Developer Demonstrates iOS Phishing Attack That Uses Apple-Style Password Request

Developer Felix Krause today shared a proof of concept phishing attack that's gaining some traction as it clearly demonstrates how app developers can use Apple-style popups to gain access to an iPhone user's Apple ID and password.

As Krause explains, iPhone and iPad users are accustomed to official Apple requests for their Apple ID and password for making purchases and accessing iCloud, even when not in the App Store or iTunes app.


Using a UIAlertController that emulates the design of the system request for a password, developers can create an identical interface as a phishing tool that can fool many iOS users.
Showing a dialog that looks just like a system popup is super easy, there is no magic or secret code involved, it's literally the examples provided in the Apple docs, with a custom text.

I decided not to open source the actual popup code, however, note that it's less than 30 lines of code and every iOS engineer will be able to quickly build their own phishing code.
Though some of the system alerts would require a developer to have a user's Apple ID email address, there are also popup alerts that do not require an email and can recover a password.


The phishing method that Krause describes is not new, and Apple vets apps that are accepted to the App Store, but it's worth highlighting for iOS users who may not be aware that such a phishing attempt is possible.

As Krause says, users can protect themselves by being wary of these popup dialogues. If one pops up, press the Home button to close the app. If the popup goes away, it's tied to the app and is a phishing attack. If it remains, it's a system request from Apple.

Krause also recommends users dismiss popups and enter their credentials directly within the Settings app.

Krause has reported the issue to Apple and recommends a fix that would include Apple asking customers to enter their credentials into the Settings app rather than directly through a popup that can be easily mimicked. Alternatively, he suggests credential requests could include an app icon to indicate that an app is asking rather than the system.

As extra protection from attacks like this, Apple customers should enable two-factor authentication as it prevents attackers from being able to log into an Apple ID account without a code from a verified device.


Discuss this article in our forums

Developer Demonstrates iOS Phishing Attack That Uses Apple-Style Password Request

Developer Felix Krause today shared a proof of concept phishing attack that's gaining some traction as it clearly demonstrates how app developers can use Apple-style popups to gain access to an iPhone user's Apple ID and password.

As Krause explains, iPhone and iPad users are accustomed to official Apple requests for their Apple ID and password for making purchases and accessing iCloud, even when not in the App Store or iTunes app.


Using a UIAlertController that emulates the design of the system request for a password, developers can create an identical interface as a phishing tool that can fool many iOS users.
Showing a dialog that looks just like a system popup is super easy, there is no magic or secret code involved, it's literally the examples provided in the Apple docs, with a custom text.

I decided not to open source the actual popup code, however, note that it's less than 30 lines of code and every iOS engineer will be able to quickly build their own phishing code.
Though some of the system alerts would require a developer to have a user's Apple ID email address, there are also popup alerts that do not require an email and can recover a password.


The phishing method that Krause describes is not new, and Apple vets apps that are accepted to the App Store, but it's worth highlighting for iOS users who may not be aware that such a phishing attempt is possible.

As Krause says, users can protect themselves by being wary of these popup dialogues. If one pops up, press the Home button to close the app. If the popup goes away, it's tied to the app and is a phishing attack. If it remains, it's a system request from Apple.

Krause also recommends users dismiss popups and enter their credentials directly within the Settings app.

Krause has reported the issue to Apple and recommends a fix that would include Apple asking customers to enter their credentials into the Settings app rather than directly through a popup that can be easily mimicked. Alternatively, he suggests credential requests could include an app icon to indicate that an app is asking rather than the system.

As extra protection from attacks like this, Apple customers should enable two-factor authentication as it prevents attackers from being able to log into an Apple ID account without a code from a verified device.


Discuss this article in our forums

Hackers Using iCloud’s Find My iPhone Feature to Remotely Lock Macs and Demand Ransom Payments

Over the last day or two, several Mac users appear to have been locked out of their machines after hackers signed into their iCloud accounts and initiated a remote lock using Find My iPhone.

