Apple: Want a PATCH for iOS Masque attack? TOUGH LUCK, FANBOI

Apple has downplayed the Masque iOS security threat, saying no one has actually been affected by the security vulnerability. The Masque Attack opened by the security shortcoming creates a way for attackers to replace genuine iOS apps with malicious doppelgängers, as previously reported. Security firm FireEye warned about the …

  1. Anonymous Coward
    Anonymous Coward

    You'd think all those celeb photo leaks would have them on the defensive, but they're complacent as ever.

    As long as sales are good they'll not worry too much.

  2. JassMan Silver badge

    Just because the man on the street

    doesn't know how to find out if he has picked up malicious software, it doesn't mean that no fruity machines have been taken over by this dastardly piece of evilness. 90% of the population, having had their bank accounts, email accounts, their facebooks etc. taken over, wouldn't know whether it was the result of dodgy software on their phone, the result of a phishing attack on their desktop or the wife's dog having messed around with the bitch on heat 3 doors away.

    How can Apple continue to be so complacent about their security after so many fails in the past couple of years?

  3. MD Rackham

    "We've never had an undetected error"

    ...and other classics.

  4. Anonymous Coward
    Anonymous Coward

    Apple has downplayed the Masque iOS security threat, saying no one has actually been affected by the security vulnerability.

    Nobody has been affected yet? Oh well that's alright then... Stupid statements like that will just spur someone somewhere to prove him wrong.

    1. VinceH

      "Nobody has been affected yet? Oh well that's alright then..."

      Yeah, but don't forget:

      > We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software

      Users are warned.

      So that's definitely alright, then.

  5. Velv
    Facepalm

    Why do I have a feeling of déjà vu?

    "It's theoretical, it'll never happen". And then it did.

  6. Hud Dunlap
    Mushroom

    Cook strikes again

    It is your fault you didn't go through the app store.

  7. Vector
    Facepalm

    The sword of Damocles hangs over our heads...

    ...but it hasn't fallen yet, so there's nothing to worry about.

  8. Alan Denman

    Apple say 'it is cosy and warm in here'...

    Keeping the door closed they see no evil and speak no evil.

    The cold winter fall is only outside.

  9. Anonymous Coward
    Anonymous Coward

    It is pretty easy to close quickly by pulling the enterprise certificate

    Which they did in this case, quite quickly. They could further close the loop in two ways:

    1) when the enterprise certificate is pulled, ALL software signed by it is deactivated on ALL iOS devices (pain in the ass if a corp's legitimate certificate is stolen, but that would provide strong incentive to take very good care of it!)

    2) have a certificate associated with each app (if there isn't already one) that iOS can check when it is updated - that way there's no way to fake the bundle ID of a legitimate app and get access to that app's private data

  10. Anonymous Coward
    Anonymous Coward

    no iOS8 fanboi here

    FireEye's guide to prevention in the meantime..

    'iOS users can protect themselves from Masque Attacks by following three steps:

    Don’t install apps from third-party sources other than Apple’s official App Store or the user’s own organization.

    Don’t click “Install” on a pop-up from a third-party web page, no matter what the pop-up says about the app. The pop-up can show attractive app titles crafted by the attacker.

    When opening an app, if iOS shows an alert with “Untrusted App Developer”, click on “Don’t Trust” and uninstall the app immediately.'

    As it stands, I would not want a jailbroken device in my hands... potential minefield approaching.

  11. raving angry loony

    Apple marketing.

    You have to admit, they're consistent:

    we went from "you're holding it wrong" when the reception sucked,

    to "you're storing it wrong" when it bent while in people's pockets,

    and now "your security expectations are wrong" from people who actually expect a minimum of security.

    I can only wonder what their next attempt to blame everyone but themselves will be.

  12. Henry Wertz 1 Gold badge

    Historically, what Apple would do to make sure their products are free from flaws, is scour their forums for any mention of a defect, remove those posts, then remove the posts wondering why the first posts were removed. Problem solved, then they can say there's no mention of a problem, so it probably doesn't exist.

    "WireLurker claimed a small number of victims (principally in China), according to Kaspersky Lab, a finding that runs contrary to Apple's assurance to nobody has been hit."

    Well, I suppose the iPhones in China are black market, the owners are therefore unpersons and do not count.

    Seriously, Apple, if you want people to take your products seriously, you must take security seriously.

    1. Anonymous Coward
      Anonymous Coward

      "WireLurker claimed a small number of victims (principally in China), according to Kaspersky Lab, a finding that runs contrary to Apple's assurance to nobody has been hit."

      Wirelurker is looking to sell its products. Wirelurker "claims".... FUD

  13. Destroy All Monsters Silver badge
    Paris Hilton

    I misread this as "ISIS Mosque" attack

    Am I being unduly influenced by Amurrican reporting?

  14. Anonymous Coward
    Anonymous Coward

    Can somebody tell me why this is actually bad?

    Okay, let's say I click through all the necessary links and dialogs to allow a "malicious" app to be installed, then I run it.

    Apps are still sandboxed. So what is this "malicious" app going to do to me?

    Maybe it can get my GPS coordinates, or my contact list. After I agree to more dialog boxes. (Unlikely.) It's not the end of the world.

    1. Anonymous Coward
      Anonymous Coward

      Re: Can somebody tell me why this is actually bad?

      It'll have to ask your permission to get your location, or access your contacts, so the danger there really isn't any more than with any other app.

      It sounds like the main danger is accessing private app data by masquerading as another app, i.e. if it uses the same ID as Facebook, it could get access to your Facebook password and cached data. If it uses the same ID as your email app, it can get your email password and cached email (and of course login as you to get ALL your email).

      So it is really more of a targeted attack that could go after, say, a popular banking app that stores a bit too much private data on the phone. So if you are able to access your bank account with a "convenient" app that has saved your login/password, that info isn't quite as safe as you might have thought (though you still have to approve installation of an app using some weird enterprise certificate, so it requires a certain level of naivete on the part of the target).

      Apple may be ignoring it a bit too much, but the fandroids are acting like the sky is falling when this is nothing compared to some of the real malware Android has faced even from the Play store, let alone from third party app stores like this attack relies upon.

      1. Anonymous Coward
        Anonymous Coward

        Re: Can somebody tell me why this is actually bad?

        "It sounds like the main danger is accessing private app data by masquerading as another app. i.e. if it uses the same ID as Facebook, it could get access to your Facebook password and cached data."

        Not sure what you mean by "using the same ID."

        I guess somebody could make an app that *looks* like the Facebook app, with a similar login prompt, and thus try to trick you into typing in your user name/password...

        1. Anonymous Coward
          Anonymous Coward

          @AC - "using the same ID"

          My understanding is that each app has a unique ID associated with it. If someone can trick an iOS user into installing an app from an untrusted app developer, it can be called whatever it likes, but if it uses Facebook's ID it gets access to Facebook's private data. It doesn't have to fool you into thinking it is Facebook; if you start the app it could get access to the Facebook app's private data and immediately upload it all.

          Of course most of us say "who cares" about Facebook, this would be more of a problem with an app like Mail+, which I use to make an OWA connection to read business email (I use it instead of Apple's Mail app because I do NOT want my phone to be "managed" by someone else who can change security measures like making my lock screen timeout 2 minutes, and be able to remotely wipe my device!)

          Maybe I'm wrong and it has to claim to BE Facebook, which raises the bar, but the basic attack mechanism remains the same.
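The two fixes proposed in comment 9 (pull a certificate and everything it signed goes dark; tie each app to a signing identity that is checked on update) and the bundle-ID masquerade the replies above describe can be modelled as a small install-policy gate. This is an added example, not code from The Register, FireEye or Apple, and it does not describe how iOS actually enforces code signing: the `SignedApp` and `InstallPolicy` names, the team IDs and bundle IDs are constructed, and the rules are the commenter's proposal expressed as code.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SignedApp:
    """One app bundle as presented for installation (constructed model)."""
    bundle_id: str   # e.g. "com.example.bank": the identity that keys the app's private data
    team_id: str     # signing identity: the developer or enterprise team behind the certificate
    source: str      # "app_store" or "enterprise" (enterprise = out-of-store distribution)


class InstallPolicy:
    """Hypothetical install gate implementing the two proposals from comment 9."""

    def __init__(self):
        self.installed = {}         # bundle_id -> SignedApp currently on the device
        self.revoked_teams = set()  # enterprise certificates that have been pulled

    def install(self, app):
        """Return (allowed, reason). Rejects revoked signers and bundle-ID hijacks."""
        if app.team_id in self.revoked_teams:
            return False, f"signer {app.team_id} is revoked"
        existing = self.installed.get(app.bundle_id)
        if existing is not None and existing.team_id != app.team_id:
            # Proposal 2: an update must come from the same signing identity as the
            # app it replaces; otherwise a masquerade would inherit the bundle's data.
            return False, (f"bundle {app.bundle_id} already installed from "
                           f"{existing.team_id}; refusing update signed by {app.team_id}")
        self.installed[app.bundle_id] = app
        return True, "installed"

    def revoke_team(self, team_id):
        """Proposal 1: pulling a certificate deactivates everything it signed."""
        self.revoked_teams.add(team_id)
        removed = sorted(b for b, a in self.installed.items() if a.team_id == team_id)
        for bundle_id in removed:
            del self.installed[bundle_id]
        return removed


def demo():
    """Walk through the masquerade scenario with constructed identifiers."""
    policy = InstallPolicy()
    policy.install(SignedApp("com.example.bank", "TEAM_LEGIT", "app_store"))
    # Replacement attempt: same bundle ID, different (enterprise) signer.
    hijack_ok, hijack_reason = policy.install(
        SignedApp("com.example.bank", "TEAM_ENT_X", "enterprise"))
    # A genuine update from the original signer still goes through.
    update_ok, _ = policy.install(SignedApp("com.example.bank", "TEAM_LEGIT", "app_store"))
    # A legitimate corporate app whose certificate later gets pulled.
    policy.install(SignedApp("com.corp.tool", "TEAM_CORP", "enterprise"))
    deactivated = policy.revoke_team("TEAM_CORP")
    return {"hijack_ok": hijack_ok, "hijack_reason": hijack_reason,
            "update_ok": update_ok, "deactivated": deactivated,
            "still_installed": sorted(policy.installed)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model makes the trade-off in the thread visible: the same-signer rule stops a differently signed bundle from taking over an existing bundle ID (and its data), while revocation removes a whole team's apps at once, which is exactly the "pain" the commenter notes for a stolen corporate certificate.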

    2. Anonymous Coward
      Anonymous Coward

      Re: Can somebody tell me why this is actually bad?

      I love how my post is attracting a bunch of downvotes but no explanation of how a "malicious" iOS app is going to harm me.

      I can only imagine how many people were overwhelmed with schadenfreude to hear about a security flaw with Apple's stuff, and then crushed to realize that it's not really that big a deal because of Apple's other security measures. Sorry guys, Apple's software really is quite good. I know it's a big disappointment.

      1. Simon Taylor 1

        Re: Can somebody tell me why this is actually bad?

        It's so good, that for over a year, iOS accepted any certificate, whether the common name matched or not, during an SSL negotiation.

      2. Simon Taylor 1

        Re: Can somebody tell me why this is actually bad?

        Are you serious?

        You install your favourite, legitimate app to backup your contacts to cloud storage. It therefore has permissions to read your contacts and to access the internet. Of course, it does exactly what you want.

        Mr Nasty now replaces that app with one that looks exactly the same. It has the same permissions as the app it replaced so it now slurps up all of your contacts and copies them to www.badstuff.com.

        The continued arrogant complacency of Apple apologists is sickening.

  15. Not That Andrew

    Apple are probably stalling to let their chums at the TLAs rewrite their "security" tools.

  16. ElsmarMarc

    This site being what it is, I'm seriously concerned. I expect more academic replies. From getting the cert on - It's a non-issue. Sure are a lot of Apple haters here. This is little more than a proof of concept. The issue is FUD.

    1. Simon Taylor 1

      There are a lot of Apple haters everywhere. Hard not to be whilst they continue to lie and treat their customers with such contempt. In a recent hackathon, iOS vs Android vs Windows, guess which one fell first? Yep, iOS, as usual, and as usual, via Safari. If they were humble and honest, it might be different but they are arrogant, complacent, dishonest and sneering - actually, sums up a sizable portion of their user base too.
