By John Gruber

• Archive
• The Talk Show
• Dithering
• Projects
• Contact
• Colophon
• Feeds / Social
• Sponsorship

Linked List: October 10, 2017

Tuesday, 10 October 2017

iOS Is Ripe for Phishing Password Prompts ★

Felix Krause:

iOS asks the user for their iTunes password for many reasons, the most common ones are recently installed iOS operating system updates, or iOS apps that are stuck during installation.

As a result, users are trained to just enter their Apple ID password whenever iOS prompts you to do so. However, those popups are not only shown on the lock screen, and the home screen, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases.

This could easily be abused by any app, just by showing an UIAlertController, that looks exactly like the system dialog.

Even users who know a lot about technology have a hard time detecting that those alerts are phishing attacks.

I’ve been thinking about this for years, and have been somewhat surprised this hasn’t become a problem. It’s a tricky problem to solve, though. How can the system show a password prompt that can’t be replicated by phishers? The best idea I’ve seen is for these system-level prompts to only appear in the Settings app. When the system needs your iCloud or iTunes password while you’re in any other app, that prompt would take you to Settings, where you’d then be prompted for the password. That’s not great, though, because it makes entering your password far more cumbersome. And how would you get back to the original app after entering your password?

Krause suggests one way to protect yourself if you suspect a password prompt might be a phishing attempt: press the home button. If it’s a phishing scam, the dialog box will disappear when you go back to the home screen, because it’s part of the app you’re using. If it’s a real system-level prompt, the alert will still be there.

Windows Mobile Effectively Put on End-of-Life ★

Zac Bowden, writing for Windows Central:

Microsoft’s Corporate Vice President for Windows, Joe Belfiore, has today clarified the company’s stance with Windows 10 Mobile and what it’s currently doing in the mobile space. In a series of tweets on Twitter, Belfiore states that as an individual end-user, he has switched to Android, and that Windows 10 Mobile is no longer a focus for Microsoft.

Belfiore confirms what we have been reporting in the past; that from here on out, Microsoft will continue to service Windows 10 Mobile with bug fixes and security patches, mainly for the enterprise market who adopted Windows 10 Mobile for work. Microsoft is not planning to bring any new consumer-facing features to Windows 10 Mobile, nor is it planning to release any new hardware.

The end is always ignominious, but especially so for a company as mighty and proud as Microsoft. But they’re doing the right thing: it’s time to move on.

Twitterrific for Mac Returns ★

After a successful Kickstarter campaign to bring back Twitterrific for Mac, The Iconfactory has done it. Beautiful, thoughtful, and thoroughly modernized. There is no other Twitter client organized like Twitterrific. The golden age from Twitter’s early years is over, but it’s good to see that Twitter clients are still a UI design playground.

WSJ: ‘Apple Strikes Deal With Spielberg’s Amblin for “Amazing Stories” Reboot’ ★

I said on my podcast a few episodes ago that we shouldn’t judge the future potential of Apple’s original content based on Planet of the Apps or Carpool Karaoke. Those shows are Apple dipping its toes in the water. This is diving in head first.

I absolutely loved Amazing Stories as a kid — one of my very favorite shows from the ’80s. I expect nothing short of greatness from a reboot.

(Here’s a t.co link that should get you through the Journal’s paywall.)