In early November, another Apple vulnerability made news in the technology world, and this time, it’s an interesting one. It’s also one that relies upon cybercriminals’ favorite “assistants” (people) to start the chain of intrusion.
Technically, the bug isn’t a bug (a code defect) at all. It’s a built-in, but flawed, capability that unfortunately encourages foolish behavior. The Apple operating system, iOS, has a feature called enterprise provisioning that lets users download apps through links rather than going to Apple’s App Store. It is intended for developers (and one can assume from the name, enterprises) to distribute software to more devices, more quickly.
Hackers discovered that the feature’s design allows replacement software (e.g. updates) to be installed without matching security certificates. Each iOS app has a unique “tag” called a bundle identifier, and if a new app comes along with the same identifier as a previously installed, non-default app, iOS will install it as a replacement without checking that the two apps’ certificates match.
Hackers realized they could create malware with the same bundle identifier as an existing, commonly installed app, give it an interesting name (or call it an update) and send it via email to users, who would probably download and install it. They were right.
Once a user clicks the link and downloads the malware, the malicious app can steal data off the phone, potentially including sensitive information. Fortunately for iOS users and the companies that allow them on their networks, the enterprise provisioning feature is not a default function. Users must install a special setting before they can enable it. Dubbed Masque Attack by security firm FireEye, which discovered it, the vulnerability affects devices running iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta.
For corporations with iOS devices running on their networks, the “patch” is simple: tell employees not to install any new app through a link they receive. A pop-up warning before the app installs even gives users a chance to cancel the download.
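Beyond user guidance, the condition this attack relies on (same bundle identifier, different signer) can be checked across a fleet. The following is an added example, not code from the original article or from FireEye; the inventory fields, app names and signer names are constructed assumptions and do not correspond to any specific MDM product.

```python
from collections import Counter, defaultdict
from typing import NamedTuple

class App(NamedTuple):
    device: str
    bundle_id: str
    signer: str   # signing identity as reported by the inventory (assumed field)
    source: str   # "appstore" or "enterprise" (assumed field)

def audit(inventory, known_signers, trusted_enterprise):
    """Return sorted (device, bundle_id, reason) findings for a fleet inventory."""
    # Fleet view: which signers have been seen for each bundle identifier.
    seen = defaultdict(Counter)
    for app in inventory:
        seen[app.bundle_id][app.signer] += 1

    findings = set()
    for app in inventory:
        expected = known_signers.get(app.bundle_id)
        if expected is None and len(seen[app.bundle_id]) > 1:
            # No baseline entry: fall back to the signer most devices report.
            # (A tie needs manual review; the sample data below has none.)
            expected = seen[app.bundle_id].most_common(1)[0][0]
        if expected is not None and app.signer != expected:
            # Same bundle identifier, different signer: the Masque condition.
            findings.add((app.device, app.bundle_id, "signer-mismatch"))
        elif app.source == "enterprise" and app.signer not in trusted_enterprise:
            findings.add((app.device, app.bundle_id, "untrusted-enterprise-signer"))
    return sorted(findings)

# Constructed sample data for illustration only.
KNOWN = {"com.example.mail": "Example Mail Inc."}
TRUSTED = {"Corp IT"}
SAMPLE = [
    App("phone-01", "com.example.mail", "Example Mail Inc.", "appstore"),
    App("phone-02", "com.example.mail", "Example Mail Inc.", "appstore"),
    App("phone-03", "com.example.mail", "Unknown Dev Ltd", "enterprise"),
    App("phone-01", "com.example.chat", "Chat Co", "appstore"),
    App("phone-02", "com.example.chat", "Chat Co", "appstore"),
    App("phone-03", "com.example.chat", "Other Signer", "enterprise"),
    App("phone-02", "com.corp.timesheet", "Corp IT", "enterprise"),
    App("phone-03", "com.corp.game", "Unknown Dev Ltd", "enterprise"),
]

if __name__ == "__main__":
    for device, bundle_id, reason in audit(SAMPLE, KNOWN, TRUSTED):
        print(f"{device}: {bundle_id} -> {reason}")
```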
From a broader perspective, however, the solution is not so clear. As the number of Apple devices continues to climb, a growing pool of hackers finds iOS worth exploiting. Hackers have already found and exploited several Apple bugs, including one that affected SSL/TLS, a protocol that allows secure information exchange across the Internet.
In other words, Apple isn’t invulnerable, as many aficionados have proclaimed for years. It’s just never been a big enough target to be worth attacking. Now, apparently, it is.