If you are an iOS user, you will almost certainly have come across the pop-up dialog above at some point. The prompt asking for the password of the Apple ID tied to the device can appear for various reasons, such as updating iOS, when certain apps require access to iCloud, or when making in-app purchases. However, it has now been shown that attackers can imitate this prompt to steal passwords.
Developer Felix Krause recently found that the pop-up dialog can easily be replicated. A fake password prompt looks identical to the real one and can trick even the most tech-savvy users. We are all so used to seeing the prompt asking for our password that we key in the details without hesitation. As Krause puts it, “Just ask your users politely, they’ll probably just hand over their credentials, as they’re trained to do so.”
Krause says the problem has existed for many years, and he published his finding in the hope that Apple will close the loophole. So, what can you do to protect yourself now? Here are the developer’s suggestions:
How can you protect yourself
- Press the home button and see whether the app quits:
  - If the app closes, and the dialog with it, the dialog belonged to the app and this was a phishing attempt.
  - If the dialog and the app are both still visible, it is a genuine system dialog. System dialogs run in a separate process, not as part of any iOS app, so they survive the app being sent to the background.
- Don’t enter your credentials into a pop-up. Dismiss it and open the Settings app manually instead. This is the same principle as never clicking links in emails and opening the website manually instead.
- Pressing the Cancel button does not help: the app still has access to whatever was typed into the password field. Even after you have entered only the first few characters, the app probably already has your password.
Check out Felix Krause’s blog for the full explanation of the flaw.