Developer Demonstrates iOS Phishing Attack That Uses Apple-Style Password Request

by

Developer Felix Krause today shared a proof of concept phishing attack that's gaining some traction as it clearly demonstrates how app developers can use Apple-style popups to gain access to an iPhone user's Apple ID and password.

As Krause explains, iPhone and iPad users are accustomed to official Apple requests for their Apple ID and password for making purchases and accessing iCloud, even when not in the App Store or iTunes app.

phishingconcept1
Using a UIAlertController that emulates the design of the system request for a password, developers can create an identical interface as a phishing tool that can fool many iOS users.

Showing a dialog that looks just like a system popup is super easy, there is no magic or secret code involved, it's literally the examples provided in the Apple docs, with a custom text.

I decided not to open source the actual popup code, however, note that it's less than 30 lines of code and every iOS engineer will be able to quickly build their own phishing code.

Though some of the system alerts would require a developer to have a user's Apple ID email address, there are also popup alerts that do not require an email and can recover a password.

phishingconcept2
The phishing method that Krause describes is not new, and Apple vets apps that are accepted to the App Store, but it's worth highlighting for iOS users who may not be aware that such a phishing attempt is possible.

As Krause says, users can protect themselves by being wary of these popup dialogues. If one pops up, press the Home button to close the app. If the popup goes away, it's tied to the app and is a phishing attack. If it remains, it's a system request from Apple.

Krause also recommends users dismiss popups and enter their credentials directly within the Settings app.

Krause has reported the issue to Apple and recommends a fix that would include Apple asking customers to enter their credentials into the Settings app rather than directly through a popup that can be easily mimicked. Alternatively, he suggests credential requests could include an app icon to indicate that an app is asking rather than the system.

As extra protection from attacks like this, Apple customers should enable two-factor authentication as it prevents attackers from being able to log into an Apple ID account without a code from a verified device.

Tags: Apple ID Guide, Hack, Phishing, Two-Factor Authentication

Popular Stories

iPhone SE 4 Vertical Camera Feature

iPhone SE 4 Rumored to Use Same Rear Chassis as iPhone 16

Friday July 19, 2024 7:16 am PDT by
Apple will adopt the same rear chassis manufacturing process for the iPhone SE 4 that it is using for the upcoming standard iPhone 16, claims a new rumor coming out of China. According to the Weibo-based leaker "Fixed Focus Digital," the backplate manufacturing process for the iPhone SE 4 is "exactly the same" as the standard model in Apple's upcoming iPhone 16 lineup, which is expected to...
Read Full Article136 comments
iPhone 16 Pro Sizes Feature

iPhone 16 Series Is Just Two Months Away: Everything We Know

Monday July 15, 2024 4:44 am PDT by
Apple typically releases its new iPhone series around mid-September, which means we are about two months out from the launch of the iPhone 16. Like the iPhone 15 series, this year's lineup is expected to stick with four models – iPhone 16, iPhone 16 Plus, iPhone 16 Pro, and iPhone 16 Pro Max – although there are plenty of design differences and new features to take into account. To bring ...
Read Full Article129 comments
bsod

Crowdstrike Says Global IT Outage Impacting Windows PCs, But Mac and Linux Hosts Not Affected

Friday July 19, 2024 3:12 am PDT by
A widespread system failure is currently affecting numerous Windows devices globally, causing critical boot failures across various industries, including banks, rail networks, airlines, retailers, broadcasters, healthcare, and many more sectors. The issue, manifesting as a Blue Screen of Death (BSOD), is preventing computers from starting up properly and forcing them into continuous recovery...
Read Full Article492 comments
iphone 14 lineup

Cellebrite Unable to Unlock iPhones on iOS 17.4 or Later, Leak Reveals

Thursday July 18, 2024 4:18 am PDT by
Israel-based mobile forensics company Cellebrite is unable to unlock iPhones running iOS 17.4 or later, according to leaked documents verified by 404 Media. The documents provide a rare glimpse into the capabilities of the company's mobile forensics tools and highlight the ongoing security improvements in Apple's latest devices. The leaked "Cellebrite iOS Support Matrix" obtained by 404 Media...
Read Full Article66 comments
Apple Watch Series 9

2024 Apple Watch Lineup: Key Changes We're Expecting

Tuesday July 16, 2024 7:59 am PDT by
Apple is seemingly planning a rework of the Apple Watch lineup for 2024, according to a range of reports from over the past year. Here's everything we know so far. Apple is expected to continue to offer three different Apple Watch models in five casing sizes, but the various display sizes will allegedly grow by up to 12% and the casings will get taller. Based on all of the latest rumors,...
Read Full Article38 comments
tinypod apple watch

TinyPod Turns Your Apple Watch Into an iPod

Wednesday July 17, 2024 3:18 pm PDT by
If you have an old Apple Watch and you're not sure what to do with it, a new product called TinyPod might be the answer. Priced at $79, the TinyPod is a silicone case with a built-in scroll wheel that houses the Apple Watch chassis. When an Apple Watch is placed inside the TinyPod, the click wheel on the case is able to be used to scroll through the Apple Watch interface. The feature works...
Read Full Article133 comments

Top Rated Comments

b11051973 Avatar
b11051973
89 months ago
Always enter an incorrect password first. If it doesn't complain you entered the wrong password, you know it is a phishing thingie.
Score: 47 Votes (Like | Disagree)
nutmac Avatar
nutmac
89 months ago
Similarly, macOS's Authorization Service dialog box is also easily spoofed.

Similar to Windows' Control-Alt-Delete, Apple's iOS and macOS should make it impossible to spoof these dialog boxes.
Score: 28 Votes (Like | Disagree)
alex00100 Avatar
alex00100
89 months ago
This is very smart actually... I'm surprised this isn't massively used by shady apps already.
Score: 15 Votes (Like | Disagree)
BMcCoy Avatar
BMcCoy
89 months ago
Yup, I’d fall for this.
And I’m paranoid.

Cunning.
And a bit frightening.
Score: 11 Votes (Like | Disagree)
thespacekid Avatar
thespacekid
89 months ago
I just transferred to a new iPhone and it asked many times for my apple id password at seemingly random times. Sometimes I'm never sure if I mistyped the password or it was a new request for something else. Apple needs to get more organized and at least let the user know why they have to enter the password.
Score: 10 Votes (Like | Disagree)
ignatius345 Avatar
ignatius345
89 months ago
Fair point about our social conditioning on these dialogs. I don't know of a good way to address this though.
I think this one is on Apple. A user gets legitimately asked for his/her password enough times and fatigue sets in, and they stop really thinking about it.

Ultimately it's a UX problem that needs to be solved so that entering one's iCloud password is 1) hard to fake and 2) doesn't happen any more often than necessary.
Score: 10 Votes (Like | Disagree)
Read All Comments