How to: Avoid password-prompting phishing scams
Glenn Fleishman explains how to evade malicious scams
Unfortunately, it’s easy for an app developer with malicious intent to create a pop-up dialog in iOS that exactly resembles a system-level message prompting for a password. Felix Krause, like other iOS developers and security advocates, has taken issue with this for years. Krause is the founder of fastlane, a project designed to speed app release by automating all the app-store metadata and required elements.
His post on 10 October received due attention, because he created visualizations of a user interface problem Apple needs to tackle. Few malicious apps make their way to the App Store, and they’re usually stopped before they can do much or any harm. However, an attacker who subverted an app’s internal repositories and was able to insert code could do just as much harm as an app designed to phish intentionally.
Here’s how to avoid being suckered into one of these fake password prompts in a malicious app:
Don’t enter your password into a pop-up that appears while you’re using a third-party app.
Press the Home button. If iOS returns you to the home screen and the password dialog disappears, then the app generated the pop-up.
If so, report this to Apple immediately and uninstall the app.

Krause advises going directly to the Settings app to enter passwords that the system requests.