Apple has responded to revelations that iPhones and iPads are vulnerable to an exploit known as Masque Attack, saying it is not aware of any users being affected.

Earlier this week US security firm FireEye revealed details about a vulnerability it had discovered in iOS which allowed legitimately downloaded apps to be compromised by malicious software downloaded after the initial app install.

FireEye said the threat, dubbed Masque Attack, was greater than that posed by WireLurker, a piece of malware targeting users in China which was uncovered last week.

On Thursday evening, Apple issued an official response to the Masque Attack threat, and unsurprisingly it claims there is little to be worried about, telling iMore:

We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software. We're not aware of any customers that have actually been affected by this attack. We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps. Enterprise users installing custom apps should install apps from their company's secure website.

CERT warning

While Apple is clearly trying to play down the threat from Masque Attack, the simple fact it has been moved to respond is an indication that this is a viable threat.

Another reason for Apple's response was the issuing of a warning by the United States Computer Emergency Readiness Team (US-CERT) about the potential dangers of Masque Attack.

It said that the vulnerability "allows an attacker to substitute malware for a legitimate iOS app under a limited set of circumstances."

Apple has updated its knowledge base article about installing custom enterprise apps, telling users: "Never install apps from third-party websites or links you don't recognise and trust, even if the app name seems familiar."

Business risk

This exploit takes advantage of a security weakness that allows an untrusted app — with the same "bundle identifier" as that of a legitimate app — to replace the legitimate app on an affected device, while keeping all of the user's data.

This vulnerability exists because iOS does not enforce matching certificates for apps with the same bundle identifier. While most apps are at risk, those pre-installed on iPhones and iPads, such as Safari and Apple Maps, are not.
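The missing check described above can be applied from the outside by an organisation that keeps an inventory of the apps on its devices. The following Python sketch is an added example, not code from Apple, FireEye or US-CERT; the record format, device names, bundle identifiers and signer IDs are all constructed assumptions.

```python
# Added example: every device name, bundle identifier and signer ID is constructed.
from typing import NamedTuple

class AppRecord(NamedTuple):
    device: str
    bundle_id: str
    signer_id: str  # identity of the certificate that signed the installed app

class SignerChange(NamedTuple):
    device: str
    bundle_id: str
    old_signer: str
    new_signer: str

def signer_changes(previous, current):
    """Flag apps that kept their bundle identifier but changed signer between
    two inventory snapshots, the mismatch iOS did not enforce on install."""
    seen = {(r.device, r.bundle_id): r.signer_id for r in previous}
    changes = []
    for r in current:
        old = seen.get((r.device, r.bundle_id))
        # Apps with no earlier record have no baseline to compare against.
        if old is not None and old != r.signer_id:
            changes.append(SignerChange(r.device, r.bundle_id, old, r.signer_id))
    return changes

# Constructed snapshots, in a hypothetical export format.
PREVIOUS = [
    AppRecord("ipad-017", "com.example.mail", "TEAM-A"),
    AppRecord("ipad-017", "com.example.notes", "TEAM-B"),
    AppRecord("iphone-042", "com.example.mail", "TEAM-A"),
]
CURRENT = [
    AppRecord("ipad-017", "com.example.mail", "TEAM-X"),    # same bundle ID, new signer
    AppRecord("ipad-017", "com.example.notes", "TEAM-B"),   # unchanged
    AppRecord("iphone-042", "com.example.mail", "TEAM-A"),  # unchanged
    AppRecord("iphone-042", "com.example.chat", "TEAM-C"),  # new install, no baseline
]

if __name__ == "__main__":
    for c in signer_changes(PREVIOUS, CURRENT):
        print(f"{c.device}: {c.bundle_id} signer {c.old_signer} -> {c.new_signer}")
```

A developer who legitimately re-signs an app under a new certificate will be flagged too, so each finding needs review rather than automatic action.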

While there are potential pitfalls for the general public, businesses are likely to be at greatest risk from this threat, as they typically update their enterprise apps from their own websites, and so employees would be used to seeing popups on their phones and tablets telling them an update was available.

The US-CERT issues this advice to make sure your iPhone or iPad isn't at risk:

  • Don't install apps from sources other than Apple's official App Store or your own organisation
  • Don't click "Install" from a third-party pop-up when viewing a web page
  • When opening an app, if iOS shows an "Untrusted App Developer" alert, click on "Don't Trust" and uninstall the app immediately