Apple has published a new knowledge base document on enterprise application installation in response to the ‘Masque Attack’ vulnerability.
The Masque attack makes use of iOS enterprise provisioning profiles to install malicious apps outside of the iOS App Store that emulate and replace existing legitimate apps, so that they can capture sensitive information as the user enters it, including email addresses, phone numbers, passwords and more.
If you install custom apps created for your organization, then here are some of the security guidelines provided by Apple to avoid vulnerabilities like ‘Masque Attack’:
If you install custom Enterprise Apps
- You should install enterprise apps from your company’s secure website. You should avoid installing apps from third-party websites or links you don’t recognize or trust.
- When you tap on a link to download a custom enterprise app from your company’s website, you should get a popup message that informs you that “yourorganization.com” would like to install an app, as you can see in the image below.
- If you download an app and see an alert asking whether you want to run apps from an “Untrusted App Developer,” then tap Don’t Trust and delete the app from your device.
If you don’t install custom Enterprise Apps
If you don’t install custom enterprise apps, then you should only install apps from the App Store.
To find out if you’ve fallen victim to the Masque attack, you can check Settings > General > Profiles to see the profiles that were used to install non-App Store apps. If you see a profile for an untrusted developer, then delete it.
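For organizations that collect provisioning profiles from devices or an MDM, here is an added Python triage script (not Apple’s or this post’s code) that reads the plist embedded in a .mobileprovision file and reports whether it is an enterprise (in-house) profile from a team you do not recognize. The sample profile bytes, team identifier and names are constructed for the example; the plist keys assumed are those of the standard .mobileprovision layout.

```python
import plistlib
import re
from datetime import datetime, timezone

# Constructed sample of the XML plist inside a .mobileprovision file; the bytes
# around it stand in for the CMS signature wrapper. All values are made up.
SAMPLE_ENTERPRISE_PROFILE = b"\x30\x82\x04junk" + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>TeamName</key><string>Example Corp</string>
  <key>TeamIdentifier</key><array><string>EXAMPLE123</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2030-01-01T00:00:00Z</date>
  <key>Entitlements</key>
  <dict><key>application-identifier</key><string>EXAMPLE123.com.example.mail</string></dict>
</dict>
</plist>
""" + b"\x00trailing-signature-bytes"


def extract_plist(profile_bytes: bytes) -> dict:
    """Locate the embedded XML plist and parse it (the signature itself is not verified)."""
    match = re.search(rb"<\?xml.*?</plist>", profile_bytes, re.DOTALL)
    if match is None:
        raise ValueError("no embedded plist found in profile")
    return plistlib.loads(match.group(0))


def classify_profile(profile_bytes: bytes, trusted_teams=frozenset(), now=None) -> dict:
    """Say what kind of profile this is and whether it should be removed for review."""
    info = extract_plist(profile_bytes)
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)  # plist dates are naive UTC
    entitlements = info.get("Entitlements", {})
    if info.get("ProvisionsAllDevices"):
        kind = "enterprise"  # in-house distribution: installs on any device, no App Store review
    elif "ProvisionedDevices" in info:
        kind = "development" if entitlements.get("get-task-allow") else "adhoc"
    else:
        kind = "appstore"  # App Store distribution profiles list no devices
    trusted = bool(set(info.get("TeamIdentifier", [])) & set(trusted_teams))
    return {
        "kind": kind,
        "team": info.get("TeamName"),
        "app_id": entitlements.get("application-identifier"),
        "expired": info.get("ExpirationDate", now) < now,
        # an enterprise profile from a team you do not recognize is what the
        # Settings > General > Profiles check is meant to surface
        "remove": kind == "enterprise" and not trusted,
    }
```

Pass the team identifiers your organization actually signs with as `trusted_teams`; anything reported with `"remove": True` is a profile worth deleting from the device.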
Let me know if you have any questions.
[via Apple]