In the early days of the internet, phishing scams were common. Because the internet was new at the time, few people knew about them, and many fell victim. That has changed, but scammers have evolved with the times. The technique is the same: look official and fool the unsuspecting user. The difference is how and where they try to get you. Take the Google Docs phishing scam and the Plex media VPN phishing scam that were going around earlier this year. The latest victim of these types of scams could be an iOS device. A malicious app can show users a fake Apple sign-in prompt that is indistinguishable from the real thing. If you enter your password, you’ve been successfully phished.
This problem was identified by security researcher Felix Krause, who also offers a simple check you can use to tell whether the Apple sign-in prompt you’re seeing is fake or legitimate.
Fake Apple Sign In Prompt
When Apple prompts you to enter your password, you have only two choices: enter the password, or tap Cancel to abort the action. If you suspect the prompt you’re seeing is fake, press the Home button. A fake Apple sign-in prompt is part of the app’s own interface, so it disappears when the app is sent to the background; a genuine prompt comes from the system rather than the app and will remain on your screen.
Does Apple Need To Intervene?
Krause points out that Apple is very good at vetting the apps submitted to the App Store. It is so diligent that a few years ago the approval time for an app was quite long, and Apple refused to shorten it for the sake of convenience. The company eventually reduced it, but not until it knew it could reliably check apps in the shorter time frame. Apple is doing reasonably well at keeping malicious apps out of the App Store. That said, Krause has a list of improvements that Apple could make and enforce to keep users safe from these scams. You can read the full list on Krause’s personal blog, where he details how such a scam could go undetected.
For my part, I find Krause’s suggestion that Apple require any app asking for your password to display its own icon in the prompt quite reasonable. It is easy to implement, and a visual indicator is always better in cases like this.
To our knowledge, there is no app in the App Store at present that is trying to phish users like this, but if there were, you wouldn’t suspect it, let alone be able to identify it with a cursory look. This is essentially Krause giving everyone a heads-up.