It’s surprisingly easy for someone to steal your iOS passwords; one simply has to ask nicely.
App developer Felix Krause pointed out this design flaw in Apple’s iOS 11. He noted that any developer with malicious intent can incorporate a dialog box that mimics iOS’ password prompt.
Apple iOS asks for your iTunes account password for various reasons, be it OS updates, for purchases, changing your device pin, etc. As Krause notes, these pop-ups are common enough that we’ve been conditioned to simply enter our passwords whenever we see an official enough looking prompt.
As Krause demonstrates, however, mimicking this prompt is easy. He also notes that any developer can add such a prompt with just 30 lines of code. To make matters worse, some system prompts don’t even display the username or userID, making such a phishing attack even easier to implement.
For most users, it’s impossible to differentiate between system dialogs and the phishing prompt.
To protect yourself from such attacks, Krause suggests that you hit the Home button when the prompt pops up. If the app and dialog close, you were being phished. If the dialog and app are still visible, it’s a system dialog. He also adds that any data in the text field of the fake password prompt can be harvested even if you hit cancel.
To fix the issue, Krause suggests that Apple not ask users for their credentials so often to begin with and that users not be asked directly for their password. He also thinks that Apple should have some sort of prompt or indicate when a dialog is a system-generated one and when it is an app-generated one.
Even if you have two-factor authentication (2FA), what’s to stop an app developer from asking for your 2FA key as well?
Krause’ app was just a proof-of-concept, and Apple does have security protocols in place to weed out malicious apps. However, no security system is perfect and even Apple’s walled garden has been breached in the past.