Developer Demonstrates iOS Phishing Attack That Uses Apple-Style Password Request

by

Developer Felix Krause today shared a proof of concept phishing attack that's gaining some traction as it clearly demonstrates how app developers can use Apple-style popups to gain access to an iPhone user's Apple ID and password.

As Krause explains, iPhone and iPad users are accustomed to official Apple requests for their Apple ID and password for making purchases and accessing iCloud, even when not in the App Store or iTunes app.

phishingconcept1
Using a UIAlertController that emulates the design of the system request for a password, developers can create an identical interface as a phishing tool that can fool many iOS users.

Showing a dialog that looks just like a system popup is super easy, there is no magic or secret code involved, it's literally the examples provided in the Apple docs, with a custom text.

I decided not to open source the actual popup code, however, note that it's less than 30 lines of code and every iOS engineer will be able to quickly build their own phishing code.

Though some of the system alerts would require a developer to have a user's Apple ID email address, there are also popup alerts that do not require an email and can recover a password.

phishingconcept2
The phishing method that Krause describes is not new, and Apple vets apps that are accepted to the App Store, but it's worth highlighting for iOS users who may not be aware that such a phishing attempt is possible.

As Krause says, users can protect themselves by being wary of these popup dialogues. If one pops up, press the Home button to close the app. If the popup goes away, it's tied to the app and is a phishing attack. If it remains, it's a system request from Apple.

Krause also recommends users dismiss popups and enter their credentials directly within the Settings app.

Krause has reported the issue to Apple and recommends a fix that would include Apple asking customers to enter their credentials into the Settings app rather than directly through a popup that can be easily mimicked. Alternatively, he suggests credential requests could include an app icon to indicate that an app is asking rather than the system.

As extra protection from attacks like this, Apple customers should enable two-factor authentication as it prevents attackers from being able to log into an Apple ID account without a code from a verified device.

Tags: Apple ID Guide, hack, Two-Factor Authentication, phishing

Top Rated Comments

b11051973 Avatar
b11051973
53 months ago
Always enter an incorrect password first. If it doesn't complain you entered the wrong password, you know it is a phishing thingie.
Score: 47 Votes (Like | Disagree)
nutmac Avatar
nutmac
53 months ago
Similarly, macOS's Authorization Service dialog box is also easily spoofed.

Similar to Windows' Control-Alt-Delete, Apple's iOS and macOS should make it impossible to spoof these dialog boxes.
Score: 28 Votes (Like | Disagree)
alex00100 Avatar
alex00100
53 months ago
This is very smart actually... I'm surprised this isn't massively used by shady apps already.
Score: 15 Votes (Like | Disagree)
BMcCoy Avatar
BMcCoy
53 months ago
Yup, I’d fall for this.
And I’m paranoid.

Cunning.
And a bit frightening.
Score: 11 Votes (Like | Disagree)
thespacekid Avatar
thespacekid
53 months ago
I just transferred to a new iPhone and it asked many times for my apple id password at seemingly random times. Sometimes I'm never sure if I mistyped the password or it was a new request for something else. Apple needs to get more organized and at least let the user know why they have to enter the password.
Score: 10 Votes (Like | Disagree)
ignatius345 Avatar
ignatius345
53 months ago
Fair point about our social conditioning on these dialogs. I don't know of a good way to address this though.
I think this one is on Apple. A user gets legitimately asked for his/her password enough times and fatigue sets in, and they stop really thinking about it.

Ultimately it's a UX problem that needs to be solved so that entering one's iCloud password is 1) hard to fake and 2) doesn't happen any more often than necessary.
Score: 10 Votes (Like | Disagree)
Read All Comments

Related Stories

youtube apple tv

YouTube Discontinuing 3rd-Generation Apple TV App, AirPlay Still Available

Wednesday February 3, 2021 3:09 pm PST by
YouTube is planning to stop supporting its YouTube app on the third-generation Apple TV models, where YouTube has long been available as a channel option. A 9to5Mac reader received a message about the upcoming app discontinuation, which is set to take place in March.Starting early March, the YouTube app will no longer be available on Apple TV (3rd generation). You can still watch YouTube on...
Read Full Article97 comments
iPhone 13 Dummy Thumbnail 2

Kuo: iPhone 13 to Feature LEO Satellite Communications to Make Calls and Texts Without Cellular Coverage

