New type of phishing attack unknowingly makes you reveal your Apple ID password
The two screenshots above look exactly the same don’t they? One’s actually a demonstration of a phishing popup proof of concept by mobile app developer Felix Krause. As detailed in his blog, iOS asks you for your iTunes password for many reasons, mostly during iOS system updates, or when apps get stuck during installation.
The popups are not only shown during the lock screen, but also inside apps like iCloud, GameCenter, or when games ask for in-app purchases for example. As such, most of us simply fill in the necessary when prompted. However, Krause warns against doing so as any developer can simply use the UIAlertController class to create a system dialog prompting you to enter the necessary details.
Some useful tips to protect yourself
Because it uses system functions to create the dialog prompt, this particular form of attack is especially hard to detect.
As such, Krause has the following tips you can use to protect yourself.
1. Hit the home button, and see if the app quits:-
- If it closes the app, and with it the dialog box, then this was a phishing attack.
- If the dialog box and the app are still visible, then it’s a system dialog. The reason being that the system initiated dialog boxes run on a different process, and not as part of any iOS app.
2. Don’t enter your credentials into a popup. Instead, dismiss it, and open the Settings app manually. This is the same concept as not clicking on links in emails (especially from sources you're not aware of), but instead launching the website manually in a browser app.
3. If you hit the Cancel button on a dialog box, the app still gets access to the content of the password field! Even after entering the first few characters, the app probably already has your password.
A call to app developers to take action
Krause also proposes the following changes developers could make to their apps to offer better protection:-
- When asking for the user's Apple ID, instead of asking for the password directly, ask them to open the settings app.
- Stop constantly asking users for their credentials.
- Dialog boxes from apps could contain the app icon on the top right of the dialog, to indicate that the app is responsible for the dialog and not the system, just like with push notifications. This way, apps won’t be able to just send push notifications as the iTunes app.
Here are some web links from Apple for other steps you can take to secure your devices:-
- Security and your Apple ID - Apple Support
- Privacy - Manage Your Privacy – Apple
- Avoid phishing emails, fake virus alerts, phony support calls, and other scams.