Researchers Reveal More Details of iOS Masque Attacks

Researchers at FireEye revealed more information about how attackers can compromise iOS devices. 

Last year, FireEye reported a flaw in iOS that can be exploited in what the firm dubbed the ‘Masque Attack’. In the attack, researchers showed it was possible for hackers to replace legitimate iOS apps with malicious ones delivered via SMS, email or web browsing. In total, the firm notified Apple about five security issues related to four kinds of Masque Attacks. The researchers have now disclosed more of the details of how attackers could pull off the attack.

According to FireEye, an attacker could combine a bypass of the iOS trust prompt with iOS URL scheme hijacking as part of the attack. While the trust prompt bypass was fixed in iOS 8.1.3, the URL scheme hijacking issue remains present.

“By deliberately defining the same URL schemes used by other apps, a malicious app can still hijack the communications towards those apps and mount phishing attacks to steal login credentials,” FireEye researchers Hui Xue, Song Jin, Tao Wei, Yulong Zhang and Zhaofeng Chen noted in a joint blog post. “Even worse than the first Masque Attack, attackers might be able to conduct Masque Attack II through an app in the App Store.”

When the user clicks to open an enterprise-signed app for the first time, iOS asks whether the user trusts the signing party, the researchers explained.

“We find that when calling an iOS URL scheme, iOS launches the enterprise-signed app registered to handle the URL scheme without prompting for trust,” the researchers blogged. “It doesn’t matter whether the user has launched that enterprise-signed app before. Even if the user has always clicked ‘Don’t Trust’, iOS still launches that enterprise-signed app directly upon calling its URL scheme. In other words, when the user clicks on a link in SMS, iOS Mail or Google Inbox, iOS launches the target enterprise-signed app without asking for the user’s ‘Trust’ or even ignores the user’s ‘Don’t Trust’. An attacker can leverage this issue to launch an app containing a Masque Attack.”

By creating and distributing enterprise-signed malware that registers app URL schemes identical to the ones used by popular, legitimate apps, an attacker can hijack the legitimate apps’ URL schemes and mimic their user interface to carry out phishing attacks or other malicious activities, the researchers noted.

According to FireEye, the mechanism of URL scheme handling allows apps from different developers to share the same URL schemes. However, it also means attackers can either publish an “aggressive app” into the App Store, or use enterprise-signed/ad hoc malware that registers app URL schemes identical to those of legitimate apps. By doing so, attackers can mimic a legitimate app’s user interface and carry out login credential theft or steal data meant to be shared between two trusted applications.

“On iOS App Store, the two apps ‘BASCOM Anywhere Filter Browser’ and ‘Chrome – web browser by Google’ both registered the URL schemes ‘googlechrome://’ and ‘googlechromes://’,” the researchers blogged. “With both apps installed, an iOS 8.1.3 device launches ‘BASCOM Anywhere Filter Browser’ instead of Google’s Chrome browser when the user clicks on a link shown in Safari browser which uses the scheme ‘googlechrome://’ or ‘googlechromes://’. We’ve also seen 28 App Store apps all registering the URL scheme ‘fb://’, which is one of the URL schemes registered by the Facebook app. 16 of these 28 apps are not from Facebook. At least 8048 App Store apps register the same URL scheme ‘fb118493188254996’ and many of these apps are from different developers.”
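The collision FireEye describes exists because each app declares its custom URL schemes in its own Info.plist (the CFBundleURLTypes array, each entry carrying a CFBundleURLSchemes list) and iOS does not require a scheme to be unique across developers. The check below is an added example, not FireEye's tooling or any Apple-supplied API: it parses a set of Info.plist files with the standard plistlib module, lists every scheme each app claims, and reports schemes claimed by more than one bundle, then narrows that to the schemes of one trusted app that another app could intercept. The three plists and the com.example.* bundle identifiers are constructed for the example and do not correspond to real apps.

```python
"""Find iOS URL scheme collisions across a set of Info.plist files.

Added example (not code from FireEye or Apple). The plists below are
constructed sample data; real Info.plist files extracted from IPAs (or read
from an app bundle on disk) can be passed in the same way.
"""

import plistlib
from collections import defaultdict

# Constructed Info.plist contents for three hypothetical apps. The second
# app deliberately claims the first app's scheme, in mixed case, to show
# the normalisation below.
SAMPLE_PLISTS = {
    "com.example.chat": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.chat</string>
  <key>CFBundleURLTypes</key><array><dict>
    <key>CFBundleURLName</key><string>com.example.chat</string>
    <key>CFBundleURLSchemes</key>
    <array><string>examplechat</string><string>examplechat-auth</string></array>
  </dict></array>
</dict></plist>""",
    "com.example.impostor": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.impostor</string>
  <key>CFBundleURLTypes</key><array><dict>
    <key>CFBundleURLSchemes</key>
    <array><string>ExampleChat</string><string>impostor</string></array>
  </dict></array>
</dict></plist>""",
    "com.example.notes": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.notes</string>
  <key>CFBundleURLTypes</key><array><dict>
    <key>CFBundleURLSchemes</key><array><string>examplenotes</string></array>
  </dict></array>
</dict></plist>""",
}


def url_schemes(plist_bytes):
    """Return (bundle_id, set of schemes) declared in one Info.plist.

    Schemes are lower-cased: URL schemes are case-insensitive (RFC 3986),
    so 'ExampleChat' and 'examplechat' refer to the same handler slot.
    """
    info = plistlib.loads(plist_bytes)
    bundle_id = info.get("CFBundleIdentifier", "<unknown>")
    schemes = set()
    for url_type in info.get("CFBundleURLTypes", []):
        for scheme in url_type.get("CFBundleURLSchemes", []):
            schemes.add(scheme.lower())
    return bundle_id, schemes


def scheme_collisions(plists):
    """Map each scheme to the sorted bundle IDs claiming it, keeping only
    schemes claimed by more than one app."""
    claims = defaultdict(set)
    for data in plists:
        bundle_id, schemes = url_schemes(data)
        for scheme in schemes:
            claims[scheme].add(bundle_id)
    return {s: sorted(ids) for s, ids in claims.items() if len(ids) > 1}


def hijack_candidates(plists, trusted_owner):
    """Schemes that `trusted_owner` registers and some other app also
    registers: a link using one of them may open the other app instead."""
    return {
        s: [b for b in ids if b != trusted_owner]
        for s, ids in scheme_collisions(plists).items()
        if trusted_owner in ids
    }


if __name__ == "__main__":
    for scheme, owners in scheme_collisions(SAMPLE_PLISTS.values()).items():
        print(f"{scheme}:// claimed by {', '.join(owners)}")
    for scheme, others in hijack_candidates(SAMPLE_PLISTS.values(),
                                            "com.example.chat").items():
        print(f"com.example.chat scheme {scheme}:// can be taken over by "
              f"{', '.join(others)}")
```

Run against plists pulled from the apps actually installed on a managed fleet, the collision list is the set of links (in SMS, mail or web pages) whose destination app is not determined by the sender; which app iOS actually picks when several claim a scheme is not specified, which is exactly the ambiguity the researchers observed with the Chrome schemes.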

App stores, whether from Apple, Google, or Amazon, are quickly becoming platforms unto themselves, and that makes them viable targets for attack, noted Tim Erlin, director of IT security and risk strategy at Tripwire.

“This attack leverages a point of trusted interaction that Apple seems to have missed, or assessed incorrectly,” he said. “It’s nearly guaranteed that there are more of these points to exploit. We should expect to see follow-on efforts from attackers and researchers against Apple and others.”
