In the market for an iPhone? Here's a breakdown of all the currently shipping iPhones from Apple.
Apple Responds to 'Masque Attack' Vulnerability, Not Aware of Customers Affected by Attack
Just a couple days after the discovery of an iOS vulnerability referred to as Masque Attack because of its ability to emulate and replace existing legitimate apps with malicious ones, Apple has responded in a statement to iMore.
Masque Attack in action Earlier today, the United States government issued a warning about Masque Attack to iOS users. The vulnerability was discovered just a week after reports of malware called WireLurker surfaced. WireLurker is able to attack iOS devices through OS X using a USB cable. Both vulnerabilities are unlikely to affect the average iOS user as long as Apple's security features are not bypassed.
Both WireLurker and Masque Attack can be avoided by staying away from suspicious apps and avoiding links that prompt users to install apps outside of Apple's App Stores.
"We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software," an Apple spokesperson told iMore. "We're not aware of any customers that have actually been affected by this attack. We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps. Enterprise users installing custom apps should install apps from their company's secure website."Masque Attack works by luring a user to install an app outside of the iOS App Store by clicking a phishing link in a text message or email. For example, a user could be prompted to download a new app in a text message that says something like "Hey, try out Flappy Bird 2". A user is then directed to a website where they're prompted to download the app, which will install the fake app over the legitimate one using iOS enterprise provision profiles, making it virtually undetectable.
Both WireLurker and Masque Attack can be avoided by staying away from suspicious apps and avoiding links that prompt users to install apps outside of Apple's App Stores.
[ 118 comments ]
Top Rated Comments
(View all)
68 months ago
why is being able to install faked apps on iPhone considered a vulnerability, when on every other OS the same thing could happen and they call it "open."
68 months ago
why is being able to install faked apps on iPhone considered a vulnerability, when on every other OS the same thing could happen and they call it "open."
Because Apple always claims that their "closed" system is more secure than those others due to the review process?Frankly, I don't understand why some people on this forum keep downplaying these security flaws. Perhaps they think they need to "defend" Apple, but that is misguided IMO. The "fappening" made it very obvious that Apple doesn't necessarily act to improve their security policies without public pressure. If that hadn't happended, we'd probably still have the weak iCloud security policy and incomplete 2-factor authentication. Public attention can only help to make the system more secure for everyone by forcing Apple to act.
68 months ago
why is being able to install faked apps on iPhone considered a vulnerability, when on every other OS the same thing could happen and they call it "open."
Because the apps replace an app that is already on the phone that is signed by a different developer. My guess is Apple is doing their usual "there is nothing to see here", while they are working to fix the issue as quietly as possible.
68 months ago
Quite honestly this has already run its course. Enough already.
Indeed. Count on MR to run a sensational story about a trivial threat. After all, gotta get those ad impressions!
It'll have run its course when Apple fixes the problem. You should not expect or want any less.
68 months ago
Because Apple always claims that their "closed" system is more secure than those others due to the review process?
Frankly, I don't understand why some people on this forum keep downplaying these security flaws. Perhaps they think they need to "defend" Apple, but that is misguided IMO. The "fappening" made it very obvious that Apple doesn't necessarily act to improve their security policies without public pressure. If that hadn't happended, we'd probably still have the weak iCloud security policy and incomplete 2-factor authentication. Public attention can only help to make the system more secure for everyone by forcing Apple to act.
While this is a legitimate issue, it's not specific to ONLY iOS. It is a phishing trick than any software can run in to on any system. If Apple fixes this, i'm impress since this is still and issue on every other system. You still get warning emails from your IT guys for not clicking on strange links, dont you? You can't fix stupid (ignore warnings) or greed (free apps).
I think people who are defending Apple is trying to get this point across. there're multitude of apple haters that are trying to make this an iOS issue only hence the need to counter their point. Beside , there's nothing wrong with defending a product/brand than you like, not that they need defending.
68 months ago
Adobe Photoshop? Microsoft Office for OS X? Are these gold standards available on the Mac App Store?
I don't think so...and to install them you have to break security code and change your settings, and allow untrusted installs...
Oh no! Apple doesn't want you installing these evil programs. They want you to use only Pixelmator and Pages...
Right...
Masquerade Attack is an iOS exploit and you are referring to OS X apps. Two different operating systems with two different App Stores.
