Slashdot Mirror


Security Researcher Finds a Fundamental Flaw in iOS (krausefx.com)

Felix Krause writes: Do you want a user's Apple ID password to get access to their Apple account or to try the same email/password combination on different web services? Just ask your users politely; they'll probably just hand over their credentials, as they're trained to do so. This is just a proof of concept; phishing attacks are illegal! Don't use this in any of your apps. The goal of this blog post is to close the loophole that has been there for many years and hasn't been addressed yet. For moral reasons, I decided not to include the actual source code of the popup; however, it was shockingly easy to replicate the system dialog.

26 of 162 comments

  1. Terrible headline by Anonymous Coward · · Score: 5, Insightful

    Phishing attacks that are well crafted don't count as flaws.

    1. Re:Terrible headline by halivar · · Score: 2

      As if this couldn't be done on ANY platform.

    2. Re:Terrible headline by gweihir · · Score: 3, Insightful

      Well, normally I would agree, but this one is not quite phishing anymore, it is more an OS dialog impersonation attack, and the user cannot really see what is going on. Make this dialog appear when it is reasonable to expect, and the user really does not have much of a chance.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:Terrible headline by omnichad · · Score: 5, Insightful

      If the platform doesn't give you a way to distinguish, then it's still a platform security issue.

    4. Re:Terrible headline by Bing+Tsher+E · · Score: 2

      Yes, it could be done on any platform.

      However, the different platforms cultivate different sorts of users.

      On a platform where an immense amount of handholding is part of the design and culture of the platform, compliant and obedient users are the norm.

      Compare the effectiveness of this sort of phishing on:

      - An iOS account holder.
      - An OpenBSD account holder.

      Clearly, the Fisher-Price interface coddles and encourages certain types of behavior. You can't really blame that on the developers, or the users. It's designed how the marketing folks want it, to develop the 'market' they wish to sell to.

    5. Re:Terrible headline by UnknowingFool · · Score: 2

      On a platform where an immense amount of handholding is part of the design and culture of the platform, compliant and obedient users are the norm.

      Leave the 10 Windows Phone users out of this. Thanks, I'll be here all week. Tip your waitstaff.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    6. Re:Terrible headline by TheFakeTimCook · · Score: 2

      Well, normally I would agree, but this one is not quite phishing anymore, it is more an OS dialog impersonation attack, and the user cannot really see what is going on. Make this dialog appear when it is reasonable to expect, and the user really does not have much of a chance.

      Again, why is this even news?

      Impersonation of a Login Dialog can be done on ANY OS, period. And with stuff like Text Substitutions in a Dialog, pretty much no amount of App-Scanning by %APP_APPROVER% is going to discover a cleverly-obfuscated Dialog creation function.

      What Apple (and others) could POSSIBLY do, is to make a "Credentials" Dialog appear COMPLETELY different from any-other-Dialog, using baked-in UI elements that are simply not accessible to Apps. Kind of like building holograms and micro-printed ribbons into Currency.

      Or, Apple can just change their policy and REQUIRE Biometric Authentication (TouchID/FaceID) if it is available on-device, which just returns a "Pass/Fail" to the Application, rather than ever asking for something like an AppleID login.

      My bank's App displays a screen at Launch that offers two options: TouchID or my BANK's PIN. Could it be spoofed? I guess; but there would not likely be enough people that would use the PIN to make it worthwhile, especially since they would have to repeat that engineering for multiple Banks (all with varying login processes), thus making their detection (and banning) a virtual certainty.
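
The "pass/fail from the OS" pattern described in the comment above, written out as an added Swift example. This is not code from the linked post (which deliberately withholds its dialog code) or from any commenter. It assumes the app only needs to know that the device owner is present and uses Apple's LocalAuthentication framework; the `AuthGate` type, the `AuthGateResult` enum and the reason strings are this example's own names.

```swift
// Added example: an app-side authentication gate that never collects an
// Apple ID (or any other shared) password. The OS draws the Touch ID /
// Face ID / passcode prompt, and the app receives only a pass/fail bit.
import Foundation
import LocalAuthentication

enum AuthGateResult {
    case passed
    case failed(reason: String)        // prompt was shown, user did not pass
    case unavailable(reason: String)   // no passcode/biometry enrolled, etc.
}

struct AuthGate {
    /// Biometrics first, with the system passcode sheet as fallback.
    /// Use .deviceOwnerAuthenticationWithBiometrics to forbid the passcode path.
    let policy: LAPolicy = .deviceOwnerAuthentication

    /// Asks the OS to verify the device owner. `completion` is called on a
    /// private queue, so callers must hop to the main queue before touching UI.
    func authenticate(reason: String,
                      completion: @escaping (AuthGateResult) -> Void) {
        let context = LAContext()
        var preflightError: NSError?

        // Check before prompting: this is where "no passcode set" or
        // "no biometrics enrolled" surfaces, without showing any dialog.
        guard context.canEvaluatePolicy(policy, error: &preflightError) else {
            completion(.unavailable(reason: describe(preflightError)))
            return
        }

        // The reason string appears in the system prompt; the app never sees
        // the biometric data or the passcode, only `ok`.
        context.evaluatePolicy(policy, localizedReason: reason) { ok, evalError in
            if ok {
                completion(.passed)
            } else {
                completion(.failed(reason: self.describe(evalError.map { $0 as NSError })))
            }
        }
    }

    /// Maps LAError codes to short, loggable reasons. Cancellation and
    /// lockout are distinguished so the UI can react sensibly.
    private func describe(_ error: NSError?) -> String {
        guard let error = error, let code = LAError.Code(rawValue: error.code) else {
            return "unknown error"
        }
        switch code {
        case .userCancel:           return "user cancelled"
        case .systemCancel:         return "system cancelled (app backgrounded)"
        case .userFallback:         return "user chose fallback"
        case .authenticationFailed: return "authentication failed"
        case .biometryNotEnrolled:  return "no biometrics enrolled"
        case .biometryLockout:      return "biometry locked out; passcode required"
        case .passcodeNotSet:       return "no device passcode set"
        default:                    return "LAError code \(error.code)"
        }
    }
}

// Usage from a view controller (the branches are the important part):
// the failure and unavailable paths fall back to an app-specific PIN, as in
// the bank example above, and never to an in-app Apple ID password field.
func unlockAccount(using gate: AuthGate = AuthGate()) {
    gate.authenticate(reason: "Unlock your account") { result in
        DispatchQueue.main.async {
            switch result {
            case .passed:
                break // proceed to the protected screen
            case .failed(let why):
                print("auth failed: \(why)") // show a retry, not a credential prompt
            case .unavailable(let why):
                print("auth unavailable: \(why)") // offer the app's own PIN flow
            }
        }
    }
}
```

What this buys, and what it does not: only the result bit crosses the app/OS boundary, so a legitimate app built this way has no reason to ever present an Apple ID password field in its own UI, which is what makes any in-app Apple ID prompt suspicious by construction. It does not stop an app from drawing a look-alike of the system passcode sheet; the system prompt has no feature that an app cannot imitate, which is the point several commenters make below.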

    7. Re:Terrible headline by Dixie_Flatline · · Score: 5, Insightful

      I disagree in this case. Apple has had an annoying problem for a couple of years where it would pop up an anonymous dialog box asking you to log in for no discernible reason.

      You should never be prompted to enter your password without some sort of justification and idea of where it's coming from. It used to pop up 6 or 8 times in a row and I'd dutifully enter my password, wondering what the heck was going on. Usually I'd press the cancel button before iOS stopped asking me.

      Apple's crafted a system where you reflexively enter your password with no justification, and they could make that stop any time by including information about the process that's asking for it. It really is a problem in iOS that we've been complaining about for years. I'm surprised it took this long for someone to point out that it could be used for phishing.

    8. Re:Terrible headline by TechyImmigrant · · Score: 5, Funny

      >Clearly, the Fisher-Price interface coddles and encourages certain types of behavior.

      Phisher-Price ?

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    9. Re: Terrible headline by sexconker · · Score: 2

      Yeah, but all we see is the *s because it's not our password.
      When I type my password, **********, you see *s but I see the actual password.

    10. Re:Terrible headline by Kristoph · · Score: 3, Insightful

      You have no experience with security, do you? A trojan can pop up a login dialog that only vaguely looks like an authentication prompt and 9 times out of 10 a user will enter their credentials - on Windows, Mac OS X, whatever. A technically astute user (0.1%) will understand this should not happen in a given circumstance. A normal user (99.9%) will just do what they're told (because they're trained to take action X when they see prompt Y). Heck, I could probably create a prompt with a Gmail logo in a place totally unrelated to Gmail and I would still get Gmail credentials a high percentage of the time.

      That said, iOS does make this worse. They have my biometrics but they still randomly show an iTunes/iCloud prompt, which is stupid.

  2. Never an Apple user by JackieBrown · · Score: 3, Insightful

    But this isn't a flaw in iOS. It's like saying Android is insecure because of fake emails I get asking me to reset my Gmail password.

    1. Re:Never an Apple user by Anonymous Coward · · Score: 5, Insightful

      Nah, it's a fundamental flaw in iOS's UI. You will be asked for your Apple ID password ALL THE TIME on iOS. Worse, it can be triggered from inside an app by the app trying to use iCloud stuff.

      And there's nothing "special" about the prompt. It's a regular dialog box with a regular password field. There is nothing that suggests any difference between a real "OS needs your password" and a fake "phisher is asking for your password."

      There's a reason Microsoft used to make you press Ctrl-Alt-Del to enter your password in NT. It was to ensure that you pressed a key combination that no program could read, so that you could always be sure your password was going to the OS, not a phishing program. iOS has no similar thing, and does nothing else to make it clear your password is going to the OS and not some random app.

    2. Re:Never an Apple user by El+Cubano · · Score: 2

      But this isn't a flaw in iOS. It's like saying Android is insecure because of fake emails I get asking me to reset my Gmail password.

      That all depends. If the users are conditioned to respond to those sorts of pop-ups because of the OS itself or because of apps bundled by Apple, then it could be considered an iOS flaw at least in the sense that poor design choices condition the user to be more susceptible to this sort of exploitation.

      It was like Microsoft's UAC in the early days. So many apps were written in such a way that they unnecessarily triggered the UAC pop-up. Users just wanted it to go away so they could get on with what they were doing. As a result, users just became conditioned to always allow it. Bad actors who wished to exploit users could count on the fact that the vast majority of users would just OK whatever it was to make the pop-up go away. Think about that for a minute. The goal was to stop unwanted changes to the system. If I double-click an installer then I want to change the system and there is no need to ask me. However, if something that I did not launch myself fires up in the background and wants to change my system, that is not OK. The way Microsoft executed UAC was such that the user could not easily distinguish between the two and the user in haste to make the pop-up go away will allow whatever.

      Back to Apple. If the user cannot distinguish between something like the two use cases I have described then there may be a flaw to be addressed. It may also just be a problem with the application ecosystem itself or a manifestation of the user community's predisposition for convenience. In any case, I think that calling it a "fundamental flaw in iOS" is hyperbole.

    3. Re:Never an Apple user by TheFakeTimCook · · Score: 3, Interesting

      Nah, it's a fundamental flaw in iOS's UI. You will be asked for your Apple ID password ALL THE TIME on iOS. Worse, it can be triggered from inside an app by the app trying to use iCloud stuff.

      And there's nothing "special" about the prompt. It's a regular dialog box with a regular password field. There is nothing that suggests any difference between a real "OS needs your password" and a fake "phisher is asking for your password."

      There's a reason Microsoft used to make you press Ctrl-Alt-Del to enter your password in NT. It was to ensure that you pressed a key combination that no program could read, so that you could always be sure your password was going to the OS, not a phishing program. iOS has no similar thing, and does nothing else to make it clear your password is going to the OS and not some random app.

      If something is asking for my AppleID, it needs to be displaying the "TouchID" "Dialog", or I'm not playing. And TouchID simply returns a Go/No-Go back to the App.

      That's about as secure as it can get.

      I do agree, however, that there should be something to distinguish a System-Generated Password Dialog from ANY other Dialog.

  3. Avatar or user only knowledge by Midnight+Thunder · · Score: 2, Informative

    This is where having a visual indicator that only the OS and user know about could help? It could be an image or a phrase, but the idea is that an application couldn't forge the OS dialogue, because it doesn't have access to that info.

    At the same time, there are probably still limitations arising from an app asking for permissions it shouldn't need. This is easier to vet for anything going through the App Store and possibly signed applications, but for anything else it is still user beware.

    --
    Jumpstart the tartan drive.
  4. Re:Not "fundamental" by halivar · · Score: 2

    There's no equivalent to an iTunes account. If I'm asked for my Google Play account password I'm very wary.

    You said there was no equivalent, and then listed the equivalent.

  5. This is everywhere... by bradley13 · · Score: 2

    Lots of people use their Google account, or their Facebook account, to log into various sites and services. I'm not sure how Facebook works, because I rarely use it. Google makes you type in your password once per month, so Google users are also trained to enter their password more-or-less at random, when asked. It would be dead easy to fake the password dialog.

    Users trading security for convenience, yet again. The stupid thing is that companies encourage this behavior. If some service really wants you to log in again, it should ask you to go log in, not present you with some dialog to type in your password.

    --
    Enjoy life! This is not a dress rehearsal.
  6. 'Security Researcher' by Fly+Swatter · · Score: 4, Insightful

    Am I the only one that shakes my head every time I see this term used to describe a hacker/cracker/black hat that doesn't actually do research except to unlawfully break into other peoples stuff just to brag about it?

    And to stay slightly on topic, this is just social engineering, not an OS flaw. Clickbait garbage.

  7. Re:Not "fundamental" by omnichad · · Score: 2

    Did they? All they said is that they'd be wary if they were asked for their Google Play password. They did not say that the request was ever legitimate. I imagine that if I was asked for the password, the phone would switch over to the Play store app before popping up the dialog - but I also can't remember ever being asked.

  8. Keyword: Trained by Anonymous Coward · · Score: 5, Insightful

    I'm asked for my Apple password at least once a week, and it happens absolutely randomly. I might be doing anything, and suddenly "hey re-authenticate please!". I've absolutely been trained to not question it and just punch the password in so my phone continues to work. This is even worse than the whole "constant UAC prompt trains users to just say yes", because it has absolutely zero context. I don't know what triggered it, I don't know how not putting the password in limits me exactly, I have no way of knowing it's really the system asking for the credential, and I'm not just pressing yes, I'm inputting my golden key. Just bad design all around.

    1. Re:Keyword: Trained by smartr · · Score: 2

      I find this odd. I've been using iOS for probably 10 years now and don't have this experience. Maybe on some very old version? Is your phone jailbroken by someone who has your password?

  9. I think it counts as a flaw. by w3woody · · Score: 3, Insightful

    Honestly I think this does count as a fundamental flaw--but a flaw in the design of the user interface flow used to obtain credentials for iTunes (or for other applications).

    It's a flaw for two reasons. First, any process which interrupts your current actions with a modal dialog is a flaw in that if you are not paying attention, you may accidentally tap the accept or cancel button without realizing what you are doing. (This is worse on a desktop environment, where a pop-up may appear while you are typing. If you are a fast touch-typist like I am, you may accidentally press 'enter' or 'space' before realizing what you're typing has gone into the dialog box that just randomly appeared.)

    Second, the design is a flaw because it does not give a mechanism by which the context of the dialog box can be brought forward and examined for validity. That is, with the iTunes login prompt, all you are permitted to do is to enter the password or not - but you have no way to know that it indeed is coming from iTunes.

    I personally would consider fixing this user interface flaw by doing three things.

    First, provide a notification mechanism which is clearly visible to the user (such as a flashing bar at the top of the screen), but which does not directly interrupt the user's interaction with the device. If, for some reason, a password is necessary before the user can continue his interaction with the device, I would propose that a dialog box comes up which stops the user interaction with an accept/cancel button but which does not ask for information.

    Second, in response to the notification mechanism, I would switch to the application that is asking for the information. (This is easier now that iOS supports multiple concurrent applications and a method for going 'back' in the upper-left corner of the screen.) This gives the user the opportunity to examine the application which is asking for the information. (If this is in response for an iTunes password prompt, I would switch to the Settings app and to the iTunes password screen within settings.)

    Third, I would explicitly prohibit (either by changing the OS or through the review process) modal dialogs not belonging to an application from appearing over another application. This includes built-in OS modal dialogs.

    All of this is designed to force the user to examine the context in which their sensitive information is being requested, rather than blindly handing it over. Because this sort of interaction is relatively rare, forcing the user to switch to the settings page (rather than just grabbing the password on the go) is not an unreasonable price to pay here.

    1. Re:I think it counts as a flaw. by w3woody · · Score: 2

      As an aside, on iOS we already force applications to switch to the Settings app to turn on or off notifications and location settings; there is no API within iOS which can programmatically change these settings.

      Doing the same for iTunes passwords doesn't seem unreasonable to me.

  10. Re: Did you know... by saloomy · · Score: 2

    It's not a real attack unless you can get it onto the phone. Has an app with this dialog code made it past the app review process? Can you pop it up on Safari? If so, then a simple change to that one dialog box (like making it a different color to indicate secure) will fix that. If not, then nothing to see here. Just developers playing in a sandbox justifying the app review process.

  11. How's life in the hypocrite lane?