Earlier this week, the internet was up in arms about a new iOS vulnerability, dubbed ‘Masque Attack’, that was discovered by security firm FireEye. Apple have released a statement to iMore pointing out that Masque Attack isn’t really a flaw at all, and that it’s ‘not aware’ of anyone who’s actually been affected by the attack.
As described by the researchers in a blog post with the hyperbolic title “all your apps belong to us”, ‘Masque Attack’ allows attackers to create a fake version of a legitimate app, which sits on top of the real app and siphons off data without the users noticing. Sounds scary, right? Not really. See, the ‘attack’ requires the user to first follow a dodgy-looking link, then click past an iOS pop-up warning people about downloading malicious apps. Not to mention, the hacker needs access to an iOS Developer Enterprise Program account. As Apple said:
“We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software,” an Apple spokesperson told iMore. “We’re not aware of any customers that have actually been affected by this attack. We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps. Enterprise users installing custom apps should install apps from their company’s secure website.”
If we pretend that ignoring the built-in safeguards and then downloading dodgy apps is a security flaw, then every single major operating system, mobile or otherwise, has a security flaw. The only worrying part about the ‘Masque Attack’ is that legit third-party apps can be compromised. But honestly, it’s not anything to worry about.
If anything, this proves that with the right marketing, almost anything can be spun into a security flaw these days. [iMore]

Ironically, the article just proves that if Apple marketing says it's not a flaw, you believe it without question. Cue scene of "These are not the droids you are looking for".
Let's look at reasons why:
"requires the user to first follow a dodgy-looking link". Right, well that can't possibly be camouflaged by using a redirect from a compromised but legitimate site, right? RIGHT???
"then click past an iOS pop-up warning people about downloading malicious apps." Which, if it's like any security pop up, tends to be indiscriminate, leading to them being almost ineffective.
Of course, if your IT department has created specific apps and are hosting them internally, then you're going to ignore all those warnings.
"Not to mention, the hacker needs access to an iOS Developer Enterprise Program account."
Oh noes, all hackers are belong to us now. Sigh.
The flaw is still there.
If anything, this proves that with the right marketing, almost anything can be spun into a 'there is no security flaw' message these days.
And everything can be blamed on the user.
Most of the "flaws" for Android were precisely this: something you expressly needed to turn off the option that blocks you from installing apps from outside sources, and yet Apple and a lot of the tech press always trumpeted it as a vulnerability.