APPLE’S UIALERTCONTROLLER CAN BE USED TO DISPLAY A PERFECT IOS PHISHING SCHEME

Apple’s iOS has proven to be the most formidable nowadays in terms of mobile security.  However, attackers have recently discovered a new IOS phishing scheme which could trick even the most careful users into giving their Apple ID password unknowingly.

For skilled Apple users, they can be fairly familiar with the system notification which requires users to enter their Apple ID credentials.  It often appears within the App Store and iTunes Store, but it also has a tendency to randomly popup from time to time due to something running in the background.

The phishing scheme relies entirely on the Apple’s UIAlertController.  UIAlertController is an object that displays an alert message to the user.  The great feature of UIAlertController is it can be used as a controller to configure alerts and action sheets with the message that will be displayed and the actions from which to choose.  UIAlertController can display alerts and action sheets in a personalized way inside any application’s content.  Association can also be used to give the user a way to respond to the displayed alert.

By using UIAlertController, attackers can display a recreated alert message within a particular target app.  The message is disguised as a legitimate system prompt which asks for the user to input their Apple ID.  The provided Apple ID is then sent to the attacker’s system, instead of being provided to the Apple’s iCloud services.

The image below shows how the attacker can copy the exact UI interface of an iOS system notification:

Legitimate System Alert

Recreated System Alert

 

 

 

 

 

 

 

 

 

 

 

 

 

Even the most efficient scrutiny of the recreated interface is undistinguishable from the legitimate alert.

The UIAlertController can be configured as follows:

let alert = UIAlertController(title: “My Alert”, message: @”This is an alert.”, preferredStyle: .alert)

alert.addAction(UIAlertAction(title: NSLocalizedString(“OK”, comment: “Default action”), style: .`default`, handler: { _ in

NSLog(“The \”OK\” alert occured.”)

}))

self.present(alert, animated: true, completion: nil)

This is how to present a view controller modally:

func present(_ viewControllerToPresent: UIViewController,     animated flag: Bool,   completion: (() -> Void)? = nil)

This function attaches an action object to the alert of action:

func addAction(_ action: UIAlertAction)

According to developer Felix Krause, IOS users are advised to do the following methods to verify if the alert is a legitimate one or a phishing scheme:

  • Hit the home button, and see if the app quits:
    • If it closes the app, and with it the dialog, then this was a phishing attack
    • If the dialog and the app are still visible, then it’s a system dialog. The reason for that is that the system dialogs run on a different process, and not as part of any iOS app.
  • Don’t enter your credentials into a popup, instead, dismiss it, and open the Settings app manually. This is the same concept, like you should never click on links on emails, but instead open the website manually.
  • If you hit the Cancel button on a dialog, the app still gets access to the content of the password field. Even after entering the first characters, the app probably already has your password.

Attackers use any means they can like this technique to try to trick users into sharing personal information, such as Apple ID password or other valuable information.  Always use two-factor authentication to protect the Apple ID.  Ultimately, if a user believes that his Apple ID has been compromised, it is advised to change the password as soon as possible.

 

Manny Cuevas

My name is Manny Cuevas a Security Researcher / Engineer for about 15 years that focuses on Web and Mobile applications and other platforms from the Island of Sulu, Philippines. I’m also a scientist, inventor and a top ranked hacker in the world that bypass all security systems.

 

One thought on “APPLE’S UIALERTCONTROLLER CAN BE USED TO DISPLAY A PERFECT IOS PHISHING SCHEME

  1. Hey webmaster
    When you write some blogs and share with us,that is a hard work for you but share makes you happly right?
    yes I am a blogger too,and I wanna share with you my method to make some extra cash,not too much
    maybe $100 a day,but when you keep up the work,the cash will come in much and more.more info you can checkout my blog.
    http://makemoneyonlineg.com/2017.php
    good luck and cheers!

Leave a Reply to John Cancel reply

Your email address will not be published. Required fields are marked *