Security Researcher Finds a Fundamental Flaw in iOS

Felix Krause writes: Do you want a user's Apple ID password to get access to their Apple account or to try the same email/password combination on different web services? Just ask your users politely, they'll probably just hand over their credentials, as they're trained to do so. This is just a proof of concept, phishing attacks are illegal! Don't use this in any of your apps. The goal of this blog post is to close the loophole that has been there for many years, and hasn't been addressed yet. For moral reasons, I decided not to include the actual source code of the popup, however it was shockingly easy to replicate the system dialog.

Terrible headline

Phishing attacks that are well crafted don't count as flaws.

Re:Terrible headline

[halivar]

As if this couldn't be done on ANY platform.

Re:Terrible headline

[gweihir]

Well, normally I would agree, but this one is not quite phishing anymore, it is more an OS dialog impersonation attack, and the user cannot really see what is going on. Make this dialog appear when it is reasonable to expect, and the user really does not have much of a chance.

Re:Terrible headline

[omnichad]

If the platform doesn't give you a way to distinguish, then it's still a platform security issue.

Re:Terrible headline

[Bing+Tsher+E]

Yes, it could be done on any platform.

However, the different platforms cultivate different sorts of users.

On a platform where an immense amount of handholding is part of the design and culture of the platform, compliant and obedient users are the norm.

Compare the effectiveness of this sort of phishing on:

- An iOS account holder.
- An OpenBSD account holder.

Clearly, the Fisher-Price interface coddles and encourages certain types of behavior. You can't really blame that on the developers, or the users. It's designed how the marketing folks want it, to develop the 'market' they wish to sell to.

Re:Terrible headline

[CaptainDork]

One word:

2FA

Re:Terrible headline

[UnknowingFool]

On a platform where an immense amount of handholding is part of the design and culture of the platform, compliant and obedient users are the norm.

Leave the 10 Windows Phone users out of this. Thanks, I'll be here all week. Tip your waitstaff.

Re:Terrible headline

[TheFakeTimCook]

Well, normally I would agree, but this one is not quite phishing anymore, it is more an OS dialog impersonation attack, and the user cannot really see what is going on. Make this dialog appear when it is reasonable to expect, and the user really does not have much of a chance.

Again, why is this even news?

Impersonation of a Login Dialog can be done on ANY OS, period. And with stuff like Text Substitutions in a Dialog, pretty much no amount of App-Scanning by %APP_APPROVER%
  is going to discover a cleverly-obsfucated Dialog creation function.

What Apple (and others) could POSSIBLY do, is to make a "Credentials" Dialog appear COMPLETELY different from any-other-Dialog, using baked-in UI elements that are simply not accessible to Apps. Kind of like building holograms and micro-printed ribbons into Currency.

Or, Apple can just change their policy and REQUIRE Biometric Authentication (TouchID/FaceID) if it available on-device, which just returns a "Pass/Fail" to the Application, rather than ever asking for something like an AppleID login.

My bank's App displays a screen at Launch that offers two options: TouchID or my BANK's PIN. Could it be spoofed? I guess; but there would not likely be enough people that would use the PIN to make it worthwhile, especially since they would have to repeat that engineering for multiple Banks (all with varying login processes), thus making their detection (and banning) a virtual certainty.

Re:Terrible headline

[UnknowingFool]

OS dialog impersonation attacks are nothing new. I remember there one that popped on a browser that looked like a Fisher-Price Windows XP dialog. The first time I was on a Mac so it was obvious. The second time, it popped up on an XP machine. But the user had set their colors to the olive green XP colors and not the default blue one or it might be convincing to the user.

Re:Terrible headline

[Dixie_Flatline]

I disagree in this case. Apple has had an annoying problem for a couple of years where it would pop up an anonymous dialog box asking you to log in for no discernible reason.

You should never be prompted to enter your password without some sort of justification and idea of where it's coming from. It used to pop up 6 or 8 times in a row and I'd dutifully enter my password, wondering what the heck was going on. Usually I'd press the cancel button before iOS stopped asking me.

Apple's crafted a system where you reflexively enter your password with no justification, and they could make that stop any time by including information about the process that's asking for it. It really is a problem in iOS that we've been complaining about for years. I'm surprised it took this long for someone to point out that it could be used for phishing.

Re:Terrible headline

[Paradise+Pete]

If the platform doesn't give you a way to distinguish, then it's still a platform security issue.

I agree. I think an authentication dialog box should include something that the app cannot know, such as some sort of user-selected image or phrase. If the dialog has a standard appearance an app can spoof it.

Re:Terrible headline

[TechyImmigrant]

>Clearly, the Fisher-Price interface coddles and encourages certain types of behavior.

Phisher-Price ?

Re:Terrible headline

[TechyImmigrant]

One word:

2FA

That's three words

Re:Terrible headline

[93+Escort+Wagon]

Or one.

Re:Terrible headline

[93+Escort+Wagon]

I agree with you entirely - but if Apple adds some sort of identifier regarding which process triggered the pop-up prompt, it’s not clear a malicious actor couldn’t fake that part of the pop-up as well.

I wonder whether the whole process should be redesigned somehow.

Re:Terrible headline

[houghi]

We already know that hacking is 95% social engineering (and still geeks can't social engineer girlfriends), but at least they could solve it like /. does where they show the password hidden like
Login:houghi
Pass:********

Re:Terrible headline

[edtice1559]

This cannot be done on Windows. If you put up a login screen, people have to press ctrl-alt-delete. If they see a login screen without having pressed this, they will know it's bogus. If they press ctrl-alt-delete, a real Windows screen will come up. So you can't put up a fake login screen. Mobile phones need something similar. i.e. you have to touch the "home" button for any password entry and if somebody touches the home button take them to the real home so they can't be fooled. Sorry but this is a platform issue.l

Re:Terrible headline

[edtice1559]

Windows solved this in the 1990s with ctrl-alt-del.

