
Anyone who's spent more than a few minutes using iOS has been prompted to input their iTunes password. This can ensure that no one but you has access to your important account information. However, iOS tends to ask for your password quite often, and security researcher Felix Krause points out this well-intentioned practice could actually have the opposite effect.

According to Krause, Apple's constant insistence that users type in their passwords leaves them open to phishing. It's not just the frequency of requests, but the way iOS asks for that password makes it very easy for malicious developers to steal passwords. You might think you're simply typing your password into yet another Apple dialog box, but it could be a fake.

iOS asks for your password after system updates, when purchasing content under certain conditions, and when apps reach out to Apple services like iCloud and GameCenter. Thus, users are trained to expect that dialog box to appear at any time. Apple gives developers a tool called UIAlertController, which can produce a dialog box that looks identical to the system notification that's always asking for your password. It would be a simple matter to use that popup to harvest passwords. If an app also has access to a user's e-mail address, the account is compromised.

Krause has not included example code for this attack, but he says it's trivially easy to set up. He had hoped Apple would address this issue without public pressure, but it's something he's been following for several years. Until Apple makes some changes, users can protect themselves by pressing the home button before inputting their password in dialog boxes. If the box is spawned by the app, it will disappear along with the rest of the app. If it's actually a system dialog, it will remain on the screen. You can also open the settings to input your password, or look for the lock screen notification (see below).

Apple has a famously tight grip on the App Store: it constantly rejects apps for seemingly minor issues. Krause notes it would be easy to hide the UIAlertController from Apple until after an app is approved, then remotely trigger it. Possible mitigations on Apple's end would be to include the app's icon in UIAlertController dialog boxes, or simply to stop asking for the iTunes password so often. At the least, Apple might want to route users to the settings interface to confirm their identity rather than push the easy-to-fake popups.