{"id":6833,"date":"2014-11-12T10:00:48","date_gmt":"2014-11-12T15:00:48","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=6833"},"modified":"2014-11-12T10:00:48","modified_gmt":"2014-11-12T15:00:48","slug":"ios-security-hole-allows-attackers-to-poison-already-installed-iphone-apps","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2014\/11\/12\/ios-security-hole-allows-attackers-to-poison-already-installed-iphone-apps\/","title":{"rendered":"iOS security hole allows attackers to poison already installed iPhone apps"},"content":{"rendered":"<p style=\"text-align:center;\"><a href=\"http:\/\/arstechnica.com\/security\/2014\/11\/ios-security-hole-allows-attackers-to-poison-already-installed-iphone-apps\/\"><img data-recalc-dims=\"1\" height=\"613\" width=\"640\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/11\/masque-attack-example-640x613.jpg?resize=640%2C613\" alt=\"\" \/><\/a><\/p>\n<p>Security researchers have warned of a security hole in Apple&#8217;s iOS devices that could allow attackers to replace legitimate apps with booby-trapped ones, an exploit that could expose passwords, e-mails, or other sensitive user data.<\/p>\n<p>The &#8220;Masque&#8221; attack, as described by researchers from security firm FireEye, relies on enterprise provisioning to replace banking, e-mail, or other types of legitimate apps already installed on a targeted phone with a malicious one created by the adversary. From there, the attacker can use the malicious app to access sent e-mails, login credential tokens, or other data that belonged to the legitimate app.<\/p>\n<p>&#8220;Masque Attacks can replace authentic apps, such as banking and e-mail apps, using attacker&#8217;s malware through the Internet,&#8221; FireEye researchers wrote in a blog post published Monday. 
&#8220;That means the attacker can steal user&#8217;s banking credentials by replacing an authentic banking app with a malware that has identical UI. Surprisingly, the malware can even access the original app&#8217;s local data, which wasn&#8217;t removed when the original app was replaced. These data may contain cached e-mails or even login-tokens which the malware can use to log into the user&#8217;s account directly.&#8221;<\/p>\n<p>The attack works by presenting a targeted phone with the same sort of digital certificate large businesses use to install custom apps on employees&#8217; iPhones and iPads, as long as both the legitimate app and the malicious app use the same bundle identifier. The attack requires some sort of lure to trick a target into installing the malicious app, possibly by billing it as an out-of-band update or a follow-on to an already installed app. Recently, the researchers uncovered evidence the attacks may be circulating online, they said without elaborating. The technique doesn&#8217;t work against iOS preinstalled apps such as Mobile Safari. FireEye researchers said they reported the vulnerability to Apple in July.<\/p>\n<p>&#8220;By leveraging Masque Attack, an attacker can lure a victim to install an app with a deceiving name crafted by the attacker (like New Angry Bird), and the iOS system will use it to replace a legitimate app with the same bundle identifier,&#8221; Monday&#8217;s report stated. 
&#8220;Masque Attack couldn&#8217;t replace Apple&#8217;s own platform apps such as Mobile Safari, but it can replace apps installed from App Store.&#8221; From there attackers can:<\/p>\n<ul>\n<li>Mimic the login interface of the replaced app to steal the victims&#8217; login credentials<\/li>\n<li>Access local data caches assigned to the replaced app to steal e-mails, login tokens, or other sensitive data<\/li>\n<li>Install custom programming interfaces not approved by Apple onto victims&#8217; phones<\/li>\n<li>Bypass the normal app sandbox architecture built into iOS and possibly get root access by exploiting known iOS vulnerabilities, such as those recently targeted by the Pangu team.<\/li>\n<\/ul>\n<p>Read more: <a href=\"http:\/\/arstechnica.com\/security\/2014\/11\/ios-security-hole-allows-attackers-to-poison-already-installed-iphone-apps\/\" target=\"_blank\">iOS security hole allows attackers to poison already installed iPhone apps | Ars Technica<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security researchers have warned of a security hole in Apple&#8217;s iOS devices that could allow attackers to replace legitimate apps 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[2,7],"tags":[342,549,1177],"class_list":["post-6833","post","type-post","status-publish","format-standard","hentry","category-apple","category-security","tag-exploits","tag-ios","tag-vulnerabilities"]}