Last weekend, I needed to figure out a recipe to cook a bunch of squid that was about to go bad. Naturally, as an Italian, I tapped on my trusted Italian cooking app Giallo Zafferano on my iPhone. For no reason, a pop up box asked for my Apple ID password.
Being paranoid, I dismissed it. But I also thought: this is bad, users shouldn't be asked to enter one of their most sensitive, important, passwords at random times.
Felix Krause, an iOS developer, discovered that it's actually incredibly easy to recreate this dialog box in an attempt to trick users into giving away their passwords.
"It's literally less than 30 lines of code," Krause, who's the founder of Fastlane, a tool that helps developers create apps, told Motherboard in a Twitter direct message.
In a lengthy blog post published on Tuesday, Krause warned of how easy it is to mimic the boxes, and users are likely to fall for it since they've been trained for years to type their Apple ID password at seemingly random times. There's no evidence that malicious hackers or developers have ever tried this trick, but nobody really knows. Here's a comparison between a legitimate, real dialog box and a malicious one, made by Krause for demo purposes.
There's no obvious way for a user to know which one is legitimate.
"It is concerning to think that is all it would take to display a convincing dialog," Will Strafach, a well-known iOS hacker and developer, tweeted.
If you see one of these boxes and you are suspicious, Krause suggests hitting the home button. If it appeared after you opened an app, and when you hit the home button the app quits and the dialog disappears, then it was a phishing attack. If the dialog and the app don't disappear, then it's a legitimate system dialog.
In any case, Krause says users should always dismiss these boxes and instead go to the Settings app and enter their credentials there, just in case. Apple should get rid of these boxes altogether and force users to go to Settings instead, Krause said. That would eliminate any risk of abuse.
"Always close the dialog, and open the iCloud settings manually, and only enter [the password] there," Krause said.
It's possible that an app that includes a malicious password popup would get caught by Apple's App Store review. But Krause warns that there are ways around that.
"It's rather easy to run certain code only after the app is approved," he wrote, and then listed several ways a developer could make a box like this on their app. Apple's App Store is generally very good at keeping malware out of it, but the researcher suggested that generating a "system dialogue" is very common in iOS programming. "Showing a dialog that looks just like a system popup is super easy, there is no magic or secret code involved, it's literally the examples provided in the Apple docs, with a custom text."
"While the review process provides a basic safety filter, organisations with bad intent will always find a way to somehow work around the limitations of a platform," he added.
In any case, a good way to limit the risk of getting phished is to enable two-factor authentication on your Apple ID.
Apple did not respond to a request for comment.