It is rare to find trust these days, which is why Apple alerted its users to be extra careful when giving out information, especially Apple IDs and passwords.
A new trick alarmed iPhone users when Felix Krause, a mobile app developer, published a proof-of-concept on his blog showing how easy it is to copy Apple’s ‘Sign In to iTunes Store’ prompt in order to take a user’s password.
Using a simple bit of code, less than 30 lines to be exact, scammers can show alerts inside apps that look almost identical to Apple’s prompt pop-ups and that then log the Apple ID and password.
On his blog, Krause wrote: “Users are trained to just enter their Apple ID password whenever iOS prompts you to do so. However, those popups are not only shown on the lock screen, and the home screen, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases. This could easily be abused by any app.”
Krause notes that this has been going on in desktop browsers for a long time, with almost every website having a fake pop-up that resembles the usual system notifications.
HOW TO KNOW IF IT’S A SCAM OR NOT ACCORDING TO KRAUSE’S BLOG:
• Hit the home button, and see if the app quits:
    • If it closes the app, and with it the dialog, then this was a phishing attack.
    • If the dialog and the app are still visible, then it’s a system dialog. The reason for that is that the system dialogs run on a different process, and not as part of any iOS app.
• Don’t enter your credentials into a popup. Instead, dismiss it and open the Settings app manually. This is the same concept as never clicking on links in emails and instead opening the website manually.
• If you hit the Cancel button on a dialog, the app still gets access to the content of the password field. Even after entering the first characters, the app probably already has your password.