
Researchers Expose Attack on iOS That Can Break System Apps


Karamjit


Companies should rush into applying iOS 8.4 to their devices

Among the security vulnerabilities addressed by Apple in iOS 8.4, released on Tuesday, are two that can be leveraged by an attacker to break system apps on a device or to replace a genuine app with a malicious one and steal its content.

Exploiting the flaws is possible on both jailbroken and non-jailbroken devices from Apple and requires the victim to install an in-house developed app, which is certified and provisioned within the Enterprise Developer Program.

These are signed apps created in Xcode by companies for their employees; they are distributed outside the App Store, can be delivered wirelessly, and their distribution is limited to the organization’s devices.

Manifest Masque attack can render system apps inoperable

Taking advantage of the vulnerabilities has been dubbed “Masque Attacks” by security experts at FireEye. The compromise is possible because iOS does not distinguish between apps with the same bundle identifier by comparing their certificates.

The first attack detailed by FireEye, “Manifest Masque,” has been addressed by Apple in iOS 8.4, but researchers say that the fix is not complete, without offering any info on current methods of compromise on this version of the operating system.

Manifest Masque exploits two vulnerabilities (CVE-2015-3722 and CVE-2015-3725) and it can be used to cause both App Store and system apps (Apple Watch, Health, Pay, Store, Safari, Settings) to stop functioning; they are not available even if the device is restarted.

Phishing is another risk as the threat actor could deliver an app that impersonates a legitimate one and collect sensitive data or expand the attack. iOS versions 7.x and 8.x up to 8.4 are affected.

As its name suggests, the attack relies on altering the manifest file (an XML containing metadata of the in-house software) for the malicious app, so that the bundle identifier matches the one of the target.

Although Apple’s official documentation states that the identifier in the manifest has to be the same as the one specified in the Xcode project of the in-house app, no mechanism exists to validate this.

Basically, if the XML advertises “a bundle identifier equivalent to that of another genuine app on the device, and the bundle-version in the manifest is higher than the genuine app’s version, the genuine app will be demolished down to a dummy placeholder, whereas the in-house app will still be installed using its built-in bundle id,” researchers say.

FireEye demonstrated the exploit (video embedded below) and broke multiple system apps, including Gmail downloaded from the App Store. All the user had to do was click once on a link pointing to a fake in-house app.

Malicious extensions seamlessly steal info from legit apps

Apple’s introduction of the app extension feature in iOS 8 increased the functionality of apps, as well as the attack surface for Masque attacks. Extensions can be installed only together with an app.

“An app extension can execute code and is restricted to access data within its data container,” FireEye says. A malicious extension using the same bundle identifier as the targeted app could give a threat actor full access to sensitive information such as emails.

“An attacker can lure a victim to install an in-house app using enterprise provisioning from a website and to enable the malicious extension of the in-house app on his/her device,” the researchers said.

In the demonstration of the vulnerability (available below), FireEye shows how a victim’s Gmail content can be sent to the attacker’s server, without any sign of malicious activity on the device.

The experts found that an Extension Masque attack can go completely undetected if the malicious code is delivered before the targeted app is installed. Under this scenario, full access to the data container is gained and the original software would continue to function normally.

In the opposite case, when the malicious extension is added after the targeted app, the latter would be prevented from accessing the data container and could even crash.

However, users would most likely fail to recognize this sign of nefarious activity and re-install the app, which then recovers, recreating the first scenario.

VPN traffic hijacking and monitoring on iOS lower than 8.1.3

FireEye disclosed another attack called Plugin Masque, which exploits a vulnerability related to CVE-2014-4493, patched in iOS 8.1.3. The damage potential is also significant as it can be used to replace the legitimate VPN plugin and hijack protected traffic exchanged via this service.

“We discovered that if an in-house app embeds a malicious VPN Plugin that has the same bundle id as the legitimate VPN Plugin on the victim’s iOS, the malicious VPN Plugin can be successfully installed and replace the legitimate one without any special entitlement,” explain the researchers.

When the victim connects over VPN, all the traffic is visible to the threat actor and can be hijacked. What is worse, even if the VPN app with the malicious code is uninstalled, it is restored after rebooting the device.

As of June 22, 84% of Apple’s mobile users ran iOS 8 on their devices. According to FireEye’s web traffic monitoring, almost 31% of iOS devices are powered by an iOS version that is lower than 8.1.3, hence are vulnerable to all three newly disclosed Masque attacks.

Until iOS 8.4 is adopted, company iDevices remain exposed to Manifest and Extension Masque attacks.

Manifest Masque attack:

Extension Masque attack:

Plugin Masque attack:

From
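The manifest check that the article says Apple’s documentation requires but iOS never validated, written up as an added Python example (not FireEye’s or Apple’s code, and not part of the original post): it parses an enterprise OTA distribution manifest and the app’s own Info.plist with the standard library, and flags a manifest whose bundle-identifier does not match the app’s CFBundleIdentifier, as well as the condition described above, an identifier that collides with an already-installed app while advertising a higher bundle-version. The identifiers, versions, URL and installed-app inventory are constructed placeholders, and the HTTPS check is a local policy choice, not something the article states.

```python
"""Lint an iOS enterprise (OTA) distribution manifest against the app's Info.plist.

Added example, not FireEye's or Apple's code. It encodes the documented rule the
article says iOS (before 8.4) never enforced: the bundle-identifier advertised in
the manifest must equal the CFBundleIdentifier inside the .app. It also flags the
Manifest Masque precondition the article describes: a manifest identifier that
belongs to an installed app, combined with a higher advertised bundle-version.
All manifests, the Info.plist and the installed-app inventory are constructed data.
"""
import plistlib
from typing import Dict, List, Tuple

# Constructed inventory standing in for "apps already on the device": identifier -> version.
# The identifiers are illustrative placeholders, not taken from the article.
INSTALLED_APPS: Dict[str, str] = {
    "com.example.mailclient": "4.2.1",
    "com.example.corp.fieldtool": "1.0.0",
}

# Constructed Info.plist as it would sit inside the in-house .app bundle.
INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.corp.fieldtool</string>
  <key>CFBundleShortVersionString</key><string>1.1.0</string>
</dict></plist>"""


def _manifest(bundle_id: str, version: str) -> bytes:
    """Build a constructed OTA manifest in Apple's items -> assets/metadata layout."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>items</key><array><dict>
    <key>assets</key><array><dict>
      <key>kind</key><string>software-package</string>
      <key>url</key><string>https://mdm.example.invalid/fieldtool.ipa</string>
    </dict></array>
    <key>metadata</key><dict>
      <key>bundle-identifier</key><string>{bundle_id}</string>
      <key>bundle-version</key><string>{version}</string>
      <key>kind</key><string>software</string>
      <key>title</key><string>Field Tool</string>
    </dict>
  </dict></array>
</dict></plist>""".encode()


# Manifest that matches the app it ships.
HONEST_MANIFEST = _manifest("com.example.corp.fieldtool", "1.1.0")
# Same app, but the manifest advertises another installed app's identifier with a
# higher version: the mismatch the article says nothing validated before iOS 8.4.
MASQUE_MANIFEST = _manifest("com.example.mailclient", "9.9.9")


def version_tuple(v: str) -> Tuple[int, ...]:
    """'1.10.2' -> (1, 10, 2); non-numeric components count as 0 so ordering stays total."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def lint_manifest(manifest: bytes, info_plist: bytes,
                  installed: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the manifest passed."""
    findings: List[str] = []
    info = plistlib.loads(info_plist)
    app_id = info["CFBundleIdentifier"]
    app_ver = info.get("CFBundleShortVersionString") or info.get("CFBundleVersion", "")

    for item in plistlib.loads(manifest).get("items", []):
        meta = item.get("metadata", {})
        m_id = meta.get("bundle-identifier", "")
        m_ver = meta.get("bundle-version", "")
        # Check 1: the documented requirement that iOS itself did not enforce.
        if m_id != app_id:
            findings.append(f"bundle-identifier mismatch: manifest={m_id!r} app={app_id!r}")
        if m_ver != app_ver:
            findings.append(f"bundle-version mismatch: manifest={m_ver!r} app={app_ver!r}")
        # Check 2: Manifest Masque precondition from the article: the identifier of an
        # installed app plus a higher advertised version than that app has.
        if m_id != app_id and m_id in installed and \
                version_tuple(m_ver) > version_tuple(installed[m_id]):
            findings.append(f"collides with installed app {m_id!r} "
                            f"({installed[m_id]}) and outranks it ({m_ver})")
        # Check 3 (local policy assumed here, not from the article): packages over HTTPS only.
        for asset in item.get("assets", []):
            url = asset.get("url", "")
            if asset.get("kind") == "software-package" and not url.startswith("https://"):
                findings.append(f"software-package not served over https: {url}")
    return findings


if __name__ == "__main__":
    print("honest:", lint_manifest(HONEST_MANIFEST, INFO_PLIST, INSTALLED_APPS) or "ok")
    print("masque:", lint_manifest(MASQUE_MANIFEST, INFO_PLIST, INSTALLED_APPS))
```

Run as a pre-publication step on the MDM or distribution server: the honest manifest produces no findings, while the second one is rejected on three counts (identifier mismatch, version mismatch, and collision with an installed app it outranks), which is the condition the article says iOS 8.4 started to check.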
