iOS apps dev explains that the Apple ID password can be stolen easily by any developer

- Adrian Ungureanu

It seems that iOS has more cracks than Apple wants us to believe. The first story that comes to mind is when the FBI asked Apple to unlock the iPhone 5C owned by the San Bernardino terrorist: the Cupertino-based company said it’s impossible to hack iOS, but the FBI did it anyway.

Now a fairly well-known app developer explains how easily iOS users can become victims of a phishing attack and lose their Apple ID password. And Apple is the one giving app developers the means to attack users: not by telling them how to do it, but because the vulnerability is there, created by Apple, and any developer can take advantage of it.

How, you might ask? According to Felix Krause, it’s incredibly easy for an iOS app maker to recreate the Apple ID password prompt. From there, the app could show that popup and log the Apple ID and password entered into it. It takes less than 30 lines of code and could seemingly be dropped into any legitimate iOS app and sneak past App Store review teams.

“Showing a dialog that looks just like a system popup is super easy, there is no magic or secret code involved, it’s literally the examples provided in the Apple docs, with a custom text. I decided not to open source the actual popup code, however, note that it’s less than 30 lines of code and every iOS engineer will be able to quickly build their own phishing code”, said Krause. He also posted images to illustrate that there’s no way you can tell the real from the fake.

Krause notes that he’s already filed this issue as a radar with Apple and explains that it could be fixed by Apple not allowing passwords to be entered in popups, but rather only in the Settings app/App Store.

Krause also offers some tips on how to protect against potential attacks:

- Hit the home button, and see if the app quits:
  – If it closes the app, and with it the dialog, then this was a phishing attack.
  – If the dialog and the app are still visible, then it’s a system dialog. The reason for that is that the system dialogs run on a different process, and not as part of any iOS app.
- Don’t enter your credentials into a popup. Instead, dismiss it, and open the Settings app manually. This is the same concept, like you should never click on links in emails, but instead open the website manually.
- If you hit the Cancel button on a dialog, the app still gets access to the content of the password field. Even after entering the first characters, the app probably already has your password.

I don’t remember any phishing attack on iOS using this method, but since Krause outlined it I would suggest being more careful. Usually when something like this is out, some will surely try to benefit from it. Sometimes, some things are better if they are not revealed.