By Dan Goodin
One of iOS’ rougher edges is the popups it produces on a regular but seemingly random basis. These popups require users to enter their Apple ID password before they can install or update an app or complete some other mundane task. The prompts have grown so common that most people don’t think twice about them.
Mobile app developer Felix Krause makes a compelling case that these popups represent a potential security hole through which attackers can steal user credentials. In a blog post published Tuesday, he showed side-by-side comparisons, pictured above, of an official popup produced by iOS and a proof-of-concept phishing popup. The lookalike popups require less than 30 lines of code and could be sneaked into an otherwise legitimate app that has already found its way into Apple’s App Store.
The popups are a common part of the iOS experience for many users, this author included. They can appear at a variety of times, including when people want to make an in-app purchase, after they’ve recently installed an iOS update, or when an app gets stuck installing. The root of the problem is that many of Apple’s official password prompts are indistinguishable from ones generated by apps. Most users respond by blindly entering their password into either one.