Every iOS user is familiar with the popups that require an Apple ID password before completing a task; muscle memory usually takes over to type the secret code and “sign in.”
But, according to mobile developer Felix Krause, iDevice owners should think twice before handing over credentials.
In a recent blog post, Krause shines the light on a long-time loophole that turns seemingly innocuous popups into an easily replicated phishing scam.
Installing an operating system update? App stuck during installation?
“Users are trained to just enter their Apple ID password whenever iOS prompts you to do so,” the blog said. “This could easily be abused.”
Even those with two-step verification can be duped.
Krause posted side-by-side screenshots of official system popups (left) and phishing popups (right). See if you can spot the difference. (Hint: There are none.)
“Even users who know a lot about technology have a hard time detecting that those alerts are phishing attacks,” he added.
The lookalikes—which, to the naked, untrained eye, appear identical—require fewer than 30 lines of code, and can be snuck into otherwise legitimate programs already in the iTunes App Store.
“While the [Apple] review process provides a basic safety filter, organizations with bad intent will always find a way to somehow work around the limitations of a platform,” Krause wrote.
Ideally, he said, all system-generated password prompts would emulate the company’s lock-screen notification, which opens directly to iCloud Settings, “a much better approach than to ask for the password directly.”
Apple did not immediately respond to Geek’s request for comment.
iOS users should remain alert. Try to rein in your fingers from automatically typing a password; even if you cancel a dialog box, the app can still access any content in the field.
“Even after entering the first characters, the app probably already has your password,” Krause warned.
And the next time you see a password popup, protect yourself by following these guidelines:
Press the Home button: If the app and dialog box close together, it was a phishing attack; if the dialog stays visible, it’s a system dialog (which runs in a separate process from any iOS application, so closing the app does not dismiss it).
Do not enter your credentials into a popup: Instead, dismiss it and open the Settings manually.