Apparently, it's the season for novel iOS security exploits. Researchers at FireEye say they'vediscovered a vulnerability, nicknamed "Masque Attack," that lets malicious websites replace legitimate apps with malware. If ne'er-do-wells have an enterprise developer account or your device's universal device identifier, they can send you a request to install new software outside of the App Store. Since iOS doesn't double-check that the security certificates match when the app bundle IDs are the same, it lets the rogue code overwrite the real deal and swipe data (including from the original app). FireEye says it notified Apple about the exploit in July, but the technique still works the iOS 8.1.1 beta.

http://www.engadget.com/2014/11/11/m...k-ios-exploit/