Hack reveals how criminals could steal your Apple ID using dodgy pop-ups

If you own an iPhone, you’ll be used to what seems like a constant stream of requests for your Apple ID password when making purchases in iTunes, on the App Store or within apps. A little pop-up appears, you roll your eyes, and dutifully enter your password.


But what if that pop-up hasn’t come from Apple, and has instead been designed to look like an official request in an attempt by hackers to steal your credentials? That’s the case put forward by app developer Felix Krause, who has written a proof-of-concept breakdown of malicious lookalike pop-ups.

As Krause notes, fewer than 30 lines of code can be used to make a very convincing phishing dialog. In side-by-side pictures, he compares Apple’s official ID password request with his own efforts. The idea would be that the code is smuggled in with an app, so that it’s actually the app’s notification – not Apple’s UI – that the user is seeing. As his pictures show, this can be designed by a developer to look identical to a “Sign into iTunes Store” pop-up.

The main issue, from Apple’s side, is that iOS makes it difficult to tell the difference between notification sources. “iOS should very clearly distinguish between system UI and app UI elements, so that ideally it’s […] obvious for the average smartphone user that something seems off,” Krause says.

“This is a tricky problem to solve, and web browsers are still tackling it; you still have websites that make pop-ups look like macOS / iOS popups, so that many users think [they are] system message[s].”

Krause adds a few potential solutions to the problem, such as forcing the user to input their password in the Settings app instead of a pop-up. More likely to happen is his suggestion that Apple change the design of its system prompts to include an extra icon that indicates it’s an official request. He points to the exclamation mark used in some push notifications as an example.

For now, the developer notes a couple of steps users can take to prevent mobile phishing. The easiest is to press your Home button. If this closes the app and the dialog, then it was a phishing attack. If the dialog and the app are still visible, then it’s a system dialog.

It’s also worth noting that this type of attack would hinge on the malicious app making it through the App Store review process, and the code then being activated by the developer. Apple is generally on the ball with this type of thing, and would take action if such a violation of its guidelines were detected. Krause does however note that “organisations with bad intent will always find a way to somehow work around the limitations of a platform”.
