Auteur Sujet: [FireEye]iOS Masque Attack Revived: Bypassing Prompt for Trust and App URL Scheme Hijacking  (Lu 171 fois)

0 Membres et 1 Invité sur ce sujet

Hors ligne igor51

  • Admin
  • Mega Power Members
  • *****
  • Messages: 10351
iOS Masque Attack Revived: Bypassing Prompt for Trust and App URL Scheme Hijacking

In November of last year, we uncovered a major flaw in iOS we dubbed
    “    href="">Masque
  Attack” that allowed for malicious apps to replace existing,
  legitimate ones on an iOS device via SMS, email, or web browsing. In
  total, we have notified Apple of five security issues related to four
  kinds of Masque Attacks. Today, we are sharing Masque Attack II in the
  series – part of which has been fixed in the recent iOS 8.1.3 security
  content update [2].


Masque Attack II includes bypassing iOS prompt for trust and iOS URL
  scheme hijacking. iOS 8.1.3 fixed the first part whereas the iOS URL
  scheme hijacking is still present.


iOS app URL scheme “lets you communicate with other apps through a
  protocol that you define.” [1] By deliberately defining the same URL
  schemes used by other apps, a malicious app can still hijack the
  communications towards those apps and mount phishing attacks to steal
  login credentials. Even worse than the first Masque Attack [3],
  attackers might be able to conduct Masque Attack II through an app in
  the App Store. We describe these two parts of Masque Attack II in the
  following sections.


  Bypassing Prompt for Trust


When the user clicks to open an enterprise-signed app for the first
  time, iOS asks whether the user trusts the signing party. The app
  won’t launch unless the user chooses “Trust”.  Apple suggested
  defending against Masque Attack by the aid of this “Don’t Trust”
  prompt [8]. We notified Apple that this was inadequate.


We find that when calling an iOS URL scheme, iOS launches the
  enterprise-signed app registered to handle the URL scheme without
  prompting for trust. It doesn’t matter whether the user has launched
  that enterprise-signed app before. Even if the user has always clicked
  “Don’t Trust”, iOS still launches that enterprise-signed app directly
  upon calling its URL scheme. In other words, when the user clicks on a
  link in SMS, iOS Mail or Google Inbox, iOS launches the target
  enterprise-signed app without asking for user’s “Trust” or even
  ignores user’s “Don’t Trust”. An attacker can leverage this issue to
  launch an app containing a Masque Attack.


By crafting and distributing an enterprise-signed malware that
  registers app URL schemes identical to the ones used by legitimate
  popular apps, an attacker may hijack legitimate apps’ URL schemes and
  mimic their UI to carry out phishing attacks, e.g. stealing the login
  credentials. iOS doesn’t protect users from this attack because it
  doesn’t prompt for trust to the user when launching such an
  enterprise-signed malware for the first time through app URL scheme.
  In Demo Video 1, we explain this issue with concrete examples.


We’ve also found other approaches to bypass “Don’t Trust” protection
  through iOS springboard. We confirmed these problems on iOS 7.1.2,
  8.1.1, 8.1.2 and 8.2 beta. Recently Apple fixed these issues and
  acknowledged our findings in CVE-2014-4494 in the iOS 8.1.3 security
  content [2]. As measured by the App Store on 2 Feb 2015 [4], however,
  28% devices use iOS version 7 or lower, which are still vulnerable. Of
  the 72% iOS 8 devices, some are also vulnerable given that iOS 8.1.3
  came out in late January 2015. We encourage users to upgrade their iOS
  devices to the latest version as soon as possible.

Source: iOS Masque Attack Revived: Bypassing Prompt for Trust and App URL Scheme Hijacking