Apple sold its billionth iPhone on July 27, 2016, an impressive feat given that the phone had been on shelves for less than 10 years since its launch on June 29, 2007.
It is estimated that at least 700 million iPhones are currently in active use around the world. If that is the case, there are at least 700 million users with unique Apple IDs.
This is where it gets interesting. In a recent blog post, Felix Krause, an iOS developer and founder of Fastlane.Tools, showed iPhone users how susceptible they are to a phishing scam. The scam uses the “UIAlertController” class to replicate Apple's official popup dialog box. It is very easy to code (as Krause says, it takes less than 30 lines of code) and could be used by any iOS developer.
As most iOS users know, Apple uses these authentication popups for a number of reasons, such as signing in to the iTunes Store or completing purchases. As a result, most iOS users are used to entering their information whenever the dialog box pops up. The alerts can contain your email or come with a generic “Sign in to manage your account,” which is an actual popup from Apple.
Unfortunately, as Krause demonstrated, this loophole can be used by unscrupulous people to get at your personal data. Once they have your password, they can access your iCloud and other pertinent information, including your backup. This can include all your emails, contacts, images, videos, and conversations. At this point, you probably get the gist: once they have access to your iCloud data, they have access to everything on your phone.
The phishing scam can be coded into an app by developers with malicious intent. Once you download an app with this piece of code in place, the dialog box will pop up while you are using the app. If you are not paying attention, you may immediately sign in and provide the information being asked of you, only this time you have unknowingly handed your credentials to people who can harm you.
To avoid this, Krause suggests that iOS users be more vigilant when inputting their information. The first step is to activate Apple’s two-factor authentication. He also warns that while developers have to get Apple’s approval for an app to be published on the App Store, there are many ways for people to circumvent this and to change the code once it has passed the approval process.
While there may be no apps on the market today that are utilizing this loophole, Apple has to step up and remove this dangerous backdoor. Otherwise, unethical developers may take advantage of it and put countless iOS users at risk.
About IntelliTeK Pty Ltd
IntelliTeK is a managed IT services company in Sydney, Australia. With major vendor relationships and accreditations from the world's leading IT companies, including WatchGuard, Microsoft, Trend Micro and Amazon Web Services, IntelliTeK has kept clients happy since 2007.