With access to an iCloud user's username and password, Find My iPhone on iCloud.com can be used to "lock" a Mac with a passcode even with two-factor authentication turned on, and that's what's going on here.


Apple allows users to access Find My iPhone without requiring two-factor authentication in case a person's only trusted device has gone missing.

2-factor authentication not required to access Find My iPhone and a user's list of devices.

Affected users who have had their iCloud accounts hacked are receiving messages demanding money for the passcode to unlock a locked Mac device.


The usernames and passwords of the iCloud accounts affected by this "hack" were likely found through various site data breaches and have not been acquired through a breach of Apple's servers.

Impacted users likely used the same email addresses, account names, and passwords for multiple accounts, allowing people with malicious intent to figure out their iCloud details.

It's easy to lock a Mac with a passcode in Find My iPhone if you have someone's Apple ID and password.

To prevent an issue like this, Apple users should change their Apple ID passwords, enable two-factor authentication, and never use the same password twice. Products like 1Password, LastPass, and even Apple's own iCloud Keychain are ideal ways to generate and store new passwords for each and every website.


Users who have had their Macs locked will need to erase their machines or restore from a backup to remove the lock if no passcode is available. Apple Support can offer specific assistance on the steps that need to be followed to remove the lock.

(Thanks, Eli!)


Discuss this article in our forums

Developer Hacks Apple Watch to Run Game Boy Emulator

Developer Gabriel O'Flaherty-Chan recently shared a project where he managed to get a Game Boy emulator he dubbed "Giovanni" running on the second-generation Apple Watch, allowing it to play Game Boy and Game Boy Color games.

According to O'Flaherty-Chan, it was a challenge finding the right balance "between framerate and performance," but he says the end result is a "surprisingly usable emulator." In GIFs shared in a blog post, the Apple Watch is displayed running Pokémon Yellow.


The Giovanni emulator, named after the villain in Pokémon Yellow, was built using open source code from Gambatte, an existing iOS emulator. It uses the Digital Crown and gestures for control purposes.

By allowing the user to pan on screen for directions, rotate the Digital Crown for up and down, and tap the screen for A, I was able to eliminate buttons until I was left with Select, Start, and B.

Touching the screen for movement isn't a great interaction, but being able to use the Crown worked out a lot better than originally anticipated. Scrolling through a list of options is basically what the Crown was made for, and if the framerate was even slightly higher, the interaction could almost be better than a hardware D-pad.
As Ars Technica points out, Giovanni is not something you should expect to see in the App Store -- it's more of a proof of concept than anything else. Apple does not allow emulators on the App Store, and O'Flaherty-Chan himself says it is afflicted with bugs due to the "constraints of watchOS," including the lack of support for OpenGL and Metal.

The Giovanni source code is, however, available on Github for anyone to download, and the blog post behind the creation of Giovanni is worth reading for anyone interested in the development process.

Tags: hack, emulator

Discuss this article in our forums

This Android malware is hacking into your Google account to install apps

Https%3a%2f%2fblueprint-api-production.s3.amazonaws.com%2fuploads%2fcard%2fimage%2f302314%2fap_917826219528

Feed-twFeed-fb

Your Google accounts could have been compromised if you own a Android phone, thanks to a new malware variant known as “Gooligan.”

The malware has infected more than 1 million accounts, according to research released Wednesday from cyber security company Check Point, and that figure is growing by a massive 13,000 devices per day.

In August, Gooligan emerged as a complex malware that infects devices after users download apps from third party stores. It was originally related to a malicious app from 2015 named SnapPea. 

The malware steals authentication tokens that can be used to access data from Google Play, Gmail, Google Docs, Google Drive and more. The malware installs certain apps on a user’s phone and highly rates them. Its main mission is to install adware to generate revenue for those apps, reportedly raking in as much as $320,000 a month. Read more…

More about Gooligan, Malware, Hack, Apps, and Android