This isn't new... it has actually bothered me for years that Apple doesn't have a customized Apple Store Login Window. Or in other terms: Using a simple-to-fake message box for a high security password is rather stupid. This is one of the things Apple isn't so smart about. The list continues with unencrypted backup (use TLS ffs!) over WiFi, the fact that USB-C is the holy grail - yet not used on the iPhoneX, USB-C chargers don't have a built-in daisy chain port nor any other port (so much for the premium user experience) - same for the iPhone chargers (no headphones during charge), ... and so on...

Also: "Appstore-review" is not an excuse for a design flaw...
 
I’m sure Apple can search the source code to see if a password text box is being used and then scrutinise any app further.
They could then check for text on UI dialog boxes that look like phishing attacks. I’m sure Apple’s checking process is pretty rugged.

Also, I don’t think Apple will ever claim 100% that they can stop malicious attacks. What they can do that others can’t is actually stop them once found and disable them remotely (I think they need to be signed to work, so a key can be revoked).

It’s about damage control really. Google could only guarantee this if you use their store but by default you can use any store if you want and you can side load on Android. So it’s just so much harder for them to help you out in this regard. But Apple is pretty much locked down.
 
I've always felt it was a little dodgy when I get these popups on iOS - how do I know it's iOS asking me for it (yeah and Mac OS too now you mention it, although that hadn't occurred to me before for some reason). Apple needs to address this.
 
Do you mean it was an app doing it to steal your info? Which app was it?

Or do you just mean you have been extra careful when the box appears? From now on I am going to do that with both Mac and iPhone. It's really bad when I think back over the past few months, having set up both a new MacBook and iPhone how many times I have just unthinkingly put my password in to whichever box appeared across four different devices!
It happened while in Safari on iOS.
 
I think this one is on Apple. A user gets legitimately asked for his/her password enough times and fatigue sets in, and they stop really thinking about it.

Ultimately it's a UX problem that needs to be solved so that entering one's iCloud password is 1) hard to fake and 2) doesn't happen any more often than necessary.
I saw this sort of thing even a decade ago with internet surfing... folks get all sorts of popups from their web browser about security and certificates that they just automatically click Yes/OK. On one hand, you'd think they'd do some research on this, but OTOH, no one ever really trains you on these sorts of things.
 
This is nothing new. This has been possible for many years.

The only problem is - there is NO way for apps to know what your Apple ID email is. The best they could do is get you to type in your email somewhere, for most users they would probably type in the same email they use for their apple ID.

Even worse - even IF Apple finds a way to block these messages from using UIAlertController with text asking for an Apple ID password, shady developers could simply mimic the UI appearance of UIAlertController and do it anyways.

Fortunately this type of attack vector would be incredibly unlikely since it would only work inside of an app intentionally by the developers. I am willing to bet this will never actually occur for any apps on the App Store.
 
This is interesting as just yesterday I had a box popup that was asking for my AppleID, and it looked nothing like a 'standard Apple dialog box'. I thought, when it popped up, that it was an odd time to be asking for my password too, but I was working with an older iPad, trying to clean it off prior to donating it. I thought maybe it was just the mix of the older iPad and the newer iTunes software. It was seizing while syncing too. That was such a PITA! ARG!!!
I remember reading an article about software firewalls on computers and how the users always answer the dialog boxes favorably to get them to go away. So, with that in mind, why Apple wouldn't do more to control access to the 'official screen' is troubling.
 
Apple needs to fix the bug(s) that ask for the password at random times (I also have one where occasionally the request pops up then disappears before I can type anything).

I just had it happen to me when I opened the Camera from the lock screen today. Same thing, it went away rather quickly.
 
I saw this sort of thing even a decade ago with internet surfing... folks get all sorts of popups from their web browser about security and certificates that they just automatically click Yes/OK. On one hand, you'd think they'd do some research on this, but OTOH, no one ever really trains you on these sorts of things.
My girlfriend does this constantly and it drives me nuts. An alert from iCloud or the OS asking about an update -- or really anything at all -- will show up and she'll just click "cancel" or "ok" without reading it. And then guess who gets to figure out later why her stuff isn't syncing... I've been trying to train her to stop for like one second and read things, but it's an uphill battle.
 
This is nothing new. This has been possible for many years.

The only problem is - there is NO way for apps to know what your Apple ID email is. The best they could do is get you to type in your email somewhere, for most users they would probably type in the same email they use for their apple ID.

Even worse - even IF Apple finds a way to block these messages from using UIAlertController with text asking for an Apple ID password, shady developers could simply mimic the UI appearance of UIAlertController and do it anyways.

Fortunately this type of attack vector would be incredibly unlikely since it would only work inside of an app intentionally by the developers. I am willing to bet this will never actually occur for any apps on the App Store.
As mentioned earlier in this thread, I really hope all authentication is moved to Settings.app. Then people won't be fooled by random password popups.
 
I’m sure Apple can search the source code to see if a password text box is being used and then scrutinise any app further.
They could then check for text on UI dialog boxes that look like phishing attacks. I’m sure Apple’s checking process is pretty rugged.

I'm an iOS developer and my apps are able to change their behaviour without needing a new submission to the App Store.
I could easily add a popup to request a password, or even change the text in the popup well after the approval process.
Sure, my app would be reported by some users and my developer account would be cancelled. But it is a possibility and it isn't hard at all to implement.

