U.S. Warns of Vulnerability That Could Leave Apple iOS Devices Open to Attack

The U.S. government’s cyber squad is warning Apple users about a security vulnerability that hackers could use to trick them into installing bogus versions of legitimate apps on their mobile devices.

This particular exploit, called the Masque Attack, is designed to lure users into downloading malicious versions of legitimate applications from somewhere other than Apple’s App Store.

As frequently occurs with a phishing attack, the hacker — in this case posing as corporate IT staff — would send out an email or text message inviting users within a corporation to download an “update” to software they may already have installed on their iPhones, such as banking or email apps.

The U.S. Computer Readiness Team said hackers could substitute a bogus version of a legitimate app by using the same “bundle identifier,” a unique number that is registered with Apple and identifies the app. The malicious app could even mimic the look of the authentic app to gain access to the user’s login and sensitive information stored on the device.

The exploit is possible because Apple’s iOS mobile operating system does not enforce matching certificates for apps with the same bundle identifier, according to the US-CERT.

The security research firm FireEye said it identified and notified Apple of the potential vulnerability this summer. It would impact more than 90 percent of iPhone users running iOS 7 or iOS 8.

FireEye and Apple say there have been no known instances of hackers using this exploit.

Apple issued a statement late Thursday, urging users to exercise caution when downloading mobile apps — and to pay attention to warnings that they may be installing malicious software.

“We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps,” said Apple spokesperson Trudy Muller. “Enterprise users installing custom apps should install apps from their company’s secure website.”

This article originally appeared on Recode.net.

We're here to shed some clarity

One of our core beliefs here at Vox is that everyone needs and deserves access to the information that helps them understand the world, regardless of whether they can pay for a subscription. With the 2024 election on the horizon, more people are turning to us for clear and balanced explanations of the issues and policies at stake. We’re so grateful that we’re on track to hit 85,000 contributions to the Vox Contributions program before the end of the year, which in turn helps us keep this work free. We need to add 2,500 contributions this month to hit that goal. Will you make a contribution today to help us hit this goal and support our policy coverage? Any amount helps.

One-Time Monthly Annual

$5/month

$10/month

$25/month

$50/month

Other

$

Yes, I'll give $5/month

Yes, I'll give $5/month

We accept credit card, Apple Pay, and Google Pay. You can also contribute via