Re:Terrible headline

[AvitarX]

Yet when I go to reveal passwords in Chrome, it asks my Windows password.

I imagine that could be spoofed by an app.

Re:Terrible headline

[torkus]

This is nothing new by any stretch and applies to many platforms.

I remember back in college the computers were all linux terminals. Someone scripted a shell within their shell that let others log in. Equal to running a VM within a VM...and a handy keylogger in the middle.

And...it looked just like every other terminal. You could log in, do your thing, log out. It was slow as crap but...the whole computer system at the time was crap so no one suspected anything. He was eventually caught and expelled, but only after he used the credentials he collected for some nefarious (and hilarious) purposes.

Re: Terrible headline

[Type44Q]

Do you want a user's Apple ID password to get access...

Not just the headline; why would i want the password to have access?? Oh, wait; it was just another deficiency in basic English...

Re:Terrible headline

[Paradise+Pete]

Isn't what I said simpler and easier?

Re:Terrible headline

[Jake+Griffin]

What Apple (and others) could POSSIBLY do, is to make a "Credentials" Dialog appear COMPLETELY different from any-other-Dialog, using baked-in UI elements that are simply not accessible to Apps. Kind of like building holograms and micro-printed ribbons into Currency.

That wouldn't actually solve the problem, it would just make it slightly more difficult to mock. App developers have full control over the appearance of their apps. Sure, they wouldn't be able to use stock UI components to mimic the dialog, but they could still create custom dialogs that look identical to anything that Apple implements. Apple just needs to move away from prompting in a dialog, and tell the user that they need to go to settings to log in. Do away with a little bit of convenience to eliminate the security flaw.

Re:Terrible headline

[omnichad]

This is nothing new by any stretch and applies to many platforms.

I don't disagree with you there. But it's been ignored too long at this point. With the OS taking the primary role in security these days, it's time to address it.

Re:Terrible headline

[sexconker]

No, because you then have to ensure no app can grab a screenshot. You have to make sure no app can find the stored image / phrase. You have to make sure the user doesn't simply have it (or a copy of it) in their pictures / documents directory named "securitypicture" or "securityphrase", etc.

A secure attention key is the way to go. How many decades have we know this for?

Re:Terrible headline

It's bitztream the autism-hating, custom EpiPen-hating, Musk-hating, Qualcomm-hating, Firefox tabs-hating Slashdot troll!

Re:Terrible headline

[sexconker]

Actually, none.

Re: Terrible headline

[sexconker]

Yeah, but all we see is the *s because it's not our password.
When I type my password, **********, you see *s but I see the actual password.

Re:Terrible headline

[Anil]

Didn't MS Vista do something like this? ... so long ago, I only vaguely remember.

It had a lot of system pop-ups warning of permission escalation requests. It was a features everyone hated and disabled.

Re:Terrible headline

[Carewolf]

As if this couldn't be done on ANY platform.

It cant. There are reasons passwords fields don't popup like that in other operating systems without also doing something only the operating system can. The problem here is the lack of any indicators that this is trusted.

Re:Terrible headline

[Kristoph]

You have no experience with security do you? A trojan can pop-up a login dialog that only vaguely looks like authentication prompt and 9 times out of 10 a user will enter their credentials - on Windows, Mac OS X, whatever. A technically astute user (0.1%) will understand this should not happen in a given circumstance. A normal user ( 99.9% ) will just do what their told ( because their trained to take action X, when they see prompt Y ). Heck, I could probably create a prompt with a Gmail logo in a place totally unrelated to Gmail and I would still get Gmail credentials a high percentage of the time.

That said, iOS does make this worse. They have my biometrics but they still randomly show an iTunes/iCloud prompt, which is stupid.

Re:Terrible headline

[pr0fessor]

I believe they were pointing out was the users.

Re:Terrible headline

[AuMatar]

If you think the average user will think "Oh, I didn't press ctrl alt delete this must be a fake!!!", you have FAR too much faith in the average user. I don't think the average techie would think about the keypress combo, much less the average user. The techie is more likely to realize that there was no reason for a login screen to come up than think about the lack of a keypress.

Re:Terrible headline

[geoscodin]

HAHAHA!!! Oops! No! Aw, man!
Make that 9 Windows Phone users. I just dropped mine laughing at your post.

Re:Terrible headline

[Dixie_Flatline]

No, I saw this even on release versions with no beta profile installed. Same with my partner, who's never installed a dev or beta profile in her life. The frequency has dropped off quite a lot—I probably only see the popup once ever 3 or 4 months now—but for a while, it was a daily irritant.

Re: Terrible headline

[Brockmire]

I social engineer girlfriends so well, they don't even realize they're my girlfriend.

Re:Terrible headline

[Obfuscant]

If they see a login screen without having pressed this, they will know it's bogus.

Really? I don't press c-a-d when I click on an unmounted but mapped network drive, and I get a pretty clear request for a username and password.

Re:Terrible headline

[edtice1559]

Right. The fact that the OS provides the feature doesn't mean that all apps *use* the feature. The issue here is that iOS doesn't provide it. Chrome *ought* to be using UAC for this.

Re:Terrible headline

[parkinglot777]

I agree with you entirely - but if Apple adds some sort of identifier regarding which process triggered the pop-up prompt, it’s not clear a malicious actor couldn’t fake that part of the pop-up as well.

I wonder whether the whole process should be redesigned somehow.