Apple's checking process is good, sometimes it is even too pedantic, but they should continue checking an app even after App Store review is done to wipe out malicious apps.
 
This is terrifying. I never knew this was possible, I may have already given up my password without knowing. I hope Apple comes out with an official statement regarding whether this has already affected users or not. They should at least fix the login process so it can’t happen in the future.
 
I initially thought the random requests for Apple passwords were some rogue app, but now after years of iOS demanding passwords for no obvious reason I would probably fall for this phishing attempt.

Whenever I see this I make it a habit to attempt to solve from settings. Otherwise I am likely to get it again. And again. and ... Especially after OS updates or restores.
Even though I mention this to family members and friends, most don't see the need. If this becomes a problem, most would likely fall for it I would think.
 
I'm an iOS developer and my apps are able to change their behaviour without needing a new submission to the App Store.
I could easily add a popup to request a password, or even change the text in the popup well after the approval process.
Sure, my app would be reported by some users and my developer account would be cancelled. But it is a possibility and it isn't hard at all to implement.

Apple's checking process is good, sometimes it is even too pedantic, but they should continue checking an app even after App Store review is done to wipe out malicious apps.
Can you change the text of UIAlertController after it is already presented to the user? I have never tried that so I wouldn't know.

Nonetheless, I think Apple could easily add some key value observation to check for changes to the text on UIAlertController and scan each one for suspicious requests. They could even use neural networks to do so if they want really good accuracy.

But really, if Apple does that, bad developers could simply come up with a mimic UI that looks like a UIAlertController and simply present that. Apple would have a VERY hard time catching that without user reports.

Edit: yeah, you definitely can change the title of a UIAlertController even after it has been presented to the user:

Code:
let alert = UIAlertController(title: "test1", message: "test msg", preferredStyle: .alert);
alert.addAction(UIAlertAction(title: "test action", style: .cancel, handler: nil));
self.present(alert, animated: true) {
   alert.title = "test 2";
};
 
Yeah, I've had double-take moments in the past when prompted to input my Apple password. It seemed out of order. So I didn't.

Good tip using junk password on first try.

Perhaps Apple could introduce a live screen scan system, not only create a unique look for their UI alerts for ID/pwd but also encode a gfx code in a black or white dot that is scanned live to verify the pop-up. So if iOS scans a pop-up that looks like its own but finds no verification code, it catches it instantly. It should issue all its pop-ups with unique digital watermarks.

There is probably another way to do this, but this is like a gfx watermark that only iOS can detect and that is essentially invisible to the human eye, and the app devs have no ability to reproduce the correct code; even if they could reproduce it graphically, they can't ever generate the right code.
 
Apple vets, yes. But do they test every single scenario of the app?

I like the trick with the homepage button described in the article
It's his job. The best security experts are hackers and phishers.

Did you read what I typed?
 
Can you change the text of UIAlertController after it is already presented to the user? I have never tried that so I wouldn't know.

Nonetheless, I think Apple could easily add some key value observation to check for changes to the text on UIAlertController and scan each one for suspicious requests. They could even use neural networks to do so if they want really good accuracy.

But really, if Apple does that, bad developers could simply come up with a mimic UI that looks like a UIAlertController and simply present that. Apple would have a VERY hard time catching that without user reports.

Edit: yeah, you definitely can change the title of a UIAlertController even after it has been presented to the user:

Code:
let alert = UIAlertController(title: "test1", message: "test msg", preferredStyle: .alert);
alert.addAction(UIAlertAction(title: "test action", style: .cancel, handler: nil));
self.present(alert, animated: true) {
   alert.title = "test 2";
};

I think you don't need to change the title after the alert is presented to the user.
You can just have a standard text and ship your app with it, then your app receives the new string via a REST API call, let's say after a couple of months, and you start collecting passwords.
By the time you are reported to Apple you can have stolen a lot of passwords, then you create a new account, publish a new app and start again.
 
I'm an iOS developer and my apps are able to change their behaviour without needing a new submission to the App Store.
I could easily add a popup to request a password, or even change the text in the popup well after the approval process.
Sure, my app would be reported by some users and my developer account would be cancelled. But it is a possibility and it isn't hard at all to implement.

Apple's checking process is good, sometimes it is even too pedantic, but they should continue checking an app even after App Store review is done to wipe out malicious apps.

Yeah you are right.

It’s a hard problem to solve.

Gruber mentioned that they could move all Apple ID password requests to the Settings app. Which could be jarring, but it would at least mean that if any app requested your Apple ID it’s fake and you could report the app. Maybe that could work?
 
Yeah you are right.

It’s a hard problem to solve.

Gruber mentioned that they could move all Apple ID password requests to the Settings app. Which could be jarring, but it would at least mean that if any app requested your Apple ID it’s fake and you could report the app. Maybe that could work?

That's my idea as well, take the user to the settings and only ask for a password within that app
 
This happened to me exactly a couple of weeks ago. I got prompted to sign in with my password after I updated to the newest iOS system on my iPhone, and it then asked me to fill in my Apple ID’s details again, like CC information and address, and today I got hacked with multiple charges on my card, plus all my iTunes account details got changed from an outside source in Indonesia!
 