Cybercriminals have a surefire way to steal Apple ID credentials: Just ask users to provide them.
A blog post by software engineer and fastlane founder Felix Krause reveals that it's dead simple to spoof iOS popups that ask for Apple ID passwords. What makes it worse, Krause said, is that we're trained to put in passwords for a variety of reasons in a variety of apps.
The average user won't question the legitimacy of an Apple ID password request, which makes the spoof a very dangerous form of phishing. All an app needs to do is show a UIAlertController popup—an incredibly common part of an app.
A tricky, but not foolproof, exploit
Krause said he was able to add fake dialog windows to an app with less than 30 lines of code, which he says are "literally the examples provided in the Apple docs, with a custom text."
Add to that the mindlessness with which the average iOS user (myself included) enters passwords whenever prompted and you have a serious problem on your hands. One that Krause believes has been around since roughly the time of iOS 4 or 5.
SEE: How to build a successful career in cybersecurity (free PDF) (TechRepublic)
As impossible as it may be for a user to tell the difference between a fake and legitimate dialog window there are still things that iOS users can do to protect themselves.
- If you get a popup asking for a password inside an app, hit the home button. If you can quit back to the home screen it's not a legitimate request. Real system dialogs that ask for passwords are run as a separate process and can't be quit in that fashion.
- Treat password requests inside apps like you would a link in an email—don't use it. Instead, open the Settings app and put the password in there, similar to going directly to a website that wants you to verify your information.
- Don't type anything into a password-requesting popup. Even if you press the cancel button the information has already been captured.
I know I'll be tapping home from now on whenever an app asks me to put in a password.
What iOS devs need to consider
Krause points out that phishing inside of mobile apps is relatively new, and thus there's not a lot of protections in place to stop it from happening. It's important for developers to engender trust in their users, which he says they can do by considering two things.
SEE: The Complete iOS 11 Developer Course (TechRepublic Academy)
First off, do you need to be asking users for passwords inside your app? You don't necessarily need to, and should instead ask them to open the Settings app and enter it there.
Second, your app shouldn't be constantly asking users for their credentials. Get to the root of the problem and fix it instead of shifting responsibility to users.
Krause also says that Apple should add a feature that places the app icon in the popup window so it becomes clear what is requesting the password. If it's Settings it's legitimate. If it's anything else is should raise suspicions.
It's not known if this exploit is alive in the wild, but it should give iOS users pause regardless. Putting passwords into popups is something we do every day, and now we have to think about their legitimacy.
It's just one more thing to worry about in an ever-shrinking bubble of cyber surety.
The top three takeaways for TechRepublic readers:
- A recently revealed iOS flaw could allow hackers to steal Apple ID passwords using fake, but completely real looking, popups inside of apps.
- The popups perfectly mimic password requests that come from the iOS Settings app. Users can determine if one is fake by pressing the home button. If the app quits to the home screen the popup isn't coming from iOS—it's coming from an app and is likely a phishing attempt.
- Developers should work to remove repeat popup password requests from their apps. Instead, direct users to the Settings app to resolve the issue.
- iOS and Android security: A timeline of the highlights and the lowlights (TechRepublic)
- iOS 11's most underrated security feature? A password manager (ZDNET)
- Hacker claims to have decrypted Apple's Secure Enclave, destroying key piece of iOS mobile security (TechRepublic)
- New to iOS 11? Change these privacy and security settings right now (ZDNET)
- Hiring kit: IOS developer (Tech Pro Research)
Brandon Vigliarolo has nothing to disclose. He does not hold investments in the technology companies he covers.
Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.