The Masque Attack & Protecting Your iOS Devices
Michael T. Raggo | November 24, 2014
On November 13, 2014, U.S. CERT issued an alert based on research from FireEye about an attack on Apple iOS called the “Masque Attack.” This attack can occur by luring a user to install an app outside of the iOS AppStore. There are two primary ways in which this attack can occur:
- Downloading an update to a legitimate app from outside of the AppStore, for example via a link in a fake email, so that the fake app overwrites the existing app.
- An insider in an Enterprise organization distributing a malicious update to a legitimate app through the MDM or EMM app distribution channel.
Additionally, there are two prerequisites to performing the attack:
- The end user must be tricked into installing an app from a source other than the iOS App Store or an enterprise app store such as MobileIron Apps@Work
- The attacker must have a valid enterprise provisioning profile and code-signing certificate provided by Apple.
According to U.S. CERT, the malicious app can perform a variety of nefarious activities, including:
- Mimic the original app’s login interface to steal the victim’s login credentials.
- Access sensitive data from local data caches.
- Perform background monitoring of the user’s device.
- Gain root privileges to the iOS device.
- Be indistinguishable from a genuine app.
To deter this activity we recommend both proactive and reactive countermeasures using MobileIron. Proactively, an Enterprise organization should leverage a MobileIron-integrated 3rd party App Reputation Service vendor to scan updates to apps before they are posted to the MobileIron Apps@Work corporate app distribution. This is a standard security process already embraced by leading mobile-first organizations. Here's the workflow:
This leverages a fundamental security practice known as separation of duties, which “restricts the amount of power held by any one individual.” It also embraces App Reputation Service security analysis to analyze in-house (and 3rd party) apps for malicious behaviors through dynamic, static, and behavioral analysis. Most App Reputation Services have a web-based interface through which an in-house app can be submitted for analysis, followed by a report. Upon a clean bill of health for the app, the App Security team or the Administrator takes that app and posts the update to the MobileIron console to be distributed through Apps@Work. Additionally, MobileIron's audit trail logs provide for appropriate checks and balances.
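The workflow above can be modeled as a pre-publication gate. The following is an added example, not MobileIron's code or API: it uses hypothetical role names, a hypothetical catalog structure, and constructed scan verdicts. Before an update is posted, it checks three things the text calls for: the uploader holds a publishing role rather than a developer role (separation of duties), the App Reputation Service has returned a clean verdict for that exact binary, and the update is signed by the same enterprise signing team as the app it replaces, so a differently signed build cannot take over an existing app. Every decision is written to an audit trail.

```python
# Added example (not MobileIron's code or API): a pre-publication gate that
# models the proactive workflow above. All names and data here are hypothetical.
from dataclasses import dataclass

# Roles allowed to post an app update to the corporate catalog (separation of
# duties: developers build and submit for scanning, they do not publish).
PUBLISHER_ROLES = {"app_security", "emm_admin"}


@dataclass(frozen=True)
class AppBuild:
    bundle_id: str   # app identity; an update replaces the app with the same id
    version: str
    team_id: str     # team identity from the enterprise code-signing certificate
    sha256: str      # digest of the IPA, the key under which the scan report is filed


def gate_update(catalog, build, uploader_role, scan_reports):
    """Decide whether `build` may replace catalog[build.bundle_id].

    Returns (approved, reasons). An empty reasons list means approved.
    """
    reasons = []

    # 1. Separation of duties: only the publishing roles may post updates.
    if uploader_role not in PUBLISHER_ROLES:
        reasons.append(f"role '{uploader_role}' is not allowed to publish apps")

    # 2. An App Reputation Service report must exist for this exact binary and be clean.
    verdict = scan_reports.get(build.sha256)
    if verdict is None:
        reasons.append("no App Reputation Service report for this build")
    elif verdict != "clean":
        reasons.append(f"App Reputation Service verdict is '{verdict}'")

    # 3. Signer continuity: an update must be signed by the same team as the
    #    app it replaces, so a build signed with a different enterprise
    #    certificate cannot take over an existing bundle identifier.
    current = catalog.get(build.bundle_id)
    if current is not None and current.team_id != build.team_id:
        reasons.append(
            f"signing team changed from {current.team_id} to {build.team_id}")

    return (not reasons, reasons)


def publish(catalog, build, uploader_role, scan_reports, audit_log):
    """Apply the gate, record the decision in the audit trail, update the catalog."""
    approved, reasons = gate_update(catalog, build, uploader_role, scan_reports)
    audit_log.append({
        "bundle_id": build.bundle_id,
        "version": build.version,
        "uploader_role": uploader_role,
        "approved": approved,
        "reasons": reasons,
    })
    if approved:
        catalog[build.bundle_id] = build
    return approved


# Constructed sample data: one published app, plus scan verdicts for four builds.
CATALOG = {
    "com.example.expenses": AppBuild("com.example.expenses", "1.0", "TEAM_A", "sha-v1"),
}
SCAN_REPORTS = {
    "sha-v1": "clean",
    "sha-v2": "clean",
    "sha-v2-rogue": "malicious",
    "sha-v3": "clean",
}
AUDIT_LOG = []


def run_demo():
    """Push four proposed updates through the gate; returns the list of decisions."""
    same_team_update = AppBuild("com.example.expenses", "1.1", "TEAM_A", "sha-v2")
    rogue_update = AppBuild("com.example.expenses", "1.1", "TEAM_A", "sha-v2-rogue")
    other_team_update = AppBuild("com.example.expenses", "1.2", "TEAM_B", "sha-v3")
    return [
        publish(CATALOG, same_team_update, "developer", SCAN_REPORTS, AUDIT_LOG),     # rejected: role
        publish(CATALOG, rogue_update, "app_security", SCAN_REPORTS, AUDIT_LOG),      # rejected: verdict
        publish(CATALOG, other_team_update, "emm_admin", SCAN_REPORTS, AUDIT_LOG),    # rejected: signer
        publish(CATALOG, same_team_update, "app_security", SCAN_REPORTS, AUDIT_LOG),  # approved
    ]


if __name__ == "__main__":
    print(run_demo())
    for entry in AUDIT_LOG:
        print(entry)
```

The signer-continuity check is the one a real catalog most often lacks: a reputation scan says whether a binary behaves maliciously, but only the catalog knows which signing identity published the previous version, and a change of signer on an existing bundle identifier is exactly the condition worth a human review before anything is posted.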
To address concerns about a user updating apps outside of the AppStore, say through a fake email with a link to a malicious site, the aforementioned App Reputation Service can provide an additional layer of security by identifying malicious apps already installed on an iOS device. Some of these products can also feed into the MobileIron Quarantine blacklist, so that a device is quarantined when a malicious app is detected. Quarantine can block the device's corporate network access and also perform a full wipe, or a selective wipe of the corporate data, to mitigate a data breach. Note also that when MobileIron's secure container is used for corporate data, that data is proactively protected from apps downloaded and updated outside of the container. Additionally, partners such as FireEye provide a Malware Protection System to identify and block such malicious email links and websites.
In summary, every organization should ensure it has implemented the following proactive and reactive countermeasures:
- Implement a process for scanning in-house or 3rd party developed apps using an App Reputation Service, many of which are listed on the MobileIron site
- Separation of duties for your enterprise/internal app distribution via MobileIron's Apps@Work by restricting Developers from uploading apps and leaving that procedure to the App Security team or EMM Administrator
- Leverage an App Reputation Service integrated with MobileIron for identifying Apps on user devices that exhibit malicious or risky behaviors
- Enable MobileIron's automated Quarantine to block network access and to wipe or selectively wipe the device when it has been reported as having a malicious or risky app
- Use MobileIron's AppConnect & Docs@Work container to isolate corporate data from personal data, thus providing an additional proactive barrier against apps downloaded to the device outside of the corporate container
- Monitor MobileIron logs and dashboards for out-of-compliance devices and for logins to the console; a Splunk forwarder is also now available for customers using Splunk
- Leverage a Malware Protection Service to identify malicious emails and links and block them
- MobileIron administrators should ensure that users are running iOS 7.1 or later. This version check can be configured as a policy in MobileIron Core. In iOS 7.1 and later, enterprise app deployment requires SSL. Use of SSL does not fully prevent the attack; however, it makes it more difficult for an attacker to use unauthorized hostnames when attempting the attack.
- Consider using enterprise iOS devices in “supervised mode”. This can fully prevent the attack because devices can be configured to reject any unauthorized applications.
- Educate users to not install apps from sources other than the Apple AppStore
- Per the U.S. CERT alert, educate your users: “when opening an app, if iOS shows an ‘Untrusted App Developer’ alert, click on ‘Don't Trust’ and uninstall the app immediately”
Lastly, if it is discovered that an enterprise certificate is being used for malicious purposes, the certificate will be revoked by Apple and the malicious apps will be disabled on all iOS devices. Through appropriate proactive and reactive controls, MobileIron provides protection from the Masque Attack. While user education is important, automated controls such as those outlined can provide the multiple layers of defense needed to protect your enterprise data from such an attack. For additional information on fortifying your Mobile Security Strategy, please see MobileIron's Security Infographic.