Paulista - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Unmasking the Masque attack: Inside the iOS security flaw

The Masque attack is a malicious threat, yet Apple has downplayed the risk. Expert Nick Lewis explains how to keep employees from being tricked into installing malware.

No mobile application platform is immune to attack, even the once-perceived "most secure platform" that is Apple's iOS. And while users can believe what they're doing is not harmful, even the most diligent users can be deceived.

Last fall, security firm FireEye Inc. disclosed a flaw in the iOS platform that enabled legitimate downloaded apps to be replaced by malicious software -- one of the first samples of iOS malware the world has seen that does this.

The iOS security flaw exploited in the Masque attack uncovered and described by FireEye could be one of those vulnerabilities that can deceive diligent users and pose a major security risk to enterprise systems.

In this tip, I will discuss the Masque attack and how enterprises can defend against it.

Breakdown of the Masque attack

The vulnerability exploited in the Masque attack allows an attacker to pose as a legitimate iOS application. Because iOS did not verify if the bundle identifier used to identify the app matches the certificate used to sign the app, it is not flagged as suspicious or flawed in the iOS App Store. App developers sign apps to help users and the app store know they came from that developer. With this flaw, a malicious developer could use the bundle identifier for a legitimate application as part of an attack to trick users into installing the malware.

It is important to note that the Apple App Store isn't compromised as part of this attack; so instead, users are duped through social engineering.

Apple commented that it designed iOS "to help protect customers and warn them before installing potentially malicious software" -- which is exactly what iOS does when users are presented with the Masque attack. The store requires one button press on the "Trust" option for the attack to be successful. So while yes, users are warned, it is still far too easy for them to accidently make the wrong decision to install the malware.

Apple said that no customers have currently reported being affected by this attack. Apple didn’t vet apps published through the app store and didn't have controls in place to verify certificate details (including bundle identifier, name and other app details).

Defending against the Masque attack

US-CERT and FireEye have offered some relatively simple recommendations to help enterprises protect against the Masque attack. Top advice includes:

  • Keep up to date with iOS updates (as the vulnerability was patched by Apple);
  • Only install apps from the iOS App Store or an enterprise app store;
  • Don't click "install" when viewing a webpage pop-up; and
  • Uninstall any app that gives an error message about an untrusted developer.
With this flaw, a malicious developer could use the bundle identifier for an application as part of an attack to trick users into installing the malware.

In the workplace, enterprises should add to their security awareness program about the dangers of installing apps by clicking on links in email, social media, among others.

Enterprises with a mobile device management tool that manages iOS devices could scan for new provisioning profiles that indicate devices compromised by malware; they may even be able to uninstall the malicious app using the MDM. This brings up the constant question of whether the mobile device needs to be rebuilt or if the malware can just be removed. Since many mobile devices are automatically backed up (or should be) and have legitimate apps installed from app stores, the apprehension around losing data and reinstalling applications should not be as big of a concern.

Software developers and organizations creating mobile apps should never use direct links in emails to websites or pop-ups as part of app distribution. Using the Apple App Store for iOS and directing customers to download apps from it will help train users to not make risky app installation decisions. Developers with apps that are preinstalled could be protected from this type of attack since preinstalled apps can't be replaced. Developers could also set up an automated system to download their app from the app store and compare it to their legitimate app to verify app store publishing wasn't compromised.


Mobile security threats are constantly maturing in the ecosystem of malware. As mobile and other devices proliferate, their value to an attacker increases and they will inevitably face intense scrutiny to identify vulnerabilities attackers can profit from.

Balancing the openness to install any software while maintaining security is a difficult task for many organizations. The difficulty is magnified when it comes to closed ecosystems like the Apple App Store. Until better protection mechanisms are widely used on mobile devices, like an MDM or mobile antimalware tool, it is still the lowest risk to only download from the Apple app store.

About the author:
Nick Lewis, CISSP, is a program manager for the Trust and Identity in Education and Research initiative at Internet2, and previously was an information security officer at Saint Louis University. Nick received Master of Science degrees in information assurance from Norwich University in 2005 and in telecommunications from Michigan State University in 2002.

Next Steps

Learn about the updated security features in Apple iOS 8

Check out SearchConsumerization's guide to enterprise iOS management

This was last published in April 2015

Dig Deeper on Mobile security threats and prevention