By asking iOS users to enter their Apple ID password intermittently and regardless of context, Apple has laid the groundwork for phishers to go after these sought-after login credentials.
Where’s the problem?
“iOS asks the user for their iTunes password for many reasons; the most common ones are recently installed iOS operating system updates, or iOS apps that are stuck during installation. As a result, users are trained to just enter their Apple ID password whenever iOS prompts you to do so,” developer Felix Krause says.
“However, those popups are not only shown on the lock screen and the home screen, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App Purchases. This could easily be abused by any app, just by showing a UIAlertController that looks exactly like the system dialog,” he claims.
Even though Apple has used this same approach for years, and even though he knows of no attacks that have used this technique, Krause believes phishing from within mobile apps could easily become common.
That’s why he created PoC code to prove his point, and submitted a bug report to Apple (a copy can be viewed on Open Radar).
“Showing a dialog that looks just like a system popup is super easy; there is no magic or secret code involved, it’s literally the examples provided in the Apple docs, with a custom text. I decided not to open source the actual popup code; however, note that it’s less than 30 lines of code and every iOS engineer will be able to quickly build their own phishing code,” he says.
And while he admits that Apple has been doing a good job of keeping malicious apps out of the official App Store, he says it would be easy for would-be phishers to bypass the store’s review by enabling the fake prompt only after the app has been approved by the company.
Sooner or later Apple would discover the offending app, pull it, and block the phisher’s developer account, but perhaps not before a considerable number of users were tricked into sharing their Apple ID password.
Potential solutions and protections
Krause would like to see Apple do something about this, and counsels either fixing the root of the problem (users being constantly asked for their credentials) or asking them to enter the password in the Settings app instead of directly into the pop-up (as seen in the image below):
“[Phishing on mobile] will become more and more relevant, with users being uninformed, and the mobile operating systems not yet clearly separating system UI and app UI,” he says. “iOS should very clearly distinguish between system UI and app UI elements, so that ideally it’s even obvious for the average smartphone user that something seems off.”
In the meantime, users can check whether a password prompt comes from iOS or from the open app by pressing the Home button. If doing so closes both the app AND the pop-up, the prompt belonged to the app, and they can be sure it was a phishing attempt by the app’s developer; a genuine system prompt survives the Home button press.
Another way to make sure that you don’t get fooled is to dismiss the pop-up, go to the Settings app, and enter the password there. “This is the same concept, like you should never click on links in emails, but instead open the website manually,” Krause noted.