Security Researcher Finds a Fundamental Flaw in iOS

Felix Krause writes: Do you want a user's Apple ID password to get access to their Apple account or to try the same email/password combination on different web services? Just ask your users politely, they'll probably just hand over their credentials, as they're trained to do so. This is just a proof of concept, phishing attacks are illegal! Don't use this in any of your apps. The goal of this blog post is to close the loophole that has been there for many years, and hasn't been addressed yet. For moral reasons, I decided not to include the actual source code of the popup, however it was shockingly easy to replicate the system dialog.

Avatar or user only knowledge

[Midnight+Thunder]

This is where having a visual indicator that only the OS and user know about could help? It could be an image or a phrase, but the idea is that an application couldnâ(TM)t forge the OS dialogue, because it doesnâ(TM)t have access to that info.

At the same time, there are probably still limitations arising from an app asking for permissions it shouldnâ(TM)t need. This easier to vet for anything going through the App Store and possibly signed applications, but for anything else it is still user beware.