Tag Archive: IOS


Masque Attack: All Your iOS Apps Belong To Us

 

 

 

 

 

 

” In July 2014, FireEye mobile security researchers have discovered that an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier. This in-house app may display an arbitrary title (like “New Flappy Bird”) that lures the user to install it, but the app can replace another genuine app after installation. All apps can be replaced except iOS preinstalled apps, such as Mobile Safari. This vulnerability exists because iOS doesn’t enforce matching certificates for apps with the same bundle identifier. We verified this vulnerability on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, for both jailbroken and non-jailbroken devices. An attacker can leverage this vulnerability both through wireless networks and USB. We named this attack “Masque Attack,” and have created a demo video here: ” (see above)

” We have notified Apple about this vulnerability on July 26. Recently Claud Xiao discovered the “WireLurker” malware. After looking into WireLurker, we found that it started to utilize a limited form of Masque Attacks to attack iOS devices through USB. Masque Attacks can pose much bigger threats than WireLurker. Masque Attacks can replace authentic apps,such as banking and email apps, using attacker’s malware through the Internet. That means the attacker can steal user’s banking credentials by replacing an authentic banking app with an malware that has identical UI. Surprisingly, the malware can even access the original app’s local data, which wasn’t removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user’s account directly.

  We have seen proofs that this issue started to circulate. In this situation, we consider it urgent to let the public know, since there could be existing attacks that haven’t been found by security vendors. We are also sharing mitigation measures to help iOS users better protect themselves.

Security Impacts

  By leveraging Masque Attack, an attacker can lure a victim to install an app with a deceiving name crafted by the attacker (like “New Angry Bird”), and the iOS system will use it to replace a legitimate app with the same bundle identifier. Masque Attack couldn’t replace Apple’s own platform apps such as Mobile Safari, but it can replace apps installed from app store. Masque Attack has severe security consequences:

  1. Attackers could mimic the original app’s login interface to steal the victim’s login credentials. We have confirmed this through multiple email and banking apps, where the malware uses a UI identical to the original app to trick the user into entering real login credentials and upload them to a remote server.
  2. We also found that data under the original app’s directory, such as local data caches, remained in the malware local directory after the original app was replaced. The malware can steal these sensitive data. We have confirmed this attack with email apps where the malware can steal local caches of important emails and upload them to remote server.
  3. The MDM interface couldn’t distinguish the malware from the original app, because they used the same bundle identifier. Currently there is no MDM API to get the certificate information for each app. Thus, it is difficult for MDM to detect such attacks.
  4. As mentioned in our Virus Bulletin 2014 paper “Apple without a shell – iOS under targeted attack”, apps distributed using enterprise provisioning profiles (which we call “EnPublic apps”) aren’t subjected to Apple’s review process. Therefore, the attacker can leverage iOS private APIs for powerful attacks such as background monitoring (CVE-2014-1276) and mimic iCloud’s UI to steal the user’s Apple ID and password.
  5. The attacker can also use Masque Attacks to bypass the normal app sandbox and then get root privileges by attacking known iOS vulnerabilities, such as the ones used by the Pangu team. “

 

Read more on how to protect yourself from this latest iPhone privacy threat .

 

 

 

 

 

 

 

 

 

About these ads

Microsoft Pays $2.5bn For Minecraft Maker Mojang

 

 

 

 

” Microsoft has bought Mojang, the Swedish firm behind the popular video game Minecraft, for $2.5bn (£1.5bn).

  The title, which has sold over 54 million copies, allows players to build structures with retro Lego-style blocks, as well as explore a large map and battle others.

  The deal was announced by Xbox chief Phil Spencer.

  Mojang, whose three founders will leave the company, assured fans that “everything is going to be OK”.

  Some analysts have speculated the deal is designed to attract more users to Microsoft’s Windows Phone devices.

  The acquisition comes a year after Microsoft bought the Finnish mobile phone firm Nokia.

