One of iOS’ rougher edges are the popups it produces on a regular but seemingly random basis. These popups require users to enter their Apple ID before they can install or update an app or complete some other mundane task. The prompts have grown so common most people don’t think twice about them.
Mobile app developer Felix Krause makes a compelling case that these popups represent a potential security hole through which attackers can steal user credentials. In a blog post published Tuesday, he showed side-by-side comparisons, pictured above, of an official popup produced by iOS and a proof-of-concept phishing popup. The lookalike popups require less than 30 lines of code and could be sneaked into an otherwise legitimate app that has already found its way into Apple’s App Store.
The popups are a common part of the iOS experience for many users, this author included. They can present themselves at a variety of times, including when people want to make an in-app purchase, after they’ve recently installed an iOS update, or when an app gets stuck installing. The root of the problem is that many of Apple’s official password prompts are indistinguishable from ones generated by apps. Most users respond by blindly trusting their password with either one.
“iOS should very clearly distinguish between system UI and app UI elements, so that ideally it’s… obvious for the average smartphone user that something seems off,” Krause wrote. “This is a tricky problem to solve, and Web browsers are still tackling it; you still have websites that make popups look like macOS/iOS popups so that many users think [they are] system message[s].”
Krause noted that some prompts generated by iOS look like the one to the right. It might serve as a model for all system-generated password prompts.
He suggested Apple create a uniform look for official iOS password prompts that can’t be easily mimicked by apps. Ars has asked Apple to comment on the proposal but didn’t receive a response by the time this post went live. We’ll update if we get one later.
In the meantime, iOS users can protect themselves by doing the following when they encounter a password popup: hit the home button. If the app and password prompt close, the prompt was likely a phishing attempt. If the dialog and app remain visible, the dialog was generated by iOS. Krause also suggested never entering passwords into any dialog box. Instead, we should dismiss it, manually open the iOS settings window, and enter the password there.
Of course, people should strongly consider using Apple’s two-factor authentication, which requires users to enter a verification number in addition to supplying a password. The protection is worth using, but it can be phished in much the same way a password can. For that reason, 2fa shouldn’t be seen as a solution for the problem Krause has highlighted. Krause also said Apple’s app-vetting process—which was designed to prevent attackers from sneaking malicious titles into the App Store—isn’t an adequate remedy because attackers can always find ways to bypass the measure.