iOS is often hailed as having better security mechanisms than Android, though often at the expense of openness. But while it certainly has the big malware and exploits covered, Apple may have overlooked the simpler cases. Apparently, it’s quite easy to deceive users into giving up their Apple ID passwords, which can then be used to potentially hack the user’s other accounts. All of that using the official tools that Apple provides developers to make popups and dialog boxes.
It’s one half social engineering and one half oversight. Even without this technical loophole, users, on iOS or elsewhere, are sometimes too willing to enter their password in any window that simply asks them for it. Even with the spate of hacking incidents in the past 2-3 years, users still haven’t adopted best practices as far as passwords go.
It doesn’t help that iOS also makes it easy for any developer to ask users for their password while masquerading as an official system prompt to, say, sign in to iTunes or authorize a payment. Every platform provides UI building blocks to make it easy for developers to create things like popup windows, dialog boxes, and whatnot. As it turns out, those same building blocks can be used to easily create a dialog mimicking a legitimate iOS system popup as well.
Even for keen, tech-savvy users, it’s not easy to tell the phishing versions from the official ones. Complicating matters is the fact that, even if users cancel the popup, if they have already entered their password, the app and its developer will have access to that input regardless. And while Apple does diligently screen each and every app that goes into the App Store, some do slip through the cracks from time to time.
Developer Felix Krause, who brought the public’s attention to this rather simple but very dangerous situation, makes a few suggestions for Apple to rectify the matter. Users, however, are really left with little recourse other than a few tricks, like pressing the home button to see whether the popup is an official system one, in which case it will remain on screen, or a phishing attempt, in which case it should disappear along with the app. Ultimately, however, it will be a matter of vigilance, which few users seem to have the patience for.
SOURCE: Felix Krause