iOS Password Prompts are Ripe for Abuse

Apple’s practice of repeatedly asking users for their iTunes password needlessly exposes iOS device owners to phishing attacks, according to mobile app developer Felix Krause.
Krause’s complaint with Apple is that, too often and at seemingly random times, iOS displays a dialog asking the user to enter their Apple ID password. The prompts have become so routine that users type in the credentials without considering that the popup could be malicious, he said.
“As a result, users are trained to just enter their Apple ID password whenever iOS prompts you to do so. However, those popups are not only shown on the lock screen, and the spring board, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases,” wrote Krause on Apple’s Open Radar community bug report posted Monday.
His premise is that the repeated password requests could be abused by a rogue app developer who uses the standard “UIAlertController” API to display a prompt that looks exactly like Apple’s system dialog requesting an Apple ID or password (see below). Because the alert is drawn by the app itself, the app receives whatever the user types into it.
“Even users who know a lot about technology have a hard time detecting that those alerts are phishing attacks,” Krause said.
The app developer proposes several solutions. For example, when Apple needs the user’s iTunes credentials, it should send the user to the iOS Settings app to enter them rather than accepting them in an in-app dialog. Another option is to require that dialogs shown by an app carry a visual indicator making clear that the app, and not the system, is asking for the credentials.
Krause also gripes on his personal blog that Apple should “fix the root of the problem” and that “users shouldn’t constantly be asked for their credentials.”
“Initially I thought, faking those alerts requires the app developer to know your email. Turns out, some of those auth popups don’t include the email address, making it even easier for phishing apps to ask for the password,” he said.
Krause said he is unaware of any instances where this technique has been abused in the wild.
If Apple doesn’t take any action, Krause suggests that users who encounter such a dialog press the Home button. If the dialog disappears together with the app, it was drawn by the app and is therefore a phishing attempt. “If the dialog and the app are still visible, then it’s a system dialog. The reason for that is that the system dialogs run on a different process, and not as part of any iOS app,” he wrote.
Another safeguard is to enable two-factor authentication. But even then, he cautions: “Even with 2FA enabled accounts, what if the app asked you for your 2 step code? Most users would gladly request a 2FA-token and ask for it, and directly pipe it over to a remote server.”
He said users should be trained not to automatically enter their credentials in Apple dialog boxes in the same way they are trained not to follow links in emails.
“Showing a dialog that looks just like a system popup is super easy, there is no magic or secret code involved, it’s literally the examples provided in the Apple docs, with a custom text,” he wrote. “I decided not to open source the actual popup code, however, note that it’s less than 30 lines of code and every iOS engineer will be able to quickly build their own phishing code.”