U.S. Government Warns iOS Users About 'Masque Attack' Vulnerability

by

The United States government today issued a bulletin warning iPhone and iPad users about the recent "Masque Attack" vulnerability, a security flaw that first surfaced on Monday of this week, reports Reuters. Masque Attack is a vulnerability that can allow malicious third-party iOS apps to masquerade as legitimate apps via iOS enterprise provision profiles.

Written by the National Cybersecurity and Communications Integration Center and the U.S. Computer Emergency Readiness Teams, the bulletin outlines how Masque Attack spreads -- luring users to install an untrusted app through a phishing link -- and what a malicious app is capable of doing.

An app installed on an iOS device using this technique may:
-Mimic the original app's login interface to steal the victim's login credentials.
-Access sensitive data from local data caches.
-Perform background monitoring of the user's device.
-Gain root privileges to the iOS device.
-Be indistinguishable from a genuine app.

The post also advises iOS users to protect themselves by avoiding apps that have been installed from sources other than the App Store or an organization they're affiliated with, avoiding tapping "Install" on third-party pop-ups when viewing web pages, and tapping "Don't Trust" on any iOS app that shows an "Untrusted App Developer Alert."

Masque Attack in action

Computer security alerts issued by the government are fairly rare, and only 13 have been sent over the course of 2014. Other vulnerabilities that have prompted alerts include Heartbleed and an SSL 3.0 flaw called "Poodle."

FireEye, the team that discovered Masque Attack, has notified Apple about the vulnerability, but it has not been patched in the recent iOS 8.1.1 beta thus far. It also affects iOS 7.1.1, 7.1.2, 8.0, and 8.1, and as of today, Apple has not yet commented on Masque Attack.

Masque Attack, along with WireLurker, another vulnerability outlined earlier this month, is unlikely to affect the average iOS user so long as Apple's security features are not bypassed. Masque Attack works by circumventing the iOS App Store to install apps, while WireLurker is similar, infecting machines via third-party software downloaded outside of the Mac App Store.

Both WireLurker and Masque Attack can be avoided by staying away from suspicious apps and avoiding links that prompt users to install apps outside of Apple's App Stores.

Popular Stories

iPhone 17 Pro 34ths Perspective

iPhone 17 Pro Launching Later This Year With These 10 New Features

Sunday March 23, 2025 10:00 am PDT by
While the iPhone 17 Pro and iPhone 17 Pro Max are not expected to launch until September, there are already plenty of rumors about the devices. Below, we recap key changes rumored for the iPhone 17 Pro models as of March 2025: Aluminum frame: iPhone 17 Pro models are rumored to have an aluminum frame, whereas the iPhone 15 Pro and iPhone 16 Pro models have a titanium frame, and the iPhone ...
Read Full Article241 comments
macbook pro blue green

When Will Apple Release the M5 MacBook Pro?

Wednesday March 26, 2025 4:53 pm PDT by
Apple regularly refreshes the MacBook Pro models, and a new version that uses M5 series chips is in the works. Apple just finished refreshing most of the Mac lineup with M4 chips, and now it's time for the M5. Rumors suggest that we could see the first M5 MacBook Pro models this fall. Design There have been no rumors of a design update for the M5 MacBook Pro models that are coming this...
Read Full Article119 comments
iOS 18

iOS 18.4 Expected Next Week - Here Are the Release Notes

Friday March 28, 2025 2:01 pm PDT by
With the second release candidate of iOS 18.4 that Apple seeded out today, the company finally provided us with release notes that give a full rundown on what to expect. There's an Apple Vision Pro app, new Apple Intelligence features for notifications and additional language support, plus an Apple News Food feature for Apple News+ subscribers, and several updates that should improve the...
Read Full Article45 comments
Facebook Feature

Facebook's New iPhone App Feature Turns the Clock Back to 2007

Thursday March 27, 2025 1:59 pm PDT by
In the mid-to-late 2000s, Facebook was all about staying connected with friends and family. However, as the social media platform added new features and grew over time, that core experience began to get drowned out. That changes starting now, according to Meta, which today introduced a new feature that will "bring back the joy" of classic Facebook. Specifically, Meta has redesigned the...
Read Full Article115 comments
iOS 18 4 Ambient Music Control Center

