Apple responds to Masque Attack concerns, says unaware of affected users
Days after the public disclosure of an iOS vulnerability called "Masque Attack," Apple late Thursday issued a statement regarding the potentially malicious software, saying default OS X and iOS security settings are enough to thwart attacks.
In a statement provided to iMore, Apple responded to media reports portraying Masque Attack as a major threat to iOS security, a platform many consider to be one of the safest consumer solutions in the world.
We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software. We're not aware of any customers that have actually been affected by this attack. We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps. Enterprise users installing custom apps should install apps from their company's secure website.
The comments are in line with AppleInsider's analysis of the threat. As reported earlier this week, Masque Attack does not spread on its own and can only affect users who intentionally disable default security settings and manually bypass Apple safeguards to install unsigned code.
According to computer security firm FireEye, which discovered Masque Attack earlier this year, the attack revolves around phony apps that masquerade as legitimate software, such as banking apps or finance programs. Because a phony app mimics the user interface of the program it replaces, users may be tricked into entering sensitive login information that is subsequently sent to a remote command-and-control server.
Distributed through email or malicious websites, these fake apps take advantage of Apple's Enterprise provisioning system, which does not check that an app sharing an installed app's bundle identifier was signed with the same code signing certificate. To avoid downloading malicious software, users should not install apps distributed outside of the iOS App Store or secure corporate servers.
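The bundle-identifier reuse described above is something an administrator can look for in a device app inventory. The following is an added example, not code from the article, FireEye or Apple: it assumes a constructed inventory format in which each installed app records its bundle ID, the Team ID of its code-signing identity, and whether it came from the App Store or an enterprise channel, and flags apps that collide with a known bundle ID but carry a different signer.

```python
"""
Flag Masque-style app substitution in a device app inventory.

The inventory records, field names and Team IDs below are constructed
sample data (assumptions, not any MDM vendor's schema). A finding is
raised when an app whose bundle ID matches a watched App Store app was
provisioned outside the App Store and its signing Team ID differs from
the one the legitimate app is expected to carry.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class InstalledApp:
    bundle_id: str
    team_id: str   # Team ID from the app's code-signing identity (constructed)
    source: str    # "appstore" or "enterprise" (constructed labels)


# Expected signing Team ID per watched bundle ID (constructed values).
EXPECTED_TEAM = {
    "com.example.bank": "BANKTEAM01",
    "com.example.mail": "MAILTEAM02",
}


def find_masqueraders(inventory):
    """Return (bundle_id, team_id) for apps that reuse a watched bundle ID
    but were installed from a non-App-Store source with a different signer."""
    findings = []
    for app in inventory:
        expected = EXPECTED_TEAM.get(app.bundle_id)
        if expected is None:
            continue  # bundle ID not on the watch list
        if app.source != "appstore" and app.team_id != expected:
            findings.append((app.bundle_id, app.team_id))
    return findings


# Constructed sample inventory: a legitimate App Store app, an enterprise-
# signed app reusing the bank's bundle ID, and an unrelated in-house app.
SAMPLE_INVENTORY = [
    InstalledApp("com.example.mail", "MAILTEAM02", "appstore"),
    InstalledApp("com.example.bank", "ENTXYZ999", "enterprise"),
    InstalledApp("com.corp.internal", "CORPTEAM77", "enterprise"),
]

if __name__ == "__main__":
    for bundle_id, team_id in find_masqueraders(SAMPLE_INVENTORY):
        print(f"possible Masque substitution: {bundle_id} signed by {team_id}")
```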
Apple has subsequently posted a support document detailing custom enterprise apps.