Right. This is the problem with iOS at heart - that really needs to be fixed by Apple (only Apple can fix it). Apple - because of a way too drastic privacy policy ideology - conditioned its users to *CONSTANTLY* type in their Apple ID password over and over and over and over again!

Because Apple *still* doesn't have a desperately needed identity management system (SSO). So everyone is forced to manage on their own, and repeatedly typing in the password to the point it becomes second nature.

Google has one, Facebook has the most successful system, Amazon does too. Apple, we NEED an identity management system! We need a universal login system on iOS now!




This is a bit worrying; I have got so used to just putting my password in that I hardly think about it. I notice sometimes it will seem to ask a lot over a few weeks, then calm down.

Am I correct in thinking that for this to work in iOS or macOS one would need to install an app containing this code? Or could they get it onto your iPhone/Mac without you downloading an app?

On both my MacBook and iPhone I only really have a few apps, all from big legit companies, so I hope I am safe, but it does make me concerned. The other week I had a strange experience: when I opened Settings for iCloud to turn Keychain on and off to get it to remember some new Wi-Fi passwords, the box asking for my password popped up. I entered it, and then it popped up immediately again asking for it, then it seemed to work fine.

Has there actually been any example of this trick really being used? Or is it just theoretical? Maybe a good time for us to change passwords...
Always enter an incorrect password first. If it doesn't complain you entered the wrong password, you know it is a phishing thingie.
This is a good idea; however, it doesn't get to the root of the problem of who is prompting the fraudulent pop-up to begin with.
Good to know. I usually just put in my password just to get rid of that annoying pop-up. Apple definitely needs to work on this. It usually asks me when I’m in an app like Music, App Store, etc. It shouldn’t have to ask me to re-enter my password unless I purposely signed out ("Sign out all devices" option when changing password, etc.) or try to purchase an app.
 
Typing in passwords (especially repeatedly) is such a horrendous experience on mobile. It should never be required. Or only asked once.

Apple is really dropping the ball around identity management, services, and software.

What iOS really needs is an identity management system (a universal identity management platform).


This is a good idea; however, it doesn't get to the root of the problem of who is prompting the fraudulent pop-up to begin with.

Good to know. I usually just put in my password just to get rid of that annoying pop-up. Apple definitely needs to work on this. It usually asks me when I’m in an app like Music, App Store, etc. It shouldn’t have to ask me to re-enter my password unless I purposely signed out ("Sign out all devices" option when changing password, etc.) or try to purchase an app.


THIS is exactly it - how Apple reinforced really bad behavior/habits... by constantly nagging for the Apple ID password!

Over and over and over again

It's a horrendous experience, especially on mobile.

But Apple has a privacy policy... they don't want to know and manage your identity and accounts... SO instead iOS becomes Windows Vista UAC.
 
... and then paste your 1password password into said pop up. So it would work, just 3 seconds later.

You have missed the point: a genuine Apple pop-up does not persist; you have to re-initiate whatever it was that brought it up. If I understand the article correctly, a fake pop-up would not do this.
 
Good to know. I usually just put in my password just to get rid of that annoying pop-up. Apple definitely needs to work on this. It usually asks me when I’m in an app like Music, App Store, etc. It shouldn’t have to ask me to re-enter my password unless I purposely signed out ("Sign out all devices" option when changing password, etc.) or try to purchase an app.
Right, but I think it prompts this when Apple's servers are down, because I've had this too; like many here, it used to last for a couple of days and then it stops.
 
Right. This is the problem with iOS at heart - that really needs to be fixed by Apple (only Apple can fix it). Apple - because of a way too drastic privacy policy ideology - conditioned its users to *CONSTANTLY* type in their Apple ID password over and over and over and over again!

Because Apple *still* doesn't have a desperately needed identity management system (SSO). So everyone is forced to manage on their own, and repeatedly typing in the password to the point it becomes second nature.

Google has one, Facebook has the most successful system, Amazon does too. Apple, we NEED an identity management system! We need a universal login system on iOS now!

I don't know much about this side of technology, but I am curious: how do Facebook, Amazon and Google do it? Now that you write it, it occurs to me that yes, I very rarely have had to re-enter passwords for any of those 3 (I'm guessing by Google you mean Google/Gmail etc.? Or do you mean Android has a better way?)
Right, but I think it prompts this when Apple's servers are down, because I've had this too; like many here, it used to last for a couple of days and then it stops.


Exactly this.

This just further highlights their really bad identity [login] management system, even for their own services.

This is a MASSIVE weakness for Apple, across all their platforms and services - it's actually making users LESS safe.
The Windows security dialogs don't require Control-Alt-Delete, which I think I understand is a sacred system-only input. They seem to have the same problem. They just have complicated full-screen animations and stuff that I'm guessing are there to make it harder to spoof, just from a practical standpoint.
On Windows, you can't use Alt+Tab during UAC elevation. So it's very easy. If Alt+Tab works, it's a scam. If Alt+Tab doesn't work, it's the real Windows dialog.
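The Alt+Tab test above only works when Windows actually puts the elevation prompt on the secure desktop, the isolated desktop that no user-mode app can draw over or switch away from. That behaviour is a policy setting, not a constant, so an administrator can confirm it is still in force. The following PowerShell script is an added example written for this thread, not something from the article or from Apple/Microsoft; it reads the documented UAC policy values under the `Policies\System` registry key and reports whether admin prompts are shown on the secure desktop. The value names and their meanings are the documented Windows UAC settings; the function name and verdict strings are my own.

```powershell
# Added example (not from the thread): report whether UAC elevation prompts are
# shown on the secure desktop. The registry path and value names below are the
# documented Windows UAC policy settings; Get-UacPromptPosture is a name chosen here.
$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPromptPosture {
    param([string]$Path = $UacPolicyKey)

    $p = Get-ItemProperty -Path $Path -ErrorAction Stop

    # A missing value means Windows is using its default for that setting.
    $enableLua  = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
    $secureDesk = if ($null -ne $p.PromptOnSecureDesktop) { [int]$p.PromptOnSecureDesktop } else { 1 }
    $adminMode  = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }

    # ConsentPromptBehaviorAdmin (documented values):
    #   0 = elevate without prompting (no dialog at all)
    #   1 = prompt for credentials on the secure desktop
    #   2 = prompt for consent on the secure desktop
    #   3 = prompt for credentials on the interactive desktop (overlay-able)
    #   4 = prompt for consent on the interactive desktop (overlay-able)
    #   5 = prompt for consent for non-Windows binaries (default; honours PromptOnSecureDesktop)
    $onSecureDesktop = ($enableLua -eq 1) -and ($adminMode -ne 0) -and
                       (($secureDesk -eq 1) -or ($adminMode -in 1, 2))

    $verdict = if ($enableLua -ne 1) {
        'UAC disabled: there is no elevation prompt to verify'
    } elseif ($adminMode -eq 0) {
        'Silent elevation: administrators are never prompted'
    } elseif ($onSecureDesktop) {
        'OK: elevation prompts use the secure desktop (Alt+Tab test is valid)'
    } else {
        'WEAK: prompts appear on the interactive desktop and can be overlaid by an app'
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        PromptOnSecureDesktop      = $secureDesk
        ConsentPromptBehaviorAdmin = $adminMode
        PromptsOnSecureDesktop     = $onSecureDesktop
        Verdict                    = $verdict
    }
}

Get-UacPromptPosture | Format-List
```

Run it in any PowerShell session; reading these values does not need elevation. If the verdict is WEAK, the fix is the Group Policy "User Account Control: Switch to the secure desktop when prompting for elevation", which sets `PromptOnSecureDesktop` back to 1.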
 
I don't know much about this side of technology, but I am curious: how do Facebook, Amazon and Google do it? Now that you write it, it occurs to me that yes, I very rarely have had to re-enter passwords for any of those 3 (I'm guessing by Google you mean Google/Gmail etc.? Or do you mean Android has a better way?)


Correct. Virtually every platform company - including Microsoft - actually has an identity [login] management system.

Apple doesn't.

Hence why they run into sporadic serious security vulnerabilities such as this - which are actually very amateur....

Apple developer ID system, randomly displaying the wrong account information. iTunes, Apple Developer Connect, iTunes Connect, Apple ID.... all have DIFFERENT login systems with the worst security.


Apple is the only company that doesn't have an identity management system. It's downright criminally negligent, because they have so many amateur security issues that make all of us LESS safe.
 
This has always driven me crazy. I'm using some random app, and I just get a notification to enter my password. The way it should work is, at a minimum, it should never request a password while you're in an unrelated app. Ideally, it would only request the password when you're in the relevant Apple app, but if they somehow deem it necessary to interrupt the user for a password (for example, it's preventing something the user asked for previously), then it should only pop up in the springboard, and it should clearly identify the name of the app that is requesting the password. If the user dismisses the popup in springboard, then opens the app, that app should immediately request the password.
 
It's easy to fix in iOS since apps are sandboxed, so they could lock some part of the screen, but I know apps can access the entire screen currently. Dunno how it could be fixed in macOS for unsandboxed apps.

It's not that easy to fix on iOS, because games can draw to 100% of the screen, and they can do just about anything. Apple could try to use something like a red keyboard, but app developers could easily create a fake keyboard that looks like anything.

It's going to be easier with the iPhone X, because it has that bottom "swipe up" area where app developers absolutely cannot draw pixels, no matter what.

There are a few things that developers cannot fake. For example, the swipe up for Control Center and swipe down for Notification Center cannot be disabled by developers. Apple could make their password dialog so that it disables swipes. Then we could test the authenticity by swiping: if swiping brings up Control Center, it's a fake dialog. But who's going to do this every time Apple is asking for a password? How many of us are so knowledgeable, and how many of us are going to remember to check the swipe or the volume button, or something like that?
It's not that easy to fix on iOS, because games can draw to 100% of the screen, and they can do just about anything. Apple could try to use something like a red keyboard, but app developers could easily create a fake keyboard that looks like anything.

It's going to be easier with the iPhone X, because it has that bottom "swipe up" area where app developers absolutely cannot draw pixels, no matter what.

There are a few things that developers cannot fake. For example, the swipe up for Control Center and swipe down for Notification Center cannot be disabled by developers. Apple could make their password dialog so that it disables swipes. Then we could test the authenticity by swiping: if swiping brings up Control Center, it's a fake dialog. But who's going to do this every time Apple is asking for a password? How many of us are so knowledgeable, and how many of us are going to remember to check the swipe or the volume button, or something like that?



BINGO!

This is actually all on Apple to solve the true problem at hand: NEVER ask for passwords! Have an identity management system (SSO)... and the user never has to manage passwords & password requests again.

BUT... Apple really set terrible security practices and bad habits, forcing the user to manage their own passwords so Apple doesn't have to store them. So, iOS *CONSTANTLY* nags the user over and over again to enter their password again.

Causing fatigue.

iOS is Windows Vista with UAC all over again... but worse.
 
But wait... Apple Store employees always tell me Apple products are the most advanced products (software) in the world and are impervious to attack, and that is why Windows products are so horrible... could they be mistaken, or just too amped up on Kool-Aid? :confused:
 
Here's what Apple could do. The authentic message box could say this: Sign-In Required. Please press the home button, then enter your password.

If someone wanted to fake this behavior, pressing the home button would simply quit their app. When Apple is doing it, they have enough control to program this special behavior, which is impossible to fake by mundane developers. On the iPhone X, use a swipe up, which does the same as the home button.
 
Here's what Apple could do. The authentic message box could say this: Sign-In Required. Please press the home button, then enter your password.

If someone wanted to fake this behavior, pressing the home button would simply quit their app. When Apple is doing it, they have enough control to program this special behavior, which is impossible to fake by mundane developers. On the iPhone X, use a swipe up, which does the same as the home button.

Certainly they should do some version of this, with a unique, impossible-to-fake prompt style.

I'm really surprised they haven't done that already. All of this technology behind unlocking and encrypting the phone, while the iCloud password prompt is so basic that it could be spoofed by a really good website.
 
Most important bit:

"As Krause says, users can protect themselves by being wary of these popup dialogues. If one pops up, press the Home button to close the app. If the popup goes away, it's tied to the app and is a phishing attack. If it remains, it's a system request from Apple."
 
Correct. Virtually every platform company - including Microsoft - actually has an identity [login] management system.

Apple doesn't.

Hence why they run into sporadic serious security vulnerabilities such as this - which are actually very amateur....

Apple developer ID system, randomly displaying the wrong account information. iTunes, Apple Developer Connect, iTunes Connect, Apple ID.... all have DIFFERENT login systems with the worst security.


Apple is the only company that doesn't have an identity management system. It's downright criminally negligent, because they have so many amateur security issues that make all of us LESS safe.

Interesting and a bit worrying to read. I admit I am rather surprised, as I have generally put a lot of faith in Apple, as is probably quite common with other readers here.
 
Not so clever. Old trick from the 90s. The old solution that still works: Give security-related system popups some obvious indication of legitimacy that can't be spoofed, like something in the bezel.

The hard part is sandboxing apps so they can't spoof it. Touch ID in iOS is one good solution.
If you throw up a CALayer over your app you can pretty much draw anything you want in it (make it look like anything), and make it touch enabled.

Touch ID seems like a good and maybe the only way to prevent this (I guess Face ID on the X). But there's a problem with Face ID, because you can only register 1 face per device. So, for example, if I want to set a bunch of stuff up on my wife's or mom's or kid's phone or do a software upgrade, they have to be physically present every time one of these dialogs pops up, and they pop up frequently. Using your passcode as a backup is also problematic, because that could also be spoofed (another thing developers could steal) and is less secure than Touch ID/Face ID.
 
This isn’t new. I filed a bug (Radar) with Apple showing this years ago. I also asked for an icon to show the app that brings up the alert. It was closed as a dupe of an internal issue.

I think it was at least 4-5 years ago.
 