Security firm FireEye has documented what it claims is a serious vulnerability in iOS, dubbed Masque, following the discovery of active attacks - but Apple is downplaying the company's concerns.
Apple's iOS platform shares the same underlying kernel as OS X, but is tailored specifically for the company's mobile and embedded devices: the iPhone, iPad, iPod Touch and Apple TV. Part of this tailoring includes a heavier focus on security through the provision of a locked-down ecosystem which prevents installation of third-party software not obtained through the company's own App Store. It's possible to circumvent this restriction - a process known as 'jailbreaking' - but the vast majority of users do not do so.
While locking users to its own App Store provides Apple with an obvious financial benefit, it also serves to protect the users themselves: software listed on the App Store has, at least in theory, gone through a vetting procedure which checks to see if the app is in any way malicious or misleading.
Sadly, security researchers at FireEye have detailed an attack on the closed ecosystem which exposes iOS users to the threat of malicious software even without jailbreaking their devices. Dubbed Masque, the company claims to have first spotted the vulnerability in July, but has now gone public with its findings after finding the flaw under active attack. In its announcement
, the company claims that a new malware dubbed WireLurker is using a modified Masque attack to gain illicit access to personal data on iOS devices over USB but that 'Masque Attacks can pose much bigger threats than WireLurker.
'Masque Attacks can replace authentic apps,such as banking and email apps, using attacker's malware through the Internet. That means the attacker can steal user's banking credentials by replacing an authentic banking app with an malware that has identical UI. Surprisingly, the malware can even access the original app's local data, which wasn't removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user's account directly.
Apple has now responded to the company's claims, but while it isn't denying that the Masque vulnerability is real it has said that it has no evidence it is under exploitation. 'We're not aware of any customers that have actually been affected by this attack,
' a statement from Apple to press claimed. 'We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps. Enterprise users installing custom apps should install apps from their company's secure website.
Apple has not yet indicated when a fix for the Masque vulnerability will be made available. FireEye also has no workaround or mitigation for the latest iOS 8 builds, simply suggesting 'taking extra caution when installing apps.