Mobile app developer Felix Krause has revealed that iOS users are vulnerable to a simple in-app phishing technique.
In a post on his personal blog, Krause detailed how an attacker could use an ordinary app-drawn pop-up dialog box to trick a user into voluntarily entering their Apple ID password. Because there is no visible difference between the legitimate system pop-up and the phishing pop-up, Krause built a proof-of-concept app to demonstrate the weakness in iOS and explained that the only way for a user to tell the fake from the real one is to press the device's home button.
According to Krause, pressing the home button closes the fake pop-up along with whatever app it appeared in. Hence, if a user is playing a game when the fake pop-up appears, pressing the home button will dismiss the pop-up together with the game.
Krause went on to explain that a legitimate pop-up asking for the user's password does not close when the home button is pressed. According to him, the reason is that a real system pop-up is drawn by a separate system process rather than by the app that is currently on screen, so leaving the app does not take the prompt with it.
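The following Swift snippet is an added illustration of the technique described above, not Krause's own proof-of-concept code, which is not reproduced on this page. It assumes the standard UIKit UIAlertController API is what a phishing app would use, and the title, message and placeholder strings are assumptions chosen to resemble the real Apple ID prompt, not copied from it. The comments tie the code back to the home-button check: the alert belongs to the app's own view hierarchy, so it disappears with the app.

```swift
import UIKit

// Added example (not the original PoC): an app-drawn alert that imitates the
// system Apple ID password prompt. UIAlertController is the assumed API; the
// strings below are assumptions meant to look like the real prompt.
final class PhishingDemoViewController: UIViewController {

    override func viewDidAppear(_ animated: Bool) {
        super.viewDidAppear(animated)
        // Constructed sample ID; pass nil to show the prompt without an email,
        // which, as the article notes, some genuine prompts also do.
        presentFakeApplePasswordPrompt(appleID: "user@example.com")
    }

    func presentFakeApplePasswordPrompt(appleID: String?) {
        let message = appleID.map { "Enter the password for the Apple ID \"\($0)\"." }
            ?? "Sign in with your Apple ID to continue."

        let alert = UIAlertController(title: "Sign In to iTunes Store",  // assumed title
                                      message: message,
                                      preferredStyle: .alert)
        alert.addTextField { field in
            field.placeholder = "Password"
            field.isSecureTextEntry = true   // masked input, like the real field
        }
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Sign In", style: .default) { _ in
            // A phishing app would read the entered value here; this demo only
            // reports its length and discards it.
            let entered = alert.textFields?.first?.text ?? ""
            print("demo: captured \(entered.count) characters")
        })

        // Key point from the text: this alert is presented by the app's own view
        // controller inside the app's process. Pressing Home backgrounds the app,
        // and the alert vanishes with it. A genuine system prompt is drawn by a
        // separate system process and remains on screen after the app is gone.
        present(alert, animated: true)
    }
}
```

Nothing in this code is privileged or unusual; it is the same alert API any app uses, which is exactly why the fake cannot be distinguished visually and why Krause's home-button test is the practical check.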
Because of what he discovered, Krause suggested that iOS should include the requesting app's icon in pop-up dialog boxes. This way, he believes, users could more easily tell an app pop-up from a system pop-up or, more importantly, a fake pop-up from a real one.
Krause also advises Apple device users to enable two-factor authentication on their Apple ID. If an attacker obtains the password through such a pop-up, they still have to pass the second factor, which limits the chances of the phishing attack succeeding on its own.
The mobile app developer also argues that iOS should not ask users for their Apple ID credentials so frequently: the more accustomed users are to typing their password into prompts that appear at arbitrary times, the more likely they are to fall for a fake one.
"Initially I thought, faking those alerts requires the app developer to know your email. Turns out, some of those auth popups don't include the email address, making it even easier for phishing apps to ask for the password," Krause said.