Apple has released a statement and support document that outlines the potential security issue behind Masque Attack while also making it very clear that so long as people stay within its walled garden, they’ll be perfectly fine.
Apple’s iOS mobile platform has long been regarded as one of the more secure out there, and while Android has had more than its fair share of security scares over the years, Apple has survived largely unscathed.
That hasn’t stopped some nefarious entities from having a go at sneaking onto the iPhones and iPads of the unsuspecting masses, though. When a security research firm announced that it had discovered a potential security threat allowing the installation of malware that could mimic real apps so well that users would enter their credentials without realizing, everyone sat up and took notice.
Discovered by research firm FireEye, Masque Attack is made possible because iOS doesn’t verify code signing certificates for apps that use the same bundle identifier. This means that attackers could take advantage of the way apps are installed in the enterprise to get malware onto phones and tablets.
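The check that is missing can be shown with a toy model. This is an added example, not Apple's or FireEye's code: the Device class, the signer strings and the bundle identifier are constructed, and it assumes the fix is to compare the signing identity of the installed app with that of the incoming one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    bundle_id: str  # constructed value, e.g. "com.example.mail"
    signer: str     # stand-in for the code signing certificate identity
    source: str     # "app_store" or "enterprise"


class Device:
    """Toy installed-app table keyed by bundle identifier (hypothetical model)."""

    def __init__(self, verify_signer):
        self.verify_signer = verify_signer
        self.installed = {}

    def install(self, app):
        current = self.installed.get(app.bundle_id)
        # Hardened policy: an app may only replace one signed by the same identity.
        if current is not None and self.verify_signer and current.signer != app.signer:
            return False
        # Without the check, a matching bundle identifier is enough to replace.
        self.installed[app.bundle_id] = app
        return True


def simulate(verify_signer):
    """Install a genuine app, then a lookalike reusing its bundle identifier."""
    device = Device(verify_signer)
    genuine = App("com.example.mail", "signer-A", "app_store")
    lookalike = App("com.example.mail", "signer-B", "enterprise")
    device.install(genuine)
    accepted = device.install(lookalike)
    return accepted, device.installed["com.example.mail"].signer


def same_signer_update_allowed():
    """A legitimate update (same signer) must still pass the hardened check."""
    device = Device(verify_signer=True)
    device.install(App("com.example.mail", "signer-A", "app_store"))
    return device.install(App("com.example.mail", "signer-A", "app_store"))


if __name__ == "__main__":
    print("no signer check:  ", simulate(False))
    print("with signer check:", simulate(True))
    print("same-signer update allowed:", same_signer_update_allowed())
```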
Apple, though, is quick to point out that there are plenty of safeguards in place to prevent such attacks, including the App Store itself. In a statement to iMore, Apple said that:
We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software. We’re not aware of any customers that have actually been affected by this attack. We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps. Enterprise users installing custom apps should install apps from their company’s secure website.
It’s important to remember that Masque Attack isn’t viral and cannot be used to install anything without a user first initiating the process. That means clicking links in emails or on websites, for example, and even then iOS will warn the user about potential risks by seeking confirmation of the installation. If you see a message that you don’t understand or simply were not expecting, don’t click the ‘Trust’ button.
It really is as simple as that.
It was just yesterday that the U.S. Government issued a warning to iOS users about this dreaded vulnerability. But seeing how Apple is well aware of the whole situation, it’s safe to say that we’re in good hands, for now.