iOS: Security researcher Felix Krause is killing it this month, if “it” means iPhone users’ sense of security. We recently covered two of his security warnings: If you give an app permission to use your camera, it can also track your location and even secretly take photos and videos. Now he points out that if you’re not careful, any app could easily steal your Apple ID password.
The problem, Krause says, is that any app could easily imitate Apple’s password dialog. (He even built a proof of concept.) And if you use an iPhone or iPad, you know that Apple is almost constantly asking for your password. So you get desensitized, and whenever you’re asked, you just type it in. An app can swoop in with a fake password prompt of its own, drawn with ordinary app-level UI, that looks identical to the real one.
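To make the “easily imitate” point concrete, here is an added illustration in Swift. It is not Krause’s proof-of-concept code and not anything from Apple; the title, message, placeholder text and the sample Apple ID are all assumptions. It uses only the stock UIAlertController API, which is all an app needs to draw a dialog that looks like the system sign-in prompt, and the text field in that dialog belongs to the app, so the app can read whatever is typed into it.

```swift
// Added illustration (not Felix Krause's proof-of-concept code): the stock UIKit
// alert API is enough to draw a dialog that looks like the App Store password
// prompt. Title, message, placeholder and the sample Apple ID are assumptions.
import UIKit

final class PromptDemoViewController: UIViewController {

    override func viewDidAppear(_ animated: Bool) {
        super.viewDidAppear(animated)
        // Constructed sample Apple ID; a real app could use any address it knows.
        presentLookalikePrompt(forAppleID: "user@example.com")
    }

    /// Presents a UIAlertController styled like a system "Sign In to iTunes Store"
    /// dialog. Everything here is ordinary UIKit; nothing escapes the app sandbox.
    func presentLookalikePrompt(forAppleID appleID: String) {
        let alert = UIAlertController(
            title: "Sign In to iTunes Store",
            message: "Enter the password for your Apple ID \(appleID).",
            preferredStyle: .alert)

        alert.addTextField { field in
            field.placeholder = "Password"
            field.isSecureTextEntry = true   // masks input with dots, like the real prompt
        }

        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Sign In", style: .default) { [weak self, weak alert] _ in
            // The app, not iOS, owns this text field, so it can read what was typed.
            let typed = alert?.textFields?.first?.text ?? ""
            self?.handleCapturedPassword(typed)
        })

        // The alert is presented by this app's own view controller. That is why
        // pressing the Home button dismisses it along with the app, while a real
        // system prompt, drawn outside the app, stays on screen.
        present(alert, animated: true)
    }

    func handleCapturedPassword(_ password: String) {
        // A phishing app would send this somewhere. Here we only show that the
        // value is available to the app; nothing is stored or transmitted.
        print("app received a \(password.count)-character password")
    }
}
```

The comment on `present(alert, animated: true)` is the whole basis of the check described below: a prompt that lives inside the app’s view hierarchy goes away when the app does, and a genuine iOS prompt does not.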
There’s an easy way to tell the two apart, but you have to remember it whenever your phone asks for your password: Press the Home button. If the app goes away and the password prompt disappears with it, the prompt was fake, because it was drawn by the app. If the password pop-up is really from iOS, it is drawn outside the app and will stay on the screen until you tap Sign In or Cancel.
If you’ve enabled two-factor authentication for your Apple ID, you’re somewhat safer, since the password alone isn’t enough to sign in. But it’s still very dangerous to hand out your password, especially if you’ve reused it elsewhere, or if there’s any chance that someone who has your password could also get physical access to your device.
This phishing attack is one of the things Apple’s App Store review is supposed to screen out. But Krause points out that many apps have slipped through review with bad behavior before, and he even lists ways an app could hide this attack from Apple’s reviewers. He believes Apple owes its customers a better design, one that clearly distinguishes real password requests from fake ones. Until then, it’s on users to stay vigilant.