iOS Is Ripe for Phishing Password Prompts

Felix Krause:

iOS asks the user for their iTunes password for many reasons; the most common ones are recently installed iOS operating system updates, or iOS apps that are stuck during installation.

As a result, users are trained to just enter their Apple ID password whenever iOS prompts you to do so. However, those popups are not only shown on the lock screen and the home screen, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App Purchases.

This could easily be abused by any app, just by showing a UIAlertController that looks exactly like the system dialog.

Even users who know a lot about technology have a hard time detecting that those alerts are phishing attacks.
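To make concrete how little the attack requires, here is an added illustration in Swift; it is not code from Krause's post, only a reconstruction of the kind of alert the text describes. It uses nothing but the public UIAlertController API: a title and message copied from the wording of the genuine prompt, a secure text field, and Cancel/Sign In buttons. The title, message and the "Sign In" label are assumptions about the wording the genuine dialog uses; the handler that receives the password is a stand-in for wherever a malicious app would send it.

```swift
import UIKit

// Added example: builds an alert that mimics the system Apple ID / iTunes
// password prompt using only public UIKit API. This is the mechanism the
// post warns about; no private API or special entitlement is involved.
// The title, message and button wording here are assumptions about the
// genuine prompt's text, not copied from Apple's UI.
func makeLookalikeAppleIDPrompt(onSubmit: @escaping (String) -> Void) -> UIAlertController {
    let alert = UIAlertController(
        title: "Sign In to iTunes Store",
        message: "Enter the password for your Apple ID.",
        preferredStyle: .alert
    )

    // A single secure text field, exactly like the real prompt's password field.
    alert.addTextField { field in
        field.placeholder = "Password"
        field.isSecureTextEntry = true
    }

    alert.addAction(UIAlertAction(title: "Cancel", style: .cancel, handler: nil))

    // "Sign In" hands whatever was typed to the app's own code. A phishing app
    // would exfiltrate it here; a benign demo just passes it to a callback.
    alert.addAction(UIAlertAction(title: "Sign In", style: .default) { _ in
        let typed = alert.textFields?.first?.text ?? ""
        onSubmit(typed)
    })

    return alert
}

// Usage from any view controller in the app (hypothetical call site):
//
//   let prompt = makeLookalikeAppleIDPrompt { password in
//       // A malicious app would send `password` to its own server here.
//       print("captured \(password.count) characters")
//   }
//   present(prompt, animated: true)
```

Because the alert is an ordinary view presented by the app, it shares the app's fate: leaving the app (the home-button check Krause recommends) dismisses it along with everything else the app has on screen, whereas a genuine system prompt is not owned by the app and survives that transition. That difference is the only reliable signal a user has, since the pixels themselves are identical.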

I’ve been thinking about this for years, and have been somewhat surprised this hasn’t become a problem. It’s a tricky problem to solve, though. How can the system show a password prompt that can’t be replicated by phishers? The best idea I’ve seen is for these system-level prompts to only appear in the Settings app. When the system needs your iCloud or iTunes password while you’re in any other app, that prompt would take you to Settings, where you’d then be prompted for the password. That’s not great, though, because it makes entering your password far more cumbersome. And how would you get back to the original app after entering your password?

Krause suggests one way to protect yourself if you suspect a password prompt might be a phishing attempt: press the home button. If it’s a phishing scam, the dialog box will disappear when you go back to the home screen, because it’s part of the app you’re using. If it’s a real system-level prompt, the alert will still be there.

Tuesday, 10 October 2017