When the iPhone X notch was first announced I thought it would be a fantastic security UI opportunity: What if the top of the screen was only writable by the system? It would normally be black or show the time, but whenever there is a password dialog, it turns green with a security lock. This is something I've wanted on all computers for a while: fundamentally, any computer where you can get access to the whole screen's buffer means you can fake a logged out screen asking you to log in, or any other number of phishing attacks. The only way to prevent this is to have a separate secure screen buffer for a special part of the screen that the user can use to visually verify the security of an operation. The notch provided an awesome opportunity for this because: 1) it was NEW screen real estate, it wouldn't feel like you were acquiescing existing screen space for this security need and 2) it looks absolutely horrible when integrated into apps anyways, so why not use it minimally for good reason instead?
This already exists on Windows (via requiring Ctrl-Alt-Del) and to a lesser degree on Android (by always being able to show the action bar in fullscreen).
What prevents the developer from making this new screen buffer blank/black and making the top of the app's screen look exactly like that shape and style? The user won't see the difference except for a small top margin.
Am I missing something here? Isn't the notch already taken up by FaceID sensors/front-facing camera? It isn't really "extra screen real estate".
I do like the idea of a separate indicator for system-wide security events though. Perhaps an LED indicator although that doesn't seem very Apple-like.
I worked in dumb phone standards 12 years ago (GlobalPlatform) and it was actually in the standards to tell the user "you are in the secure zone". Well, OEMs in the western world were not really willing to implement it; funny that it comes back now.
This is related to an issue called root-phishing or superuser-phishing. You can do this with the Windows admin password prompt, the MacOS prompt, or with Linux sudo, as long as you can run code from a user account or edit a single file.
alias sudo='sudo ./somethingbad; sudo'
I'm surprised you don't hear about this that often. There is no perfect solution, since any visual feedback the operating system can do to make their prompt "official-looking" is possible by an application as well, unless the operating system can display information the user would recognize that is not accessible by the application. A perfect solution on iOS is to "minimize" the application so that the home screen is shown and then show the password prompt. The user would immediately recognize the wallpaper and icons to be theirs, which are two pieces of information unavailable to the application. However, the application could still fool the user by displaying the box over the application anyway.
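The sudo alias above is the root-phishing trick from the defender's side: once a startup file redefines `sudo`, every later invocation runs attacker code with the user's own credentials. The script below is an added example, not code from the thread; it checks whether a command name still resolves to a real executable in the current shell (instead of an alias or function layered over it) and scans startup files for lines that redefine `sudo`. It assumes a POSIX sh or bash; the startup-file list and the sample rc file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): a defender-side check for the
# "alias sudo=..." trick. It answers two questions:
#   1. does NAME still run an executable on PATH, or has a shell alias or
#      function been layered over it?
#   2. do the shell startup files contain a line that redefines sudo?
# Assumed: POSIX sh or bash; the startup-file list is illustrative.

# resolves_to_binary NAME
# Returns 0 when the shell would run an executable for NAME, 1 when an
# alias or function shadows it (or NAME does not exist at all).
# `command -V` reports what the current shell would actually invoke.
resolves_to_binary() {
    desc=$(command -V "$1" 2>/dev/null) || desc=""
    case "$desc" in
        *alias*|*function*) return 1 ;;   # "is aliased to", "is a function", "is an alias for"
        *" is /"*|*hashed*) return 0 ;;   # "NAME is /usr/bin/NAME" or "is hashed (/usr/bin/NAME)"
        *)                  return 1 ;;   # not found or unrecognised: do not trust it
    esac
}

# find_sudo_overrides FILE...
# Prints every line (file:line:text) that defines an alias or function
# called sudo. Returns 0 if anything was found, 1 otherwise.
find_sudo_overrides() {
    found=1
    for f in "$@"; do
        [ -r "$f" ] || continue
        # /dev/null is passed as a second file so grep always prefixes the filename.
        if grep -nE '^[[:space:]]*(alias[[:space:]]+sudo=|sudo[[:space:]]*\(\)|function[[:space:]]+sudo([[:space:]]|\(|$))' "$f" /dev/null; then
            found=0
        fi
    done
    return $found
}

# Stand-alone demo on a constructed rc file (deleted again afterwards).
demo_rc=$(mktemp)
printf '%s\n' '# constructed sample .bashrc' \
              "alias sudo='sudo ./somethingbad; sudo'" > "$demo_rc"
if find_sudo_overrides "$demo_rc" "$HOME/.bashrc" "$HOME/.profile"; then
    echo "WARNING: sudo is redefined in a startup file"
fi
if resolves_to_binary sudo; then
    echo "sudo resolves to a real binary in this shell"
else
    echo "WARNING: sudo is shadowed or missing in this shell"
fi
rm -f "$demo_rc"
```

Run it from the interactive shell you actually use, not from a fresh `sh`, because aliases and functions live in that shell's own state; the file scan only covers the files you list, so add the rc files your shell really sources.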
For a while iOS would just seemingly randomly ask me to enter my iCloud password. I’m so used to this that without reading this article I would have literally fallen for this every single time.
I have a joke with my family that I am forced to enter iTunes password on at least one iOS device - daily. We share one iTunes account, and when you enter the password on one device, all the others prompt for a password when unlocked. It's mildly frustrating when you have kids, and multiple iOS devices.
The scenario goes like this: One of my kids' Messages app stops working (thanks Apple!). I am forced to turn off/on Messages, and during the process Apple asks for my password. Then, when I attempt to use my other iOS devices, I am prompted for the same password ... on ... every ... device. Then, about 20% of the time the password does not "take" and I am forced to ignore and attempt at a later time.
I agree, the ongoing and erratic basis that my devices ask me to sign in to iCloud is a serious flaw. I already find iCloud a completely opaque mess of services that I don't understand, and this doesn't help. The only saving grace is that cancelling out of these requests usually has no obvious downside.
I had the same issue, but I was so paranoid that I would always cancel out and not put in my password. I'm 95% sure it was legit, but randomly asking my password for seemingly no reason made me paranoid.
I've experienced this as well. I seem to be able to just cancel out of it but I'd like to know what's triggering it. It would be nice if the password box had some text to explain the context of the request.
So why does iCloud(?) randomly ask for credentials?
Me too. For a while it was truly awful on my Mac as well, constantly requiring a login. Signing out from all my devices and logging in again finally put it to bed, but it's seriously concerning when you consider how much sensitive info is carried by iCloud.
Once an OS trains its users to enter their password without thinking about it, because of random (seeming) password prompts, they’re already fucked. Apple screwed this up on iOS years ago.
I think OAuth and single sign on is great but I always thought OAuth had a similar issue to this. You're on a random website, you click to login via e.g. Google and then enter your Google password into the login dialog that appears. It's asking wayyy too much from regular users to be able to tell if this is safe or not. I'm really surprised there haven't been more phishing attempts where a fake login is shown which saves your password.
It's an even worse issue in e.g. Android apps that use Google or Facebook for logins as you can't tell what domain is serving the login prompt like you can in a desktop browser.
I'm almost ok in a web browser, at least there is a reasonable way of being 80% sure it's safe, but the webview version is my pet peeve... not even a power user could be able to tell...
I constantly have to verify my iCloud password, despite having 2FA and Touch ID enabled. At least once a week on at least one of my three iOS devices. It's such a constant chore I would probably fall for this phishing attack.
I believe it is because my email address is a relatively common [email protected], and people are trying to recover or guess the password. Perhaps there's some misguided attempt on Apple's side to increase the security if there's lots of failed attempts. I also get constant Facebook recovery attempts (at least they have a "Didn't request this change?" link), mortgage emails, bills, appointments, intra-family email threads, etc. I don't think they're malicious, tons of people are just fundamentally unable to type their email address correctly into a field.
Why not ask users to set a unique phrase to identify themselves when you set up the OS? If this phrase isn't in the box that asks for a master password, you know it's phishing. Hell, just put that IN the copy on the master password box.
"If the words below do not match your unique phrase, do not enter your password."
If I see "Green eggs and ham", I know it's safe to put in my password.
Perhaps when you put your finger on the home button it would read your fingerprint and authenticate you like that and the user wouldn't have to enter their password into a box that might steal it.
I can spend thousands using just my fingerprint, but authorising my Apple ID so I can buy a 99p app or login into iMessage requires my Apple ID password...
To the author: the double quote characters in your phishing dialog are straight ASCII " but the quotes in the official dialog are Unicode open/close double quote characters.
There are so many random popups in iOS to authenticate to iTunes, App Store, FaceTime, iCloud, etc. that I am amazed widespread phishing strategies don't already target them.
Yes. This is the most horrible UX I have ever seen, especially from a company as security-sensitive as Apple is. In my experience, none of the mitigations given by the article are actually helping in some of the cases:
> Hit the home button, and see if the app quits:
If the prompt was caused by some in-app purchase related framework having to re-check something, then the app will quit and the prompt will go away.
> Don't enter your credentials into a popup, instead, dismiss it, and open the Settings app manually
If the prompt was related to that in-app purchase, the prompt will not re-appear inside of the Settings app. If it's because of something else (no idea what - nothing tells you), then it's still asynchronous and might or might not appear after a random delay.
Anyways. Overall, Apple is slowly getting better at this, reducing the number of magic prompts, though during the beta period and after updates, it might still happen here and there.
Apple, if you're listening: You need to fix this. Centralise this in Settings and prompt users to go there. And do everything in your power not to have to re-prompt the user.
Every time I'm seeing this prompt, I'm wondering whether I'm being phished or not, especially the really bad one that's not listing the Apple ID (my apple-id is using an apple id specific email address I'm not using anywhere else, so if I'm seeing the address, it's very, very likely legit).
> But, but, but, why is the . symbol within the ", is this all fake?
Fun fact for those who (like me) didn't know for a long time... technically "gmail.com." is actually the domain name for Gmail. It's called the fully qualified domain name (FQDN), akin to an absolute domain name (as opposed to relative to the current subnet).
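The trailing dot matters beyond the dialog copy: if a comparison or allowlist treats "gmail.com." and "gmail.com" as different strings, a check meant to pin a login page to one host can either reject the legitimate absolute form or be sidestepped by it. The functions below are an added example, not code from the thread or the article; they strip the single trailing dot, lowercase, validate the label syntax and then compare against an allowlist. The sample names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): hostname handling that treats the
# trailing dot of an absolute name ("gmail.com.") as equivalent to the
# relative form, so an allowlist or same-host check cannot be broken by the
# dot or by letter case. Sample names below are constructed.

# normalize_host NAME -> prints NAME lowercased with one trailing dot removed
normalize_host() {
    h=$1
    h=${h%.}                       # "gmail.com." -> "gmail.com"; "." -> ""
    printf '%s\n' "$h" | tr '[:upper:]' '[:lower:]'
}

# valid_hostname NAME -> 0 if NAME (relative or absolute) is a syntactically
# valid DNS hostname: labels of 1-63 alphanumerics/hyphens, no label starting
# or ending with a hyphen, total length at most 253 characters.
# A second trailing dot ("gmail.com..") survives normalisation and is rejected here.
valid_hostname() {
    h=$(normalize_host "$1")
    [ -n "$h" ] && [ ${#h} -le 253 ] || return 1
    printf '%s\n' "$h" | grep -Eq '^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$'
}

# same_host A B -> 0 when A and B name the same host after normalisation
same_host() {
    [ "$(normalize_host "$1")" = "$(normalize_host "$2")" ]
}

# host_allowed NAME ALLOWED... -> 0 when NAME is valid and exactly matches
# one allowlist entry (no suffix or substring matching, so
# "accounts.google.com.evil.example" never passes for "accounts.google.com").
host_allowed() {
    name=$1; shift
    valid_hostname "$name" || return 1
    for allowed in "$@"; do
        same_host "$name" "$allowed" && return 0
    done
    return 1
}

# Stand-alone demo against a constructed two-entry allowlist.
for candidate in 'gmail.com.' 'GMAIL.com' 'gmail.com.evil.example' 'gmail..com' 'gmail.com..'; do
    if host_allowed "$candidate" gmail.com accounts.google.com; then
        echo "$candidate -> allowed"
    else
        echo "$candidate -> rejected"
    fi
done
```

The check is deliberately an exact match after normalisation rather than a suffix match; matching on "ends with gmail.com" is the classic mistake that lets a lookalike subdomain through.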
This is also an issue with in-app web browsers. AFAIK an in-app browser's data can one way or another be completely accessed by the app containing the browser.
As an example, Tinder requires Facebook login. To do this it launches a WebView. It could be faking that view to get your Facebook credentials. It could also just get them direct from the WebView.
I know tons of apps depend on WebViews but I kind of wish there was a solution. Maybe Apple only allowing the WebView to access certain domains and no 3rd party domains and then requiring the app to actually launch Safari not use a WebView. Of course I suppose that doesn't help as the app can still display a fake Facebook login.
Facebook changed their SDK login behaviour to open the Facebook app, or Safari if it's not installed. If you see an in-app webview login for Facebook, you are being phished. However, 99% of users wouldn't know to check for this.
Dialogs owned by the OS should probably pull the drawer down and display in there. The simplest way is not allowing the application to access some sacred part of the UI, and putting system stuff there. Same thing web browsers do.
I guess lucky for me I always enter my password in the Settings app directly, because I don’t know my password and the iPhone won’t let me go to a password manager when it gives me this popup without warning.
The only password outside of my password manager is the Apple one. Exactly because I need it so often that it would be a really big issue for me if I have to lose 30 seconds every time I want to enter it.
Isn't this one of the oldest tricks in the book? the following story is completely made up...
When I was in college me and a friend re-made the win2000 login sequence in Visual Basic to play pranks on people. After typing username and password it pretended to load and then just quit itself so the desktop would show so it looked like everything was fine. We'd then go in and do the classic "take a screenshot of your desktop, set it as your wallpaper and hide the icons".
Could Apple just make a dialog style unique to OS level prompts? Not foolproof, but you can't customise OS blocking dialogs from apps so you couldn't replicate the behaviour if you tried to fake it.
If you had enough access to run your Visual Basic program, didn't you already have enough access to change the wallpaper and hide the icons even without the victim's password?
Shouldn't this type of password be stored in the device's keychain, which can be unlocked with the device's auth mechanism, and provides authentication services without exposing the iTunes password to app developers? That is, authenticate user on device -> verify recipient of auth info -> send auth message.
I must be missing something since no-one seems to be suggesting this.
Android already has a decent fix for this. When a Google app needs a password entered, it shows a notification. An example I run into is when Chrome wants its Sync Passphrase. I remember long ago seeing something similar when I changed my account password, but I haven't seen it recently so I don't know if they're still doing it.
(Of course, no question that for us hackers this would be a very useful improvement!)
https://news.ycombinator.com/item?id=14205432
Perhaps in a future Apple can make you press the home button as part of the verification, so it’s kind of implicit.
I think this is the best solution so far!
As a German (we don't do this), I also didn't like that when I saw it the first time.
watch.user: https://github.com/KrauseFx/watch.user