Masque Attack – Apple iOS Vulnerability

Masque Attack - Demo

What is it?

A couple of days ago a vulnerability was spotted which has been named “Masque Attack”. So named for it’s ability to emulate or replace legitimate apps with ones that contain malicious code.

The way it works is by luring a user to download an app outside of the App Store. This could be through a text message, email a link on a blog, a twitter link, etc. Usually using enticing text, such as “Check out the latest version of Flappy Birds today!”.

Most users download their apps solely through the App Store, they click on to the App Store, choose an app to download and install it. However lots of blogs, websites and twitter links do link to apps. People are used to clicking a link to an app from a website then being redirected to the app store for the download. This vulnerability prays on this as some users wouldn’t notice they aren’t being redirected to the App Store for the download.

The attack works by downloading the fake app over the top of your legitimate app you already have, or if a new app just installing. This makes detecting it is installed virtually undetectable.

Masque Attack - Demo

So what does it do?

Once it is installed, you apps still work as normal, but your device is feeding information back to the hacker. Your text messages are relayed back to them, copies of your emails and other sensitive data. Scarily it is very easy to do. Any one can download the code, send it on to someone and start receiving data.

Security measures

Apple make it’s devices to be very locked down, you can only install apps from the app store, they don’t like random downloads for good reason. This is a vulnerability that needs to be plugged. But in the main they are very safe devices. They don’t have the freedom you have with an android device but they are very secure.

Jailbreaking an iPhone/iPad, etc seems like a great idea as it gives so much more freedom but can also cause so many security issues like the above mentioned.

Top Tip

So our top tip is if you receive a text, email, visit a blog no matter if it’s from a trusted source or not don’t download it. Trusted sources can get compromised too. Instead take not of the app name they are recommending, open up the App Store, search for the app and download it. That way you will be safe in the knowledge it is genuine.


If you would like to discuss iPad’s or IT Security in education or any other ICT requirements then please contact Kyle or Gary via, call us on 0161 850 1117 or message us via Facebook or Twitter

Tags: , ,

No comments yet.

Leave a Reply