iOS Password Prompts Are Ripe for Abuse

Apple’s policy of repeatedly asking users for their iTunes password needlessly exposes iOS device owners to possible phishing attacks, according to mobile app developer Felix Krause.
Krause’s complaint with Apple is that, too often and at seemingly random times, iOS pops up a dialog box asking users to enter their Apple ID password. The prompts have become so routine that users enter the credentials without considering that a popup could be malicious, he said.
“As a result, users are trained to just enter their Apple ID password whenever iOS prompts you to do so. However, those popups are not only shown on the lock screen, and the spring board, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases,” wrote Krause on Apple’s Open Radar community bug report posted Monday.
His premise is that repeated password requests could be abused by a rogue app developer that utilizes the “UIAlertController” prompt that looks exactly like Apple’s system dialog popup that requests an Apple ID or password (see below).

“Even users who know a lot about technology have a hard time detecting that those alerts are phishing attacks,” Krause said.
The app developer proposes several solutions. For example, when Apple requests an iTunes ID from the user it should require the user to open the iOS settings app to do so. Another solution includes requiring app dialog boxes to have a visual indicator alerting users the app is asking for the credentials and not the system.
Krause also gripes on his personal blog that Apple should “fix the root of the problem” and that “users shouldn’t constantly be asked for their credentials.”
“Initially I thought, faking those alerts requires the app developer to know your email. Turns out, some of those auth popups don’t include the email address, making it even easier for phishing apps to ask for the password,” he said.
Krause said he is unaware of any instances where this dialogue box has been abused.
If Apple doesn’t take any action, Krause suggests when users come across an iOS dialog box they should hit the Home button. If the box closes then it’s a phishing attack. “If the dialog and the app are still visible, then it’s a system dialog. The reason for that is that the system dialogs run on a different process, and not as part of any iOS app,” he wrote.
Another solution is to enable two factor authentication. But even then, he cautions: “Even with 2FA enabled accounts, what if the app asked you for your 2 step code? Most users would gladly request a 2FA-token and ask for it, and directly pipe it over to a remote server.”
He said users should be trained not to automatically enter their credentials in Apple dialog boxes in the same way they are trained not to follow links in emails.
“Showing a dialog that looks just like a system popup is super easy, there is no magic or secret code involved, it’s literally the examples provided in the Apple docs, with a custom text,” he wrote. “I decided not to open source the actual popup code, however, note that it’s less than 30 lines of code and every iOS engineer will be able to quickly build their own phishing code.”