The iPhone’s habit of repeatedly requesting your Apple ID password with little explanation or warning isn’t just annoying – it’s also a security flaw which could allow attackers to craft extremely convincing phishing attacks, an iOS developer has warned (TheGuardian).

Apple IDs are accounts users create to do everything from buy apps to subscribe to the company’s many online services, including Apple Music and iCloud. Accessing a person’s Apple ID would allow malicious hackers to make fraudulent purchases, change passwords, and ultimately use the account’s associated credit card to buy digital goods. And if users make the mistake of using the same password for other services, like banks, sophisticated hackers could target accounts elsewhere (Fortune).

Developer Felix Krause reported: “iOS asks the user for their iTunes password for many reasons; the most common ones are recently installed iOS operating system updates, or iOS apps that are stuck during installation.”

“As a result, users are trained to just enter their Apple ID password whenever iOS prompts them to do so. However, those popups are not only shown on the lock screen and the home screen, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases.”

“This could easily be abused by any app, just by showing a UIAlertController that looks exactly like the system dialog.”

“Even users who know a lot about technology have a hard time detecting that those alerts are phishing attacks.” His full write-up can be seen here.

How do you know if the pop-up request is legit or part of a phishing scheme? Krause says to hit the home button before you enter the password. Only Apple itself can respond to the home button; any other app will be forced to close, along with the fake pop-up.

Krause also recommends the following:

  • Don’t enter your credentials into a popup; instead, dismiss it and open the Settings app manually. This is the same concept as never clicking on links in emails, but instead opening the website manually.
  • If you hit the Cancel button on a dialog, the app still gets access to the content of the password field. Even after you have entered only the first characters, the app probably already has your password.