Why you shouldn't trust Apple ID prompts in third-party apps

Not all Apple ID prompts are created equal.
Photo: Jan Vašek/Pixabay CC

It’s not uncommon to see a random popup that asks you to “Sign In to iTunes Store” on iOS. They sometimes appear unexpectedly, but they’re usually genuine. However, one developer is warning users not to enter their password when the popup appears in third-party apps.

There is a chance that the app’s developer is phishing for your Apple ID password. Luckily, there’s an easy trick to distinguish legit popups from phishing attempts.

You will typically see this popup when browsing iTunes or the App Store, though it does have a tendency to appear at any time. There are a number of reasons why it might appear; usually it is to authenticate your account after an update, or because an iOS app got stuck during installation.

In most cases, the popup is genuine and there’s nothing to worry about — especially when it appears inside an Apple app. But developer Felix Krause warns that it can be used for phishing, and that we should be extra vigilant when the popup rears its head inside third-party apps.

It’s easy for developers to make the popup appear

Although a phishing popup will look exactly the same as the genuine one, it is incredibly easy for developers to build.

“Showing a dialog that looks just like a system popup is super easy, there is no magic or secret code involved,” Krause explains in a post on his blog. “It’s literally the examples provided in the Apple docs, with a custom text.”

Apple ID phishing popup
A genuine Apple ID popup vs. a phishing attempt.
Photo: Felix Krause

“I decided not to open source the actual popup code, however, note that it’s less than 30 lines of code and every iOS engineer will be able to quickly build their own phishing code.”

What makes this even more worrying is that developers can add this code after their app has been approved by Apple. They can then leave it dormant and remotely enable it at a later time, or use a time-based trigger to activate it automatically sometime after release.

How to find out if a popup is genuine

It’s easy to establish whether an Apple ID popup is genuine, even though both versions look exactly the same. All you have to do is press the Home button while the popup is showing, and one of two things will happen:

  • The app will close and the popup will disappear with it. This means it was a phishing attempt.
  • The app and popup remain on screen. This means it is a genuine system dialog and can be trusted.

How you can protect yourself

Using two-factor authentication makes your Apple account more secure. With two-factor on, even if rogue developers obtain your login details, they can’t access your account. However, many people still use the same email address and password combination for various services, so a password phished through a fake popup could still be used to get into those other accounts.

The easiest way to protect yourself is to avoid entering your Apple ID password when a popup appears inside a third-party app — even if you have followed the instructions above and established that it is genuine. Instead, tap the “Cancel” button to dismiss it.

You can then go into the Settings app and sign into the App Store or iTunes again to authenticate your account manually.