In a recent column I covered the ongoing fear-mongering about alleged OS X and iOS security problems. Over the years, you’ve no doubt read lurid headlines about potential security leaks that might be exploited, only they generally aren’t. Most are based on social engineering, where you are enticed to visit a site, or just stumble on the place. You tap or click the wrong link or download something you shouldn’t download, and suddenly bad things might happen.
I recall, for example, Mac Defender, when people were convinced to pay for fraudulent software that pretended to remove a virus (non-existent) allegedly discovered on your Mac. This rogue security app, from 2011, actually had thousands of takers. Apple soon blocked it with a security update.
While some reports spoke of Mac Defender as the first major malware outbreak on the Mac, that’s just not so. In the days before the arrival of OS X, there were various virus infections, but they were few and far between. I should point out that I first installed virus protection software in the late 1980s after I bought an infected Mac app on a floppy disk from a legitimate software retailer. It was just one of those things, and it never happened again, although there were occasional malware issues on the platform.
But nothing near a virulent as what you’d find routinely on the Windows platform, where the number of malware variants long ago exceeded 100,000. But if it happens on a Mac, it has to be big news. Just the prospect of claiming that Apple’s security policies are inadequate is enough to make the critics salivate.
So Thursday came a warning from U.S. Department of Homeland Security to be careful when you install or upgrade apps on your iPhone or iPad. Why? Well, there’s supposedly a vulnerability that impacts both iOS 7 and iOS 8 that allows Internet criminals to install bogus apps on devices used in a business setting. Such devices are configured via Apple’s enterprise provisioning so that you can install dedicated corporate apps from a company’s site.
According to a security company, FireEye, Apple has allegedly known about this vulnerability since July 26. While I think warnings of OS X malware outbreaks from security companies are sometimes designed to sell you an app you may not need, I’ll take this particular warning for iOS as something serious.
So FireEye has finally decided to publish information about what they have labeled “Masque Attack.” What’s a good trojan if it isn’t given a flashy name? It actually rhymes with that other notorious malware outbreak, Flashback, which was a Java security flaw that, because Apple failed to deploy the fix for a few months, allegedly impacted up to 600,000 Macs..
In any case, Masque Attack doesn’t do its nastiness unless someone is convinced to install the imposer app, which may be presented via a link. Otherwise, the sky won’t fall, and that only makes it all the more important that people be careful about downloading stuff only from trusted sources. With a standard iPhone or iPad, you are going to get your stuff from the App Store, so installing a bogus app is essentially a non-issue. Well, unless you decide to jailbreak your iOS gadget, in which case all bets are off.
So how do you protect yourself from getting bogus apps?
The answer from US-CERT, which is the operational arm of Homeland Security’s National Cyber Security Division, simply says you only install apps from the App Store or directly from the company for which you work, if they are using custom iOS apps. Further, don’t tap “install” from a web site, and, “when opening an app, if iOS shows an ‘Untrusted App Developer’ alert, click on ‘Don’t Trust’ and uninstall that app immediately.”
Apple’s official response essentially echoes government, “We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software. We’re not aware of any customers that have actually been affected by this attack. We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps. Enterprise users installing custom apps should install apps from their company’s secure website.”
You see, common sense!
Nothing in this warning scenario presents any new or unusual situation. There will be malware threats from time to time, but they largely rely on social engineering. So you might receive an email asking you to update your personal information at your bank or other financial institution. The message might even have some urgency to it, such as protecting your security. But rather than tap or click a link in the email, go directly to the bank’s site and check your account directly. Don’t assume a link that appears genuine is the real thing.
When it comes to getting software on an iOS device, unless you really know how to handle yourself in such situations, the romantic ideal of jailbreaking your iPhone or iPad is not something you really want to try. Once you leave Apple’s walled garden, all bets are off. It’s the wild wild west so far as any element of app security is concerned. Yes, you might really want to try out an app that Apple won’t approve, but consider the downsides.
Now Apple’s critics will say the sky is falling because of Masque Attack, or that it represents an entirely new threat front for the platform. But remember Apple’s statement about nobody actually being affected by this threat. So not much has changed.