Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Apple responds to Masque Attack concerns, says unaware of affected users

Last updated

Coming days after the discovery of an iOS vulnerability called "Masque Attack" was made public, Apple late Thursday issued a statement regarding the potentially malicious software, saying default OS X and iOS security settings are enough to thwart attacks.

In a statement provided to iMore, Apple responded to media reports propping up Masque Attack as a major threat to iOS security, which many consider to be one of the safest consumer solutions in the world.

We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software. We're not aware of any customers that have actually been affected by this attack. We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps. Enterprise users installing custom apps should install apps from their company's secure website.

The comments are in line with AppleInsider's analysis of the threat. As reported earlier this week, Masque is not viral and can only affect users who intentionally disable default security settings and manually bypass Apple safeguards to install unsigned code.

According to computer security firm FireEye, which discovered Masque Attack earlier this year, the attack revolves around phony apps that masquerade as legitimate software, such as banking apps or finance programs. Because a phony app mimics the user interface of the program it replaces, users may be tricked into entering sensitive login information that is subsequently sent to an off-site command and control server.

Distributed through email or malicious websites, these fake apps take advantage of Apple's Enterprise provisioning system, which does not verify code signing certificates for apps that use identical bundle identifiers. To avoid downloading malicious software, users should not install apps distributed outside of the iOS App Store or secure corporate servers.

Apple has subsequently posted a support document detailing custom enterprise apps.



51 Comments

solipsismy 10 Years · 5099 comments

It's funny that this gets more press than the actual exploits that in years past have allowed phones to be jailbroken simply by going to a website. Some of those hacks were indeed clever and could have caused serious harm if the developer had been black hat. This Masque Attack is like worrying that a jet engine will fall through your bedroom and kill you. Beware the white rabbit. [quote name="Tallest Skil" url="/t/183416/apple-responds-to-masque-attack-concerns-downplays-threat-to-user-privacy#post_2639201"]8.1.1 in a week or so to make this moot.[/quote] How will 8.1.1 keep from circumventing the enterprise provisioning profiles?

applesauce007 17 Years · 1703 comments

Apple makes a good point in asking where are the affected users. The media, the researchers and the government are trying to make this something that it is not. Blowing this into something it's not does not help anyone.

welshdog 22 Years · 1898 comments

I find it difficult to only use the App Store for software downloads. There are a lot of good apps that for one reason or another are not available there. Carbon Copy Cloner, Indigo (home automation), CrushFTP, various Tivo interface apps, printer software and so on are not on the App Store. I also have things that use Java which I know plenty of people think is a terrible, but I don't really have a choice in the matter. I can complain to the developers and device manufacturers, but I'm pretty sure that falls on deaf ears. Of course Apple uses an amazing java app in their customer service centers and for At Home Advisors, so maybe Java isn't all that bad?

djsherly 15 Years · 1029 comments

Apparently only 9 people have bent iphones too.