Following up on our research into the Masque Attack iOS threat announced last week, Trend Micro researchers have found another way that a malicious app installed through a successful Masque Attack can threaten iOS devices: by reading unencrypted data stored on the device by legitimate apps.
According to reports, Masque Attack abuses enterprise provisioning to reach non-jailbroken iOS devices, as WireLurker does. Enterprise provisioning lets a company install "homegrown" apps on iOS devices without submitting them for Apple's App Store review; the company then distributes those apps to its employees through iTunes (via USB) or wirelessly through its own internal app store.
WireLurker was seen installing fake or malicious apps over USB; Masque Attack is more serious because it uses the same mechanism to replace an app that is already installed. At the time, iOS did not check that an app carrying a given bundle identifier was signed with the same certificate as the copy already on the device, so an attacker-signed app using a legitimate app's bundle ID could overwrite that app. Because the replacement keeps the original's bundle identifier, it also inherits the original app's local data, and it can then perform routines such as stealing sensitive information.
Masque Reveals App Flaw
Much has been reported about how enterprise provisioning can be abused to deliver malicious apps. But what happens once a malicious app has actually made its way onto the iOS device?
We tested several apps and found that some popular iOS apps do not encrypt their local databases. In our analysis, we simply used a file browser to open these database files; no exploit or key recovery was needed. The apps we tested are messaging and communication apps, which means they store a great deal of sensitive information such as message contents, names, and contact details.
Figure 1. Unencrypted database in instant messaging (IM) app
Figure 1 shows that incoming and outgoing messages in a popular IM app are stored unencrypted. Any information-stealing malware with access to the file can simply read through the messages. Figure 2 below shows the same result for a popular email client in China.
Figure 2. Unencrypted email in Chinese local email client
Meanwhile, a look at another popular messaging app shows that its messages and contact lists are not encrypted either.
Figure 3. Unencrypted message
Figure 4. Unencrypted contact list
This messaging app recently announced that it is implementing end-to-end encryption, so the exposure described above may change. The change has already been implemented on Android and will be rolled out to iOS soon. Note, however, that end-to-end encryption protects messages in transit between users; unless the app also encrypts its local database, messages that have already been decrypted and stored on the device remain readable in exactly the way shown here.
A Different Story for Android Counterparts
What makes our discovery more interesting is that the same cannot be said for these apps' Android counterparts. We found that the databases for the Android versions of these apps are encrypted, so an attacker would first need to recover the key and decrypt the database before reading the data.
Figure 5. Encrypted data for Android apps for Chinese IM app (top) and local email client based in China (bottom)
One possible reason the Android versions encrypt their data is that the majority of mobile threats target the Android platform. Because there are relatively fewer iOS threats, the developers may not have seen the need for encryption in their iOS apps.
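The check the analysis above describes, and the contrast with the encrypted Android databases, can be reproduced with a short script. The following is an added example written for this article, not code from Trend Micro or from any of the apps discussed. It walks a directory standing in for an app's data container, classifies each file by whether it starts with the plaintext SQLite header, lists tables and row counts from any plaintext database, and shows that a sensitive string can be found by a plain byte search in the plaintext file but not in a file with an opaque header. The sample database and the random-byte file standing in for an encrypted (SQLCipher-style, where the first bytes are a salt rather than the SQLite magic) database are constructed inside the script; no real app data is used.

```python
import os
import sqlite3
import tempfile

# Every unencrypted SQLite 3 database begins with this 16-byte header.
SQLITE_MAGIC = b"SQLite format 3\x00"


def classify_db_file(path):
    """Classify a file by its header: plaintext SQLite, something else, or too small to tell."""
    with open(path, "rb") as f:
        header = f.read(16)
    if len(header) < 16:
        return "too-small"
    return "plaintext-sqlite" if header == SQLITE_MAGIC else "not-sqlite-header"


def scan_sandbox(root):
    """Walk a data container and classify every file; keys use forward slashes."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings[rel] = classify_db_file(path)
    return findings


def dump_plaintext_tables(path):
    """What a file browser plus sqlite3 reveals: table names and row counts, no key needed."""
    con = sqlite3.connect(path)
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        return {t: con.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
                for t in names}
    finally:
        con.close()


def plaintext_contains(path, needle):
    """Crude info-stealer behaviour: does the raw file contain this byte string?"""
    with open(path, "rb") as f:
        return needle in f.read()


def build_constructed_sandbox():
    """Constructed sample container: one plaintext IM-style database and one
    random-byte file standing in for an encrypted database (assumption: an
    encrypted store has no recognizable SQLite header, as with SQLCipher)."""
    root = tempfile.mkdtemp(prefix="masque_demo_")
    lib = os.path.join(root, "Library")
    os.makedirs(lib)

    plain = os.path.join(lib, "messages.db")
    con = sqlite3.connect(plain)
    con.execute("CREATE TABLE message(id INTEGER PRIMARY KEY, peer TEXT, body TEXT)")
    con.executemany("INSERT INTO message(peer, body) VALUES (?, ?)",
                    [("alice", "meeting at 10"), ("bob", "send the contract")])
    con.execute("CREATE TABLE contact(name TEXT, phone TEXT)")
    con.execute("INSERT INTO contact VALUES ('alice', '+1-555-0100')")
    con.commit()
    con.close()

    with open(os.path.join(lib, "messages.enc.db"), "wb") as f:
        f.write(os.urandom(4096))
    return root


def demo():
    """Run the whole check against the constructed container and return the results."""
    root = build_constructed_sandbox()
    plain = os.path.join(root, "Library", "messages.db")
    enc = os.path.join(root, "Library", "messages.enc.db")
    return {
        "findings": scan_sandbox(root),
        "tables": dump_plaintext_tables(plain),
        "plain_hit": plaintext_contains(plain, b"send the contract"),
        "enc_hit": plaintext_contains(enc, b"send the contract"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run against a real data container (for example, a directory pulled from an iOS backup or a jailbroken device's `/var/mobile/Containers/Data/Application/...`, path shown as an illustration), the same header check separates databases an attacker can read directly from those that at least require key recovery first. The header test is a quick triage signal, not proof of strong encryption: a file that fails it may still be weakly protected, and a plaintext database may hold little of value.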
Enterprise Provisioning in the Public
Perhaps what makes Masque Attack more of a real threat is that enterprise provisioning is already being used by third-party app stores, especially those based in China, to distribute apps to the general public.
Figure 6. Users who install apps via enterprise provisioning will see this notification
One third-party app store in China has even deployed offline terminals that install apps for free on Android and iOS devices. The iOS installations rely on enterprise provisioning. These terminals are found in high-traffic areas such as airports, cinemas, and even KTVs (karaoke venues). While this makes installing apps easier, it also means users are routinely accepting apps that have bypassed App Store review, which is precisely the path a Masque Attack needs.
Protecting iOS Devices
App developers, especially those writing for iOS, should not be complacent about app security. As WireLurker and Masque Attack have shown, iOS devices are not spared from mobile threats. While iOS does not attract the same volume of threats as Android, iOS threats do exist, and sensitive data stored on the device should be encrypted regardless of platform.
Apple users should take great care when installing apps on their devices. As far as possible, they should install apps only from iTunes or the App Store, and keep their devices up to date. Users who must install software from other sources, such as apps their employer distributes through enterprise provisioning, should treat the warning shown in Figure 6 as the moment to stop and check: confirm that the app comes from a trusted source, that it was expected, and that the installer has not been tampered with before accepting it.