I don't think that the pop-up prompt that the phishing apps are using is the same as the iOS is using. The way it works, normally, is that a pop-up will be displayed when you attempt to start any of those phishing apps. There are some games in the App Store right now that will force you to enter your password before you could even start the game. Some of these apps have similar pop-up format (but not exactly) right when you load it up as well. So it doesn't matter whether Apple adds some sort of identifier to the pop-up prompt, it is the matter of how apple does with their own pop-up (e.g. redirect to their native app which is locked down by Apple itself before allow the password entering).

Re:Terrible headline

[TechyImmigrant]

2 -3 - 1 - 0

10
11
01
00

That's grey coded.

Re:Terrible headline

[gweihir]

The technical term here is "vulnerability" and it is a symptom of a failed security design.

Re:Terrible headline

[TheFakeTimCook]

Well, normally I would agree, but this one is not quite phishing anymore, it is more an OS dialog impersonation attack, and the user cannot really see what is going on. Make this dialog appear when it is reasonable to expect, and the user really does not have much of a chance.

Again, why is this even news?

Impersonation of a Login Dialog can be done on ANY OS, period

NOPE.. This is an old problem, and it is usually fixed or worked around a lot better in other OS.

And yet, no examples. And don't just rely on Ctrl-Alt-Del...

Re:Terrible headline

[Carewolf]

Try using a non-Crapple device. That is the example.

Re:Terrible headline

[Paradise+Pete]

First pop up is "authentication required, please press the home button."

You can do this now. Pressing the home button will make an app-generated prompt disappear, but a system-level prompt will remain.

Re:Terrible headline

[fortiustechnologies]

Do you think it was the simplest solution they can make

Re:Terrible headline

[TheFakeTimCook]

Try using a non-Crapple device. That is the example.

EXACTLY the Non-Response I expected!

Way to defend your point, Hater!

Re:Terrible headline

[pop+ebp]

If your browser would let any web site show https://myaccount.google.com/ in the address bar with the green padlock, is that not a security flaw?

Not saying this is exactly the same, but if a platform makes it very hard or impossible for the user to detect a phishing attack, it is a security flaw.

Re:Terrible headline

[pop+ebp]

You can't really compare this to desktop OSes like Windows or Mac OS.
The security model there is different. All "apps" you run on them are implicitly trusted; there is no security barrier between apps.

You don't need to fake a Gmail login prompt on Windows because you can simply read the memory of the browser or Gmail app and it will gladly give the memory contents including the password to you (if it still has it).

In iOS, each app is supposed to be isolated from each other and from the OS so this is a big(ger) deal.

Re:Terrible headline

[david_thornley]

Sure. Then an application pops up a authentication screen that doesn't say anything, and lots of users type in their password anyway. I have to type my password not only on Windows login, but when accessing other areas of the intranet. Therefore, I'm trained to enter my username and password on a prompt that doesn't follow the three-finger salute.

Re:Terrible headline

[AvitarX]

And if a proliferation of apps don't use the feature, it becomes de facto the same as not having it.

Perhaps MS could require proper use of UAC to for companies that sign their apps (for the not scary install).

Re:Terrible headline

[michael_wojcik]

Windows solved this in the 1990s with ctrl-alt-del.

And it was already an old idea then. The use of a Secure Attention Key or Secure Attention Sequence goes back at least to the 1970s.

The problem with SAKs, as usual, is users. A SAK is only a useful security feature for a vigilant user who knows to avoid any prompt for credentials that wasn't elicited by a SAK. It's also an awkward user experience when applications need to request credentials for cases where they can't inherit the OS authentication.

Personally, I keep the SAK enabled on my Windows systems. But it doesn't prune much of the credential-stealing attack tree.

A more-comprehensive solution is dedicated hardware (e.g. a smartcard reader), so the user's credentials are never exposed to a general-purpose computer at all. But that requires sweeping changes in how password-based authentication is currently used by popular OSes and applications.

Never an Apple user

[JackieBrown]

But this isn't a flaw in IOS. It's like saying Android is insecure because of fake emails I get asking me to reset my gmail password

Re:Never an Apple user

Nah, it's a fundamental flaw in iOS's UI. You will be asked for your Apple ID password ALL THE TIME on iOS. Worse, it can be triggered from inside an app by the app trying to use iCloud stuff.

And there's nothing "special" about the prompt. It's a regular dialog box with a regular password field. There is nothing that suggests any difference between a real "OS needs your password" and a fake "phisher is asking for your password."

There's a reason Microsoft used to make you press Ctrl-Alt-Del to enter your password in NT. It was to ensure that you pressed a key combination that no program could read, so that you could always be sure your password was going to the OS, not a phishing program. iOS has no similar thing, and does nothing else to make it clear your password is going to the OS and not some random app.

Re:Never an Apple user

[UnknowingFool]

No, it's always Apple's fault that all computer users could be susceptible to this kind of attack.

Re:Never an Apple user

[El+Cubano]

But this isn't a flaw in IOS. It's like saying Android is insecure because of fake emails I get asking me to reset my gmail password

That all depends. If the users are conditioned to respond to those sorts of pop-ups because of the OS itself or because of apps bundled by Apple, then it could be considered an iOS flaw at least in the sense that poor design choices condition the user to be more susceptible to this sort of exploitation.

It was like Microsoft's UAC in the early days. So many apps were written in such a way that they unnecessarily triggered the UAC pop-up. Users just wanted it to go away so they could get on with what they were doing. As a result, users just became conditioned to always allow it. Bad actors who wished to exploit users could count on the fact that the vast majority of users would just OK whatever it was to make the pop-up go away. Think about that for a minute. The goal was to stop unwanted changes to the system. If I double-click an installer then I want to change the system and there is no need to ask me. However, if something that I did not launch myself fires up in the background and wants to change my system, that is not OK. The way Microsoft executed UAC was such that the user could not easily distinguish between the two and the user in haste to make the pop-up go away will allow whatever.

