In November of last year, we uncovered a major flaw in iOS we dubbed
“ href="https://www.fireeye.com/blog/threat-research/2014/11/masque-attack-all-your-ios-apps-belong-to-us.html">Masque
Attack” that allowed for malicious apps to replace existing,
legitimate ones on an iOS device via SMS, email, or web browsing. In
total, we have notified Apple of five security issues related to four
kinds of Masque Attacks. Today, we are sharing Masque Attack II in the
series – part of which has been fixed in the recent iOS 8.1.3 security
content update [2].
Masque Attack II includes bypassing iOS prompt for trust and iOS URL
scheme hijacking. iOS 8.1.3 fixed the first part whereas the iOS URL
scheme hijacking is still present.
iOS app URL scheme “lets you communicate with other apps through a
protocol that you define.” [1] By deliberately defining the same URL
schemes used by other apps, a malicious app can still hijack the
communications towards those apps and mount phishing attacks to steal
login credentials. Even worse than the first Masque Attack [3],
attackers might be able to conduct Masque Attack II through an app in
the App Store. We describe these two parts of Masque Attack II in the
following sections.
When the user clicks to open an enterprise-signed app for the first
time, iOS asks whether the user trusts the signing party. The app
won’t launch unless the user chooses “Trust”. Apple suggested
defending against Masque Attack by the aid of this “Don’t Trust”
prompt [8]. We notified Apple that this was inadequate.
We find that when calling an iOS URL scheme, iOS launches the
enterprise-signed app registered to handle the URL scheme without
prompting for trust. It doesn’t matter whether the user has launched
that enterprise-signed app before. Even if the user has always clicked
“Don’t Trust”, iOS still launches that enterprise-signed app directly
upon calling its URL scheme. In other words, when the user clicks on a
link in SMS, iOS Mail or Google Inbox, iOS launches the target
enterprise-signed app without asking for user’s “Trust” or even
ignores user’s “Don’t Trust”. An attacker can leverage this issue to
launch an app containing a Masque Attack.
By crafting and distributing an enterprise-signed malware that
registers app URL schemes identical to the ones used by legitimate
popular apps, an attacker may hijack legitimate apps’ URL schemes and
mimic their UI to carry out phishing attacks, e.g. stealing the login
credentials. iOS doesn’t protect users from this attack because it
doesn’t prompt for trust to the user when launching such an
enterprise-signed malware for the first time through app URL scheme.
In Demo Video 1, we explain this issue with concrete examples.
We’ve also found other approaches to bypass “Don’t Trust” protection
through iOS springboard. We confirmed these problems on iOS 7.1.2,
8.1.1, 8.1.2 and 8.2 beta. Recently Apple fixed these issues and
acknowledged our findings in CVE-2014-4494 in the iOS 8.1.3 security
content [2]. As measured by the App Store on 2 Feb 2015 [4], however,
28% devices use iOS version 7 or lower, which are still vulnerable. Of
the 72% iOS 8 devices, some are also vulnerable given that iOS 8.1.3
came out in late January 2015. We encourage users to upgrade their iOS
devices to the latest version as soon as possible.