There is a potential design flaw in iOS, Apple's mobile operating system, that allows any developer to recreate a genuine-looking password pop-up menu in their apps, as per s security researcher. The problem? iOS users are accustomed to seeing that pop-up menu at random times, a fact that a rogue developer could abuse. Since there is no way to tell the password dialog created by an app from the system-level pop-up, a user can easily be tricked into sharing their most sensitive information with the fraudulent agent thanks to the spoofing.
The flaw, which has existed for years, was spotted by Felix Krause, an iOS developer. According to Krause, it is very easy to replicate the dialog box. On its part, Apple has over the years done a poor job with how it asks users to interact with the dialog box. Users are used to seeing the box at random hours and entering their details, he said.
Spot the difference. There isn't one.
Photo Credit: Felix Krause
There is no evidence that a developer has ever tried to abuse this flaw, but one can't really tell even if it has happened. The only company that may have some information is Apple, which as usual remains tightlipped. "It is concerning to think that is all it would take to display a convincing dialog," Will Strafach, an iOS hacker and developer, tweeted.
"It's long past time that Apple removes the random password popups that plague iOS. They're a security flaw that should not exist in 2017," Marco Arment, a prominent iOS developer tweeted. "I'm sure whoever's responsible for them has some reasons they think are good for why they need to be there. They're not, and they don't."
As we wait for Apple to do something, Krause has found a stopgap solution that users can use to know when the password dialog they are seeing is genuine. Hit the home button. If it's a system-level dialog, it will stick around. If it's generated by an app, it would go away.
Additionally, "always close the dialog, and open the iCloud settings manually, and only enter [the password] there," Krause said.