MobilitySecuritySoftware

iOS Vulnerable To ‘Shockingly Easy’ Phishing Attack

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Follow on: Google +

iOS’ frequent authentication pop-ups, together with developers’ ability to create authentic-looking dialogue boxes, spells phishing trouble

The Apple iOS operating system that powers the iPhone can “easily” be hacked to obtain users’ Apple ID passwords due to the system’s frequent use of genuine authentication messages, a developer has warned.

Users are so accustomed to entering their Apple ID password when asked to do so while using applications that it’s likely they wouldn’t hesitate to enter it into a false prompt, said iOS developer Felix Krause.

Malicious prompts

What’s more, iOS doesn’t have a built-in way of distinguishing system prompts from those generated by apps, meaning a malicious prompt would be visually identical to a genuine one, he said.

“Those popups are not only shown on the lock screen, and the home screen, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases,” Krause wrote in a blog post. “As a result, users are trained to just enter their Apple ID password whenever iOS prompts you to do so.”

Malicious pop-ups can appear identical to those generated by the system. Credit: Felix Krause
Malicious pop-ups can appear identical to those generated by the system. Credit: Felix Krause

He said even users “who know a lot about technology” would find it difficult to detect a prompt generated by a phishing attack.

Krause created proof-of-concept code to demonstrate the issue, but chose not to release it publicly for security reasons. But he said the demonstration consisted of less than 30 lines of code.

“Showing a dialog that looks just like a system popup is super easy, there is no magic or secret code involved,” he wrote. “It was shockingly easy to replicate the system dialogue.”

Phishing risk

He said most iOS developers are aware of the issue and the fact that it isn’t yet known to have been exploited is down to the fact that mobile app phishing is still a new area.

“This area will become more and more relevant, with users being uninformed, and the mobile operating systems not yet clearly separating system UI and app UI,” Krause wrote.

Desktop-based phishing attacks have become a routine way for criminals to infiltrate even the most high-security systems.

Earlier this week, for instance, researchers detailed how banks in former Soviet and eastern European countries had been robbed of $100 million (£75m) in recent months through a series of linked scams that involved gaining access to systems used to manipulate overdrafts. The criminals gained access using targeted phishing emails.

Krause said the issue has been present in iOS for “many years” and that he’s looking to “close the loophole”.

iOS displays the genuine prompt when an app needs to access iCloud or GameCenter or to authorise in-app purchases.

The real prompts are generated by the system itself, and not individual apps, which means users can spot a fake by pressing the iPhone’s home button.

Asking the user to enter their password in Settings is more secure. Credit: Felix Krause
Krause argues asking the user to enter their password in Settings is more secure. Credit: Felix Krause

Only the iOS system itself can respond to that prompt. That means a genuine authentication pop-up generated by the system will continue to be displayed after the home button is pressed, while a fake will close along with the application.

“The system dialogues run on a different process, and not as part of any iOS app,” Krause wrote.

Fix needed

Users can also get around fake prompts by dismissing any authenticaion pop-up and entering the required permissions into the Settings app.

Apple could address the issue by changing iOS so that users aren’t constantly asked for their credentials, Krause said.

Other possible fixes could include distinguishing app dialogue boxes from those generated by the system by displaying the app icon in one corner, or opening the iCloud Settings screen instead of simply asking for the user’s password.

An in-app phishing attack would require malicious code to make it past Apple’s App Store review, but malware has appeared in the App Store in the past.

Krause said developers have recourse to a number of ways to slip malicious code through App Store screening, such as triggering the code to activate only after the review has been completed, or loading code from a remote location.

Apple declined to comment.

Do you know all about security in 2017? Try our quiz!