Security researcher and founder of fastlane.tools Felix Krause has revealed just how easy is it to get hold of an iOS users Apple ID. The news will not only worry users of Apple devices but may have some of them wondering if they’ve fallen for this already.
In his blog, Krause has been careful to avoid giving too much away. He makes it clear that this is a proof of concept and that phishing attacks are illegal. He goes on to say: “Don’t use this in any of your apps. The goal of this blog post is to close the loophole that has been there for many years, and hasn’t been addressed yet.”
A simple but effective attack against iOS
For years now users have become accustomed to operating system security that regularly ask for their password. With mobile operating systems this happens when you want to buy something using a saved ID. With iOS the warning can appear when using certain apps on your iPad or when you open iTunes to download a track. Apple recently added support for fingerprint security which removes the need to keep re-entering a password.
Krause discovered that the popup dialog that asks for the users Apple ID could be easily faked. It is impossible to tell it from the real thing. It can be configured to open when the user visits a website, opens an application, makes an in-app or in-game purchase or at any time the developer chooses. All the developer needs to do is shows an UIAlertController configured to look like the system dialog.
This is not a sophisticated attack but it is very effective. It doesn’t require a huge degree of knowledge to create and execute. Krause says: “…there is no magic or secret code involved, it’s literally the examples provided in the Apple docs, with a custom text.” He also says that it takes less than 30 lines of code to deliver and that every iOS engineer could build their own attack.
Krause has reported this to Apple and filed a report with Open Radar. So far there has been no response from the Apple press office about the status of this problem. It will be interesting to see how quickly Apple issues a patch.
How can you protect yourself?
According to Krause, protecting yourself is simple. He suggests:
- Hit the home button, and see if the app quits:
- If it closes the app, and with it the dialog, then this was a phishing attack
- If the dialog and the app are still visible, then it’s a system dialog. The reason for that is that the system dialogs run on a different process, and not as part of any iOS app.
- Don’t enter your credentials into a popup, instead, dismiss it, and open the Settings app manually. This is the same concept, like you should never click on links on emails, but instead open the website manually
- If you hit the Cancel button on a dialog, the app still gets access to the content of the password field. Even after entering the first characters, the app probably already has your password.
What does this mean
Apple positions itself as doing a good job of testing its code and not having a lot of issues. For the most part that is true but over the last four years the number of vulnerabilities around its code have increased. For an attack like this to have been present in iOS and undetected for a long time will cause embarrassment and concern.
When Apple IDs have been breached in the past the company has been quick to blame third-parties and even users. In this case it has to take the blame itself. As Krause has demonstrated, this is not something that is easy for anyone to spot. Having talked to a number of iOS users today I have not found anyone who would press the “home” button when presented with this popup dialog.
The challenge is in knowing how successful this attack might have been over the years. As the code can easily be incorporated into an app on iOS, Apple might have to rethink some of its test and validation scripts. While there are valid uses for the code Apple needs to start looking at where and how it is executed.
For now, this is something that is getting a limited amount of coverage given the storm of other security announcements this week.
