Apple downplays risk of Masque Attack after U.S. government warning

Apple is downplaying a risk of a security bug in its mobile operating system for iPhones and iPads that the U.S. Department of Homeland Security warned users about yesterday.

The United States Computer Emergency Readiness Team, based at the Department of Homeland Security,issuedan alert Thursday about the Apple iOS "Masque Attack" technique, announced by the internet security firm FireEye in a blog post Nov. 10.

• Read the full alert from U.S.-CERT
• Apple iOS bug makes iPhones, iPads vulnerable to Masque Attack

FireEye said the technique allows hackers to replace one of the users' existing apps with malware, for example, replacing a user's banking and email apps with malware that sends banking and email data directly to the attackers. The company said recent Wirelurker attacks in China started to use a "limited form" of Masque Attacks to attack iOS devices via a USB connection.

• Apple devices hit by Wirelurkermalware in China

In an official statement emailed to CBC News on Friday, Apple said, "Were not aware of any customers that have actually been affected by this attack."

The company added,"We designed OS X and iOS with built-in security safeguards to help protect customers and warn them before installing potentially malicious software."

The statement came more than three days after CBC News sent Apple an emailrequest for comment about FireEye's blog post.

In response to the Apple statement, Vitor de Souza, vice-president of global communications for FireEye, confirmed that there is "no currently known exploit of the vulnerability in the wild" but noted that with most cyberattacks, the victim doesn't know they have been compromised.

"We are not saying that this is a widespread attack, but we believe consumers should be aware so they take the necessary precaution," he added in an email to CBC News on Friday.

But Chris Mills, a writer for the technology websiteGizmodo, wrote that he thinks the attack is "not anything to worry about."

"See, the 'attack' requires the user to first follow a dodgy-looking link, then click past an iOS pop-up warning people about downloading malicious apps. Not to mention, the hacker needs access to an iOS Developer Enterprise Program account," he wrote. "If we pretend that ignoring the built-in safeguards and then downloading dodgy apps is a security flaw, then every single major operating system, mobile or otherwise, has a security flaw."

However, users commenting on the article disagreed,

Apple recommended that in order to protect themselves:

• Customers should only download from "trusted sources like the App Store."
• Users should pay attention to warnings when they download apps.
• Enterprise users should install custom business app from their company's secure website.

FireEyesaidit notified Apple of the bug on July 26.