Proof-of-concept demonstrates how easy it is to fool Apple users with a simple popup
11 October, 2017, 23:07
Mr Krause said malicious developers can display alerts inside their apps that look nearly identical to Apple's pop-ups using a simple bit of code. "iOS should very clearly distinguish between system UI and app UI elements, so that ideally it's [...] obvious for the average smartphone user that something seems off", Krause says. A security weakness has been demonstrated that could allow attackers to steal your Apple ID password. It can be downloaded now on the App Store for free.
You can also press the home button whenever a pop-up is shown.
'Users are trained to just enter their Apple ID password whenever iOS prompts you to do so,' Mr Krause wrote in his post.
"This could easily be abused by any app..."
The login boxes usually appear when you try to install or update an app, and ask you to enter your Apple ID password before you can continue.
Mr Krause says he was able to create the lookalike popup with fewer than 30 lines of code, and that "every iOS engineer" would be capable of creating their own phishing code.
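To show what "fewer than 30 lines" means in practice, here is an added example (written for this page, not Felix Krause's published proof of concept) of an in-app alert built with ordinary, public UIKit API. Nothing about the sheet's appearance tells the user it is not the system prompt; the only difference is that it lives in the app's own process, which is why the home-button check described elsewhere on this page works. The Apple ID address in the message and the view controller name are placeholders, and the entered text is only counted, not sent anywhere.

```swift
import UIKit

// Added example: an app-level UIAlertController dressed up as the Apple ID
// sign-in prompt. Every call here is standard UIKit; no private API is needed.
final class DemoViewController: UIViewController {

    override func viewDidAppear(_ animated: Bool) {
        super.viewDidAppear(animated)
        showLookalikePrompt()
    }

    func showLookalikePrompt() {
        let alert = UIAlertController(
            title: "Sign In to iTunes Store",
            // Placeholder address; a malicious app would not know the real one.
            message: "Enter the password for your Apple ID \"user@example.com\".",
            preferredStyle: .alert)

        // A secure text field gives the same dotted password entry the real sheet has.
        alert.addTextField { field in
            field.placeholder = "Password"
            field.isSecureTextEntry = true
        }

        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel, handler: nil))
        alert.addAction(UIAlertAction(title: "Sign In", style: .default) { _ in
            // The app, not iOS, receives whatever was typed. In an attack this value
            // would be exfiltrated; here it is only counted and logged.
            let entered = alert.textFields?.first?.text ?? ""
            print("App-level alert received \(entered.count) characters")
        })

        // Presented from the app's own view hierarchy: press Home and this alert
        // disappears with the app. The genuine iTunes Store sheet is drawn by a
        // separate system process and stays on screen.
        present(alert, animated: true)
    }
}
```

The defensive takeaway is the one the page gives: do not judge a password prompt by how it looks, because looks are under the app's control; judge it by whether it survives backgrounding the app.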
Felix Krause created a proof of concept phishing attack that looks identical to the official system popups in iOS. To tell the two apart, press the home button: if the app closes along with the popup, it was a phishing attack; if the app and password prompt remain on screen, it's a legitimate system request, because system dialogs run in a separate process from the app. Apple went so far as to include a reminder to use Apple-certified screen fix services in the update notes, something I haven't seen before.
Krause's blog post comes less than a week after an undocumented feature in the Uber app was uncovered that allowed the ride-hailing company to secretly record the screen of iPhone users. As they fix significant issues, however, they are no less important.