Researchers at FireEye have discovered a pathway for malware makers and data snoopers to install iOS software that replaces well-known apps while retaining any data associated with those apps. This allows an attacker to access locally cached mail in Gmail, impersonate your bank's app, and more. Installation still requires the active participation of naive users, but the outcome is substantially worse than previously thought.
It's a two-part method for ne'er-do-wells to carry out this attack, which has a lot of self-limiting aspects, as serious as it could be. First, they need to obtain either an ad hoc or enterprise provisioning profile through Apple, which means they need a developer account — inexpensive, but it does require one-at-a-time setup and verification, and carries some measure of identity and trackability. I expect that some developers will have their accounts hacked in order to make use of this vector. Apple didn't respond to a request for comment. (Apple still doesn't have two-factor authentication enabled for Apple IDs in its developer center, though it uses other methods of tracking and notification of changes.)
These provisioning profiles contain digital certificates that bypass Apple's normal app installation limit that all apps must come from the App Store. The ad hoc profile lets a developer distribute testing versions of software to a very small number of people (up to 100 devices using their unique hardware ID). The enterprise (company) version is for firms that want to develop and distribute in-house software to employees. The yearly fee is $99 for a regular developer license and $299 for the enterprise version. (Apple purchased TestFlight, a beta distribution service, and now allows sending out in-progress builds to up to 1,000 accounts and unlimited devices, but the distribution workflow is quite different.)
These profiles aren't binary executables: they're XML documents that can be delivered and installed in all manner of ways, including via email or a Web site download, and over USB, cellular, or Wi-Fi. These are more powerful than configuration profiles, which may be used to set up an email account without entering the details and for other purposes, but a user installs them the same way: a simple tap for Install; with ad hoc, there's an extra step to tap Trust when the app is launched.
This is a well-known situation, and hasn't seemed worth exploiting until now because the certificates used in the profile are issued, checked, and may be revoked by Apple. A villain would have to get someone to install a profile and run an app, and then ostensibly enter personal data or allow access to parts of the system, such as Contacts, to phone anything useful home. This could be a method to run sandbox exploits in iOS, where an app could break through Apple's code moats that keep app environments ostensibly separate, but the bar is so high, it wouldn't seem like a worthwhile investment of time and the subsequent loss of valuable certificates once uncovered by security folks or Apple.
It's the second part, though, that truly escalates the risk into something to worry about. Attackers can use the app identifier (its bundle ID, a public bit of text) for any iOS app except Apple's built-in ones to replace that program on installation. Apple not only doesn't cross-check the certificate to make sure that the app being replaced matches the original developer's signature, but also retains any associated data caches. The install message can be benign, offering to install "New Flappy Bird," but then install an app named and identified however the attacker likes. The cuckoo's egg is laid in iOS, hatches on launch, and can greedily devour any "food" around it, like email messages, documents, and the like.
FireEye reported this issue first to Apple in July, the firm writes on its blog, and then went public on November 10 when it found its so-called Masque Attack in the wild.
This is a potent one-two punch, but it has significant limits. Rich Mogull, a principal at Securosis, an independent security research and consulting firm (and, disclosure, old friend), finds FireEye's explanation credible and the exploit concerning, but thinks because of the limitations, it will be used only for attacking specific individuals or organizations. He notes that because Apple can revoke certificates, and users have to be fooled into installing the profile, there's no vector for a mass assault.
FireEye's advice is good wisdom any time, however: don't install or trust anything in iOS you didn't specifically request or intend to install. If you work at a company, agency, or group that could be a spearphishing target, this is another tool in the arsenal for such attacks. And Apple should be able to fix this problem by adding a certificate check before one app replaces another — assuming it agrees it's a problem. Based on its recent rapid response to security issues, one hopes an improvement will be shipped soon.
