iPhone's Apple ID Demands: Annoying or Security Flaw?
By Alex Hern
Published: October 16, 2017
The iPhone's habit of repeatedly requesting your Apple ID password with little explanation or warning isn't just annoying -- it's also a security flaw that could allow attackers to craft extremely convincing phishing attacks, an iOS developer has warned.

Regular users of iPhones or iPads will be used to sporadic requests from the operating system to enter their Apple ID password, popping up in the middle of other activities and preventing them from continuing until they accede to the request.

It can be frustrating, particularly if the password is long and complex, and it can often be hard to work out why, precisely, the device needs your credentials. But according to developer Felix Krause, the incessant requests are more than just an irritation.

"Users are trained to just enter their Apple ID password whenever iOS prompts you to do so. However, those popups are not only shown on the lock screen, and the home screen, but also inside random apps, eg when they want to access iCloud, GameCenter or in-app purchases," Krause said.

"This could easily be abused by any app, just by showing [an alert] that looks exactly like the system dialogue. Even users who know a lot about technology have a hard time detecting that those alerts are phishing attacks."

Apple's own password prompts are built from the same alert style that any third-party developer can present, Krause noted. A well-crafted phishing pop-up therefore needs no private API or special entitlement, and can present absolutely no visual warning that something "phishy" is afoot.
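To make the point concrete, here is an added example of the kind of lookalike prompt Krause describes. It is not Krause's code and not code from Apple; it is ordinary UIKit, and that is the point: a standard UIAlertController with a secure text field and a title borrowed from the real iTunes Store prompt is all an app needs. The class name and the displayed address are constructed for the example.

```swift
import UIKit

// Added example: a third-party app presenting an alert styled like the
// system Apple ID prompt. Nothing below uses a private API or requires
// an entitlement, which is why nothing about it stands out in review.
final class LookalikePromptViewController: UIViewController {

    // Constructed sample value. A real app could show any address it has
    // already learned from the user (for example, an earlier sign-up form),
    // which makes the prompt look even more plausible.
    let displayedAppleID = "user@example.com"

    override func viewDidAppear(_ animated: Bool) {
        super.viewDidAppear(animated)
        presentLookalikePrompt()
    }

    func presentLookalikePrompt() {
        // Title and message copied from the wording of the genuine prompt.
        let alert = UIAlertController(
            title: "Sign In to iTunes Store",
            message: "Enter the password for your Apple ID \"\(displayedAppleID)\".",
            preferredStyle: .alert)

        // The same secure text field the real dialog shows.
        alert.addTextField { field in
            field.placeholder = "Password"
            field.isSecureTextEntry = true
        }

        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Sign In", style: .default) { [weak alert] _ in
            // With a genuine system prompt the typed password never reaches
            // the app's process. Here it is a plain String the app controls.
            let captured = alert?.textFields?.first?.text ?? ""
            print("App received \(captured.count) characters; a malicious app would send them to its server.")
        })

        present(alert, animated: true)
    }
}
```

Nothing inside the app can tell a user which kind of prompt this is; the only check available is the one Krause gives below. A genuine Apple ID prompt is drawn by the system, so it survives a press of the home button, whereas this alert belongs to the app and disappears with it when the app is sent to the background.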

Apple declined to comment.

As currently constituted, there is only one way a user can be certain that a password request comes from Apple and not a rogue app, Krause said: press the home button before entering the password. Only the operating system itself responds to the home button. A genuine system prompt stays on screen, while any third-party app is pushed into the background, taking its fake pop-up with it.

There is no evidence that the technique Krause describes has been used in practice by any unscrupulous developer, and an effective phishing attack would still have two further hurdles to overcome: the app must make it past Apple's reviewers to get onto the App Store, and the developer must convince users to install it.

Nonetheless, the problem faced by Apple is one that many other software developers have had to tackle over the years. “Security overload”, or the risk that users become so overwhelmed by security features that they actually create insecurity, is a long-running problem.

Famously, Windows Vista launched with a feature called User Account Control, which was intended to prevent rogue programs from taking over a computer by requiring explicit consent before a program could act with administrative rights. In practice, it meant that the operating system interrupted the user to ask permission almost every time any program wanted to do anything. Users rapidly learned to simply click Continue without reading the dialogue, undoing any security progress and eventually forcing Microsoft to sharply cut back the number of prompts in Windows 7.

Even before then, however, Microsoft had solved one of the problems that currently affects iOS. In the Windows NT line of the operating system sold to business customers, it came up with an ingenious way to ensure that malware could not ask for a user's password: the real login screen can only be reached with a keyboard command, Ctrl-Alt-Delete, that is handled by the operating system itself and that no ordinary application can intercept. A program can draw a window that looks like the login screen, but it cannot respond to the key combination the user is told to press first.

It is the same idea as Felix Krause's suggestion to press the home button before entering a password, except that Windows NT implemented it more than 20 years ago. The more things change, the more they stay the same.

© 2017 Guardian Web under contract with NewsEdge/Acquire Media. All rights reserved.
Tom O'Neil:
Posted: 2017-10-20 @ 9:49am PT
There are so many scams online today, it is a wonder anything gets done. It seems that developers should be able to make a program that can't be hacked.

© Copyright 2017 NewsFactor Network. All rights reserved.