FireEye warns Masque Attack flaw in iOS leaves iPads, iPhones vulnerable to hackers
A MAJOR flaw that puts nearly all iPhones and iPads at risk of being hacked has been identified. Here’s what you need to do to avoid the threat.
COMPUTER security firm FireEye has warned of a flaw in Apple’s iOS mobile operating system that puts iPhones and iPads at risk of being hacked by apps that can disguise themselves as the genuine article.
In a blog post, FireEye warned that the “Masque Attack” flaw in iOS 7 and iOS 8 is present on about 95 per cent of all iPhones and iPads, which means data-pilfering malicious apps can disguise themselves as legitimate programs.
In an example of how an attack would work, FireEye sent a link to a test case user inviting them to download a new Flappy Bird update.
When the person clicked the link, they unknowingly downloaded a hacked update to the legitimate Gmail app.
The hacked Gmail app could look identical to the real thing but be sending a copy of all email to a third party.
FireEye says the same technique could be used to dupe people into uploading malicious versions of banking apps that forward financial details, including passwords, to the hacker.
The security firm warns that the Masque Attack “can pose much bigger threats than WireLurker”, another potential security flaw in iOS that was revealed last week.
The FireEye blog warns Masque Attack works because hackers could disguise a malicious app by using the “bundle identifier”, a digital certificate used by legitimate apps that identifies updates.
“We disclosed this vulnerability to Apple in July,” the FireEye blog says.
“Because all the existing standard protections or interfaces by Apple cannot prevent such an attack, we are asking Apple to provide more powerful interfaces to professional security vendors to protect enterprise users from these and other advanced attacks.”
Apple has not made a statement about the potential security threat.
To avoid the threat, FireEye says there are three rules every iPhone and iPad user should follow:
1. Don’t install apps from third-party sources other than Apple’s official App Store or the user’s own organisation.
2. Don’t click “Install” on a pop-up from a third-party web page.
3. When opening an app, if iOS shows an alert with “Untrusted App Developer”, click on “Don’t Trust” and uninstall the app immediately.