[SECURITY-L] TA14-317A: Apple iOS "Masque Attack" Technique

CSIRT - UNICAMP security em unicamp.br
Fri Nov 14 09:11:20 -02 2014


-------- Forwarded Message --------
Subject: 	TA14-317A: Apple iOS "Masque Attack" Technique
Date: 	Thu, 13 Nov 2014 10:18:31 -0600
From: 	US-CERT <US-CERT em ncas.us-cert.gov>
Reply-To: 	US-CERT em ncas.us-cert.gov
To: 	daniela em ccuec.unicamp.br




NCCIC / US-CERT

National Cyber Awareness System:

TA14-317A: Apple iOS "Masque Attack" Technique
<https://www.us-cert.gov/ncas/alerts/TA14-317A>
11/13/2014 09:17 AM EST

Original release date: November 13, 2014


      Systems Affected

iOS devices running iOS 7.1.1, 7.1.2, 8.0, 8.1, and 8.1.1 beta.


      Overview

A technique labeled “Masque Attack” allows an attacker to substitute
malware for a legitimate iOS app under a limited set of circumstances.


      Description

Masque Attack was discovered and described by FireEye mobile security
researchers.[1]
<http://www.fireeye.com/blog/technical/cyber-exploits/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html>
The attack works by luring users to install an app from a source other
than the iOS App Store or their organization's provisioning system. For
the attack to succeed, a user must install an untrusted app, typically
one signed with an enterprise or ad-hoc provisioning profile and
delivered over the air through a phishing link or a web-page pop-up.

This technique takes advantage of a security weakness that allows an
untrusted app with the same "bundle identifier" as a legitimate app to
replace that app on an affected device while keeping all of the user's
local data. The vulnerability exists because iOS treats the install as
an update of the existing app and does not check that the replacement is
signed with the same developer certificate as the app it overwrites;
only the bundle identifier has to match. Apple's own iOS platform apps,
such as Mobile Safari, cannot be replaced this way.
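The following script is added here as an illustration and is not part of the US-CERT alert or of FireEye's write-up. It shows the check an MDM or app-vetting pipeline can run over an .ipa to catch the precondition described above: it pairs the CFBundleIdentifier from the app's Info.plist with the TeamIdentifier in its embedded provisioning profile and flags any app that reuses a known bundle identifier under a different signing team, or that ships a known App Store bundle identifier under an enterprise (ProvisionsAllDevices) profile. The allowlist, the team identifiers and the sample .ipa built in memory are constructed for the demonstration and are not real vendor values.

```python
"""Flag .ipa files whose bundle identifier collides with a known app but
whose signing team differs (the Masque Attack precondition)."""
import io
import plistlib
import re
import zipfile

# Constructed allowlist of bundle id -> expected Apple Team ID. The team ids
# are placeholders for the demonstration, not real vendor values.
KNOWN_APPS = {
    "com.example.bank": "ABCDE12345",
    "com.example.mail": "FGHIJ67890",
}

# embedded.mobileprovision is a CMS (PKCS#7) blob wrapping an XML plist;
# carving the plist out by its markers is enough to read the profile fields.
_PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)
_INFO_RE = re.compile(r"Payload/[^/]+\.app/Info\.plist")


def provisioning_plist(blob: bytes) -> dict:
    """Extract the plist dictionary from a CMS-wrapped provisioning profile."""
    m = _PLIST_RE.search(blob)
    if not m:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(m.group(0))


def inspect_ipa(ipa_bytes: bytes) -> dict:
    """Return the bundle id, signing team and profile type of the app in an .ipa."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        names = zf.namelist()
        info_path = next(n for n in names if _INFO_RE.fullmatch(n))
        app_dir = info_path.rsplit("/", 1)[0]
        bundle_id = plistlib.loads(zf.read(info_path))["CFBundleIdentifier"]
        profile_path = app_dir + "/embedded.mobileprovision"
        team_id, enterprise = None, False
        if profile_path in names:
            profile = provisioning_plist(zf.read(profile_path))
            team_id = profile.get("TeamIdentifier", [None])[0]
            # ProvisionsAllDevices is set only in enterprise (in-house) profiles,
            # the over-the-air distribution channel a Masque app relies on.
            enterprise = bool(profile.get("ProvisionsAllDevices", False))
    return {"bundle_id": bundle_id, "team_id": team_id, "enterprise": enterprise}


def masque_findings(app: dict, known: dict = KNOWN_APPS) -> list:
    """List the reasons an inspected app looks like a Masque substitute."""
    findings = []
    expected = known.get(app["bundle_id"])
    if expected is None:
        return findings  # bundle id not in the allowlist; nothing to collide with
    if app["team_id"] != expected:
        findings.append(
            f"{app['bundle_id']} signed by team {app['team_id']}, expected {expected}"
        )
    if app["enterprise"]:
        findings.append(
            f"{app['bundle_id']} is a known bundle id but ships under an enterprise profile"
        )
    return findings


def build_sample_ipa(bundle_id: str, team_id: str, enterprise: bool) -> bytes:
    """Construct a minimal .ipa in memory for the demonstration (not a real app)."""
    info = plistlib.dumps({"CFBundleIdentifier": bundle_id, "CFBundleName": "Demo"})
    profile = {
        "TeamIdentifier": [team_id],
        "Entitlements": {"application-identifier": f"{team_id}.{bundle_id}"},
    }
    if enterprise:
        profile["ProvisionsAllDevices"] = True
    # Junk bytes on both sides stand in for the real CMS signature wrapper.
    profile_blob = b"\x30\x82\x01\x00cms-header" + plistlib.dumps(profile) + b"cms-trailer"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/Demo.app/Info.plist", info)
        zf.writestr("Payload/Demo.app/embedded.mobileprovision", profile_blob)
    return buf.getvalue()


if __name__ == "__main__":
    genuine = build_sample_ipa("com.example.bank", "ABCDE12345", False)
    masque = build_sample_ipa("com.example.bank", "ZZZZZ99999", True)
    for label, ipa in (("genuine", genuine), ("masque", masque)):
        app = inspect_ipa(ipa)
        print(label, app, masque_findings(app) or "OK")
```

The allowlist is the piece that makes the check meaningful: a fleet inventory of the App Store bundle identifiers your users actually run, with the publisher's Team ID, is what lets you tell a legitimate update from a same-bundle-id replacement signed by someone else.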


      Impact

An app installed on an iOS device using this technique may:

  * Mimic the original app’s login interface to steal the victim’s login
    credentials.
  * Access sensitive data from local data caches.
  * Perform background monitoring of the user’s device.
  * Gain root privileges to the iOS device.
  * Be indistinguishable from a genuine app.


      Solution

iOS users can protect themselves from Masque Attacks by following three
steps:

 1. Don’t install apps from sources other than Apple’s official App
    Store or your own organization.
 2. Don’t click “Install” from a third-party pop-up when viewing a web page.
 3. When opening an app, if iOS shows an “Untrusted App Developer”
    alert, click on “Don’t Trust” and uninstall the app immediately.

Further details on Masque Attack and mitigation guidance can be found on
FireEye’s blog [1]
<http://www.fireeye.com/blog/technical/cyber-exploits/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html>.
US-CERT does not endorse or support any particular product or vendor.


      References

  * [1] FireEye
    <http://www.fireeye.com/blog/technical/cyber-exploits/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html>


      Revision History

  * November 13, 2014: Initial Release


----- End forwarded message -----



More details about the SECURITY-L mailing list