Anyone who’s owned an iOS powered device like an iPhone or iPad has probably seen the little pop-up dialog that asks you for your Apple account password. This dialog commonly occurs when doing things like system updates but can even appear in various apps that require access to things like In-App purchases or access to your iCloud storage. But is the dialog that you’re entering your password into legitimate? Felix Krause of fastlane.tools has published an article today detailing that an attack can easily gain access to your Apple account simply by ‘asking’ for your password using an identical looking dialog contained in a rouge app.
While Apple generally does a good job at keeping rouge apps out of it’s App Store, it only takes one to affect thousands of users. Fortunately, Felix also lists several stops you can take to ensure that each dialog box is legitimate including:
- Press the ‘Home’ button when the dialog is on your screen. A legitimate dialog will not disappear, however an illegitimate one will usually close with the app.
- Don’t enter your password into the dialog. Instead, just press cancel and then go into your Settings app and authenticate from there. This way, you can always be sure that you are entering your password into a legitimate place.
- Enable 2 factor authentication on your Apple account. While doing this won’t save you from having divulged your password, it will keep your account secure enough to allow you to change your password before an attacker can gain hold of your account.
While there haven’t been any known rouge apps that have used this attack method yet, it is important to realize the implications here now and ensure you take the proper steps to protect yourself as preventing a leak is always better than trying to fix it after it’s occurred.