Not every pop-up window on your iPhone that looks like an official Apple pop-up actually is one! Yesterday, developer Felix Krause published a proof of concept for a phishing attack, demonstrating how app developers could misuse these pop-ups to obtain the user's Apple ID and password. To find out more about phishing attacks, look at our threat glossary.
Can you see the difference in these pop-ups?
iPhone and iPad users have long been used to the familiar Apple pop-ups that ask for their iCloud login credentials or appear when they want to buy something. These pop-ups also appear while the user is inside other apps, not only in the App Store or iTunes.
Using UIAlertController (the iOS component that displays alert dialogs on screen), developers are able to replicate the design of such a system dialog and ask for your login data. Many iOS users won't notice the small differences between the two and would be fooled into entering their login credentials.
Showing a dialog that looks just like a system popup is super easy; there is no magic or secret code involved, it's literally the examples provided in the Apple docs, with a custom text.
I decided not to open source the actual popup code, however, note that it’s less than 30 lines of code and every iOS engineer will be able to quickly build their own phishing code. — Felix Krause on krausfx.com
Some of these system dialogs display the individual user's Apple ID, so a developer would need to know it to imitate them convincingly; others simply don't.
The phishing method described by Krause isn't new. Apple's App Store review checks submitted apps for this kind of behaviour, but it cannot catch every case. In addition, many iOS users are not even aware that such a phishing attack is possible on their iPhone or iPad.
You can protect yourself against such phishing attacks
As you can see, you should be wary of such pop-up dialogs. If a pop-up appears while you are using an app, there is one quick way to check whether it is a phishing attempt: close the app. If the pop-up disappears with it, it was drawn by the app and might be a phishing attack. If the pop-up stays on screen, it is a genuine system dialog from Apple. Another way to avoid the problem altogether is to enter your login credentials only in the iOS Settings app, never in a dialog shown by another app.
As an additional layer of protection against such attacks, you should enable two-factor authentication. With this option enabled, an attacker cannot log into your Apple account with a stolen Apple ID and password alone. With two-factor authentication, you receive a verification code on a (trusted) device of your choice, which ensures that no one else can take over your Apple account.
If you suspect that someone has access to your Apple account, follow this guide. Have you already come across such a fake pop-up?