Apple iOS system dialogs easily spoofed for phishing

System dialogs that request Apple account credentials are easily copied and can be used to trick users into handing over their passwords for mobile phishing attacks. 

The issue was outlined by development automation tool coder Felix Krause, who said "it was shockingly easy to replicate the system dialog" pop-up on Apple devices.

Krause decided against publishing the code for his proof of concept because it's very easy to abuse - "it's less than 30 lines of code, and every iOS engineer will be able to quickly build their own phishing code," he wrote.

He said that as iOS asks users for Apple ID credentials in order to sign into the iTunes Store frequently, and in multiple areas of the operating system as well as over apps, users are conditioned to enter their passwords without questioning.

This conditioning could be easily abused by apps, Krause said. Even users "who know a lot about technology [would] have a hard time" detecting phishing attempts using a fake Apple system dialog, he said.

To protect against mobile phishing attacks, Krause suggested users press the Home button, to see if the app quits and closes the dialog. If this happens, it was a phishing attack, he said.

Krause advised never entering credentials into an iOS popup.

Instead, users should dismiss the dialogs, go to Settings and enter the credentials there.

He warned that even when people hit the cancel button in dialogs, apps still get the content of the password field and will be able to snag the credential after the first few characters have been entered.

Apple has been notified of the problem, Krause said.

To fix the issue, Apple shouldn't ask users shouldn't constantly be asked to enter their credentials, and when this is necessary, the entry should be done in the Settings app only, Krause said.

Krause isn't the first to notice the problem with easily spoofed system dialogs.

Last year, developer Jake Mor published a Medium post that detailed how attackers could steal Apple ID and iCloud passwords with decoy apps that abused an API to discover and display email addresses associated with users' accounts.