Apple Says iOS Is Secure From Masque Attack, If You Follow Best Practices
A recently discovered vulnerability in iOS set off panic alarms due to the nasty nature of it. Security researchers warned that malicious apps installed using enterprise/ad-hoc provisioning would be able to replace legitimate apps on a user's iOS device. Dubbed "Masque Attack," it prompted a warning from the U.S. government, setting off even more alarms. Apple's response? Chill out.
We're paraphrasing, of course. Apple's official response is a bit more lengthy and boils down to advising iOS users to only download apps from trusted sources like the App Store. The Cupertino outfit also advised paying attention to any warnings that pop up rather than automatically dismissing them.
"We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software," an Apple spokesperson told iMore. "We're not aware of any customers that have actually been affected by this attack. We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps. Enterprise users installing custom apps should install apps from their company's secure website."
At present, the only way to fall prey to a Masque Attack is by being duped into installing a malicious program from a third-party source. Attackers use deceptive names to try and trick users -- for example, you might receive a link via text message or email to install "New Flappy Bird" or something similar. If you fall for it, the malicious program will get busy overwriting legitimate apps on your phone, like your banking app. Everything will appear normal when you use it, except that you'll be sharing your sensitive information with the attacker when you fire up the overwritten app.
As Apple suggests, your best defense is yourself. Limiting downloads to Apple's App Store should keep you safe.
We're paraphrasing, of course. Apple's official response is a bit more lengthy and boils down to advising iOS users to only download apps from trusted sources like the App Store. The Cupertino outfit also advised paying attention to any warnings that pop up rather than automatically dismissing them.
"We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software," an Apple spokesperson told iMore. "We're not aware of any customers that have actually been affected by this attack. We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps. Enterprise users installing custom apps should install apps from their company's secure website."
At present, the only way to fall prey to a Masque Attack is by being duped into installing a malicious program from a third-party source. Attackers use deceptive names to try and trick users -- for example, you might receive a link via text message or email to install "New Flappy Bird" or something similar. If you fall for it, the malicious program will get busy overwriting legitimate apps on your phone, like your banking app. Everything will appear normal when you use it, except that you'll be sharing your sensitive information with the attacker when you fire up the overwritten app.
As Apple suggests, your best defense is yourself. Limiting downloads to Apple's App Store should keep you safe.