Sunday August 29, 2021 7:39 am PDT by
The iPhone 13 will feature low earth orbit (LEO) satellite communication connectivity to allow users to make calls and send messages in areas without 4G or 5G coverage, according to the reliable analyst Ming-Chi Kuo. In a note to investors, seen by MacRumors, Kuo explained that the iPhone 13 lineup will feature hardware that is able to connect to LEO satellites. If enabled with the relevant...
Read Full Article299 comments
General Apps Messages

Android iMessage Competitor Puts Pressure on Apple

Friday July 30, 2021 3:15 am PDT by
Google and the three major U.S. carriers, including Verizon, AT&T, and T-Mobile, will all support a new communications protocol on Android smartphones starting in 2022, a move that puts pressure on Apple to adopt a new cross-platform messaging standard and may present a challenge to iMessage. Verizon recently announced that it is planning to adopt Messages by Google as its default messaging...
Read Full Article
os x mountain lion macs 16x9 2

Apple Makes OS X Lion and Mountain Lion Free to Download

Wednesday June 30, 2021 12:19 pm PDT by
Apple recently dropped the $19.99 fee for OS X Lion and Mountain Lion, making the older Mac updates free to download, reports Macworld. Apple has kept OS X 10.7 Lion and OS X 10.8 Mountain Lion available for customers who have machines limited to the older software, but until recently, Apple was charging $19.99 to get download codes for the updates. As of last week, these updates no...
Read Full Article129 comments
bluetti eb70 main

MacRumors Giveaway: Win a Bluetti EB70 Portable Power Station and 200W Solar Panel

Friday September 3, 2021 11:13 am PDT by
For this week's giveaway, we've teamed up with MAXOAK to offer MacRumors readers a chance to win a Bluetti portable power station and an accompanying solar panel. Bluetti makes a range of portable power station options that are useful for camping, emergencies, power outages, off-grid living, and similar situations. The Bluetti EB70 is a solid middle of the road option that offers 716Wh and...
Read Full Article25 comments
apple privacy

Apple Publishes FAQ to Address Concerns About CSAM Detection and Messages Scanning

Monday August 9, 2021 1:50 am PDT by
Apple has published a FAQ titled "Expanded Protections for Children" which aims to allay users' privacy concerns about the new CSAM detection in iCloud Photos and communication safety for Messages features that the company announced last week. "Since we announced these features, many stakeholders including privacy organizations and child safety organizations have expressed their support of...
Read Full Article1005 comments
General Spotify Feature

Spotify Pauses Plans to Add AirPlay 2 Support to iOS App [Update: Spotify Clarifies]

Friday August 6, 2021 9:07 am PDT by
See update at bottom of article Spotify this week confirmed that its plans to add AirPlay 2 support to its iOS app have been placed on indefinite hiatus. In an online discussion forum post, a Spotify representative said the streaming music service had been working on supporting AirPlay 2, but the company has paused the efforts "for now" due to "audio driver compatibility issues." The...
Read Full Article216 comments
iphone 13 teal with text

Apple Begins Preparation for iPhone 13 Production Ahead of Fall Launch

Monday June 28, 2021 3:29 am PDT by
We're just a few months away from when Apple is expected to reveal the 2021 iPhone, dubbed the "iPhone 13." In preparation for its launch, it has been pulling in shipments of different components needed to produce the new iPhones, according to a report from DigiTimes. In years past, Apple released its latest iPhone lineup, alongside a new Apple Watch, during a September event at Apple Park....
Read Full Article60 comments
General Spotify Feature

Spotify Partners With Delta to Provide Free In-Flight Music and Podcasts Service

Thursday September 2, 2021 12:59 am PDT by
Spotify has announced a new partnership with Delta that will see the streaming service take over the "audio" section of Delta's in-flight seatback entertainment, making select playlists and podcasts freely available to all passengers. You are now free to roam about the cabin—and get the music and podcasts you love at 30,000 feet. Beginning today, we're taking off in a new partnership with...
Read Full Article10 comments
iphone 12 colors 2021

iPhone 12 Colors: Deciding on The Right Color

Thursday November 5, 2020 8:35 am PST by
The iPhone 12 and iPhone 12 Pro arrived in October 2020 in a range of color options, with entirely new hues available on both devices, as well as some popular classics. The 12 and 12 Pro have different color choices, so if you have your heart set on a particular shade, you might not be able to get your preferred model in that color. iPhone 12 mini and iPhone 12 The iPhone 12 mini and iPhone...
Read Full Article