Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Developer Demonstrates iOS Phishing Attack That Uses Apple-Style Password Request
- Thread starter MacRumors
- Start date
- Sort by reaction score
Right. This is the problem with iOS at heart - that really needs to be fixed by Apple (only Apple can fix). Apple - because of way to drastic privacy policy ideology - conditioned its users to *CONSTANTLY* type in their Apple ID password over and over and over and over again!
Because Apple *still* doesn't have a desperately needed identity management system (SSO). So everyone is forced to manage on their own, and repeatedly typing in the password to the point it becomes second nature.
Google has one, Facebook has the most successful system, Amazon does to. Apple, we NEED an identity management system! We need a universal login system on iOS now!
Because Apple *still* doesn't have a desperately needed identity management system (SSO). So everyone is forced to manage on their own, and repeatedly typing in the password to the point it becomes second nature.
Google has one, Facebook has the most successful system, Amazon does to. Apple, we NEED an identity management system! We need a universal login system on iOS now!
This is a good idea however it doesn't get to the root of the problem of who is prompting the fraudulent pop up to begin with?
Good to know. I usually just put in my password just to get rid of that annoying pop up. Apple definitely needs to work on this. It usually asks me when I’m on an app like Music, App Store, etc. It shouldn’t have to ask me to re-enter my password unless I purposely signed out (Signout all devices option when changing password, etc.) or try to purchase an app.
Typing in passwords (especially repeatedly) is such a horrendous experience on mobile. It should never be required. Or only asked once.
Apple is really dropping the ball around identity management, services, and software
What iOS really needs is an identity management system (universal identity management platform)
THIS is exactly it - how Apple reinforced really bad behavior/habits.... of constantly nagging for Apple ID password!
Over and over and over again
It's horrendous experience especially on mobile.
But Apple has a privacy policy.... they don't want to know and manage your identity and accounts.... SO instead iOS becomes Windows Vista UAC
Apple is really dropping the ball around identity management, services, and software
What iOS really needs is an identity management system (universal identity management platform)
[doublepost=1507678273][/doublepost]
THIS is exactly it - how Apple reinforced really bad behavior/habits.... of constantly nagging for Apple ID password!
Over and over and over again
It's horrendous experience especially on mobile.
But Apple has a privacy policy.... they don't want to know and manage your identity and accounts.... SO instead iOS becomes Windows Vista UAC
You have missed the point, a genuine apple pop up does not persist you have to re initiate whatever it was that brought it up. If I understand the article correctly a fake pop up would not do this.
Right but I think it prompts this when apples servers are done because I've had this too like many here it use to last for a couple days and then it stops.
I don't know much about this side of technology but I am curious how do facebook, amazon and google do it? Now you write it, it occurs to me that yes I very rarely have had to re-enter passwords for any of those 3 (I'm guessing by google you mean google gmail etc? Or do you mean Android has a better way?)
Exactly this.
This just further highlights their really bad identity [login] management system even for their services.
This is a MASSIVE weakness for Apple, across all their platforms and services - that's actually making users LESS safe
On Windows, you can't use Alt+Tab during UAC elevation. So it's very easy. If Alt+Tab works, it's a scam. If Alt+Tab doesn't work, it's the real Windows dialog.
So, maybe Apple should publish all the parts of the system where you could expect this type of popup (if it is at all possible). If it happens while using "Fred's App", then you could be suspicious.
Correct. Virtually every platform company - including microsoft - actually has an identity [login] management system
Apple doesn't
Hence why they run into sporadic serious security vulnerabilities such as this - which are actually very amateur....
Apple developer ID system, randomly displaying the wrong account information. iTunes, Apple Developer Connect, iTunes Connect, Apple ID.... all have DIFFERENT login systems with the worst security.
