iPhone’s Apple ID Demands: Annoying or Security Flaw?

The iPhone's habit of repeatedly requesting your Apple ID password with little explanation or warning isn't just annoying -- it's also a security flaw that could allow attackers to craft extremely convincing phishing attacks, an iOS developer has warned.

Regular users of iPhones or iPads will be used to sporadic requests from the operating system to enter their Apple ID password, popping up in the middle of other activities and preventing them from continuing until they accede to the request.

It can be frustrating, particularly if the password is long and complex, and it can often be hard to work out why, precisely, the device needs your credentials. But according to developer Felix Krause, the incessant requests are more than just an irritation.

"Users are trained to just enter their Apple ID password whenever iOS prompts you to do so. However, those popups are not only shown on the lock screen, and the home screen, but also inside random apps, e.g. when they want to access iCloud, GameCenter or in-app purchases," Krause said.

"This could easily be abused by any app, just by showing [an alert] that looks exactly like the system dialogue. Even users who know a lot about technology have a hard time detecting that those alerts are phishing attacks."

Apple's standard alerts look identical to those that normal developers can present, Krause noted, which means a well-crafted phishing pop-up could present absolutely no visual warnings that something "phishy" was afoot.

Apple declined to comment.

As currently constituted, there is only one way a user can be certain that the request for a password comes from Apple and not a rogue app, Krause said: hit the home button before entering the password. That's because only Apple itself can respond to home button inputs. Any other app will be forced to close, and with it, the...
