Masque: The major security flaw that wasn’t

In the latest in a series of Apple security warnings, the US government warned iOS users not to install apps from anywhere but the App Store, unless they can vouch for the source.

Choose your masques

Strangely many reports into the so-called “Masque Attack” (as spotted by FireEye) seem to think that iOS device users purchasing apps from sources other than the App Store is Apple’s problem, rather than being a problem users bring upon themselves.

Certainly, if you happen to be a developer beta tester or work within an enterprise shop that distributes internal company apps you may be able to install software from sources other than the official channel, but otherwise you can’t — unless you jailbreak your phones.

The unlikelihood of the problem being a problem shouldn’t stand in the way of an anti-Apple salvo, of course, and even the US government got in on the act when it issued its Masque warning. (Perhaps Tim Cook has upset government security staff with his stance on privacy?)

Masters of the universe

This is what Apple says about Masque (as provided to iMore):

“We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software.

“We’re not aware of any customers that have actually been affected by this attack. We encourage customers to only download from trusted sources like the App Store and to pay attention to any warnings as they download apps. Enterprise users installing custom apps should install apps from their company’s secure website.”

Or in other words, “don’t install an app unless you know where it comes from.”

The best way those accustomed to downloading apps from third party sources can protect themselves is to remember never to download an app using a link sent in an email.

Brainbox pollution

You really have to want to install these apps. In order to be compromised by Masque you must download and install a subverted app from a source other than the App Store and then tap “Trust” when prompted to do so by your iOS device. Given that most iPhone users don’t do that then this threat is tiny and really only impacts those who get their apps from proprietary enterprise or jailbreaking app stores. This means most iOS device users needn’t worry too much about the problem — if however you are accustomed to grabbing apps from an enterprise or developer seed download link then try to follow this advice:

Always download apps from an authorized source;

If you distribute apps make it easy for users to verify their apps are genuine.

Spirit of the age

Enterprise security pros will want to take steps to educate their users about the vulnerability, given the complex multi-vector attacks used by some hackers to undermine protection. You see, combining data stolen from multiple users using multiple methods can give sophisticated hackers enough information to break into core systems, which means security pros must keep their workers actively aware of common sense steps to protect themselves.

In this case, that step is only as simple as to avoid clicking a download link in an email. Which doesn’t seem worthy of a government health warning, unless you happen to read your Assange.

The plain truth is that the Masque threat has been overrated, but that’s no excuse for complacency on any platform. Certainly as Apple becomes the go-to tech for enterprise mobility, it will become a more attractive target for such attempts.

Google+? If you use social media and happen to be a Google+ user, why not join AppleHolic’s Kool Aid Corner community and join the conversation as we pursue the spirit of the New Model Apple?

Got a story? Drop me a line via Twitter or in comments below and let me know. I’d like it if you chose to follow me on Twitter so I can let you know when fresh items are published here first on Computerworld.