Researchers warn that Apple users are being trained to fall for simple phishing attacks because of the platform's seemingly random prompts to sign in to the iTunes Store.
Apple iOS often asks users to enter their passwords, typically after system updates or when an application gets stuck during installation, but researchers warn that Apple's unfettered use of these prompts is conditioning users to foolhardily enter their passwords whenever the familiar box appears.
In an Oct. 10 blog post, independent researcher Felix Krause presented a proof-of-concept phishing prompt demonstrating how easily an attacker could build an identical-looking dialog and push it onto an unsuspecting user's device.
Krause said Apple should combat future attacks by directing users to re-enter their passwords through the Settings app rather than constantly asking for credentials in pop-ups, and by using a visual indicator to show when a prompt comes from an app rather than from the operating system.
In the meantime, users can protect themselves by pressing the home button: if the prompt closes along with the app, it was drawn by the app rather than by the system, which signals a phishing attempt. Users should also avoid entering credentials in pop-up prompts and instead enter them in the device's Settings.
Krause also warned that there are several ways to run malicious code in apps that have already been approved for the App Store, and he predicts that mobile phishing attacks will become more common.
“This area will become more and more relevant, with users being uninformed, and the mobile operating systems not yet clearly separating system UI and app UI,” he said. “This is kind of related to detect.location, where apps would write their own, custom image picker to provide a better "experience", but in reality, with that, they also get full access to your image library, and optionally also your camera (related to watch.user).”
As a result, Krause said iOS should more clearly distinguish between system user interface elements and app user interface elements.