Apple Inc. might really be facing hard times these days. A few days ago Apple devices were reported to be vulnerable to the WireLurker malware. Now the latest vulnerability report published by FireEye on its blog has raised the temperature again. The security firm has disclosed a serious vulnerability in iOS. FireEye mobile security researchers found that an iOS app installed through any third-party provisioning can replace a genuine app installed through the App Store, as long as both apps use the same bundle identifier.

A bundle identifier is what lets iOS and OS X recognize updates to an app. A bundle ID must be registered with Apple and be unique to the app. Bundle IDs are app-type specific (either iOS or OS X); the same bundle ID cannot be used for both an iOS app and an OS X app.

The attacker's own app may lure the user with a catchy name and prompt the user to install it. Once installed, it replaces the genuine app and takes over the original app's cache, security tokens, login cookies and so on, because these items are not deleted from the device when the app is replaced. Any app on iOS can be replaced this way except the system apps. The researchers believe the vulnerability exists because Apple does not enforce matching certificates for apps with the same bundle identifier. The vulnerability was identified on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, on both jailbroken and non-jailbroken devices. An attacker can exploit it either over wireless networks or through USB.

FireEye reported this vulnerability to Apple on July 26. The recently discovered WireLurker malware, found by Claud Xiao of Palo Alto Networks, was using a limited form of the Masque Attack to infect iOS devices through USB. Masque Attacks are believed to pose a much bigger risk than WireLurker: using them, genuine banking apps can be replaced with malware over the Internet. An attacker can thus easily steal a user's banking or other personal credentials by replacing the authentic app with malware that presents the same interface. These credentials can be anything and everything that gives direct access to the user's bank accounts, social networking accounts, email accounts and so on.

The security impacts, as already noted, include:

- replacement of a genuine app
- theft of the user's login credentials
- cached data under the original app's directory is not removed and remains available to the replacement app
- mimicking the UI of the genuine app, fooling the user into submitting login credentials to the attacker
- taking possession of the data left under the app's folders and using it directly
- an MDM interface cannot distinguish the malware from the original app, as long as both use the same bundle identifier
- Masque Attacks can be escalated to bypass the normal app sandbox and then gain root privileges
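Because iOS matches apps by bundle identifier alone, an inventory or MDM tool has to compare the signing identity as well to tell the two apps apart. The following Python script is an added example (not FireEye's or Apple's code) that flags a bundle ID whose signer changed between two inventory snapshots; the record fields, team identifiers and bundle IDs are assumptions constructed for the example.

```python
"""Detect a Masque-style app replacement in an MDM app inventory.

Assumption (hypothetical fields): the MDM exports, per device, each
installed app's bundle identifier, the team identifier from its code
signature, and its distribution channel ("appstore" or "enterprise").
Matching on bundle_id alone, as iOS does, cannot tell the apps apart;
comparing team_id across two snapshots can.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class InstalledApp:
    bundle_id: str
    team_id: str    # signing certificate's team identifier (hypothetical field)
    channel: str    # "appstore" or "enterprise" (hypothetical field)


def find_masqueraded_apps(baseline, current):
    """Return (bundle_id, old_team, new_team, channel) for every app whose
    bundle ID was already present in `baseline` but is now signed by a
    different team in `current`. Newly installed apps are ignored."""
    known = {app.bundle_id: app for app in baseline}
    findings = []
    for app in current:
        prev = known.get(app.bundle_id)
        if prev is None:
            continue                        # new install, not a replacement
        if app.team_id != prev.team_id:     # same bundle ID, different signer
            findings.append((app.bundle_id, prev.team_id, app.team_id, app.channel))
    return findings


# Constructed sample inventories with fictitious bundle IDs and team IDs.
BASELINE = [
    InstalledApp("com.example.bank", "BANK1TEAMID", "appstore"),
    InstalledApp("com.example.mail", "MAIL1TEAMID", "appstore"),
]
CURRENT = [
    InstalledApp("com.example.bank", "EVIL1TEAMID", "enterprise"),  # replaced app
    InstalledApp("com.example.mail", "MAIL1TEAMID", "appstore"),    # unchanged
    InstalledApp("com.example.notes", "NOTE1TEAMID", "appstore"),   # new install
]

if __name__ == "__main__":
    for bundle_id, old, new, channel in find_masqueraded_apps(BASELINE, CURRENT):
        print(f"{bundle_id}: signer changed {old} -> {new} via {channel} distribution")
```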

The following is the example of the Masque Attack demonstrated by FireEye:

Protection measures recommended by the FireEye researchers include: