This week Apple released the latest version of iOS for iPhone and iPad users – iOS 8.4 – introducing Apple Music.
But even if you’re not interested in Apple’s attempt to dislodge the likes of Spotify, security firm FireEye has given you another good reason to update your devices to iOS 8.4 – especially if you work for a company that uses its own in-house iOS apps.
In a blog post, security researchers provide details of new so-called Masque attacks, exploiting iOS’s failure to properly distinguish between apps with the same bundle identifier.
Full details can be found in the FireEye blog post, which also reveals a previously undisclosed code injection attack that could allow communications – including those over VPN – to be intercepted and hijacked.
Clearly any vulnerability which would lead to unauthorised monitoring of VPN traffic is very bad news indeed.
It’s important to emphasise that targeted iPhones and iPads do not have to be jailbroken to be at risk of having malware installed onto them.
Through social engineering, an attacker could trick users into installing a malicious app onto their iOS devices using the enterprise provisioning feature that Apple provides for companies that wish to roll out their own apps to staff.
The researchers believe that “around one third of iOS devices still have not updated to versions 8.1.3 or above, even 5 months after the release of 8.1.3, and these devices are still vulnerable to all the Masque Attacks.”
FireEye describes Apple’s update for some of the vulnerabilities it reported as only “partial”, but it still makes sense for users to update to iOS 8.4 at the earliest opportunity.
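
For administrators of company devices, the two checks this article implies can be run over a device inventory: which devices are below the iOS versions named above, and which installs reuse a known bundle identifier under an unexpected signer. This is an added example, not code from FireEye or Apple; the inventory layout, device names, bundle identifiers and signer IDs are constructed, and it assumes your inventory export records each app's signer.

```python
# Added example: fleet triage for the Masque Attack exposure described above.
# Thresholds come from the article; inventory rows and signer IDs are constructed.

def parse_version(text):
    """'8.4' -> (8, 4, 0), so versions compare correctly as tuples."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def triage_device(os_version):
    """Classify a device by the iOS versions named in the article."""
    v = parse_version(os_version)
    if v < parse_version("8.1.3"):
        return "exposed-to-all-masque-attacks"
    if v < parse_version("8.4"):
        return "update-to-8.4"
    return "current"

def find_bundle_id_conflicts(apps, expected_signers):
    """Flag installs whose bundle identifier matches a known app but whose
    signer differs (assumption: the inventory export includes the signer)."""
    return [
        (device, bundle_id, signer)
        for device, bundle_id, signer in apps
        if bundle_id in expected_signers and signer != expected_signers[bundle_id]
    ]

# Constructed sample data (hypothetical device names, bundle IDs and signers).
DEVICES = {"ipad-014": "8.1.2", "iphone-201": "8.3", "iphone-377": "8.4"}
EXPECTED_SIGNERS = {"com.example.corpmail": "TEAM-CORP-01"}
APPS = [
    ("iphone-201", "com.example.corpmail", "TEAM-CORP-01"),
    ("ipad-014", "com.example.corpmail", "TEAM-UNKNOWN-99"),
    ("iphone-377", "com.example.notes", "TEAM-OTHER-05"),
]

def report():
    """Return (per-device status, list of unexpected-signer installs)."""
    status = {name: triage_device(ver) for name, ver in DEVICES.items()}
    return status, find_bundle_id_conflicts(APPS, EXPECTED_SIGNERS)

if __name__ == "__main__":
    status, conflicts = report()
    for name, state in sorted(status.items()):
        print(name, state)
    for device, bundle_id, signer in conflicts:
        print("unexpected signer:", device, bundle_id, signer)
```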