Phishing attacks can theoretically come from apps as well as messages and websites. It's been the subject of industry discussion for a long, long time. Now, it's in the spotlight again.
"How would you say would be the easiest way to take a weapon away from a Grammaton Cleric?"
"You ask him for it."
That quote, from the movie Equilibrium, echoes a longstanding issue with security. Namely, no system that includes humans is ever truly secure. We use the same passwords for multiple services. We write them down on our desks at home and at work. We tell our passwords to people who claim to be tech support on the phone or over email.
Even a bad website with a ridiculous looking prompt can still trick some people into entering credentials.
Because passwords are horrible. We have to remember a bunch of them. Some policies require we change them constantly. And we're often asked for them over and over and over again. It's annoying and exhausting.
So, if a "phishing" email or direct message asks for our password, or a bogus website prompts for it, we often simply enter it out of habit. Out of dialog fatigue. Out of surrender to the inhumanity of the system.
The same can happen with apps. It's been the subject of industry discussion for a long, long time. Now, it's getting attention again thanks to Felix Krause:
iOS asks the user for their iTunes password for many reasons, the most common ones are recently installed iOS operating system updates, or iOS apps that are stuck during installation.
As a result, users are trained to just enter their Apple ID password whenever iOS prompts you to do so. However, those popups are not only shown on the lock screen, and the home screen, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases.
This could easily be abused by any app, just by showing an UIAlertController, that looks exactly like the system dialog.
Even users who know a lot about technology have a hard time detecting that those alerts are phishing attacks.
Here's the ID for the bug report Krause filed with Apple: rdar://34885659.
In order for a malicious phishing app to work on iOS, it would have to be side-loaded from an unofficial source, like a cracked app store, which can only happen after all of Apple's iOS security measures are deliberately stripped away, or if an app was snuck through App Store Review and then had malicious code enabled afterwards.
Firstly, don't ever disable Apple's iOS security measures or use cracked app stores. Secondly, always be careful about where you enter your passwords, be it in messaging, on the web, or in apps. (Increasingly, messaging apps are becoming platforms — and attack targets — all their own.)
I'm paranoid about this type of stuff. I use long, strong, unique passwords. I use a password manager. I use 2-factor authentication. I never click any links I don't 100% trust on the web or through DMs, and I never fill any dialogs I don't 100% trust in apps either. Instead, I:
- Only download apps and games from developers I know and trust or are recommended by sites and people I know and trust. (Even on the App Store.)
- When I see a request for my password in an app, I hit the Home button to make sure it persists beyond the app.
- If in doubt, hit Cancel on random requesters and go to Settings.app or App Store.app and see if I really do need to log back in.
I do the same is true for my Google, Amazon, and other accounts. Apps could ask you for any password to any service and try to fake any dialog to do so. This isn't an Apple-specific or iPhone/iOS-specific issue. It's a general security issue and one that every vendor and service faces attackers continue to try to target us in increasingly deceptive ways.
Krause's post contains some recommendations for how Apple could help curb the issue as well:
- When asking for the Apple ID from the user, instead of asking for the password directly, ask them to open the settings app
- Fix the root of the problem, users shouldn't constantly be asked for their credentials. It doesn't affect all users, but I myself had this issue for many months, until it randomly disappeared.
- Dialogs from apps could contain the app icon on the top right of the dialog, to indicate an app is asking you, and not the system. This approach is used by push notifications also, this way, an app can't just send push notifications as the iTunes app.
I like all of these. I hope Apple is considering them and coming up with ideas and implementations all their own. We live in the age of biometrics and machine learning. The system has ways of getting us to prove who we ware. We need better ways to making sure the system has proven it's what it claims to be as well.
"You've given me yourself... calmly... coolly... entirely without incident."
"No. Not without incident."