iOS Password Prompts are Ripe for Abuse

Apple’s password prompts for iOS devices are an easy target for phishing attacks to steal iTunes passwords and IDs.

Apple’s policy of repeatedly asking users for their iTunes password needlessly exposes iOS device owners to possible phishing attacks, according to mobile app developer Felix Krause.

Krause’s beef with Apple is that, too often and at seemingly random times, popups deliver a dialogue box for users to enter their Apple ID. The prompts have become so routine that users enter the personal data without considering that the popups could be malicious, he said.

“As a result, users are trained to just enter their Apple ID password whenever iOS prompts you to do so. However, those popups are not only shown on the lock screen, and the spring board, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases,” wrote Krause on Apple’s Open Radar community bug report posted Monday.

His premise is that repeated password requests could be abused by a rogue app developer who uses the “UIAlertController” prompt to display a dialog that looks exactly like Apple’s system popup requesting an Apple ID or password (see below).

“Even users who know a lot about technology, have a hard time detecting that those alerts are phishing attacks,” Krause said.

The app developer proposes several solutions. For example, when Apple requests an iTunes ID from the user, it should require the user to open the iOS Settings app to enter it. Another is to require app dialog boxes to carry a visual indicator alerting users that the app, and not the system, is asking for the credentials.

Krause also gripes on his personal blog that Apple should “fix the root of the problem” and that “users shouldn’t constantly be asked for their credentials.”

“Initially I thought, faking those alerts requires the app developer to know your email. Turns out, some of those auth popups don’t include the email address, making it even easier for phishing apps to ask for the password,” he said.

Krause said he is unaware of any instances where this dialogue box has been abused.

If Apple doesn’t take any action, Krause suggests that when users come across an iOS dialog box asking for credentials they should press the Home button. If the box closes, it is a phishing attack. “If the dialog and the app are still visible, then it’s a system dialog. The reason for that is that the system dialogs run on a different process, and not as part of any iOS app,” he wrote.

Another solution is to enable two-factor authentication. But even then, he cautions: “Even with 2FA enabled accounts, what if the app asked you for your 2 step code? Most users would gladly request a 2FA-token and ask for it, and directly pipe it over to a remote server.”

He said users should be trained not to automatically enter their credentials in Apple dialog boxes in the same way they are trained not to follow links in emails.

“Showing a dialog that looks just like a system popup is super easy, there is no magic or secret code involved, it’s literally the examples provided in the Apple docs, with a custom text,” he wrote. “I decided not to open source the actual popup code, however, note that it’s less than 30 lines of code and every iOS engineer will be able to quickly build their own phishing code.”


Discussion

  • James on

    This problem is really bad. It's not a matter of 'if' a malicious user does this - it's a matter of how many examples of it are already in the wild. Terrible job by Apple's UI team. If you're going to force your users to login to your ecosystem, at least do it carefully.
  • Li on

    Apple's probably going to have everyone FaceID in place of all these pop ups. In that case, the only pop-up would be "Please purchase the iPhone X".
  • Neal on

    I was talking about it this week. I think for many, seeing the password dialogue makes users angry and they just put it in out of frustration rather than thinking twice.
  • Jaska the man on

    Can’t remember when my iPhones asked passwords... Both seem to want my fingerprint instead. I don’t play games or buy stuff from iTunes though.
