check to make sure that the security certificate that signs the malicious app is the same as the one signing the “real” version, it will replace the clean app with a fresh piece of malicious software.
According to Apple, there’s no evidence that this attack has been used in the wild. There’s a good reason for that: actually pulling this attack off is costly and time-consuming. An attacker would need one of two things for the app to even install on a target user’s device: the phone or tablet’s Universal Device ID (UDID for short) or an enterprise-grade iOS developer account, which costs $299 a year.
After all that, the attacker would then need to convince a user to install the app on their iPhone or iPad, and run it. At any time during that process, Apple could choose to revoke the app’s security certificate remotely, which would prevent it from running on any iOS device. In other words, it requires attackers to spend time and money on something that might not even work.
What that means is that the best way to protect yourself from a Masque Attack is to only install apps from the App Store, and if you must side-load an app, verify it comes from someone that you trust. This probably isn’t the sort of thing people will see on the open web. Folks with normal browsing habits most likely will never encounter an instance when they would even be asked to install an app from outside the App Store.
Instead, this attack seems like it would most likely be deployed as a part of a spear-phishing attack against a particular target. The juiciest and most open to attack would be companies that rely on software developed in-house that has to be side-loaded onto a device. Even so, this attack can be defeated by using common sense: if you didn’t ask for an update, and if it hasn’t been announced by someone you trust, don’t update.
