You are browsing the Internet on your iPhone or playing a game when suddenly, as on so many other occasions, a popup window appears asking for your iTunes Store password. Almost by reflex, you type in the password and carry on with what you were doing. Why did iOS ask for your password this time? Who knows: some app that needs it to install, or some system sign-in. What would never cross your mind is that you have just been phished.

Apple’s mania for asking its iOS users to confirm almost any action that requires a certain level of security does not always work in its favour; it can prove counterproductive. iOS users have become so accustomed to the popup window requesting their password that they enter it without even thinking about why. And this dialog is incredibly easy for a third party to replicate.

Find the seven differences.

As the developer Felix Krause points out, only 30 lines of code are needed to mimic Apple’s verification prompt. What’s more, Apple itself provides them in its framework, since UIAlertController is the standard way to display alerts in iOS using popup windows. The developer only has to change the message shown in the window so that it matches the one Apple uses to ask for the password. As you can see in the image, there is practically no difference between the genuine window and the phishing one.

Who is to blame for all this and what is the solution?

If you type the password into one of these popup windows, the attacker receives your data automatically. Obtaining your email address is not difficult, because the app can access it without your permission. From there, what happens next depends on whether you have two-factor authentication or another verification method enabled. The problem is that most users reuse the same password across other services that have nothing to do with Apple.

Be that as it may, three parties are involved in this problem: developers, users, and Apple. And it is everyone’s responsibility to prevent such attacks:

Another example where email is not even required.

  • Users: Telling these messages apart is not easy, but before entering a password we should think about why the system might be asking for it. Also, if we leave the app and the window disappears, it was not part of the system.
  • Developers: As simple as not playing with fire. Just as it is easy to insert this type of attack, it is also easy for Apple’s review process to detect it.
  • Apple: Surely the biggest fault lies with Apple, for offering the same interface and method for both password prompts and any other message requiring user action. Creating a distinct popup for password forms, or simply asking for passwords only in the system Settings, would be a good solution.

What about Android users?

On Android devices, since there is no universal interface, it is harder for attackers to create this kind of phishing attack. But that does not mean it is impossible, especially in third-party applications. Using common sense and thinking twice before entering a password should help us avoid any attack. Moreover, it is always advisable to have two-step or two-factor authentication enabled, so that any login requires a second validation.