clock menu more-arrow no yes mobile

Filed under:

U.S. Warns of Vulnerability That Could Leave Apple iOS Devices Open to Attack

This exploit could impact more than 90 percent of iPhone users running iOS 7 or iOS 8.

Sergey Nivens / Shutterstock

The U.S. government’s cyber squad is warning Apple users about a security vulnerability that hackers could use to trick them into installing bogus versions of legitimate apps on their mobile devices.

This particular exploit, called the Masque Attack, is designed to lure users into downloading malicious versions of legitimate applications from somewhere other than Apple’s App Store.

As frequently occurs with a phishing attack, the hacker — in this case posing as corporate IT staff — would send out an email or text message inviting users within a corporation to download an “update” to software they may already have installed on their iPhones, such as banking or email apps.

The U.S. Computer Readiness Team said hackers could substitute a bogus version of a legitimate app by using the same “bundle identifier,” a unique number that is registered with Apple and identifies the app. The malicious app could even mimic the look of the authentic app to gain access to the user’s login and sensitive information stored on the device.

The exploit is possible because Apple’s iOS mobile operating system does not enforce matching certificates for apps with the same bundle identifier, according to the US-CERT.

The security research firm FireEye said it identified and notified Apple of the potential vulnerability this summer. It would impact more than 90 percent of iPhone users running iOS 7 or iOS 8.

FireEye and Apple say there have been no known instances of hackers using this exploit.

Apple issued a statement late Thursday, urging users to exercise caution when downloading mobile apps — and to pay attention to warnings that they may be installing malicious software.

“We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps,” said Apple spokesperson Trudy Muller. “Enterprise users installing custom apps should install apps from their company’s secure website.”

This article originally appeared on

Sign up for the newsletter Sign up for Vox Recommends

Get curated picks of the best Vox journalism to read, watch, and listen to every week, from our editors.