
Security Researcher Finds a Fundamental Flaw in iOS (krausefx.com) 162

Felix Krause writes: Do you want a user's Apple ID password to get access to their Apple account or to try the same email/password combination on different web services? Just ask your users politely, they'll probably just hand over their credentials, as they're trained to do so. This is just a proof of concept, phishing attacks are illegal! Don't use this in any of your apps. The goal of this blog post is to close the loophole that has been there for many years, and hasn't been addressed yet. For moral reasons, I decided not to include the actual source code of the popup, however it was shockingly easy to replicate the system dialog.

  • Terrible headline (Score:5, Insightful)

    by Anonymous Coward on Tuesday October 10, 2017 @10:08AM (#55342663)

    Phishing attacks that are well crafted don't count as flaws.

    • by halivar ( 535827 )

      As if this couldn't be done on ANY platform.

      • Yes, it could be done on any platform.

        However, the different platforms cultivate different sorts of users.

        On a platform where an immense amount of handholding is part of the design and culture of the platform, compliant and obedient users are the norm.

        Compare the effectiveness of this sort of phishing on:

        - An iOS account holder.
        - An OpenBSD account holder.

        Clearly, the Fisher-Price interface coddles and encourages certain types of behavior. You can't really blame that on the developers, or the users. It's

      • As if this couldn't be done on ANY platform.

        It can't. There are reasons password fields don't pop up like that in other operating systems without also doing something only the operating system can. The problem here is the lack of any indicators that this is trusted.

    • by gweihir ( 88907 ) on Tuesday October 10, 2017 @10:19AM (#55342725)

      Well, normally I would agree, but this one is not quite phishing anymore, it is more an OS dialog impersonation attack, and the user cannot really see what is going on. Make this dialog appear when it is reasonable to expect, and the user really does not have much of a chance.

      • Well, normally I would agree, but this one is not quite phishing anymore, it is more an OS dialog impersonation attack, and the user cannot really see what is going on. Make this dialog appear when it is reasonable to expect, and the user really does not have much of a chance.

        Again, why is this even news?

        Impersonation of a Login Dialog can be done on ANY OS, period. And with stuff like Text Substitutions in a Dialog, pretty much no amount of App-Scanning by %APP_APPROVER% is going to discover a cleverly-obfuscated Dialog creation function.

        What Apple (and others) could POSSIBLY do, is to make a "Credentials" Dialog appear COMPLETELY different from any-other-Dialog, using baked-in UI elements that are simply not accessible to Apps. Kind of like building holograms and micro-

      • OS dialog impersonation attacks are nothing new [microsoft.com]. I remember there was one that popped up on a browser that looked like a Fisher-Price Windows XP dialog. The first time I was on a Mac so it was obvious. The second time, it popped up on an XP machine. But the user had set their colors to the olive green XP colors and not the default blue one or it might be convincing to the user.

    • by omnichad ( 1198475 ) on Tuesday October 10, 2017 @10:22AM (#55342751) Homepage

      If the platform doesn't give you a way to distinguish, then it's still a platform security issue.

      • If the platform doesn't give you a way to distinguish, then it's still a platform security issue.

        I agree. I think an authentication dialog box should include something that the app cannot know, such as some sort of user-selected image or phrase. If the dialog has a standard appearance an app can spoof it.

        • Windows solved this in the 1990s with ctrl-alt-del.
      • by torkus ( 1133985 )

        This is nothing new by any stretch and applies to many platforms.

        I remember back in college the computers were all linux terminals. Someone scripted a shell within their shell that let others log in. Equal to running a VM within a VM...and a handy keylogger in the middle.

        And...it looked just like every other terminal. You could log in, do your thing, log out. It was slow as crap but...the whole computer system at the time was crap so no one suspected anything. He was eventually caught and expelled, but

        • This is nothing new by any stretch and applies to many platforms.

          I don't disagree with you there. But it's been ignored too long at this point. With the OS taking the primary role in security these days, it's time to address it.

    • One word:

      2FA

    • by w3woody ( 44457 ) on Tuesday October 10, 2017 @11:10AM (#55343037) Homepage

      Honestly I think this does count as a fundamental flaw--but a flaw in the design of the user interface flow used to obtain credentials for iTunes (or for other applications).

