The Masque Attack iOS Security Flaw: Latest Details and Staying Safe
Alex Lloyd December 9, 2014

The threat of a Masque Attack has made big headlines in recent weeks, warning iOS users of this potentially dangerous security flaw. While this type of attack does have the potential to compromise a user’s data, it’s not as malicious or as pressing a concern as it may seem.

The key to avoiding a Masque Attack is as simple as understanding how it works and taking common sense precautions to protect yourself.

What is the Masque Attack?

At first glance, the headlines about a Masque Attack security flaw are alarming. However, it’s important to understand that a Masque Attack is just a particular way that a hacker may target you and access your data.

A security firm gave this type of attack its catchy name, but the idea behind it is not new. A Masque Attack is simply a certain approach for hacking into an iPhone in which a developer creates an application that mimics an existing piece of software.

For example, an application that looks and acts like Gmail but is not actually Gmail could collect the user’s private data without the user realizing that anything is amiss. The app could prompt the user to enter login data on a fake page, or ask for other personal details that users might give up willingly if they believed the app to be a well-known program they use often.

How it Works

The security flaw that would allow a Masque Attack to work is a bit of iOS programming that enforces matching certification on apps with the same bundle identifier. This feature, which is handy for updating an app with a newer version, could replace a legitimate application with the false Masque Attack version, provided both have identical bundle identifiers.

While this can be seen as a minor security flaw, a recent article by iMore highlights the fact that it is neither a flaw nor a bug. It is simply the way this operating system works. Because the system is designed this way, it is also designed with appropriate security measures to thwart most Masque Attacks.

Apple commented in a statement to the Telegraph, “We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software.”

In order for a Masque Attack to work, the user must install an app from a source other than the official App Store. After willingly installing said app, the user must also tap “Trust” on the warning dialog that pops up. Understanding the possible dangers of these two actions will go a long way toward protecting users from such an attack.

What the Masque Attack is Not

A Masque Attack is not something that can attack users completely unaware. If you haven’t installed new apps on your phone, you can’t succumb to this attack. If you install apps exclusively from the Apple App Store, you’re also safe. Unlike some security threats, where technology can become infected with little participation from the user, this type of attack is something that will only impact you if you’re not careful about what you download and where you get it.

Known Attacks

The most important thing to know about the Masque Attack is that it is only theoretical at this point. Though some companies detected and highlighted the potential for this type of attack, Apple issued a statement saying, “We’re not aware of any customers that have actually been affected by this attack.” Despite the hype about this new iOS security weakness, the Masque Attack isn’t something that’s actually occurred, so the potential threat is much smaller than what some users perceive.

As with so many security threats, understanding that this flaw exists gives users a huge edge in protecting themselves and avoiding it. Keeping your iPhone safe is as easy as following a few common sense steps.

Protecting Yourself

If you’re concerned about the potential threat of a Masque Attack, the most important thing to do is educate yourself about the applications that you download. Sticking to apps from the App Store will keep you safe. If you download apps from a third party, you’re always opening yourself up to the potential for a security threat.

iOS will display an “Untrusted App Developer” alert for apps that are not from the App Store. Pay attention to alerts like this on your phone and you can easily stay away from potentially threatening apps. Even if you download an app that’s intended for use as a Masque Attack, you still have to trust that app before it can begin collecting your data.

If you download an update to a known app and suddenly see the Untrusted App Developer warning when you open the app, you should click “Don’t Trust” and delete the app immediately. This is a huge warning sign that the app you downloaded is not authentic and may compromise your privacy and security.
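On managed devices, the same warning sign (a known app that suddenly comes from a different developer, as described here and under "How it Works") can be checked in bulk. The Python example below is an added illustration, not code from the original post: it compares two app-inventory snapshots of one device and flags any bundle identifier whose signer or install source changed. The record fields (bundle_id, team_id, source) and all sample values are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AppRecord:
    bundle_id: str  # app's bundle identifier
    team_id: str    # signing team (hypothetical inventory field)
    source: str     # "app_store", "enterprise" or "ad_hoc" (hypothetical)

def audit(before, after):
    """Diff two inventory snapshots of one device.

    Returns (severity, bundle_id, reason) tuples, sorted by bundle_id.
    """
    old = {rec.bundle_id: rec for rec in before}
    findings = []
    for rec in sorted(after, key=lambda r: r.bundle_id):
        prev = old.get(rec.bundle_id)
        if prev is None:
            # New bundle identifier: only sideloaded installs need a look.
            if rec.source != "app_store":
                findings.append(("review", rec.bundle_id,
                                 "new app installed outside the App Store"))
        elif rec.team_id != prev.team_id:
            # Same bundle identifier, different signer: the app was replaced.
            findings.append(("high", rec.bundle_id,
                             f"signer changed {prev.team_id} -> {rec.team_id}"))
        elif prev.source == "app_store" and rec.source != "app_store":
            findings.append(("high", rec.bundle_id,
                             "App Store build replaced by a sideloaded build"))
    return findings

# Constructed sample snapshots; all identifiers are made up.
BEFORE = [
    AppRecord("com.example.mail", "TEAM_VENDOR_A", "app_store"),
    AppRecord("com.example.notes", "TEAM_VENDOR_B", "app_store"),
    AppRecord("com.example.corp.portal", "TEAM_CORP", "enterprise"),
]
AFTER = [
    AppRecord("com.example.mail", "TEAM_UNKNOWN_X", "enterprise"),
    AppRecord("com.example.notes", "TEAM_VENDOR_B", "app_store"),
    AppRecord("com.example.corp.portal", "TEAM_CORP", "enterprise"),
    AppRecord("com.example.game", "TEAM_UNKNOWN_Y", "ad_hoc"),
]

if __name__ == "__main__":
    for severity, bundle_id, reason in audit(BEFORE, AFTER):
        print(f"[{severity}] {bundle_id}: {reason}")
```

The unchanged in-house app (com.example.corp.portal) produces no finding, so legitimate enterprise installs do not drown out the one bundle identifier whose signer changed.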

The most effective way for a Masque Attack to work is through an email link. When you click a link embedded in an email that prompts you to download an upgrade, you’re less likely to see where the application is coming from. It’s generally considered good practice to avoid clicking links in any email, particularly those from an unknown sender.

Downloading applications from an email link will make you more vulnerable to a Masque Attack. If you get a message alerting you to an upgrade, leave the email and download the upgrade through the App Store instead.

Though Apple contends that the Masque Attack is something that hasn’t yet happened, some companies claim that the attack is starting to circulate. Should hackers try to exploit this weakness, research done by security companies will give users a huge advantage against such attempts. Staying alert and aware is all it takes to keep yourself safe from this minor threat. Know your apps and stay mindful of your downloads, and you can easily keep your personal information safe from a Masque Attack.

About Alex Lloyd

Alex Lloyd heads AnchorFree's content department. Before joining the team, he was a professional race car driver, competing in the Indianapolis 500 four times, and has spent the past decade writing content for major publications such as Yahoo and CNN.