  Minecraft creator Markus Persson has been critical of Microsoft

  Minecraft is one of the top-selling apps on both Apple’s iOS store and and Android’s Google Play, and has recently been released for the Xbox One and PlayStation 4, further boosting sales. “

 

Continued

 

 

 

 

 

 

 

 

 

 

The Voice Of Siri Is Susan Bennett

 

 

 

 

” “I’m the original voice of Siri.” That’s the quote CNN attributes to Susan Bennett, a voice talent that says her voice was used for Apple’s virtual assistant. “I wasn’t sure that I wanted the notoriety,” Bennett tells CNN, explaining her delay in coming forward, “and I also wasn’t sure where I stood legally.” In fact, it was The Verge‘s article on synthesized speech that prompted her to come forward.”

 

 

 

 

 

 

 

 

 

YouTube Will Let Users Watch Videos Offline In Its App

 

 

 

” YouTube is adding a feature to its mobile app in November that will let users add videos to their handsets to watch for a short period, even when they are unable to get an Internet connection.

Exactly how long the “short period” will be is not clear yet, but YouTube hints that it could be as long as your journey to work in the morning, saying: “Your fans’ ability to enjoy your videos no longer has to be interrupted by something as commonplace as a morning commute.” “

 

 

 

 

 

 

 

9 Top Tech Myths Debunked

 

 

Jailbreaking and Rooting are Illegal

” Smartphone owners can jailbreak their iOS devices and root their Android phones to get around the restrictions of manufacturers and carriers. But is this ominous-sounding practice legal? The word itself—jailbreaking—makes it sound like the process is illegal. In actuality, it’s more complicated: The technique both is and isn’t illegal under U.S. copyright law. Last fall, when the Library of Congress updated the rules for 2013 through late 2015, it decided that you can legally jailbreak your smartphone (though you’ll void your Apple warranty) but not necessarily your tablet, because, the Library says, “tablets” is an ill-defined category. What is definitely not legal is unlocking your phone. The Library’s ruling prohibits tinkering with your device so it works on different cellular networks without your wireless carrier’s permission, which is subject to as much as $2500 in fines, or even jail time. 

Legal questions aside, is jailbreaking worth the trouble? Nearly 7 million iOS users who cracked their devices using the latest jailbreak since it became available in February say yes. And as for the riskiness of jailbreaking an iPad, just consider: Despite the law, absolutely no one has (yet) been prosecuted or fined.”

Read the other 8 here

 

 

 

 

 

 

 

Army Practices Poor Data Hygiene on Its New Smartphones, Tablets

 

 

 

” The Army absolutely loves its new Android, iOS and Windows smartphones and tablets. Just not enough to properly secure the sensitive data it stores on them.

A spot check of mobile devices used by the Army at its West Point military academic and its corps of engineers shows inconsistent and outright poor data security. The Pentagon inspector general has found that the smartphones and tablets the Army buys at local electronics stores often aren’t configured to protect sensitive data, leaving it to individual users to safeguard their data. (.pdf)

“If devices remain unsecure,” writes assistant inspector general Alice F. Carey, “malicious activities could disrupt Army networks and compromise sensitive [Defense Department] information.” “

 

 

 

Looks Like A Blast

Folkrace is a popular, inexpensive, and entry-level form of Swedish rallycross that originally came fromFinland, where it was called (Everyone’s Class). The sport also exists in Norway and Denmark, where it is known as Bilcross and Folkerace respectively.


The races are run on special gravel or tarmac tracks, 2,400 metres 
(1.5 mi) in length. The tracks are designed to limit the top speed to 
80 km/h (50 mph). The competitions are divided into different classes 
depending on age and gender. Participants can be as young as 15 years of
age.
The race is divided into different heats with usually 6 cars. The 
driver winning a race is awarded seven points, second five points, third
four points and so on. When all the heats have been driven, the total 
score is calculated and the top six drivers get to race in the A final, 
the next six in the B final and so on. The winner of the A final wins 
the event.

Folk Race

 

Follow

Get every new post delivered to your Inbox.

Join 6,850 other followers