New iOS Vulnerability Allows Copy Cat Apps to Spy on Users

The iOS security breaches and vulnerabilities continue to mount. We repeatedly hear from severely misinformed people touting the security of iOS and how 2 factor authentication has put iOS on the same level as BlackBerry which is complete and utter nonsense.

Forbes ran an article today revealing a new and very scary vulnerability in iOS which can affect anyone from a general user to enterprise users discovered by security firm FireEye.

A potentially serious flaw in iOS that has been left open by Apple could be abused by rogue applications that mimic the operations of legitimate software to spy on users, according to security firm FireEye. The vulnerability resides in how iOS apps communicate with other applications using what’s known as a “URL scheme”.

To exploit the flaw, a hacker would have to create an enterprise-signed application, signing it with an official enterprise Apple ID, that mimicked another app’s URL scheme. They would then send a download link to their bad app to a target. When opened, there would be no warning from Apple, FireEye said. A smart hacker would simply create a similar app to ”hijack legitimate apps’ URL schemes and mimic their user interface to carry out phishing attacks, [such as] stealing the login credentials”, according to the security firm.

“Attackers can either publish an ‘aggressive’ app into the App Store, or craft and distribute an enterprise-signed/ad-hoc malware that registers app URL schemes identical to the ones of legitimate popular apps. Through this, attackers can mimic a legitimate app’s UI to carry out phishing attacks to steal login credentials or gather data intended to be shared between two trusted apps,” FireEye said in its blog.

The biggest thing about this is that it may be difficult for Apple to fix this issue as it is essentially a feature of their operating system.

Fixing this “URL scheme hijacking” might be difficult for Apple as it appears to be more of a feature than a bug, allowing apps to run the same protocols for communicating to one another, FireEye said in its blog post.

In typical Apple fashion, they have failed to respond to this and when they do, will likely blame users, enterprise, the media, twitter, you dog and anyone else they can find but will certainly not accept the fact that there is an issue.

So whether its 2 factor authentication, 10 factor authentication or whatever the case may be, the reality is iOS is inherently insecure not to mention outdated and stale. Do yourself a favor and grab a device with a fresh new OS that can handle more than one thing at a time and will not leak all your private data to anyone who decided they should have it.