A developer named Felix Krause has published a worrying blog post that details an easily doable phishing attack on iPhone and iPad users. His proof of concept takes advantage of a loophole that’s been around for years and is yet to be resolved by Apple.
Krause’s scheme involves recreating the dialog that pops up when iOS asks for your Apple ID password. As can be seen above, he was able to perfectly mirror the official one with his own fake one. It would be difficult for users to make out the difference, leading them to enter their credentials and being none the wiser.
Apps frequently ask for a person’s password to access iCloud, in-app purchases, and GameCenter. This freedom can be abused by showing a UIAlertController which looks just like a regular system dialog.
Krause is advising people to press the home button if they become suspicious. If the application and its fake pop-up closes, it was a phishing attack. If the app and dialog are still open, then it’s an official system dialog. He’s also cautioning against entering passwords into a popup directly, telling individuals to open the Settings app manually.
The developer also has a couple of solutions to offer Apple. One suggestion sees the company forcing applications to place an app icon on the top right of their popup so that a person would know it’s from the app and not iTunes or iOS.
Even owners with 2-step verification switched on aren’t entirely in the clear since the app could ask them for the code. Plus, many folks use the same username/password combo on other services, so those could get hacked instead.