How to Use iOS 18.4's New Ambient Music Feature in Control Center

Thursday March 27, 2025 7:45 am PDT by
The upcoming iOS 18.4 update for the iPhone adds an Ambient Music feature to Control Center. Below, we take a closer look at how it works. iOS 18.4 is currently in beta, so the Ambient Music feature is not widely available yet. The update will likely be released to the general public next week. To use the feature on iOS 18.4, open Control Center and tap on the plus sign in the top-left...
Read Full Article42 comments
Foldable iPhone 2023 Feature 1

'iPhone Fold' to Feature Metallic Glass Hinge That Resists Deformation

Thursday March 27, 2025 4:21 am PDT by
Last week, we covered a report claiming that Apple's book-style foldable iPhone (or "iPhone Fold," as we are provisionally calling it here) will use liquid metal hinges to improve durability and help minimize screen creasing. Today, a Chinese leaker provided more details on the properties of this hinge material that help to clarify why Apple chose it for its first foldable device. According...
Read Full Article111 comments
Magic Mouse Green

What to Expect From the Magic Mouse 3

Saturday March 29, 2025 10:15 am PDT by
Apple is reportedly working on a new Magic Mouse. Below, we recap what to expect. The two key rumors for the Magic Mouse 3 so far include a relocated charging port, along with a more ergonomic design. It was briefly rumored that the Magic Mouse 3 would also feature voice control, but that was misinterpreted information. Relocated Charging Port While the Magic Mouse switched from...
Read Full Article204 comments
Foldable iPhone 2023 Feature Homescreen

Six Things to Know About Apple's Upcoming Foldable iPhone

Friday March 28, 2025 3:54 pm PDT by
We've been hearing rumors about a foldable iPhone for almost a decade now, but it looks like we might finally see the device come to fruition in 2026. We're going to be waiting many more months for the foldable iPhone, but so far we're hearing good things. Apple wants to make it creaseless. It's taken Apple multiple years to design a foldable iPhone that it's satisfied with because Apple ...
Read Full Article178 comments
Apple Lumon Terminal Pro

Apple's Mac Site Features Fictional 'Lumon Terminal Pro'

Wednesday March 26, 2025 12:19 pm PDT by
Apple is going all out with promotions for the popular Severance Apple TV+ show today, and as of right now, you'll find a new "Lumon Terminal Pro" listed on Apple's Mac site. The Lumon Terminal Pro is designed to look similar to the machines that Severance employees like Mark S. and Helly R. use for macrodata refinement. The Terminal features a blue keyboard, a small display with wide...
Read Full Article107 comments

Top Rated Comments

spectrumfox Avatar
spectrumfox
135 months ago
"iOS Enterprise Certificates".

Then it isn't a security flaw. I love how this Apple-centric site fails to mention that you actually have to install the certificate. This is blown way out of proportion!
If the US government is putting out an official warning, then it's not being blown out of proportion.

Stop apologizing for Apple. This is exactly how these situations come about in the first place: Too many people excusing Apple for problems with their software instead of pressing them to fix the problems.
Score: 22 Votes (Like | Disagree)
shenan1982 Avatar
shenan1982
135 months ago
"iOS Enterprise Certificates".

Then it isn't a security flaw. I love how this Apple-centric site fails to mention that you actually have to install the certificate. This is blown way out of proportion!

Sadly a large part of the iPhone user base will click ACCEPT to anything that pops up, without even reading it. It's what America has become... we don't read, then we complain we've been scammed.
Score: 18 Votes (Like | Disagree)
Rogifan Avatar
Rogifan
135 months ago
So basically they're just telling people don't be stupid.
Score: 14 Votes (Like | Disagree)
SolarShane Avatar
SolarShane
135 months ago
"iOS Enterprise Certificates".

Then it isn't a security flaw. I love how this Apple-centric site fails to mention that you actually have to install the certificate. This is blown way out of proportion!
Score: 13 Votes (Like | Disagree)
KdParker Avatar
KdParker
135 months ago
So - You only want apps that you get from the app store.

Don't apps have to be from the app store unless your phone is jailbroken?
Score: 8 Votes (Like | Disagree)
spectrumfox Avatar
spectrumfox
135 months ago
As much as trivial and "common sense"ish this may seem, there is absolutely nothing wrong with this type of warning. I don't understand the hate for it. If the US government released a warning about "please lock your doors at night.." will people be fundamentally against that also?

We have a lot warning labels on cars, on machines, on prescription drugs..this is no different.

Having the US government comment on the security of an Apple product negates the idea that Apple products are infallible. And apparently that upsets some people.
Score: 7 Votes (Like | Disagree)
Read All Comments