iOS developer Felix Krause published a rather worrying blog post on Tuesday, detailing how easy it would be for an app to get Apple ID credentials from iPhone users, who would hand them over themselves without even knowing it.
If you are an iPhone user, chances are, you regularly get the pop-up asking you to provide your Apple ID password, and that, according to Krause, is why this phishing attack would work.
“iOS asks the user for their iTunes password for many reasons, the most common ones are recently installed iOS operating system updates, or iOS apps that are stuck during installation. As a result, users are trained to just enter their Apple ID password whenever iOS prompts you to do so. However, those popups are not only shown on the lock screen, and the home screen, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases,” Krause explains in his post.
How it would work
If an app was designed to phish your Apple ID credentials, all it would need to do is use “UIAlertController” to show you a fake dialog box. It could be made to look identical to the legitimate one, and if you are used to getting these prompts all the time, you would think nothing of it and simply type in your password.
The developer did not include the source code of the alert in his blog post but revealed that it was “shockingly easy to replicate the system dialog.”
The fake pop-up looks identical to the real one. Even the most security-cautious users would have a difficult time identifying the fake one at first glance. However, there are ways to tell whether you just got a real or a fake alert.
What to do to protect yourself from this type of phishing attack
The easiest way to tell whether you are being phished is to hit the ‘home’ button. Krause explains that if that closes both the app and the pop-up, it was a phishing attack.
“If the dialog and the app are still visible, then it’s a system dialog. The reason for that is that the system dialogs run on a different process, and not as part of any iOS app.”
He also suggests that users should not enter their passwords into the pop-up at all. Instead, they should open the Settings app manually and provide their credentials there.