Unfortunately, it’s easy for an app developer with malicious intent to create a pop-up dialog in iOS that exactly resembles a system-level message prompting for a password. Felix Krause, like other iOS developers and security advocates, has taken issue with this for years. Krause is the founder of fastlane, a project designed to speed app release by automating all the app-store metadata and required elements.
His post on October 10 received due attention, because he created visualizations of a user interface problem Apple needs to tackle. Few malicious apps make their way to the App Store, and they’re usually stopped before they can do much or any harm. However, an attacker who subverted an app’s internal repositories and was able to insert code could do just as much harm as an app designed to phish intentionally.
From the Mac 911 perspective, here’s how to avoid being suckered into one of these fake password prompts in a malicious app:
- Don’t enter your password into a pop-up that appears while you’re using a third-party app.
- Press the Home button. If iOS returns you to the home screen and the password dialog disappears, then the app generated the pop-up.
- If so, report this to Apple immediately and uninstall the app.
Krause advises going directly to the Settings app to enter passwords that the system requests. He has other advice and insight in his post.