A developer has shown off a new phishing attack that could be used in Apple’s iOS that is very conniving. Felix Krause has shown of a proof of concept that could be used to steal peoples login information.
According to the report by Felix, unscrupulous developers could possibly use this in an app to steal peoples passwords.
iOS asks the user for their iTunes password for many reasons, the most common ones are recently installed iOS operating system updates, or iOS apps that are stuck during installation.
As a result, users are trained to just enter their Apple ID password whenever iOS prompts you to do so. However, those popups are not only shown on the lock screen, and the home screen, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases.
This could easily be abused by any app, just by showing an UIAlertController, that looks exactly like the system dialog.
Felix has also provided some information on how you can avoid this type of phishing attack, you can find out more details about this over at his website at the link below.