Most iPhone users are probably all-too familiar with the annoying iTunes Store sign-in popups for Apple and iTunes that seem to randomly appear onscreen. But that annoyance may be the least of our worries, as one security researcher has discovered.
Felix Krause, an iOS developer who runs a website about his work, published a post on Tuesday that warns iPhone users just how easy it would be for a malicious attacker to replicate this dialog box for the purpose of phishing. In this post, he explains that his ambition is to have Apple fix this exploitable “loophole” that has existed for many years.
To demonstrate, he created sample phishing popups designed to resemble official Apple popups with UIAlertController, a framework iOS developers use to display alert messages to app users. Within the post, Krause described the coding process intentionally generally so as to not give would-be malicious actors insight.
According to Krause, the crux of the issue is that users are “trained to just enter their Apple ID password whenever iOS prompts you to do so.” These popups can appear on the home screen, lock-screen, and inside apps. Add this to the fact that UIAlertController generates popups visually identical to the iOS system dialog and you have a recipe for disaster.
As Motherboard notes, there’s no evidence this approach has actually ever been used before. It’s the exact kind of thing Apple looks for when accepting apps to the App Store. That said, there are some hacks that developers can use to run code only after the app has already been approved, meaning it would be theoretically possible to circumvent Apple’s safety review process.
Luckily for iPhone users, there’s a simple way to protect yourself from this type of attack. If a dialog box asking you to enter your password appears while you’re using an app — something that typically happens when making in-app purchases or accessing GameCenter — you should close out by hitting the home screen button. If the box disappears with the app, there’s a good chance that you were just hit with a phishing attack. If the dialog and app don’t automatically disappear, you’re good. But still, it’s a good idea to embrace the best practice of only entering credentials manually by navigating to “Settings.”
Though Apple has yet to respond to press inquiries (including one from Inverse) Krause notes just how easy it would be for the company to cease asking for Apple ID information from the user in popups altogether. Instead, he writes, popups intended for this purpose could advise users open the settings app and navigate from there. Another option might be to ensure any dialog popups from apps have a distinguishing feature like an app icon to clearly distinguish them from dialogs sent from the operating system.