Tuesday, October 10, 2017

In-App Apple ID Password Phishing

Felix Krause (tweet, Hacker News):

As a result, users are trained to just enter their Apple ID password whenever iOS prompts you to do so. However, those popups are not only shown on the lock screen, and the home screen, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases.

This could easily be abused by any app, just by showing a UIAlertController that looks exactly like the system dialog.

[…]

Hit the home button, and see if the app quits:

  • If it closes the app, and with it the dialog, then this was a phishing attack
  • If the dialog and the app are still visible, then it’s a system dialog. The reason for that is that the system dialogs run on a different process, and not as part of any iOS app.

[…]

Initially I thought, faking those alerts requires the app developer to know your email. Turns out, some of those auth popups don’t include the email address, making it even easier for phishing apps to ask for the password.
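To make the point concrete, here is an added example (it is not Felix Krause's code, and the class and method names are invented for illustration) of how little an app needs to do to present an alert that looks like the Apple ID prompt. Everything is ordinary public UIKit API: a `UIAlertController` with a secure text field and a "Sign In" action. Because the alert belongs to the app's own process, pressing the Home button backgrounds the app and takes the alert with it, which is exactly the tell described above; a genuine prompt, drawn by a separate system process, survives that.

```swift
import UIKit

// Added example, not the original post's code: a plain UIAlertController that
// mimics the iTunes Store sign-in prompt. No private API is involved.
final class SpoofedSignInViewController: UIViewController {

    override func viewDidAppear(_ animated: Bool) {
        super.viewDidAppear(animated)
        // nil reproduces the variant that omits the e-mail address, so the
        // phisher does not need to know the victim's Apple ID.
        presentFakeAppleIDPrompt(appleID: nil)
    }

    /// Presents an in-process alert styled like the system Apple ID prompt.
    /// (Hypothetical helper name; the title and message strings are assumed
    /// to resemble the real prompt and are not copied from Apple.)
    func presentFakeAppleIDPrompt(appleID: String?) {
        let message = appleID.map { "Enter the password for \($0)" }
            ?? "Enter your Apple ID password to continue."
        let alert = UIAlertController(title: "Sign In to iTunes Store",
                                      message: message,
                                      preferredStyle: .alert)
        alert.addTextField { field in
            field.placeholder = "Password"
            field.isSecureTextEntry = true   // dots instead of characters, like the real field
        }
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Sign In", style: .default) { _ in
            // In a malicious app this is where the typed password would leave the device.
            // Here we only report its length to show the value is fully accessible.
            let typed = alert.textFields?.first?.text ?? ""
            print("alert captured \(typed.count) characters")
        })
        present(alert, animated: true)
    }
}
```

Nothing in this snippet needs an entitlement, a jailbreak or network access, which is why App Review cannot reliably distinguish it from a legitimate in-app login form; the only defences on the page are the Home-button check and Apple changing the prompt itself.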

Previously: macOS 10.12.2 Impedes Safari Bookmarklets.

Update (2017-10-11): Marco Arment:

It’s long past time that Apple removes the random password popups that plague iOS.

They’re a security flaw that should not exist in 2017.

John Gruber:

I’ve been thinking about this for years, and have been somewhat surprised this hasn’t become a problem. It’s a tricky problem to solve, though. How can the system show a password prompt that can’t be replicated by phishers?


Good luck with that. Similar issues were reported to Apple at least 4 years ago regarding the iCloud and Messages alerts that periodically appear in Mac OS X and request that you enter your Apple ID password (*). Haven't seen any feedback from Apple regarding this.

* this happens when you register on a new iOS device for instance.

The solution to this should be more technical/design-based. For example, Apple could display those dialogs in a special way, like with an unusual animation or with special screen elements. Then, at the system level, it could be monitored and detected when an app tries to imitate such visual cues.

For this purpose a small part of the screen accessible only to the system would be useful, and the iPhone X even has some of it. It could also be a little LED light that indicates that a proper security prompt has been initiated.

One solution might be to use a notification with a unique style available only to Apple. Tapping the notification takes the user to the appropriate section in the Settings app. Yes, this is still potentially spammable, but a) it wouldn't be possible for 3rd parties to use the "special" notification styling and b) users are no longer trained to enter their password in a generic alert!

I agree with Marco though: a better solution would be to stop the constant password requests in the first place. I find these really annoying compared to Android, which generally doesn't have this problem.

"It’s a tricky problem to solve, though. How can the system show a password prompt that can’t be replicated by phishers?"

No, this is a solved problem. One solution I saw years ago: A bank I used had me select an image that only it and I would know about, and each time I logged in, it'd show me the nonsense image so I knew it was them.

This assumes that I was actually talking to the bank the first time, and that their nonsense image stash isn't hacked, and I haven't stored that image in a vulnerable browser cache somehow... Etc etc. I get it.

Nothing's 100% safe, but all Apple needs for several nines of protection is to grab something you haven't shared with anyone but them, and that they show you each time a valid, iOS-controlled dialog appears.