Apple is the only company that doesn't have an identity management system. It's downright criminally negligent because they have so many amateur security issues that makes all of us LESS safe
This has always driven me crazy. I'm using some random app, and I just get a notification to enter my password. The way it should work is, at a minimum, it should never request a password while you're in an unrelated app. Ideally, it would only request the password when you're in the relevant Apple app, but if they somehow deem it necessary to interrupt the user for a password (for example, it's preventing something the user asked for previously), then it should only pop up in the springboard, and it should clearly identify the name of the app that is requesting the password. If the user dismisses the popup in springboard, then opens the app, that app should immediately request the password.
It's not that easy to fix on iOS, because games can draw to 100% of the screen, and they can do just about anything. Apple could try to use something like a red keyboard, but app developers could easily create a fake keyboard that looks like anything.
It's going to be easier with the iPhone X, because it has that bottom "swipe up" area where app developers absolutely cannot draw pixels, no matter what.
There are a few thing that developers cannot fake. For example, the swipe up for control center and swipe down for notification center cannot be disabled by developers. Apple could make their password dialog so that they disable swipes. Then we could test the authenticity by swiping. If swiping brings up the control center, it's a fake dialog. But who's going to do this every time Apple is asking for a password? How many of us are so knowledgeable, and how many of us are going to remember to check the swipe or the volume button, or something like that.
BINGO!
This is actually all on Apple to solve the true problem at hand: NEVER ask for passwords! Have an identity management system (SSO).... and the user never has manage passwords & passwords requests again.
BUT... Apple really set terrible security practices and bad habits. Forcing the user to manage their own passwords so Apple doesn't have to store it. So, iOS *CONSTANTLY* nags the user over and over again to enter their passwords again.
Causing fatigue.
iOS is Windows Vista with UAC all over again... but worse
But wait ... Apple store employees always tell me, Apple products are the most advanced products (software) in the world and are iimpervious to attack, that is why Windows products are so horrible ... could they be mistaken or just too amped up on Kool-Aid 
Here's what Apple could do. The authentic message box could say this: Sign-In Required. Please press the home button, then enter your password.
If someone wanted to fake this behavior, pressing the home button would simply quit their app. When Apple is doing it, they have enough control to program this special behavior, which is impossible to fake by mundane developers. On the iPhone X, use a swipe up, which does the same as the home button.
If someone wanted to fake this behavior, pressing the home button would simply quit their app. When Apple is doing it, they have enough control to program this special behavior, which is impossible to fake by mundane developers. On the iPhone X, use a swipe up, which does the same as the home button.
Certainly they should do some version of this, with a unique, impossible-to-fake prompt style.
I'm really surprised they haven't done that already. All of this technology behind unlocking and encrypting the phone, while the iCloud password prompt is so basic that it could be spoofed by a really good website.
Most important bit:
"As Krause says, users can protect themselves by being wary of these popup dialogues. If one pops up, press the Home button to close the app. If the popup goes away, it's tied to the app and is a phishing attack. If it remains, it's a system request from Apple."
"As Krause says, users can protect themselves by being wary of these popup dialogues. If one pops up, press the Home button to close the app. If the popup goes away, it's tied to the app and is a phishing attack. If it remains, it's a system request from Apple."
Too bad most users won't read this. At least I suggest making this sentence bold in the main article.
Interesting and a bit worrying to read. I admit I am rather surprised as I have generally put a lot of faith in apple, as is probably quite common with other readers here.
If you throw up a CALayer over your app you can pretty much draw anything you want in it (make it look like anything), and make it touch enabled.
TouchID seems like a good and maybe only way to prevent this (I guess FaceID on the X). But there's a problem with FaceID because you can only recognize 1 face per device. So for example if I want to set a bunch of stuff up on my wife's or mom's or kid's phone or do a software upgrade, they have to be physically present every time one of these dialogs pop up, and they pop up frequently. Using your passcode as a backup is also problematic because that could also be spoofed (another thing developers could steal) and is less secure than TouchID/FaceID.
