In the past month, how many times has your iPhone asked you for your Apple ID password? If you have upgraded to iOS 11 and installed the several other software updates released in the past few weeks, chances are it has been several times. iOS asks users to re-enter their Apple ID password when downloading apps or app updates, when downloading software updates, when re-authenticating the user's iCloud account, and so on. Because this is normal behavior, our brains are trained to enter our Apple ID password as soon as we see this popup, without thinking twice.
As it turns out, this is a pretty big vulnerability that hackers can take advantage of through phishing attacks. As developer Felix Krause explained in a detailed blog post, a rogue app can display a dialog box that looks very similar to the system dialog iOS shows when asking for a password. This fake dialog displays the user's Apple ID and asks them to enter their password.
Since users are used to getting this dialog box often, they will enter the password, unknowingly sharing it with the hacker, who then gets access to their whole Apple ID. This can be fatal: once they have your Apple ID password, they can access your iCloud account, read your emails, and get access to your contacts, photos, calendar, messages and much more.
How to protect yourself from such phishing attacks
The good news is that it is fairly easy to protect yourself from such phishing attacks. The most important step you can take is to enable two-factor authentication on your Apple ID. This way, no one can get access to your Apple ID without having physical access to one of your Apple devices.
While password dialogs on the lock screen, home screen and in any stock iOS app should not raise concerns, be extra careful when such popups appear inside a third-party app.
Here are some of the tips shared by Felix Krause that can protect you from such attacks.
Hit the home button, and see if the app quits:
If it closes the app, and with it the dialog, then this was a phishing attack.
If the dialog and the app are still visible, then it's a system dialog. The reason is that system dialogs run in a different process, and not as part of any iOS app.
Don't enter your credentials into a popup; instead, dismiss it and open the Settings app manually. This is the same concept as never clicking on links in emails, but instead opening the website manually.
If you hit the Cancel button on a dialog, the app still gets access to the content of the password field. Even after entering the first characters, the app probably already has your password.