About Masque Attack in iOS.

PHUTHASONE
Community Member

I wonder what's going on about Masque Attack in iOS. Does it have any bad impact on my 1Password data?

Comments

  • Hi @PHUTHASONE

    I'll ask our security guru, @jpgoldberg, to comment on this for you. Thanks!

  • jpgoldberg
    1Password Alumni

    Hello @PHUTHASONE,

    The short answer is only install 1Password for iOS from the iTunes App Store.

    The longer answer is longer.

    Typically, you cannot install an app on your iOS device that doesn't come from Apple's App Store. The exceptions are if you jailbreak your device or if you install Enterprise apps through an enterprise Provisioning Profile. The Masque Attack assumes that you have already installed an Enterprise Provisioning Profile. An organization can provide these profiles to its members if it has the appropriate setup authorized by Apple.

    The purpose of an Enterprise Provisioning Profile is that the organization behind it can produce apps just for the members without making them fully public through the App Store. As I understand the bug, once this is enabled, certificate checking is disabled for all apps and not just the ones that come from the particular enterprise. This means that an existing app, such as 1Password, could be replaced by a counterfeit if one actually goes and tries to install that counterfeit.

    So for someone to fall victim to this, they would need both the right sort of Provisioning Profile installed and they need to get tricked into installing apps from bad sources (things other than the App Store or the provisioning enterprise's own "store").

    For this to affect 1Password, there would also need to be a malicious counterfeit.

    So if you aren't part of an organization that has "provisioned" your iOS device, then there is no way that this could affect you. If you do have such a provisioning profile, then be sure to only install apps from the App Store and the specific apps for your organization from their "store".

    I hope this helps.
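
For administrators who vet in-house apps, here is an added example (not part of the original thread and not 1Password's code) that classifies the provisioning profile embedded in an app package and flags enterprise profiles covering a bundle ID you want to protect. The sample profile, the team name and the bundle ID `com.example.vault` are constructed, and matching on bundle ID is an assumption the thread does not spell out.

```python
import fnmatch
import plistlib

def load_profile(blob: bytes) -> dict:
    """Extract the XML plist from a .mobileprovision blob (CMS wrapper is NOT verified)."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def classify(profile: dict) -> str:
    """Distribution type implied by the profile's device keys."""
    if profile.get("ProvisionsAllDevices") is True:
        return "enterprise"          # in-house: installs on any device
    if "ProvisionedDevices" in profile:
        debug = profile.get("Entitlements", {}).get("get-task-allow", False)
        return "development" if debug else "ad-hoc"
    return "app-store"

def review(profile: dict, watched_bundle_ids: list) -> list:
    """Findings for an IPA review: enterprise profiles that cover a watched bundle ID."""
    findings = []
    if classify(profile) != "enterprise":
        return findings
    findings.append(f"enterprise profile from team {profile.get('TeamName', '?')!r}")
    app_id = profile.get("Entitlements", {}).get("application-identifier", "")
    pattern = app_id.split(".", 1)[-1]   # drop the team prefix; may be a wildcard
    for bundle_id in watched_bundle_ids:
        if fnmatch.fnmatchcase(bundle_id, pattern):
            findings.append(f"covers watched bundle ID {bundle_id}")
    return findings

def sample_blob(app_id: str, **extra) -> bytes:
    """Constructed test input: a plist wrapped in stand-in bytes, not a real signed profile."""
    body = {"TeamName": "Example Corp", "Entitlements": {"application-identifier": app_id}}
    body.update(extra)
    return b"\x30\x80CMS" + plistlib.dumps(body) + b"\x00SIG"

if __name__ == "__main__":
    watched = ["com.example.vault"]      # hypothetical bundle ID of an App Store app
    inhouse = load_profile(sample_blob("ABCDE12345.com.example.vault", ProvisionsAllDevices=True))
    print(classify(inhouse), review(inhouse, watched))
```

On a Mac, `security cms -D -i embedded.mobileprovision` decodes and checks the real CMS wrapper; the byte search above only locates the plist inside it.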

  • PHUTHASONE
    Community Member

    Thank you very much for the answer. Very useful information.

  • Winnie
    1Password Alumni

    Glad @jpgoldberg could help :)

This discussion has been closed.