68 months ago
This is my two cents.
Apple should ramp up the security level against Apps deployed with enterprise provision. They can effectively block any potential attacks like Wirelurker and Masque, by sandboxing the install packages of provision Apps within another sandbox: the AppStore.app.
They can add a new tab in App Store called "Enterprise." This tab is hidden by default, and becomes visible only after provision Apps being installed. All apps inserted from 3rd. party sources shall be isolated within this tab.
For example, any URL that is recognized as an IPA package shall be passed from Safari.app to AppStore.app. AppStore.app shall download the package and extract necessary identities such as bundle ID, title, icon, developer identity, and provision profile, before the package is actually installed.
When an IPA package is ready to install, users shall first click the package in "Enterprise" tab. A confirmation dialog with detailed informations shall be displayed, and users can decide whether to trust the package. If any conflict (other Apps with identical bundle ID) exists, users shall be asked for further confirmation to overwrite the old data.
This approach is unnecessary for those who aware the danger of unidentified internet resource, and it will not stop those who insist to shoot themselves in the foot either. But this would be very helpful for the rest of users who have little awareness of computer security. By adding an extra step and binding the whole thing within AppStore.app, it should be fairly effective to alter these users, and make them to think twice before clicking the "Trust" button.
Apple should ramp up the security level against Apps deployed with enterprise provision. They can effectively block any potential attacks like Wirelurker and Masque, by sandboxing the install packages of provision Apps within another sandbox: the AppStore.app.
They can add a new tab in App Store called "Enterprise." This tab is hidden by default, and becomes visible only after provision Apps being installed. All apps inserted from 3rd. party sources shall be isolated within this tab.
For example, any URL that is recognized as an IPA package shall be passed from Safari.app to AppStore.app. AppStore.app shall download the package and extract necessary identities such as bundle ID, title, icon, developer identity, and provision profile, before the package is actually installed.
When an IPA package is ready to install, users shall first click the package in "Enterprise" tab. A confirmation dialog with detailed informations shall be displayed, and users can decide whether to trust the package. If any conflict (other Apps with identical bundle ID) exists, users shall be asked for further confirmation to overwrite the old data.
This approach is unnecessary for those who aware the danger of unidentified internet resource, and it will not stop those who insist to shoot themselves in the foot either. But this would be very helpful for the rest of users who have little awareness of computer security. By adding an extra step and binding the whole thing within AppStore.app, it should be fairly effective to alter these users, and make them to think twice before clicking the "Trust" button.
68 months ago
Tried out Flappy Bird Two.
Had my bank account cleaned out.
High score still only 2.
Had my bank account cleaned out.
High score still only 2.
68 months ago
Quite honestly this has already run its course. Enough already.
Indeed. Count on MR to run a sensational story about a trivial threat. After all, gotta get those ad impressions![ Read All Comments ]
Tile today is offering two flash sales on some of its most popular Bluetooth trackers. To start, the Tile Pro 2-pack is on sale for $34.99, down from $59.99. Secondly, you can get the Tile...
A new sale on the 10.2-inch iPad from 2019 has opened up this morning on Amazon, providing a round of lowest-ever prices on the cellular model of the tablet. You can get the 32GB cellular iPad for...
Apple intends to donate money in support of groups fighting the outbreak of the Coronavirus in China, Tim Cook said on Saturday.
Electron micrograph of coronavirus virions
In a morning tweet...
This week saw an interesting variety of Apple news and rumors, ranging from rumors about upcoming iPhone and iPad releases to Apple TV+ announcements to news that Adobe Flash support will finally be...
For this week's giveaway, we've teamed up with Choetech to offer MacRumors readers a chance to win a 61W USB-C power adapter and accompanying USB-C cable for charging a Mac or an iPad Pro.
...
Best Buy has kicked off a new 3-day sale as we head into the weekend, with discounts on MacBook Air, MacBook Pro, Beats products, and iPhone cases. This sale lasts through Sunday, January 26 at 11:59...
The App Store is experiencing a temporary outage that started at 7:30 a.m. Pacific Time, according to Apple's System Status website. Apple's site says that there's an unspecified ongoing...
Throwboy, known for its Iconic Pillow Collection featuring a selection of plush pillows designed to look like Apple devices, today launched a new selection of mini pillows called the "Pocket...
