It doesn’t really happen anymore, but a while back this pop up would always just randomly happen.

It happened to everyone I know from time to time, just a random pop up asking to log into iCloud.

Again doesn’t really happen anymore.
 
This is very smart actually... I'm surprised this isn't massively used by shady apps already.

haha... they could be... but none were picked up by Apple's process.

These phishing attacks are getting smarter in how they visually mimic the 'real deal'.

Although an icon affixed to the popup would give a bit of reassurance that it's a legit popup, even icons can be faked.... You're not fixing the problem, just working around it.

Apple offers sign-in directly anyway via the Settings app (iTunes & App Store), but what this guy is asking is "could Apple decrease my security?"
 
“The phishing method that Krause describes is not new, and Apple vets apps that are accepted to the App Store”

So just another non-story about some supposed security flaw in iOS.
Apple's review process is far from perfect. It is not hard to hide things like this from the reviewers. The blog entry linked in the article describes a few options.
 
Pop-ups are the devil's business, I think. It's why I have such a consuming hatred for Adobe - who can't seem to get it into their thick heads that when their app needs to be updated, they need to tell users to go to the Adobe website and do it from there. I don't trust their pop-ups (and neither should anyone) because they are too easily spoofed.
 
It seems that there should be something in Xcode that would forbid such a dialog from being written into any app. Are "vetters" checking code by hand?
 
But with hundreds of apps being approved on a monthly basis…. it only takes 1 or 2 rogue app devs to sneak through to exploit the massive userbase to their advantage. I think that the concept of Apple "screening" the apps/devs is not foolproof enough. Apple also needs to add some kind of built-in iOS security barrier to prevent *any* dev from doing anything that can do this (should they attempt it). Just IMHO

Yep, I completely agree. Shouldn't be possible to mirror in the first place.
 
I just transferred to a new iPhone and it asked many times for my Apple ID password at seemingly random times. Sometimes I'm never sure if I mistyped the password or it was a new request for something else. Apple needs to get more organized and at least let the user know why they have to enter the password.
 
I initially thought the random requests for Apple passwords were some rogue app, but now after years of iOS demanding passwords for no obvious reason I would probably fall for this phishing attempt.
 
Apple's review process is far from perfect. It is not hard to hide things like this from the reviewers. The blog entry linked in the article describes a few options.

Yet he never actually did get it into the App Store and just ran the code on his own devices. Just another “security expert” looking for their 15 minutes of fame courtesy of Apple.

As a developer, I had to LOL.....

This would be SO easy to sneak past Apple.
I develop for iOS and don’t think it’s that easy at all. Writing the code would be easy. But that’s not the same as getting into The App Store. But go ahead and do it. You seem to think it’s so easy. You’ll be famous and will get press coverage worldwide for exposing this flaw, not to mention a fond place in the hearts of Android users.
 
Not so clever. Old trick from the 90s. The old solution that still works: Give security-related system popups some obvious indication of legitimacy that can't be spoofed, like something in the bezel.

Hard part is sandboxing apps so they can't spoof it. TouchID in iOS is one good solution.

I guess it's a bit more advanced than this....

[image: "Seems legit" screenshot (ismycreditcardstolen.com)]
 
Yet he never actually did get it into the App Store and just ran the code on his own devices.
:rolleyes: If he had actually submitted this in an app, it would have been a violation of Apple's developer guidelines and they would have suspended his account once he posted it on his blog.
Just another “security expert” looking for their 15 minutes of fame courtesy of Apple.
Yeah that's it. How dare a developer post something useful on their blog.
I develop for iOS and don’t think it’s that easy at all. Writing the code would be easy. But that’s not the same as getting into The App Store. But go ahead and do it. You seem to think it’s so easy. You’ll be famous and will get press coverage worldwide for exposing this flaw, not to mention a fond place in the hearts of Android users.
Of course malware getting through Apple's review is entirely unprecedented.
 
Always enter an incorrect password first. If it doesn't complain you entered the wrong password, you know it is a phishing thingie.

While this may work for simplistic password captures, it doesn't mean they haven't implemented something that attempts to check your password immediately and respond appropriately.

For example, there are lots of Google phishing campaigns going around now that not only ask for your password but also your 2-factor authentication token if you have one. The way they do this is by capturing your password, then submitting it to Google, and if they get a 2-factor auth request they will ask for that as well, and submit it to Google so they can obtain the appropriate authentication cookies to continue.
 
:rolleyes: If he had actually submitted this in an app, it would have been a violation of Apple's developer guidelines and they would have suspended his account once he posted it on his blog.
Yeah that's it. How dare a developer post something useful on their blog.
Of course malware getting through Apple's review is entirely unprecedented.

First off, I never claimed nobody could get something into The App Store. The poster I replied to specifically stated it would be easy. If it’s easy, then show proof.

Researchers in the past have shown their proofs getting in The App Store. Of course your developer account would get revoked. Maybe, just maybe, someone might create a fake account to do such a test? It’s not like this has never been done before.

This developer did not discover anything new or come up with a new attack vector. He just reminded people of a type of attack that's been around forever. And one that I have never heard of getting in The App Store. Unless you know of Apps that tried this particular technique in the past.
 
Don't know if this was mentioned in any replies, but the third-party popups are unable to use your Apple ID email, so these mockups are completely misleading.
 
This is a bit worrying, I have got so used to just putting my password in I hardly think about it. I notice sometimes it will seem to ask a lot over a few weeks then calm down.

Am I correct in thinking that for this to work in iOS or macOS one would need to install an app containing this code? Or could they get it into your iPhone/Mac without you downloading an app?

On both my MacBook and iPhone I only really have a few apps, all from big legit companies, so I hope I am safe, but it does make me concerned. The other week I had a strange experience: when I opened settings for iCloud to turn keychain on and off to get it to remember some new wifi passwords, the box asking for my password popped up, I entered it, and then it popped up immediately again asking for it. Then it seemed to work fine.

Has there actually been any example of this trick really being used? Or is it just theoretical? Maybe a good time for us to change passwords...
 