Any iPhone or iPad owner who has been using Apple devices for some time has probably seen a popup notification from Apple asking for a username and password. iOS users are so accustomed to such popups that a developer has come up with a phishing attack that might not be too difficult to sneak in.
A developer named Felix Krause has built a proof of concept to demonstrate such a phishing attack. He shows that it would not be difficult for developers to package a phishing attack in an Apple-style popup inside their apps. The developer believes that iOS users are accustomed to popups asking for their username and password even when they are not using the App Store or iTunes app.
Using UIAlertController, the developer emulated the design of the stock popup notification for username and password. This interface can then be tied to a phishing attack behind the scenes.
iOS asks the user for their iTunes password for many reasons; the most common ones are recently installed iOS operating system updates or iOS apps that are stuck during installation.
As a result, users are trained to just enter their Apple ID password whenever iOS prompts them to do so. However, those popups are shown not only on the lock screen and the home screen, but also inside random apps, e.g. when they want to access iCloud, Game Center or In-App Purchases.
This could easily be abused by any app, just by showing a UIAlertController that looks exactly like the system dialog.
In most instances, the attacker will need the user's email address to gain access to their password. However, there are some cases where the attacker can obtain the password without needing the email address.
Krause wanted to warn iOS users about the possibility of such phishing attacks. He suggests that if you see a popup like this asking for your username and password and you are unsure about it, simply press the Home button. If the popup does not disappear, it is tied to the Apple system and is an official prompt. However, if the popup disappears after you press the Home button, it is tied to an app, and you should be cautious about entering your login details.
It is worth noting that Apple has its own application approval process in place to look for similar issues before an app hits the App Store. However, it's a good thing to know more about how things work. The developer has also informed Apple about his proof of concept.