Back to Apple. If the user cannot distinguish between something like the two use cases I have described then there may be a flaw to be addressed. It may also just be a problem with the application ecosystem itself or a manifestation of the user community's predisposition for convenience. In any case, I think that calling it a "fundamental flaw in iOS" is hyperbole.

Re:Never an Apple user

[Tomahawk]

No, it would be like saying android is insecure because Google regularly send emails asking to reset your gmail password. So when you get an email that looks similar you'll just click the link and enter your password.

On Android, I'm trying to remember any time I'm asked to enter my account password. When I add my account to the phone initially, and when I purchase something from the play store. I don't recall ever seeing a popup asking for my google account password in any other circumstance.

So the issue here is that by being asked for your password a lot (relatively, at least), then a user won't think twice when asked at any random time and will just enter it.

Re:Never an Apple user

[Chris+Mattern]

Yes, it is, because it shouldn't be possible for a trojan to impersonate the system log in screen. That's why Windows boxes make you use ctrl-alt-del--user programs can't catch that key sequence and make it look like you're logging in.

Re:Never an Apple user

But this isn't a flaw in IOS.

It's a flaw when the operating system allows an application to trivially impersonate the operating system, and the operating system doesn't have any way for the user to determine that the UI element is part of the operating system and not an application.

Re:Never an Apple user

[TheFakeTimCook]

Nah, it's a fundamental flaw in iOS's UI. You will be asked for your Apple ID password ALL THE TIME on iOS. Worse, it can be triggered from inside an app by the app trying to use iCloud stuff.

And there's nothing "special" about the prompt. It's a regular dialog box with a regular password field. There is nothing that suggests any difference between a real "OS needs your password" and a fake "phisher is asking for your password."

There's a reason Microsoft used to make you press Ctrl-Alt-Del to enter your password in NT. It was to ensure that you pressed a key combination that no program could read, so that you could always be sure your password was going to the OS, not a phishing program. iOS has no similar thing, and does nothing else to make it clear your password is going to the OS and not some random app.

If something is asking for my AppleID, it needs to be displaying the "TouchID" "Dialog", or I'm not playing. And TouchID simply returns a Go/No-Go back to the App.

That's about as secure as it can get.

I do agree, however, that there should be something to distinguish a System-Generated Password Dialog from ANY other Dialog.

Re:Never an Apple user

[JackieBrown]

When I get a popup in kde asking for my root password, it doesn't look different than any other prompt that pops up.

Sure, there are ways that apple could change this but as someone mentioned above, I get a standard google password pop up for micro-transactions. I also get one if I use the "Find my Phone" android app.

Really, if the user is entering their password on any prompt - especially one that comes up for no reason - this is a user issue.

When I click on an email to reset my password and it takes me to a cloned version of my bank's site, it's not my bank's fault that their site was cloned and I mindlessly entered my password.

And the ones that state that windows makes you enter control-alt-delte to enter your password, I really don't think that's true for windows mobile.

Re:Never an Apple user

[TheFakeTimCook]

But this isn't a flaw in IOS. It's like saying Android is insecure because of fake emails I get asking me to reset my gmail password

That all depends. If the users are conditioned to respond to those sorts of pop-ups because of the OS itself or because of apps bundled by Apple, then it could be considered an iOS flaw at least in the sense that poor design choices condition the user to be more susceptible to this sort of exploitation.

It was like Microsoft's UAC in the early days. So many apps were written in such a way that they unnecessarily triggered the UAC pop-up. Users just wanted it to go away so they could get on with what they were doing. As a result, users just became conditioned to always allow it. Bad actors who wished to exploit users could count on the fact that the vast majority of users would just OK whatever it was to make the pop-up go away. Think about that for a minute. The goal was to stop unwanted changes to the system. If I double-click an installer then I want to change the system and there is no need to ask me. However, if something that I did not launch myself fires up in the background and wants to change my system, that is not OK. The way Microsoft executed UAC was such that the user could not easily distinguish between the two and the user in haste to make the pop-up go away will allow whatever.

Back to Apple. If the user cannot distinguish between something like the two use cases I have described then there may be a flaw to be addressed. It may also just be a problem with the application ecosystem itself or a manifestation of the user community's predisposition for convenience. In any case, I think that calling it a "fundamental flaw in iOS" is hyperbole.

The iOS experience is NOT filled with UAC-like Permission Challenges. Never has (hopefully) never will.

The typical iOS User will ONLY be challenged in a very few situations:

1. Doing an OS Update.
2. Doing a Backup/Restore of their Device.
3. Downloading an App from the App Store.
4. iTunes Store Purchases/Rentals.
5. Creating/Changing your AppleID login credentials.

There MIGHT be a few others; but they are rare enough that I can't remember ever seeing them personally.

Notice that ALL of those are ONLY initiated by interactions with APPLE Services. If ANY NON-Apple App asks for your AppleID login, DELETE IT IMMEDIATELY!

And in devices with TouchID/FaceID, it BETTER be displaying the TouchID "dialog" (which DOESN'T pass CREDENTIALS), or it gets CANCELLED. In fact, I can't remember the last time I had to actually type-in my AppleID.

Re:Never an Apple user

[TheFakeTimCook]

No, it would be like saying android is insecure because Google regularly send emails asking to reset your gmail password. So when you get an email that looks similar you'll just click the link and enter your password.

