iOS security hole allows attackers to poison already installed iPhone apps

Security researchers have warned of a security hole in Apple’s iOS devices that could allow attackers to replace legitimate apps with booby-trapped ones, an exploit that could expose passwords, e-mails, or other sensitive user data.

The “Masque” attack, as described by researchers from security firm FireEye, relies on enterprise provisioning to replace banking, e-mail, or other types of legitimate apps already installed on a targeted phone with a malicious one created by the adversary. From there, the attacker can use the malicious app to access sent e-mails, login credential tokens, or other data that belonged to the legitimate app.

“Masque Attacks can replace authentic apps, such as banking and e-mail apps, using attacker’s malware through the Internet,” FireEye researchers wrote in a blog post published Monday. “That means the attacker can steal user’s banking credentials by replacing an authentic banking app with an malware that has identical UI. Surprisingly, the malware can even access the original app’s local data, which wasn’t removed when the original app was replaced. These data may contain cached e-mails or even login-tokens which the malware can use to log into the user’s account directly.”

The attack works by presenting a targeted phone with a same sort of digital certificate large businesses use to install custom apps on employees’ iPhones and iPads, as long as both the legitimate app and the malicious app use the same bundle identifier. The attack requires some sort of lure to trick a target into installing the malicious app, possibly by billing it as an out-of-band update or a follow-on to an already installed app. Recently, the researchers uncovered evidence the attacks may be circulating online, they said without elaborating. The technique doesn’t work against iOS preinstalled apps such as Mobile Safari. FireEye researchers said they reported the vulnerability to Apple in July.

“By leveraging Masque Attack, an attacker can lure a victim to install an app with a deceiving name crafted by the attacker (like New Angry Bird), and the iOS system will use it to replace a legitimate app with the same bundle identifier,” Monday’s report stated. “Masque Attack couldn’t replace Apple’s own platform apps such as Mobile Safari, but it can replace apps installed from App Store.” From there attackers can:

Mimic the login interface of the replaced app to steal the victims’ login credentials

Access local data caches assigned to the replaced app to steal e-mails, login tokens, or other sensitive data

Install custom programming interfaces not approved by Apple onto victims’ phones

Bypass the normal app sandbox architecture built into iOS and possibly get root access by exploiting known iOS vulnerabilities, such as those recently targeted by the Pangu team.

Read more: iOS security hole allows attackers to poison already installed iPhone apps | Ars Technica.