The iOS “Masque Attack” Scare: Is it Really Anything to Worry About?

Scott Calonico

Tapple iphonehe media just love scandals related to IT security and privacy these days. They seem to find even more enthusiasm when Apple is involved.

The most recent big story was related to the security of iCloud, following the release of nude celebrity photos from various iCloud accounts. In reality, this story was something of a storm in a teacup, as the hackers who accessed the pictures seem far more likely to have taken advantage of naïve user practices (in the form of poor password security), than inherent flaws in iCloud security.

Even so, Apple took steps to bolster security and, perhaps rather unfairly, plenty of people still refer to iCloud as not being particularly secure.

Now, we have a new Apple security story to dissect, in the form of the “Masque Attack” scare.

Masque Attack exploits a “vulnerability” in the iOS operating system in use on millions of iPhones and iPads. Discovered by FireEye, a network security company, the flaw potentially allows hackers to swap legitimate iOS apps with fake apps containing dangerous malware.

On the face of it, it sounds pretty scary. It certainly sounded scary enough for the US Department of Homeland Security to issue an advisory warning about it. This move obviously gave the press even more to say on the matter. However, when you delve into the detail, it’s not really all as serious as the media would have you believe.

The Reality

In the real world, the only way to exploit Masque Attack is to convince an iOS user to install an app from somewhere other than the Apple App Store. Given that this is the only place the vast majority of users would ever go to install apps, the threat immediately seems less serious than the headlines might suggest.

There ARE other ways to install apps, and one of them is via private app stores on enterprise-managed iDevices. There’s also been talk that malicious links could be exploited in text messages and emails to convince people to install unofficial apps containing malware.

However, as recently as last week, Apple released a statement that said they were “not aware of any customers that have actually been affected by (the) attack.” They did, however, advise users to only use the official App Store or their own company’s secure store, in the case of enterprise users.

Advice

Once again, it does seem like the latest Apple security scare has been somewhat blown out of proportion. However, there are some sensible steps you and your users should take:

  • Only install apps from the App Store.
  • Be wary of any links pertaining to upgrade apps. Legitimate updates are installed automatically or on demand from the App Store, depending on how this is configured in iOS settings.
  • Ensure that private company app stores are well managed, and that malicious apps are not allowed to creep in that way.
  • Appreciate that “jail-breaking” iOS devices absolves Apple of any responsibility for security. There’s every reason to believe that hackers will try to exploit this devices, just as those providing pirate software often hide viruses within.