On Android, I'm trying to remember any time I'm asked to enter my account password. When I add my account to the phone initially, and when I purchase something from the play store. I don't recall ever seeing a popup asking for my google account password in any other circumstance.

So the issue here is that by being asked for your password a lot (relatively, at least), then a user won't think twice when asked at any random time and will just enter it.

As I said, fortunately, iOS doesn't ask for your login every whipstitch, either. Only during certain specific APPLE tasks.

See: https://it.slashdot.org/commen...

Re:Never an Apple user

[hcs_$reboot]

Ok but how long would survive such app having such a bad behavior? ( let alone be approved by Apple in the 1 st place)

Re:Never an Apple user

[UnknowingFool]

Nah, it's a fundamental flaw in iOS's UI. You will be asked for your Apple ID password ALL THE TIME on iOS. Worse, it can be triggered from inside an app by the app trying to use iCloud stuff.

Sounds like someone who's never used iOS. I'm not asked "ALL THE TIME" for my Apple ID especially if I've already set my settings. The times I'm asked for my authentication for my Apple ID, it's for my fingerprint. If I turn it off, it would ask if I purchase something (because my settings are set to this).

And there's nothing "special" about the prompt. It's a regular dialog box with a regular password field. There is nothing that suggests any difference between a real "OS needs your password" and a fake "phisher is asking for your password."

And what determines an authentic password request on Windows or Android? And that request can't be faked?

There's a reason Microsoft used to make you press Ctrl-Alt-Del to enter your password in NT. It was to ensure that you pressed a key combination that no program could read, so that you could always be sure your password was going to the OS, not a phishing program. iOS has no similar thing, and does nothing else to make it clear your password is going to the OS and not some random app.

Er what? You've confused many things. Ctrl-Alt-Del originally had nothing to do with passwords. They were on the first PCs to interrupt and reboot especially in the DOS days. Windows kept it as an interrupt and reboot confirmation in addition to being used to enter in your password the first time. However you didn't need the combination to trigger a password request as far as I remember. If your screen saver kicked in for example, you'd have to re-enter your password. it was easy enough for a program to fake a screen saver then a password dialog box.

Re:Never an Apple user

[AvitarX]

It seems like a case of trying to improve security (require a password to give higher privilege) actually reducing security (making entering password a thoughtless process).

The simplest fix from Apple I'd think would be to remove all entry of password by default (except for specific cases), then have the dialog pop to request more access be a simple Yes/No with a reminder that Apple will only ask for your password in [list specific cases].

Re:Never an Apple user

[UnknowingFool]

Windows NT would ALWAYS require you press Ctrl-Alt-Del before entering your login password.

Um. Not ALWAYS. It could be disabled by settings. And the fact of the matter is that any program could spoof the password dialog visually. For the average NT user, would they automatically remember that the had to press Ctrl-Alt-Delete before entering a password (if that settings was enabled)? Not always.

Re:Never an Apple user

[mark-t]

The fact that you'd only be asked for password in those situations is not sufficient to be sure it would not be a problem.

If I were the so inclined to try and exploit this so-called "flaw", I would write my application so that the malicious code does not execute for the first 30 days (and thus should not be noticed by those that are performing an app-store eligibility review), and then one day after that, and entirely at random, upon invoking some in-app purchase, the faked dialog pops up instead of the real one. The user enters their credentials, and a brief moment later, they are given the same message that would show up if a user happened to lose their network connectivity just after they got the dialog (I don't know what sort of notification this is for the iphone, so I can't say for sure that I know what it would it would be... maybe the app just says it lost connection to the store, or whatnot. I don't know). Anyways, after is has done this exactly once for a given user, it would not ever do it again.

I expect that most users would retry, and at this point the app would proceed normally via a real itunes purchase, while their password was still stored by the app in the first popup.

At some later point, this username and password combo could be sent to some home base by the application, perhaps as part of a request that retrieves high scores for other players, and the user would not necessarily ever know about it unless they were practically being voyeurs for every network packet their device sends and receives.

I'm honestly not sure what it says about my ethical standards that I would have taken the time to even think of this.

Re:Never an Apple user

[TheFakeTimCook]

The fact that you'd only be asked for password in those situations is not sufficient to be sure it would not be a problem.

If I were the so inclined to try and exploit this so-called "flaw", I would write my application so that the malicious code does not execute for the first 30 days (and thus should not be noticed by those that are performing an app-store eligibility review), and then one day after that, and entirely at random, upon invoking some in-app purchase, the faked dialog pops up instead of the real one. The user enters their credentials, and a brief moment later, they are given the same message that would show up if a user happened to lose their network connectivity just after they got the dialog (I don't know what sort of notification this is for the iphone, so I can't say for sure that I know what it would it would be... maybe the app just says it lost connection to the store, or whatnot. I don't know). Anyways, after is has done this exactly once for a given user, it would not ever do it again.

I expect that most users would retry, and at this point the app would proceed normally via a real itunes purchase, while their password was still stored by the app in the first popup.

At some later point, this username and password combo could be sent to some home base by the application, perhaps as part of a request that retrieves high scores for other players, and the user would not necessarily ever know about it unless they were practically being voyeurs for every network packet their device sends and receives.

I'm honestly not sure what it says about my ethical standards that I would have taken the time to even think of this.

Pretty sure that iOS sandboxing would make those kinds of inter-app shenanigans impossible.

Re:Never an Apple user

[pop+ebp]

From what I've read (can't confirm since I don't use iOS), the system sometimes asks for your password even if you use TouchID for authentication. If so, there's the flaw.

