demo

This is the default “Sign in to iCloud” dialogue that iOS presents to its users (sometimes a bit too often and for no apparent reason). What scares me is that this is a fairly simple sign-in prompt for someone to doctor, include in a decoy app, and use to steal iCloud passwords.

Email Address

Although users’ iCloud email addresses aren’t readily available to developers, Apple provides an API that verifies whether an email address belongs to an iCloud account.

The decoy app could ask the user for their email during a sign-up process, or get it from their Facebook account. Later on, the attacker could verify that the email belongs to an iCloud account, then display the popup shown in the video. If the email doesn’t belong to an iCloud account, the prompt could be modified to say that the email address provided is wrong and simply ask for both the email and the password from within the prompt — most people wouldn’t think twice.

Issues

The real “Sign in to iCloud” popup seems to present itself at random times, so a fake form would be hard to spot. Additionally, iOS uses a generic UIAlertController to ask users to input sensitive information, which means it would be hard for the average person to tell a fake one from the real thing. Instead of iOS asking users to log in from within the alert view, it should launch Settings at the iCloud section, where the user can sign in securely. Unfortunately, users are already conditioned to the current dialogue. I get the feeling that even if Apple secured their sign-in-to-iCloud flow, a majority of people would still fall for this sort of attack. You may think an app like this would never be accepted by Apple, but in order to fly under the radar during the review process, the attacker can delay the popup from showing until the app is approved. For example, there could be some server-side logic that dictates when, and to whom, the fake form is shown.

Keep up with what I’m up to on Twitter or my website, and please share this article to raise awareness.