iOS Vulnerability Means Copycat Apps Could Spy On iPhone Owners, Claims FireEye

This article is more than 9 years old.

A potentially serious flaw in iOS that has been left open by Apple could be abused by rogue applications that mimic the operations of legitimate software to spy on users, according to security firm FireEye. The vulnerability resides in how iOS apps communicate with other applications using what’s known as a “URL scheme”.

To exploit the flaw, a hacker would have to create an application that mimicked another app’s URL scheme and sign it with an official enterprise Apple ID. They would then send the target a download link to the malicious app. When the app was opened, there would be no warning from Apple, FireEye said. A smart hacker would simply create a similar app to "hijack legitimate apps’ URL schemes and mimic their user interface to carry out phishing attacks, [such as] stealing the login credentials", according to the security firm.

“Attackers can either publish an ‘aggressive’ app into the App Store, or craft and distribute an enterprise-signed/ad-hoc malware that registers app URL schemes identical to the ones of legitimate popular apps. Through this, attackers can mimic a legitimate app’s UI to carry out phishing attacks to steal login credentials or gather data intended to be shared between two trusted apps,” FireEye said in its blog.

The vulnerability is similar to one exploited by FireEye researchers in November, when they used a technique they called “Masque Attack”. In that attack, they took advantage of the fact that Apple didn’t enforce “matching certificates”, which are used to sign app updates and prove they came from a legitimate source, for software with the same “bundle identifier”. That identifier is used by iOS to recognize any updates to an app. The end result was that legitimate apps could be turned evil through updates using those identifiers.

Fixing this “URL scheme hijacking” might be difficult for Apple as it appears to be more of a feature than a bug, allowing apps to register the same protocols for communicating with one another, FireEye said in its blog post. “Apple may improve its architecture to collaborate with security vendors for a better enterprise-level security solution.”

Apple had not responded to a request for comment at the time of publication.