Re:Never an Apple user

[TheFakeTimCook]

From what I've read (can't confirm since I don't use iOS), the system sometimes asks for your password even if you use TouchID for authentication. If so, there's the flaw.

The only time that is true is the initial Lock-Screen (wherein it will ask for a PW under certain conditions, e.g. not logging-in for 48 hours, etc.), and I double-dog-dare anyone to do a MITM attack on THAT process! ;-)

Re:Never an Apple user

[pop+ebp]

Nah, not that. The lock screen asks for the passcode. This article is about the Apple ID password. (Again, I can't confirm how exactly it works - maybe it only asks for that when you use iCloud)

Re:Never an Apple user

[TheFakeTimCook]

Nah, not that. The lock screen asks for the passcode. This article is about the Apple ID password. (Again, I can't confirm how exactly it works - maybe it only asks for that when you use iCloud)

AppleID Passwords are asked for only when Making Purchases in the App Store, or iTunes Purchases. And if you have TouchID, you can use that, which is more secure (no authentication info leaves the device).

I avoid iCloud; but the iCloud sign-in Dialog asks for an "iCloud PW", (NOT the AppleID one); so I think they at least CAN be different.

DUMB

This article is the stupid.

Avatar or user only knowledge

[Midnight+Thunder]

This is where having a visual indicator that only the OS and user know about could help? It could be an image or a phrase, but the idea is that an application couldnâ(TM)t forge the OS dialogue, because it doesnâ(TM)t have access to that info.

At the same time, there are probably still limitations arising from an app asking for permissions it shouldnâ(TM)t need. This easier to vet for anything going through the App Store and possibly signed applications, but for anything else it is still user beware.

Re:Avatar or user only knowledge

[TheFakeTimCook]

This is where having a visual indicator that only the OS and user know about could help? It could be an image or a phrase, but the idea is that an application couldnâ(TM)t forge the OS dialogue, because it doesnâ(TM)t have access to that info.

At the same time, there are probably still limitations arising from an app asking for permissions it shouldnâ(TM)t need. This easier to vet for anything going through the App Store and possibly signed applications, but for anything else it is still user beware.

Apple did the "Permissions" the other way-around. The App can install; but it has to ask Permission when it goes to USE the Service for the first time, and the Permission can ALWAYS be revoked from the Settings "App". I think Android FINALLY changed to a similar security model; but it took 'em long enough!

Re:Not "fundamental"

Is that true? I've had Android phone for 6+ years and can't ever remember a 'system' popup asking for a password. There's no equivalent to an iTunes account. If I'm asked for my Google Play account password I'm very wary. I'm genuinely curious if this sort of phishing has been tried on Android?

Try the enterprise environment...

[iprayfatcashewd]

If you tell someone that you're from the IT department, most users will gladly tell you their password even though corporate policy says not to tell anyone your password. Some people have their password on a Post-It note underneath their keyboard or on the side of their monitor.

Re:Not "fundamental"

[halivar]

There's no equivalent to an iTunes account. If I'm asked for my Google Play account password I'm very wary.

You said there was no equivalent, and then listed the equivalent.

This is everywhere...

[bradley13]

Lots of people use their Google account, or their Facebook account, to log into various sites and services. I'm not sure how Facebook works, because I rarely use it. Google makes you type in your password once per month, so Google users are also trained to enter their password more-or-less at random, when asked. It would be dead easy to fake the password dialog.

Users trading of security for convenience, yet again. The stupid thing is that companies encourage this behavior. If some service really wants you to login again, it should ask you to go log in, not present you with some dialog to type in your password.

Re:This is everywhere...

[Zocalo]

This is supposedly using some kind of federated authentication system like OAuth that doesn't require the password be exposed, but the idea is absolutely horrible from a phishing standpoint precisely because too many users are conditioned to blindly enter passwords on demand when confronted by an authentic enough looking prompt on what they consider to be a legit site. (In many cases, they'll even do it on a decidedly sketchy looking prompt on a highly suspect site as well, but that's kind of by the by.) The major flaw here is that there are far too many malicious sites, either deliberately so or through compromise and script injection, that could fake an OAuth style login then follow through with a request for the actual password. When even "trusted" companies that you'd expect to have near bulletproof security like Equifax are getting completely owned, how can you be sure that some random site claiming to use OAuth for your convenience is secure?

I say we get a password manager, and for each site have a unique strong password. It's the only way to be secure! :)

Re:This is everywhere...

[phorm]

Except with oauth, you should not be entering your credentials anywhere except Google/FB's site. That's part of the point of it.

If you're not on google.com or facebook.com, don't enter the password.

Re:This is everywhere...

[Zocalo]

Yeah, I know that. You know that. The average Joe who is used to Google/Facebook asking for their password to be re-entered (legitimately) at apparently random points in time though? Unless they've paid particular attention to blurb from Google/Facebook, or looked into how OAuth works, I can't imagine too many of them are going to think twice on the spur of the moment if the faked prompt is suitably convincing.

login:

This is old as stones. We used this ages ago to make fun of unsuspecting uni dinosaurs. Just run a program printing "login:" and you're done.

So ,what's new?

Gonna be tough

[Chris+Mattern]

Will they install control, alt and delete keys on iPhones?

'Security Researcher'

[Fly+Swatter]

Am I the only one that shakes my head every time I see this term used to describe a hacker/cracker/black hat that doesn't actually do research except to unlawfully break into other peoples stuff just to brag about it?

And to stay slightly on topic, this is just social engineering, not an OS flaw. Clickbait garbage.

Re:'Security Researcher'

[TheFakeTimCook]

Am I the only one that shakes my head every time I see this term used to describe a hacker/cracker/black hat that doesn't actually do research except to unlawfully break into other peoples stuff just to brag about it?

