Apple IDs exposed in easy-to-set-up phishing attack

Oct 11, 2017 07:05 GMT  ·  By
Pressing the home button is a good way to check for a phishing scam - if the prompt quits, then it's most likely an attack

Stealing the Apple ID and password from an iPhone is not really rocket science despite Apple’s obsession with security, and developer Felix Krause has proved that it takes only 30 lines of code to complete the first step of a phishing attack.

Basically, Krause has demonstrated that it takes only a couple of minutes to recreate the Apple ID password prompt that’s shown on iOS devices, making it super-easy for attackers to create a phishing attack that can then steal the credentials from an iPhone or iPad.

The developer explained that the malicious code could be injected into legitimate iOS apps, which allows an attacker to bypass the App Store security shield and reach thousands of devices.

“Showing a dialog that looks just like a system popup is super easy, there is no magic or secret code involved, it’s literally the examples provided in the Apple docs, with a custom text,” the dev explained, adding that he hasn’t published the code to recreate the popup because he’s now working with Apple to have this problem solved.

It can bypass 2-step verification

A pop-up dialog asking for Apple ID credentials can be further enhanced with other requests, including for a 2-step verification code should such an option be enabled on a specific account.

This basically means that no account is safe unless Apple blocks these attempts from taking place outside the App Store and Settings. In fact, this is one of the ways Apple could easily prevent phishing scams from happening, Krause pointed out, though there are several ways for users to protect themselves until the company comes up with a fix.

For example, the developer recommends that users simply press the home button on the iPhone to see if the app quits; if it does and the password request is gone as well, then it was most likely a phishing attack. Furthermore, users could always avoid entering credentials in such popups and instead go to the Settings app manually and log in with their Apple ID and password there.

As with everything Apple, Cupertino hasn’t yet provided a statement on this, so we can’t tell for sure if an update is coming or not, and this is why the tips mentioned above come in so handy.