“Masque Attack” has been gaining quite a bit of attention lately. Because the malicious app is masked as a legitimate application, unsuspecting users grant it access to secure information such as usernames, passwords and account information. At first glance, this seems like a significant security risk and a frightening possibility: the apps you use on a regular basis could be subverted by an ill-meaning developer. What many gloss over in reporting on “Masque Attack” are the steps required to actually get a malicious app onto an iOS device.
These malicious applications take advantage of Apple’s Enterprise Developer Program, a program in which developers make and distribute apps for a company’s internal use without first submitting the application to Apple’s App Store for review. There are many legitimate reasons for this use case: the app may still be in testing and not yet ready for public release, or it may be a tool for the business only, with no use case in the public App Store. Since these applications are not available in the App Store, they are installed on iOS devices through a very different process.
Here at Foundation we recommend using Mobile Device Management, or MDM, software to install these sorts of applications. MDM grants IT control over how enterprise applications get deployed on user devices rather than entrusting end users to install non-App Store apps unsupervised.
Enterprise applications can still be installed without MDM via a website whose link could be sent to a device in an email or text message. This should be an immediate red flag to any iOS user. The usual process for downloading an application involves going through the App Store. Hopefully, you and your colleagues know the risks associated with clicking mysterious links – viruses being among them.
So, if you find yourself on a strange website being prompted to install an application, that should be your first warning. If the application is installed on your device, you’ll be prompted with a notification explaining the iOS application is from an “Untrusted App Developer” while also asking if you explicitly trust the application. Quick tip: don’t trust it.
On top of all this, if Apple identifies an Enterprise account as abusing its abilities or discovers that the account is behind one of these malicious apps, Apple can revoke the account’s developer certificate, which in turn will stop the application from being downloaded on an iOS device in the first place.
All in all, if you want to avoid falling victim to one of these applications, do not install applications from any source other than the App Store. If you do receive a prompt to trust an “untrusted app developer,” do not trust the application.
Following these simple steps will help keep you safe.