Third-party app data at risk from iOS 'Masque' flaw

Unencrypted data from third-party apps on Apple iOS devices could be accessed and stolen through the 'Masque' flaw in the company's iOS mobile operating system, researchers have found.

The Masque bug, revealed earlier this month, allows attackers to replace genuine App Store applications on user devices with malware through enterprise provisioning.

Enterprise provisioning allows businesses to deploy their own apps on Apple devices without needing to have them reviewed them in the App Store.

Once installed, the malware can replace genuine applications - such as banking apps - to steal user credentials and access the legitimate application's local data. The flaw is found in all current versions of iOS.

Apple's failure to enforce matching digital certificates for applications with the same bundle identifier means attackers can replace legitimate downloads with malware.

Enterprise provisioning and mobile device management systems are unable to tell the difference between malware and genuine apps under one bundle ID, making it easy to hide the malware on user devices.

In further testing of the flaw, researchers from IT security firm Trend Micro discovered that malicious apps installed with the Masque attack can access not only data from the apps they replace, but unencrypted data used by other legitimate, third-party applications on the user device.

The researchers tested a number of iOS messaging and communications apps including WhatsApp, which is likely to have addressed the issue through its new end-to-end encryption. 

They found that some did not encrypt the data in their databases, meaning it could be accessed and potentially stolen by malware downloaded through Masque.

"Perhaps what makes Masque Attack more of a real threat is that enterprise provisioning is currently being used by third-party app sites, especially those based in China," the researchers wrote.

"One particular third-party app store in China has even developed offline terminals that provide free installation of apps on Android and iOS devices. The installations on the latter rely on enterprise provisioning.

"The terminals can be found in areas with large traffic such as airports, cinemas, and even KTVs. While it may provide an easier way of installing apps to devices, security could instead be compromised."

Trend Micro found the same issue did not exist in Android versions of the same applications, which did encrypt their databases.

The researchers attributed the additional security measure to the higher rate of attacks against Android compared to iOS, suggesting that developers on the Apple platform might not have seen the need for encryption.

Trend Micro urged iOS app developers not to be complacent about application security, and warned Apple device end users to practice "extreme caution" before downloading any software from outside the App Store and trusted sources.

Apple last week said it was not aware of any customers being affected by the attack, despite IT security firm FireEye claiming to have had found evidence that attackers were starting to deploy apps through Masque.

"We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software," it said in a statement.

"We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps. Enterprise users installing custom apps should install apps from their company’s secure website."