{"id":117,"date":"2014-11-13T17:00:23","date_gmt":"2014-11-13T17:00:23","guid":{"rendered":"http:\/\/test.blueshell.im\/Blog\/?p=117"},"modified":"2020-08-16T08:45:40","modified_gmt":"2020-08-16T08:45:40","slug":"ta14-317a-apple-ios-masque-attack-technique","status":"publish","type":"post","link":"http:\/\/www.blueshell.im\/Blog\/?p=117","title":{"rendered":"TA14-317A: Apple iOS &#8220;Masque Attack&#8221; Technique"},"content":{"rendered":"<p><img loading=\"lazy\" src=\"https:\/\/public.govdelivery.com\/system\/images\/37745\/original\/BANNER_NCCIC_USC_01.png\" alt=\"NCCIC \/ US-CERT\" width=\"700\" height=\"100\"><\/p>\n<p>National Cyber Awareness System:<\/p>\n<div class=\"rss_item\">\n<div class=\"rss_title\"><a href=\"https:\/\/www.us-cert.gov\/ncas\/alerts\/TA14-317A\">TA14-317A: Apple iOS &#8220;Masque Attack&#8221; Technique<\/a><\/div>\n<div class=\"rss_pub_date\">11\/13\/2014 09:17 AM EST<\/div>\n<div class=\"rss_description\">Original release date: November 13, 2014<\/p>\n<h3>Systems Affected<\/h3>\n<p>iOS devices running iOS 7.1.1, 7.1.2, 8.0, 8.1, and 8.1.1 beta.<\/p>\n<h3>Overview<\/h3>\n<p>A technique labeled \u201cMasque Attack\u201d allows an attacker to substitute malware for a legitimate iOS app under a limited set of circumstances.<\/p>\n<h3>Description<\/h3>\n<p>Masque Attack was discovered and described by FireEye mobile security researchers.<a href=\"http:\/\/www.fireeye.com\/blog\/technical\/cyber-exploits\/2014\/11\/masque-attack-all-your-ios-apps-belong-to-us.html\">[1]<\/a> This attack works by luring users to install an app from a source other than the iOS App Store or their organizations\u2019 provisioning system. In order for the attack to succeed, a user must install an untrusted app, such as one delivered through a phishing link.<\/p>\n<p>This technique takes advantage of a security weakness that allows an untrusted app\u2014with the same \u201cbundle identifier\u201d as that of a legitimate app\u2014to replace the legitimate app on an affected device, while keeping all of the user\u2019s data. This vulnerability exists because iOS does not enforce matching certificates for apps with the same bundle identifier. Apple\u2019s own iOS platform apps, such as Mobile Safari, are not vulnerable.<\/p>\n<h3>Impact<\/h3>\n<p>An app installed on an iOS device using this technique may:<\/p>\n<ul>\n<li>Mimic the original app\u2019s login interface to steal the victim\u2019s login credentials.<\/li>\n<li>Access sensitive data from local data caches.<\/li>\n<li>Perform background monitoring of the user\u2019s device.<\/li>\n<li>Gain root privileges to the iOS device.<\/li>\n<li>Be indistinguishable from a genuine app.<\/li>\n<\/ul>\n<h3>Solution<\/h3>\n<p>iOS users can protect themselves from Masque Attacks by following three steps:<\/p>\n<ol>\n<li>Don\u2019t install apps from sources other than Apple\u2019s official App Store or your own organization.<\/li>\n<li>Don\u2019t click \u201cInstall\u201d from a third-party pop-up when viewing a web page.<\/li>\n<li>When opening an app, if iOS shows an \u201cUntrusted App Developer\u201d alert, click on \u201cDon\u2019t Trust\u201d and uninstall the app immediately.<\/li>\n<\/ol>\n<p>Further details on Masque Attack and mitigation guidance can be found on FireEye\u2019s blog <a href=\"http:\/\/www.fireeye.com\/blog\/technical\/cyber-exploits\/2014\/11\/masque-attack-all-your-ios-apps-belong-to-us.html\">[1]<\/a>. US-CERT does not endorse or support any particular product or vendor.<\/p>\n<h3>References<\/h3>\n<ul>\n<li><a href=\"http:\/\/www.fireeye.com\/blog\/technical\/cyber-exploits\/2014\/11\/masque-attack-all-your-ios-apps-belong-to-us.html\">[1] FireEye<\/a><\/li>\n<\/ul>\n<h3>Revision History<\/h3>\n<ul>\n<li>November 13, 2014: Initial Release<\/li>\n<\/ul>\n<hr>\n<p>This product is provided subject to this <a href=\"http:\/\/www.us-cert.gov\/privacy\/notification\">Notification<\/a> and this <a href=\"http:\/\/www.us-cert.gov\/privacy\/\">Privacy &amp; Use<\/a> policy.<\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>National Cyber Awareness System: TA14-317A: Apple iOS &#8220;Masque Attack&#8221; Technique 11\/13\/2014 09:17 AM EST Original release date: November 13, 2014 Systems Affected iOS devices running iOS 7.1.1, 7.1.2, 8.0, 8.1, and 8.1.1 beta. Overview A technique labeled \u201cMasque Attack\u201d allows &hellip; <a href=\"http:\/\/www.blueshell.im\/Blog\/?p=117\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":47,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[4],"tags":[],"_links":{"self":[{"href":"http:\/\/www.blueshell.im\/Blog\/index.php?rest_route=\/wp\/v2\/posts\/117"}],"collection":[{"href":"http:\/\/www.blueshell.im\/Blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.blueshell.im\/Blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.blueshell.im\/Blog\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"http:\/\/www.blueshell.im\/Blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=117"}],"version-history":[{"count":2,"href":"http:\/\/www.blueshell.im\/Blog\/index.php?rest_route=\/wp\/v2\/posts\/117\/revisions"}],"predecessor-version":[{"id":526,"href":"http:\/\/www.blueshell.im\/Blog\/index.php?rest_route=\/wp\/v2\/posts\/117\/revisions\/526"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/www.blueshell.im\/Blog\/index.php?rest_route=\/wp\/v2\/media\/47"}],"wp:attachment":[{"href":"http:\/\/www.blueshell.im\/Blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=117"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.blueshell.im\/Blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=117"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.blueshell.im\/Blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=117"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}