According to the findings of Felix Krause, a mobile app developer and founder of Fastlane, there is a flaw in iOS that is potentially dangerous for the security of users’ passwords. In his blog post, Krause explained that cybercriminals could use pop-up dialog boxes to carry out phishing attacks so that an unsuspecting user could be tricked into providing his/her Apple ID password. It is worth noting that phishing attacks are conducted to get sensitive data such as credit card number or password or private information by stealing login data or infecting the device with malicious software.
To prove his findings, Krause developed a proof-of-concept showing that the security flaw indeed exists in iOS and wrote that there is just one method of differentiating the fake pop-up from the authentic one, which is by pressing the Home button. When this button is pressed, the fake pop-up dialog box will automatically close along with the app on which it appeared. For instance, if the user was playing a game and the fake pop-up appeared, by pressing the Home button the game will be closed and so will be the pop-up.
A genuine pop-up will not be closed when the Home button is pressed because it will be running on an entirely different process while the fake pop-up will run on a standard app. Furthermore, the fake system of pop-up was quite easy to create (with just 30 lines of code to be written).
Let’s have a look at the comparison of an authentic pop-up and a fake pop-up:
Screenshot via: Krausefx
Screenshot via: Krausefx
Krause suggests that to prevent users from being deceived into giving away their private details or sensitive data like passwords, app pop-up dialog boxes must include the app’s icon so that a system pop-up and an app pop-up could be differentiated. This would ultimately help in identifying fake pop-up from authentic ones. Moreover, using 2FA (two-factor authentication method) is also helpful in improving the security of the device. If cybercriminals obtain one of the two passwords, it will not be possible to complete the attack.
Krause opines that users shouldn’t be asked for passwords and similar credentials in the first place to prevent exploitation of the newly discovered iOS vulnerability. However, if they are asked for credentials, it is better to go to the Settings app and enter their credentials over there to eliminate the risk of abuse.
“Always close the dialog, and open the iCloud settings manually, and only enter [the password] there. Showing a dialog that looks just like a system popup is super easy, there is no magic or secret code involved, it’s the examples provided in the Apple docs, with a custom text,” stated Krause.
