Anyone who has used iOS for any length of time has probably seen at least one pop-up notification requesting their username and/or password, typically presented by Apple.
For one developer, this has led to the conclusion that a phishing attack might not be too difficult to sneak in, especially considering how frequent, and how standardized, these types of pop-ups are. Felix Krause has put together a proof-of-concept demonstrating that an app developer can package a phishing attack inside an Apple-style pop-up notification.
As Krause puts it, iOS users are accustomed to seeing these types of pop-ups asking for their username and/or password, even when they are not in the iTunes app or the App Store. Krause used UIAlertController, which can reproduce the design of the stock pop-up request for a password or username almost exactly; an app can present such a dialog and quietly collect whatever credentials the user types into it.
“iOS asks the user for their iTunes password for many reasons, the most common ones are recently installed iOS operating system updates, or iOS apps that are stuck during installation.
As a result, users are trained to just enter their Apple ID password whenever iOS prompts you to do so. However, those popups are not only shown on the lock screen, and the home screen, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases.
This could easily be abused by any app, just by showing a UIAlertController that looks exactly like the system dialog.”
In most instances, a developer would need the user’s email address to have a chance at obtaining the user’s password. However, there are some instances where the developer would not need the email address and would still be capable of recovering a user’s password.
Krause says that it’s good to be aware that this sort of thing is possible, if not likely. He suggests that if a pop-up like this appears and there is any uncertainty about it, simply press the Home button. If the pop-up stays on screen, it is tied to the system and is legitimately supposed to be there. If the pop-up goes away, it is tied to the app, and one should be wary about entering credentials into it.
This sort of attack isn’t new by any means, and one of the vetting processes in Apple’s approval of applications for its App Store is meant to address this particular issue. But being aware is always nice.
As it stands right now, Krause has informed Apple of the proof-of-concept.