Masque Attacks are back: iPhones and iPads vulnerable to sensitive app data theft

Almost one third of all iPhones and iPads are at risk of attack due to vulnerabilities which could allow cybercriminals to steal sensitive data, hijack VPN connections or even destroy apps completely.

Back in November 2014, Apple responded to reports of a serious security flaw found in its iOS mobile operating system referred to as Masque Attack by saying that it was not aware of any case where the vulnerability was being exploited.

Eight months later the security company which originally uncovered the Masque Attack flaw - FireEye - has revealed that there are two new kinds of Masque Attack targeting iOS and that while Apple has partially patched them in the most recent update, more than one third of iPhone, iPad and iPod Touch users are still at risk.

The original Masque Attacks saw attackers take advantage of the fact that Apple does not enforce matching certificates for apps with the same bundle identifier. This means that a victim could click on a link claiming to be an update to a popular app like Angry Birds or Flappy Bird, while in fact it downloaded a piece of malware which looks like an app such as Gmail or your banking app.

One of the newest flaws revealed on Wednesday, 1 July, by FireEye is called Masque Extension and allows an attacker to access the data container of the target app meaning that information thought to be securely stored by the likes of banking, email and messaging apps is vulnerable.

Masque Extension

The attack takes advantage of the introduction of app extensions in iOS 8 which can be installed only together with an app.

While an app extension can execute code and is restricted to access data within its data container, a malicious extension using the same bundle identifier as the target app could give the attacker full access to the data container of the target app.

"An attacker can lure a victim to install an in-house app using enterprise provisioning from a website and to enable the malicious extension of the in-house app on his/her device," FireEye said.

In the video demonstration below you can see a user's Gmail content being siphoned off to the attackers' server without any indication on the infected device.

Manifest Masque

The second new attack vector is dubbed Manifest Masque and allows an attacker to demolish an existing app on iOS "when a victim installs an in-house iOS app wirelessly using enterprise provisioning from a website".

This means that even core apps such as Health, Watch or Apple Pay are vulnerable to being destroyed by a Manifest Masque attack.

Apple was notified by FireEye of these latest vulnerabilities in August and the security company says they have been "partially patched" with iOS 8.4 which was launched on Tuesday, 30 June.

However, as FireEye points out, over one third of all iOS devices currently in use have yet to upgrade beyond iOS 8.1.3, so there remains a huge number of devices out there which could be subject to attack.

VPN monitoring

A final attack - called Plugin Masque - was also revealed by FireEye, but this was been patched since iOS 8.1.3, according to the company. If exploited however, it could be potentially even more troubling than the other attack vectors as it allows for the replacement of a VPN plugin and potentially gives an attacker the ability to monitor all network traffic.

"We discovered that if an in-house app embeds a malicious VPN Plugin that has the same bundle ID as the legitimate VPN Plugin on the victim's iOS, the malicious VPN Plugin can be successfully installed and replace the legitimate one without any special entitlement," explain the researchers.

FireEye has not revealed if it has observed any of these attacks being exploited in the wild.

In the security advisory published by Apple for iOS 8.4, the company said that it "does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available".

The company patched a total of 30 bugs in iOS in its latest update.