Beware the New iOS Phishing Attack
If you use iOS, you are used to the Apple popups that ask you to enter your Apple ID password. These popups appear any time you download a new application from the App Store, log in to iCloud, or buy a song on iTunes. Unfortunately, it looks like attackers could use a lookalike popup to gain access to a user’s Apple ID account.
So far, this style of attack hasn’t been seen in the wild. App developer Felix Krause recently shared a proof-of-concept on his website showing that an app developer could use Apple-style popups in a phishing attack. Krause’s blog post shows side-by-side screenshots of an official popup and a phishing popup, and the two look practically identical. Both popups prompt you to “Sign in to Apple Store,” and “To continue, enter the password for your Apple ID [email address].”
Krause used UIAlertController, the standard iOS API that apps use to show alert dialogs, to reproduce the design of Apple’s password request interface. He says that hackers could do the same thing to trick users into giving up their passwords. He described the process as “super easy,” requiring “no magic or secret code.”
The good news is that Apple is vigilant about screening apps and app developers. Not just anyone can get an app into the App Store. Developers without that Apple-approved status are highly unlikely to reach enough iOS users to cause much damage. Some users do install apps directly from the web rather than through the App Store, despite Apple’s warnings against doing so, but they are a distinct minority.
The bad news is that the phishing attack Krause demonstrated would likely be extremely effective if a malicious app did make it through Apple’s vetting process. iOS users are predisposed to trust the official-looking popups on their iPhones and iPads. Since the counterfeit popup looks identical to the real one, an attacker would likely be able to fool most users.
Krause has sent the proof of concept to Apple and made a few suggestions for making iOS more secure. Specifically, he urged Apple to change iOS so that users enter their login credentials in the Settings app rather than in a popup, since an app cannot imitate that flow.
In the meantime, Krause says users can protect themselves against any potential threat by pressing the home button whenever an official-looking password popup appears. A genuine password request comes from the system itself, so it stays on screen after you leave the app. A counterfeit request is drawn by the app that raised it, so it disappears along with that app. If the popup survives the trip to the home screen, it is real; if it vanishes, treat the app as suspect and don’t enter your password.