Security research firm FireEye has warned iOS users about a vulnerability dubbed “Masque Attack” which allows infected copies of apps to overwrite (replace) legitimate iOS apps. The firm notes that the vulnerability occurs when using Apple’s enterprise/ad-hoc provisioning system. Apple offers this functionality to developers and enterprises so that they can install apps outside of the App Store for their users.
A person is required to provide a provisioning profile to be able to use the service. After that, an app can be downloaded and installed on a non-jailbroken iOS device from an external source. The problem is that Apple doesn’t authenticate apps as long as the bundle identifier for the apps is the same. The problem can be resolved if Apple starts matching certificates for applications that have the same bundle identifier. A hacker can use this vulnerability to make a user install an infected app, and it will replace its corresponding legitimate copy.
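The certificate-matching fix described above, sketched as an added example (a simplified model, not Apple's installer code or FireEye's tooling). The class, function names, bundle identifiers and certificate fingerprints are all hypothetical, constructed values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AppPackage:
    bundle_id: str
    signer_fingerprint: str  # constructed stand-in for the signing certificate hash
    source: str              # "app_store" or "enterprise"

def bundle_id_only_policy(installed, incoming):
    """Behaviour the article describes: a matching bundle identifier is enough."""
    return "replace" if incoming.bundle_id in installed else "install"

def certificate_matching_policy(installed, incoming):
    """Proposed fix: a replacement must be signed by the same certificate."""
    current = installed.get(incoming.bundle_id)
    if current is None:
        return "install"
    if current.signer_fingerprint == incoming.signer_fingerprint:
        return "replace"
    return "reject"

def flag_mismatched_signers(installed, candidates):
    """Bundle IDs of candidates that would overwrite an app from another signer."""
    return [c.bundle_id for c in candidates
            if certificate_matching_policy(installed, c) == "reject"]

# Constructed sample data: one installed app and three incoming packages.
INSTALLED = {
    "com.example.mail": AppPackage("com.example.mail", "AA11", "app_store"),
}
LEGIT_UPDATE = AppPackage("com.example.mail", "AA11", "app_store")
SPOOFED = AppPackage("com.example.mail", "FF99", "enterprise")
NEW_APP = AppPackage("com.example.notes", "BB22", "enterprise")

if __name__ == "__main__":
    for pkg in (LEGIT_UPDATE, SPOOFED, NEW_APP):
        print(pkg.bundle_id, pkg.source,
              "| bundle-id only:", bundle_id_only_policy(INSTALLED, pkg),
              "| cert match:", certificate_matching_policy(INSTALLED, pkg))
```

The same comparison can be run by a device-management team over an app inventory to spot installed apps whose signer differs from the one recorded for that bundle identifier.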
The other concerning area is the data. The malicious app is able to access the cached data. For those who aren’t aware of it, cached data is the log of files as well as the temporary files an app creates. This could include emails you had sent and received, and conversations you had, among other sensitive information.
FireEye says that it alerted Apple about this vulnerability on July 26; however, the company is yet to patch it. WireLurker, a piece of malware that affected many devices last month, was also using ‘Masque Attack’ over USB.
While the vulnerability can possibly affect lots of users, as it is able to install malware on a non-jailbroken iOS device, the good news is that the odds of that happening are pretty low at the moment. The reason is that a hacker would require the device to initiate the non-App Store installation. The attack would require an advanced form of phishing and social engineering.