iOS Apps Become a Hotbed of Phishing Attacks Thanks to Apple’s Constant Password Popups
Apple products and services have been attracting most of the criminal efforts in the past few months, with attackers targeting iOS, macOS, iCloud, two-factor authentication, and other corners of the ecosystem. In the latest of these potential weaknesses, a security researcher has revealed how easy it is for scammers and criminals to recreate legitimate-looking Apple pop-ups asking for a user's Apple ID and password.
In a proof of concept published by Felix Krause, an iOS developer, the researcher revealed that the dialog box is incredibly simple to recreate, tricking users into giving away their passwords at a moment when they are least likely to question its authenticity.
It's quite easy to phish on iOS
Apple users are accustomed to the company asking for their password even when they are not making a purchase in the App Store; among other instances, a simple operation such as updating macOS prompts a dialog box asking for the password. This security feature could be turned against users by malicious apps (or even legitimate apps that have been compromised) that demand users' passwords. While it may seem like an obvious social engineering trick, given users' familiarity with the dialog box, many fall for it.
"It's literally less than 30 lines of code," Krause said.
"Showing a dialog that looks just like a system popup is super easy, there is no magic or secret code involved, it's literally the examples provided in the Apple docs, with a custom text.
"I decided not to open source the actual popup code, however, note that it's less than 30 lines of code and every iOS engineer will be able to quickly build their own phishing code."
Krause recommends that users be wary of any and all such pop-ups, regardless of where they appear, and offers a simple check:
- Hit the home button and see whether the app quits:
- If the app closes, and the dialog with it, then this was a phishing attack.
- If the dialog and the app are still visible, then it is a system dialog. The reason is that system dialogs run in a separate process, not as part of any iOS app.
Google and others do a tremendous job of continually updating their capabilities to warn users about growing phishing campaigns in web browsers. Apps, however, present a lucrative attack vector. The security researcher has also recommended that Apple "fix" this design issue by requesting credentials only through the Settings app and not showing pop-ups everywhere.
"When asking for the Apple ID from the user, instead of asking for the password directly, ask them to open the settings app," Krause writes. He further adds that dialogs coming from apps should be required to carry the app icon, to clearly communicate to users that the app, and not the system, is pushing these dialog boxes and notifications.