And to stay slightly on topic, this is just social engineering, not an OS flaw. Clickbait garbage.

Exactly!

Re:'Security Researcher'

Am I the only one that shakes my head every time I see this term used to describe a hacker/cracker/black hat that doesn't actually do research except to unlawfully break into other peoples stuff just to brag about it?

The person who wrote the article is a well-known iOS developer, there's nothing illegal or immoral about this, and writing about a flaw isn't bragging. Besides, the "security researcher" seems to be an invention of the submitter; the person who wrote the article doesn't call himself that.

Terrible flaw in the human mind

[GeekWithAKnife]

I can simulate a real terror threat and people will believe it! -get a new brain?!

How the fuck is this a flaw in iOS? What a load of rubbish.

Turns out you can call yourself anything

[MinaInerz]

Why title it "Security Researcher" when you clearly submitted a post about yourself? Why not instead title it "I find what I personally think is a fundamental flaw in iOS"?

Re:Not "fundamental"

[omnichad]

Did they? All they said is that they'd be wary if they were asked for their Google Play password. They did not say that the request was ever legitimate. I imagine that if I was asked for the password, the phone would switch over to the Play store app before popping up the dialog - but I also can't remember ever being asked.

Keyword: Trained

I'm asked for my Apple password at least once a week, and it happens absolutely randomly. I might be doing anything, and suddenly "hey re-authenticate please!". I've absolutely been trained to not question it and just punch the password in so my phone continues to work. This is even worse than the whole "constant UAC prompt trains users to just say yes", because it has absolutely zero context. I don't know what triggered it, I don't know how not putting the password in limits me exactly, I have no way of knowing it's really the system asking for the credential, and I'm not just pressing yes, I'm inputting my golden key. Just bad design all around.

Re:Keyword: Trained

[smartr]

I find this odd. I've been using iOS for probably 10 years now and don't have this experience. Maybe on some very old version? Is your phone jailbroken by someone who has your password?

Re:Keyword: Trained

[Gilgaron]

Do you use iCloud for anything? That seems to be the most common culprit as far as I can tell, but as the article notes, it is hard to tell sometimes why you're being pestered for it. It may be akin to how if an email server is down your client will think you failed to log in and pester you a lot with a prompt. If you don't use the relevant services or never have connectivity issues it may leave you alone for the most part.

Re:Keyword: Trained

[dunkindave]

When he says "password", I think he may mean "passcode". After the passcode is entered to unlock the phone, it will then unlock using only TouchID for a week before requiring the passcode again be entered (unless two days go by without being unlocked). The passcode prompt often appears to be random since you keep unlocking the phone with a finger, then suddenly it says no, give me the passcode instead (often at a rather inconvenient time).

Like you, I don't get Apple/iCloud password prompts unless performing very specific actions where it makes sense. If I did, I would know since my Apple password is long, complex, and a pain in the ass to enter.

Re:Keyword: Trained

[dunkindave]

You're holding it wrong. :)

Re:Keyword: Trained

[david_thornley]

I never get prompted for my iCloud password. I'm prompted for my iTunes/Apple/whatever password at the times I'd expect to be prompted.

Re:Not "fundamental"

[halivar]

Many apps pop up the Google Play app for authentication. There is 0% chance that it cannot be faked as well as an iOS authentication pop up.

Re:Not "fundamental"

[TheFakeTimCook]

Is that true? I've had Android phone for 6+ years and can't ever remember a 'system' popup asking for a password. There's no equivalent to an iTunes account. If I'm asked for my Google Play account password I'm very wary. I'm genuinely curious if this sort of phishing has been tried on Android?

No. On Android, they just pull the stuff out WITHOUT User Intervention...

I think it counts as a flaw.

[w3woody]

Honestly I think this does count as a fundamental flaw--but a flaw in the design of the user interface flow used to obtain credentials for iTunes (or for other applications).

It's a flaw for two reasons. First, any process which interrupts your current actions with a modal dialog is a flaw in that if you are not paying attention, you may accidentally tap the accept or cancel button without realizing what you are doing. (This is worse on a desktop environment, where a pop-up may appear while you are typing. If you are a fast touch-typest like I am, you may accidentally press 'enter' or 'space' before realizing what you're typing has gone into the dialog box that just randomly appeared.)

Second, the design is a flaw because it does not give a mechanism by which the context of the dialog box cannot be brought forward and examined for validity. That is, with the iTunes login prompt, all you are permitted to do is to enter the password or not--but you have no way to know that it indeed is coming from iTunes.

I personally would consider fixing this user interface flaw by doing three things.

First, provide a notification mechanism which is clearly visible to the user (such as a flashing bar at the top of the screen), but which does not directly interrupt the user's interaction with the device. If, for some reason a password is necessary before the user can continue his interaction with the device, I would propose a dialog box come up with stops the user interaction with an accept/cancel button but which does not ask for information.

Second, in response to the notification mechanism, I would switch to the application that is asking for the information. (This is easier now that iOS supports multiple concurrent applications and a method for going 'back' in the upper-left corner of the screen.) This gives the user the opportunity to examine the application which is asking for the information. (If this is in response for an iTunes password prompt, I would switch to the Settings app and to the iTunes password screen within settings.)

Third, I would explicitly prohibit (either by changing the OS or through the review process) modal dialogs not belonging to an application from appearing over another application. This includes built-in OS modal dialogs.

All of this is designed to force the user to examine the context in which their sensitive information is being requested, rather than blindly handing it over. Because this sort of interaction is relatively rare, forcing the user to switch to the settings page (rather than just grabbing the password on the go) is not an unreasonable price to pay here.

