Apple ID password prompts can easily be replicated, phishing attacks easily possible

Originator: KrauseFx
Number: rdar://34885659
Date Originated: October 9 2017
Status: Open
Resolved: Nope
Product: iCloud
Product Version: iOS 11.0
Classification: Security
Reproducible: Always
 
Summary:
iOS asks the user for their iTunes password for many reasons; the most common ones are recently installed iOS operating system updates, or iOS apps that get stuck while installing.

As a result, users are trained to just enter their Apple ID password whenever iOS prompts them to do so. However, those popups are not only shown on the lock screen and the springboard, but also inside arbitrary apps, e.g. when they want to access iCloud, Game Center or In-App Purchases.

This could easily be abused by any app, just by showing a `UIAlertController` that looks exactly like the system dialog. No special entitlement or private API is needed; a standard alert with a secure text field is enough.

Even users who know a lot about technology have a hard time detecting that those alerts are phishing attacks.
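As an added illustration (this is not the attached project's code, which is not reproduced on this page), the Swift below shows how little is needed: a stock `UIAlertController` with a secure text field, presentable from any sandboxed app. The title and message strings are approximations of the system prompt rather than text taken from iOS, and `user@example.com` is a placeholder.

```swift
import UIKit

// Added example: a look-alike of the iTunes Store / Apple ID password prompt,
// built only from public UIKit API. Strings are approximations (assumption),
// not copied from iOS.
final class LookalikePromptViewController: UIViewController {

    // A malicious app would call this from some innocuous UI event (or a
    // timer) to mimic the seemingly random timing of the genuine prompt.
    func presentLookalikePrompt() {
        let alert = UIAlertController(
            title: "Sign In to iTunes Store",
            message: "Enter the Apple ID password for \"user@example.com\".",
            preferredStyle: .alert)

        // The secure text field is what makes it read as a password prompt.
        alert.addTextField { field in
            field.placeholder = "Password"
            field.isSecureTextEntry = true
        }

        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Sign In", style: .default) { [weak alert] _ in
            // At this point the app holds whatever the user typed. A phishing
            // app would send it off; this demo only counts the characters.
            let password = alert?.textFields?.first?.text ?? ""
            self.handleCaptured(password)
        })

        present(alert, animated: true)
    }

    private func handleCaptured(_ password: String) {
        // Demonstration only: never log or transmit credentials in real code.
        print("captured \(password.count) characters")
    }
}
```

Everything above is ordinary UIKit that passes through App Review unremarked, which is the core of the report: the system prompt and an app-drawn alert are indistinguishable to the user.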

Steps to Reproduce:
Check out the project attached, in particular the README, and the project itself in `M2GlobalState.m:222`

Expected Results:
Modern web browsers already do an excellent job protecting users from phishing attacks. Phishing within mobile apps is a rather new concept and therefore still largely unexplored. Possible mitigations:

- System dialogs should be indicated as such
- Dialogs from apps could contain the app icon on the top right of the dialog, to indicate that the app is asking you
- When asking the user for their Apple ID password, instead of asking for the password directly, open the Settings app
- Fix the root of the problem: users shouldn't constantly be asked for their credentials. It doesn't affect all users, but I myself had this issue for many months, until it randomly disappeared.

Actual Results:
The dialog looks exactly like the system dialog, and users have no good way to check whether they're being phished.

Version/Build:
iOS 11

Configuration:

Comments

@aviolito if an app has access to the user's photos, it's pretty easy to go through them and find a screenshot that could be used for faking an alert.

TouchID/FaceID is the solve

The real question here is why Settings.app can ever lose track of my iTunes credentials in the first place, and why I would ever be asked to enter them anywhere outside of Settings.app. Assuming they’re stored properly, additional verification that I’m authorized to use them should be handled by TouchID/FaceID and NOT by re-entry of my credentials.

By matthew.volenec at Oct. 11, 2017, 7:08 p.m.

An alternative solution

An alternative solution would be to show a screenshot of the springboard when the system is requesting AppleID credentials.

Each user's home screen is relatively unique, and it will be visible long enough while they are entering their password, giving them time to register, subconsciously, that a fake home screen is showing.

The "springboard" could slide from the top, left or right and not overtake the whole screen, so users will still be able to resume their app when the system credentials are provided or denied.

Anything that is overlaid in any app could be engineered by any designer, but unique and complex elements like a user's wallpaper and home-screen icons are nearly impossible to recreate.

This is a terrible phishing flaw

I have been worried about the same for a long time now. I am not sure whether it is already being used widely by some application. This should be fixed!

