Can you trust that “Sign in to iTunes Store” dialog on your iPhone?

It’s all too easy for a malicious app developer to determine a user’s Apple ID password – just by asking for it.

Developer Felix Krause warns users to be on their guard against password-stealing apps that dupe users into entering their sensitive passwords by using fake login dialogs disguised as legitimate requests from the underlying iOS operating system.

The problem lies in the fact that with just a few lines of code, a third-party app developer can pop up a password prompt that looks identical to a legitimate one created by iOS.

The problem, says Krause, is compounded by how regularly iOS users are asked to enter their passwords for legitimate reasons – such as installing an operating system update:

“As a result, users are trained to just enter their Apple ID password whenever iOS prompts you to do so. However, those popups are not only shown on the lock screen, and the home screen, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases.”

“This could easily be abused by any app, just by showing a UIAlertController that looks exactly like the system dialog.”

So there’s the problem. How are you supposed to tell the difference between a genuine pop-up and one initiated by a password thief?

One approach is to give users a way to uniquely customise iOS’s password dialogs.

That’s an approach taken by some banking apps, which give account owners the option of choosing their own “Welcome” message that will be displayed alongside the login screen in an attempt to make it less likely that they will enter their credentials into a malicious app.

So, rather than your app saying “Hi” or “Welcome” you could change it to something that malicious hackers would find less predictable like “Greetings Galactic Lord President” or “Beetroot!”.

If you didn’t see the custom message you normally expect to see, you know something fishy (phishy?) is afoot.

Alternatively, some banking apps allow you to add a personal photograph to the login page. If it’s not displayed (or if the photo is not the one you chose) then you know not to enter your credentials.
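The banking-app approach described above can be implemented inside an app’s own login screen. The following is an added example, not code from the article or from Krause: a user-chosen welcome phrase is stored in the app’s keychain at enrolment and rendered above the password field every time credentials are requested. The service name, the four-character minimum and the class names are assumptions for illustration. Keychain items are scoped to the app that created them, so another app on the same device cannot read the phrase and therefore cannot reproduce it in a forged dialog; that is what gives the cue its value.

```swift
// Added example (not from the article or from Krause): a banking-style
// "personal welcome phrase" as an anti-phishing cue on an app's own login screen.
import UIKit
import Security

enum KeychainError: Error { case status(OSStatus) }

/// Stores the user's chosen phrase in this app's keychain. Items are scoped to
/// the app (its access group), so other apps cannot read or forge the phrase.
enum WelcomePhraseStore {
    private static let service = "com.example.bank.welcome-phrase"  // assumed identifier
    private static let account = "current-user"

    private static var baseQuery: [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    static func save(_ phrase: String) throws {
        SecItemDelete(baseQuery as CFDictionary)   // replace any previous phrase
        var attrs = baseQuery
        attrs[kSecValueData as String] = Data(phrase.utf8)
        attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        let status = SecItemAdd(attrs as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.status(status) }
    }

    static func load() -> String? {
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
              let data = result as? Data else { return nil }
        return String(data: data, encoding: .utf8)
    }
}

/// Login screen that shows the stored phrase above the password field. Until a
/// phrase has been enrolled, the password field stays hidden, so credentials
/// are never requested without the cue being on screen.
final class LoginViewController: UIViewController {
    private let phraseLabel = UILabel()
    private let passwordField = UITextField()

    override func viewDidLoad() {
        super.viewDidLoad()
        view.backgroundColor = .systemBackground
        phraseLabel.font = .preferredFont(forTextStyle: .title2)
        phraseLabel.textAlignment = .center
        phraseLabel.numberOfLines = 0
        passwordField.placeholder = "Password"
        passwordField.isSecureTextEntry = true
        passwordField.borderStyle = .roundedRect

        let stack = UIStackView(arrangedSubviews: [phraseLabel, passwordField])
        stack.axis = .vertical
        stack.spacing = 16
        stack.translatesAutoresizingMaskIntoConstraints = false
        view.addSubview(stack)
        NSLayoutConstraint.activate([
            stack.centerYAnchor.constraint(equalTo: view.centerYAnchor),
            stack.leadingAnchor.constraint(equalTo: view.leadingAnchor, constant: 24),
            stack.trailingAnchor.constraint(equalTo: view.trailingAnchor, constant: -24),
        ])
        render()
    }

    private func render() {
        if let phrase = WelcomePhraseStore.load() {
            phraseLabel.text = phrase            // e.g. "Beetroot!" chosen at enrolment
            passwordField.isHidden = false
        } else {
            phraseLabel.text = "Choose your personal welcome phrase before signing in."
            passwordField.isHidden = true        // no cue yet: do not ask for a password
            presentEnrolment()
        }
    }

    private func presentEnrolment() {
        let alert = UIAlertController(title: "Personal phrase",
                                      message: "Pick something only you would expect to see here.",
                                      preferredStyle: .alert)
        alert.addTextField { $0.placeholder = "e.g. Greetings Galactic Lord President" }
        alert.addAction(UIAlertAction(title: "Save", style: .default) { [weak self] _ in
            guard let self = self, let text = alert.textFields?.first?.text,
                  text.trimmingCharacters(in: .whitespaces).count >= 4 else {
                self?.presentEnrolment()         // assumed policy: at least 4 characters
                return
            }
            try? WelcomePhraseStore.save(text)
            self.render()
        })
        present(alert, animated: true)
    }
}
```

The caveat is scope: this protects only the app’s own sign-in screen, where the app controls what is shown. It does nothing for a forged “Sign in to iTunes Store” dialog, which is a prompt the user attributes to iOS rather than to any one app; that is the gap the article is asking Apple to close.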

Wouldn’t it be possible for iOS to implement something similar to this?

The good news is, as Krause told The Register, there don’t seem to be any reports that any apps have been using the phishing technique in the wild.

However, it does strike me that we are reliant on Apple spotting any offending apps which attempt this phishing trick before they manage to get into the official App Store. Wouldn’t we all feel a little safer if the operating system itself made it trickier to forge a convincing-looking password prompt?

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

2 Comments

  • I see the real problem here not in apps, but in WEBSITES that can just as easily display a screen that looks like an iOS login dialog. So you wouldn't even have to write an app, get it into app store etc…

  • I believe a good way to check would be to enter something other than your actual password. Then if it doesn't prompt saying it was the incorrect password, you know it was a phishing attempt. Because the phishing program doesn't have any way of knowing if it was your correct password or not.