Can apps steal your passwords? What you need to know!
"How would you say would be the easiest way to take a weapon away from a Grammaton Cleric?"
"You ask him for it."
That quote, from the movie Equilibrium, echoes a longstanding issue with security. Namely, no system that includes humans is ever truly secure. We use the same passwords for multiple services. We write them down on our desks at home and at work. We tell our passwords to people who claim to be tech support on the phone or over email.
Even a bad website with a ridiculous looking prompt can still trick some people into entering credentials.
Because passwords are horrible. We have to remember a bunch of them. Some policies require we change them constantly. And we're often asked for them over and over and over again. It's annoying and exhausting.
So, if a "phishing" email or direct message asks for our password, or a bogus website prompts for it, we often simply enter it out of habit. Out of dialog fatigue. Out of surrender to the inhumanity of the system.
The same can happen with apps. It's been the subject of industry discussion for a long, long time. Now, it's getting attention again thanks to Felix Krause:
Here's the ID for the bug report Krause filed with Apple: rdar://34885659.
In order for a malicious phishing app to work on iOS, it would have to be side-loaded from an unofficial source, like a cracked app store, which can only happen after all of Apple's iOS security measures are deliberately stripped away, or if an app was snuck through App Store Review and then had malicious code enabled afterwards.
Firstly, don't ever disable Apple's iOS security measures or use cracked app stores. Secondly, always be careful about where you enter your passwords, be it in messaging, on the web, or in apps. (Increasingly, messaging apps are becoming platforms — and attack targets — all their own.)
I'm paranoid about this type of stuff. I use long, strong, unique passwords. I use a password manager. I use 2-factor authentication. I never click any links I don't 100% trust on the web or through DMs, and I never fill any dialogs I don't 100% trust in apps either. Instead, I:
- Only download apps and games from developers I know and trust, or that are recommended by sites and people I know and trust. (Even on the App Store.)
- When I see a request for my password in an app, I hit the Home button to make sure it persists beyond the app.
- If in doubt, hit Cancel on random requesters and go to Settings.app or App Store.app and see if I really do need to log back in.
I do the same for my Google, Amazon, and other accounts. Apps could ask you for any password to any service and try to fake any dialog to do so. This isn't an Apple-specific or iPhone/iOS-specific issue. It's a general security issue, and one that every vendor and service faces as attackers continue to target us in increasingly deceptive ways.
Krause's post contains some recommendations for how Apple could help curb the issue as well:
- When asking for the Apple ID from the user, instead of asking for the password directly, ask them to open the Settings app.
- Fix the root of the problem: users shouldn't constantly be asked for their credentials. It doesn't affect all users, but I myself had this issue for many months, until it randomly disappeared.
- Dialogs from apps could contain the app icon on the top right of the dialog, to indicate an app is asking you, and not the system. This approach is also used by push notifications; this way, an app can't just send push notifications as the iTunes app.
I like all of these. I hope Apple is considering them and coming up with ideas and implementations all their own. We live in the age of biometrics and machine learning. The system has ways of getting us to prove who we are. We need better ways of making sure the system has proven it's what it claims to be as well.
"You've given me yourself... calmly... coolly... entirely without incident."
"No. Not without incident."
Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.
And this is why I am against Apple supporting side loading. I know people (Grubber) want it so that they can load VPNs in China, but those apps can easily have Shedun or HummingBad malware… or worse. (Besides, you can load anything with source code on iOS with Xcode for 3 months, like Provenance.)
Non-developer side loading is only 7 days now.
Good to know. That's a hassle, but still doable.
You know, Apple could win a lot of favor if they made it 3 months for all in China and Russia and alike. I'd imagine they could even make a "forever" version, that walls off certain APIs. Like PS3 did with OtherOS. Somehow target it for making VPNs easy to setup.
Nice movie reference. I also appreciate the best practices being reiterated.