One of the most recent vulnerabilities facing cyber systems today is called the Masque Attack. This vulnerability, which affects Apple iOS systems, was identified by the United States Computer Emergency Response Team (CERT), which is part of the U.S. Department of Homeland Security. CERT released a formal alert for the Masque Attack vulnerability on November 13, 2014.
The Masque Attack vulnerability allows an attacker to replace a legitimate iOS app with substitute malicious software. The attack mainly relies on users being lax or uninformed: the user installs an app from an untrusted source or by clicking on a phishing link.
This vulnerability works because iOS does not enforce matching certificates for apps with the same bundle identifier. As a result, a malicious app with the same bundle identifier as a legitimate app can be installed on a user’s device in place of the legitimate one.
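The missing check can be applied after the fact to a device app inventory. The following is an added example, not part of the original article: it flags any app whose bundle identifier matches a tracked app but whose signing identity differs from the expected one. The record fields, signer labels and bundle identifiers are constructed assumptions.

```python
# Added example: audit an app inventory for Masque-style replacements.
# All records, field names and signer labels are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class InstalledApp:
    device: str
    bundle_id: str
    signer: str  # identity of the signing certificate (hypothetical field)


# Expected signer for each bundle identifier the organization relies on.
BASELINE = {
    "com.example.mail": "SIGNER-VENDOR-A",
    "com.example.bank": "SIGNER-VENDOR-B",
}

# Constructed inventory, e.g. as exported from a device management system.
INVENTORY = [
    InstalledApp("phone-01", "com.example.mail", "SIGNER-VENDOR-A"),
    InstalledApp("phone-02", "com.example.mail", "SIGNER-UNKNOWN-X"),
    InstalledApp("phone-02", "com.example.game", "SIGNER-VENDOR-C"),
    InstalledApp("phone-03", "com.example.bank", ""),
]


def audit(inventory, baseline):
    """Return (device, bundle_id, reason) for tracked apps with a wrong signer."""
    findings = []
    for app in inventory:
        expected = baseline.get(app.bundle_id.strip())
        if expected is None:
            continue  # untracked app: the identifier alone proves nothing
        if not app.signer:
            # No signer recorded: cannot confirm the app is the genuine one.
            findings.append((app.device, app.bundle_id, "signer missing"))
        elif app.signer != expected:
            # Same bundle identifier, different certificate: the Masque pattern.
            findings.append((app.device, app.bundle_id, "signer mismatch"))
    return findings


if __name__ == "__main__":
    for device, bundle_id, reason in audit(INVENTORY, BASELINE):
        print(f"{device}: {bundle_id}: {reason}")
```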
If you are a victim of the Masque Attack, you face some significant risks. By replacing and remaining indistinguishable from a legitimate app, the malicious app can steal your login credentials and access sensitive data from your device’s cache. The malicious app can also be granted root privileges to your iOS device and perform actions in the background, including monitoring your device and its status.
There are three simple steps to prevent yourself from becoming a victim of a Masque Attack on your iOS device.
First, never install apps from an untrusted source. Always download apps from Apple’s app store or from your own organization’s system.
Second, never click “Install” or select a link from a third-party app when you are browsing the Internet. Along the same lines, never click a link in an email if you aren’t absolutely certain you can trust the source of the email.
Lastly, if you open an app and your iOS device displays an alert stating “Untrusted App Developer”, immediately select “Don’t Trust”, uninstall the app, and review the first two steps described above!
The Masque Attack is a significant threat to iOS users; however, practicing sound, proven cyber security techniques will prevent you from becoming a victim and potentially having your sensitive and private data stolen.