Malicious iPhone apps can steal users' personal information through fake login pop-ups, an Apple iOS app developer has revealed.
The vulnerability, which could potentially allow criminals to gain access to an iPhone owner’s Apple account, was demonstrated by mobile app developer Felix Krause in a blog post Tuesday.
Krause said the security loophole has been in place for many years and has yet to be addressed. A spokesperson for Apple did not immediately respond to a request for comment.
The password phishing scam is relatively simple for app developers to implement, and iPhone users may not even realize that they have been targeted.
The “Sign in to iTunes Store” popup that appears as a prompt from Apple in some apps can be replicated by developers and placed into the app’s code as an alert.
“Users are trained to just enter their Apple ID password whenever iOS prompts you to do so,” Krause wrote in his blog describing the issue. “Those popups are not only shown on the lock screen, and the home screen, but also inside random apps.
“This could easily be abused by any app…Even users who know a lot about technology have a hard time detecting that those alerts are phishing attacks.”
Krause said users can protect themselves by pressing the home button on their iPhone if they suspect a login pop-up is fake. If pressing the button closes the app, and the pop-up disappears with it, the prompt was drawn by the app and was therefore a phishing attempt; a genuine system prompt is not tied to the app and stays on screen.
So far this is only a proof of concept, and no iOS apps have been found abusing the technique. To remedy it, Krause said Apple could change the way apps request Apple ID passwords.
For example, rather than relying on an in-app login pop-up, Apple could require iPhone users to enter their username and password in the Settings app.
iPhone owners can also enable two-factor authentication on their Apple account as an additional layer of protection.
Krause’s blog comes less than a week after an undocumented feature in the Uber app was uncovered that allowed the ride-hailing company to secretly record the screen of iPhone users.
Mobile security researcher Will Strafach posted the capability—known as “entitlement”—to Twitter, describing its presence in the app’s code as “very unusual.”
“It looks like no other third-party developer has been able to get Apple to grant them a private sensitive entitlement of this nature,” Strafach said. “Considering Uber’s past privacy issues I am very curious how they convinced Apple to allow this.”