If You Want an Apple Password, Just Ask Nicely

If you’re an iPhone user, you’re likely well acquainted with the system dialog boxes that iOS spits out on a regular basis, asking for our Apple ID password. It happens on a fairly regular basis, when you’re installing new apps or iOS updates or when you’ve been signed out for some reason. But it’s incredibly simple for non-Apple apps to produce the exact same dialog boxes and collect users’ credentials, making for a potentially highly effective phishing tool.

The root of the problem is that an app developer can use a small number of lines of code, added to an app that’s already on a target device, to mimic the precise look and feel of the legitimate iOS dialog boxes. A malicious app could show one of these popups to all of its users, or a selected portion of them, and collect their iTunes credentials, which could then be used for further attacks. Felix Krause, a mobile app developer, detailed the problem with iOS popups in a post this week and said virtually any app could exploit it.

“iOS asks the user for their iTunes password for many reasons, the most common ones are recently installed iOS operating system updates, or iOS apps that are stuck during installation. As a result, users are trained to just enter their Apple ID password whenever iOS prompts you to do so,” Krause said.

“However, those popups are not only shown on the lock screen, and the home screen, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases. This could easily be abused by any app, just by showing an UIAlertController, that looks exactly like the system dialog.”

Phishing attacks in browsers and email are decades old and users are generally pretty well aware of the warning signs: crummy grammar, sketchy URLs, weird email addresses. But the mobile environment is a different animal altogether, and users have grown accustomed to trusting the apps on the phones implicitly, which is sub-optimal. Apple does a good job vetting the apps in the iTunes Store, requires code-signing certificates for developers, and is usually quick to remove apps that exhibit undocumented or malicious behavior. But in a case like the one Krause is describing, the damage could be done in a matter of hours or days, before Apple could notice.

“Showing a dialog that looks just like a system popup is super easy, there is no magic or secret code involved, it's literally the examples provided in the Apple docs, with a custom text,” Krause said.

“iOS should very clearly distinguish between system UI and app UI elements, so that ideally it's even obvious for the average smartphone user that something seems off. This is a tricky problem to solve, and web browser are still tackling it, you still have websites that make popups look like macOS / iOS popups, so that many users think it's a system message.”

The best defense against this kind of attack--along with many other types of mobile account-takeover attempts--is to use two-factor authentication or two-step verification. Apple offers 2FA for iTunes accounts and recently converted most users to it. But attackers are persistent and resourceful and as users continue to depend on their mobile devices for more and more of their important tasks, the attacks will only continue to improve and evolve.

Dennis Fisher

Dennis Fisher

Dennis Fisher is editor-in-chief at Duo Security. He is an award-winning technology journalist who has specialized in covering information security and privacy for the last 15 years. Prior to joining Duo, he was one of the founding editors of On the Wire, Threatpost and previously covered security for TechTarget and eWeek.