If you are an iOS user, you are probably used to the seemingly random popups your device produces on a regular basis. These popups require you to enter your Apple ID and password before you can install an app. It turns out the same prompts can be turned into a huge data security risk.
Felix Krause, a mobile app developer, has demonstrated how such popups can be a security hole through which attackers steal user credentials. In his blog post published Tuesday, he showed side-by-side comparisons of an official popup and a phishing popup, and one can’t tell the difference just by looking at them.
“iOS should very clearly distinguish between system UI and app UI elements, so that ideally it’s… obvious for the average smartphone user that something seems off,” Krause wrote. “This is a tricky problem to solve, and Web browsers are still tackling it; you still have websites that make popups look like macOS/iOS popups so that many users think [they are] system message[s].”
To counter this serious problem, Krause suggested that Apple create a uniform look for official iOS password prompts that can’t be easily mimicked by apps.
In the meantime, Apple users can protect themselves by doing the following whenever they encounter a password prompt: hit the home button when the popup appears. If the app quits along with its dialog, it is a phishing attack; if the dialog and the app stay visible, it is a system dialog.
Krause also suggested that you shouldn’t enter credentials into a popup at all. Instead, dismiss it, manually open the Settings app, and enter the password there.