Apparently, it's the season for novel iOS security exploits. Researchers at FireEye say they've discovered a vulnerability, nicknamed "Masque Attack," that lets malicious websites replace legitimate apps with malware. If ne'er-do-wells have an enterprise developer account or your device's universal device identifier, they can send you a request to install new software outside of the App Store. Since iOS doesn't double-check that the security certificates match when the app bundle IDs are the same, it lets the rogue code overwrite the real deal and swipe data (including from the original app). FireEye says it notified Apple about the exploit in July, but the technique still works the iOS 8.1.1 beta.
We've reached out to Apple for its response to the flaw. Whatever its solution may be, the practical threat to your iOS gear is relatively low. Perpetrators effectively have to hit the jackpot; they not only need the privileges to install an untrusted app over the web, but your explicit permission. Apple can also disable enterprise apps by revoking certificates, so outbreaks are likely to be limited. You'll still want to exercise caution, but you'll likely be fine so long as you stick to downloading from the App Store.
Photo by Will Lipman.
Filed under: Cellphones, Internet, Mobile, Apple
Via: 9to5Mac
Source: FireEye
0 comments:
Post a Comment