Re:I think it counts as a flaw.

[w3woody]

As an aside, on iOS we already force applications to switch to the Settings app to turn on or off notifications and location settings; there is no API within iOS which can programmatically change these settings.

Doing the same for iTunes passwords doesn't seem unreasonable to me.

Re:I think it counts as a flaw.

[michael_wojcik]

I would explicitly prohibit (either by changing the OS or through the review process) modal dialogs not belonging to an application from appearing over another application. This includes built-in OS modal dialogs.

Yes. The focus-stealing modal dialog is one of the dumbest, most egregious UX flaws in common implementations of the WIMP interface. It assumes the user is always looking at the screen and able to immediately shift from interacting with one application to interacting with another. It's a gaping security hole and a patent error in the user interaction model.

I get it...

[ttimes]

...the article title was a kind of phishing itself. When will you learn there is a difference between bait and chum? In the least iOS should be removed from the title - the issues described can happen to most any device OS.

Social Engineering

[zifn4b]

Wow, congratulations on discovering social engineering! Seriously slashdot, we've had posts where people supposedly discover things that have been around for years. The other day it was vending machines, now it's social engineering.

Re:Social Engineering

[epine]

Wow, congratulations on discovering social engineering!

Yeah, no. Whoosh. What we're debating here is social engineering engineering, the kind of engineering a responsible corporation engages in if they're up to speed with the former.

I'm pretty sure this is why Apple wants to include a living retina eye scanner in every phone.

Personally, if I had the option (and an iPhone), I'd set things up so my smart watch's accelerometer first had to detect my left hand performing a sinister Catholic cross before the official password dialog accepted any secure input.

Re:Social Engineering

[zifn4b]

Your snark suggests that either:

1). You don't think a social engineering attack is a "real" attack; 2). You don't think that social engineering has any meaningful defense, because stupid users, right?

Wrong on both counts.

Your presumptions make you stupid. I merely suggested it is being REPORTED as something new when in fact it's OLD. Now on the other hand, if we were presented with some new means of defending ourselves against social engineering, that would be news.

Re:How about Ctrl-Alt-Del?

[Junta]

Well not over 30 years ago, Ctrl-Alt-Del as a Secure Attention Key until 1994 in Windows NT. Other than that it was a reboot sequence.

But the concept has been out of fashion for years, but warrants a reminder of the value of something the OS can hook and unconditionally react to to discourage OS dialog phishing.

It *is* a flaw.

[hey!]

It's a *design* flaw though, not the usual half-assed implementation flaw. Yes, there's a social engineering component, but the design of the OS makes the job of the social engineer all too easy.

This attack is like a hybrid Trojan/phishing/MITM attack: your evil app puts up a bogus dialog box that looks like an iOS dialog box asking for Apple credentials. It then harvests this information and transmits it to the bad actor. And it isn't just Apple that's vulnerable to this; Windows does this so often that users are effectively trained to hand over their credentials without thinking.

I've been concerned about this mode of attack for years; which is why when I do run Windows I always do so from an unprivileged account. This also, by the way, keeps the administrator credentials for my machine firmly on my hardware; Microsoft really wants you to log in using your Microsoft credentials and does its best to encourage (sometimes trick) you into doing this when you install, for example, Skype. This is a perfect storm scenario for this kind of attack: users are trained that handing over the credentials to both their network and administrator accounts is a normal part of operating their computers.

I've often thought there should be a hardware solution to this. The obvious solution is some kind of hardware token; but it could be as simple as an LED on the device that can only be lit by the genuine OS routine for asking the user for his credentials; this routine would insulate those credentials from any unprivileged process.

Research, seriously??

[hcs_$reboot]

Anyone with a minimum of dev background ( hopefully that means a lot of people here ) knows that kind of "trick".

Re: Did you know...

[saloomy]

Itâ(TM)s not a real attack unless you can get it onto the phone. Has an app with this dialog code made it past the app review process? Can you pop it up on safari? If so, then a simple change to that one dialog box (like making it a different color to indicate secure) will fix that. If not, then nothing to see here. Just developers playing in a sandbox justifying the app review process.

This exploit is live in the wild

[mr_diags]

This is not theoretical, these exploits are live and active. A week ago my not-so tech savvy father-in-law was visiting me in the USA and asked me to help "clean up" his iPhone 6. He kept getting these "please enter you apple ID" credential popups for no known reason. Also, he was getting odd printer setup popups and knew of no printer software on his phone. He lives in Switzerland travels the world and had installed several apps to communicate with friends in China and various European countries. A couple of the China pointing apps I researched looked to be created by "China, Inc" which I immediately told him to purge from the phone and from use - forever. There were a couple of communication apps installed on his phone which he was unaware of how they got there and I could not find reference to them anywhere in the Apple Store - so much for the myth that only Apple-certified/Apple-Store approved apps can be installed on your iPhone. After deleting about 10 suspect apps off his phone and power cycling twice the popups ceased.

Score:-5, Pwned

Witness BitZtream getting pwned!... twice.....three times!

Re: Not "fundamental"

[Brockmire]

You need to learn the history of iCloud and the sipping of ALL your data without user knowledge before you go throwing stones from your fucking glass house. Another Apple story where your butthurt is visible for everyone to see.

So...

[BitztreamNotARealNam]

How's life in the hypocrite lane?

Re: Not "fundamental"

[TheFakeTimCook]

You need to learn the history of iCloud and the sipping of ALL your data without user knowledge before you go throwing stones from your fucking glass house.

Another Apple story where your butthurt is visible for everyone to see.

Citation, please.

And was this an early version of iCloud, Long-since fixed?