Apple released patches for several exploits that could allow maliciously crafted applications to destroy apps that already exist on devices, access their data or hijack their traffic, but a large number of iOS devices are still vulnerable.
The vulnerabilities allow for so-called Masque attacks because they involve the impersonation of existing apps or their components. Three of them were patched in iOS version 8.1.3, which was released in January, and two newer ones were patched in iOS 8.4, released Tuesday.
In order to attack iOS devices with these flaws, hackers would have to trick their owners into installing rogue apps through the enterprise provisioning system. Companies use this mechanism to deploy in-house developed apps that are not published on the official App Store.
Using enterprise provisioning and legitimate or stolen enterprise certificates, attackers could convince users to install malicious apps that are hosted on rogue websites.
Security researchers from FireEye first reported the original application Masque attack in November last year, warning that the technique can be used to replace existing apps and access their data.
Since then, they have found and reported additional vulnerabilities that allow similar attacks. One, dubbed the URL Masque, allows hijacking inter-app communications and bypassing user confirmation prompts, while another, called the Plug-in Masque, allows attackers to replace existing VPN plug-ins, hijack device traffic and prevent devices from rebooting.
The URL Masque and Plug-in Masque vulnerabilities were patched together with the original App Masque flaw in iOS 8.1.3. However, the monitoring of Web traffic from several high-profile networks revealed that one third of iOS devices on those networks still run iOS versions older than 8.1.3.
On Tuesday, FireEye's researchers revealed two more Masque vulnerabilities, dubbed Manifest Masque and Extension Masque, after Apple partially fixed them in iOS 8.4.
The Manifest Masque flaw can be exploited by publishing a rogue manifest file alongside an in-house app on a provisioning website. Apple fails to check whether the bundle identifiers listed in provisioning manifest files match those of the provisioned apps, the FireEye researchers said in a blog post.
“If the XML manifest file on the website has a bundle identifier equivalent to that of another genuine app on the device, and the bundle-version in the manifest is higher than the genuine app’s version, the genuine app will be demolished down to a dummy placeholder, whereas the in-house app will still be installed using its built-in bundle id,” the researchers explained. “The dummy placeholder will disappear after the victim restarts the device.”
Meanwhile, the Extension Masque flaw is located in the app extension feature introduced in iOS 8 and can be exploited to access another app’s data or to prevent an existing app from accessing its own data.
Attackers could exploit it by creating a rogue app that registers an extension with the bundle identifier of an existing application. The extension would then gain full access to that other app’s data container, according to the FireEye researchers.
While a third of iOS devices continue to be vulnerable to all Masque attacks, there are likely many more that are only vulnerable to the most recently disclosed Manifest and Extension Masque flaws. The FireEye researchers advise users to update their devices as soon as possible and to keep them up to date in the future.