      It's a flaw for two reasons. First, any process which interrupts your current actions with a modal dialog is a flaw in that if you are not paying attention, you may accidentally tap the accept or cancel button without realizing what you are doing. (This is worse on a desktop environment, where a pop-up may appear while you are typing. If you are a fast touch-typist like I am, you may accidentally press 'enter' or 'space' before realizing what you're typing has gone into the dialog box that just randomly appeared.)

      Second, the design is a flaw because it does not give a mechanism by which the context of the dialog box cannot be brought forward and examined for validity. That is, with the iTunes login prompt, all you are permitted to do is to enter the password or not--but you have no way to know that it indeed is coming from iTunes.

      I personally would consider fixing this user interface flaw by doing three things.

      First, provide a notification mechanism which is clearly visible to the user (such as a flashing bar at the top of the screen), but which does not directly interrupt the user's interaction with the device. If, for some reason, a password is necessary before the user can continue his interaction with the device, I would propose a dialog box come up which stops the user interaction with an accept/cancel button but which does not ask for information.

      Second, in response to the notification mechanism, I would switch to the application that is asking for the information. (This is easier now that iOS supports multiple concurrent applications and a method for going 'back' in the upper-left corner of the screen.) This gives the user the opportunity to examine the application which is asking for the information. (If this is in response for an iTunes password prompt, I would switch to the Settings app and to the iTunes password screen within settings.)

      Third, I would explicitly prohibit (either by changing the OS or through the review process) modal dialogs not belonging to an application from appearing over another application. This includes built-in OS modal dialogs.

      All of this is designed to force the user to examine the context in which their sensitive information is being requested, rather than blindly handing it over. Because this sort of interaction is relatively rare, forcing the user to switch to the settings page (rather than just grabbing the password on the go) is not an unreasonable price to pay here.

      • by w3woody ( 44457 )

        As an aside, on iOS we already force applications to switch to the Settings app to turn on or off notifications and location settings; there is no API within iOS which can programmatically change these settings.

        Doing the same for iTunes passwords doesn't seem unreasonable to me.

    • by Dixie_Flatline ( 5077 ) <.moc.liamg. .ta. .hog.naj.tnecniv.> on Tuesday October 10, 2017 @11:15AM (#55343077) Homepage

      I disagree in this case. Apple has had an annoying problem for a couple of years where it would pop up an anonymous dialog box asking you to log in for no discernible reason.

      You should never be prompted to enter your password without some sort of justification and idea of where it's coming from. It used to pop up 6 or 8 times in a row and I'd dutifully enter my password, wondering what the heck was going on. Usually I'd press the cancel button before iOS stopped asking me.

      Apple's crafted a system where you reflexively enter your password with no justification, and they could make that stop any time by including information about the process that's asking for it. It really is a problem in iOS that we've been complaining about for years. I'm surprised it took this long for someone to point out that it could be used for phishing.

      • I agree with you entirely - but if Apple adds some sort of identifier regarding which process triggered the pop-up prompt, it’s not clear a malicious actor couldn’t fake that part of the pop-up as well.

        I wonder whether the whole process should be redesigned somehow.

        • I agree with you entirely - but if Apple adds some sort of identifier regarding which process triggered the pop-up prompt, it’s not clear a malicious actor couldn’t fake that part of the pop-up as well.

          I wonder whether the whole process should be redesigned somehow.

          I don't think that the pop-up prompt that the phishing apps are using is the same as the iOS is using. The way it works, normally, is that a pop-up will be displayed when you attempt to start any of those phishing apps. There are some games in the App Store right now that will force you to enter your password before you could even start the game. Some of these apps have similar pop-up format (but not exactly) right when you load it up as well. So it doesn't matter whether Apple adds some sort of identifier

    • It's a *design* flaw though, not the usual half-assed implementation flaw. Yes, there's a social engineering component, but the design of the OS makes the job of the social engineer all too easy.

      This attack is like a hybrid Trojan/phishing/MITM attack: your evil app puts up a bogus dialog box that looks like an iOS dialog box asking for Apple credentials. It then harvests this information and transmits it to the bad actor. And it isn't just Apple that's vulnerable to this; Windows does this so often th

    • by houghi ( 78078 )

      We already know that hacking is 95% social engineering (and still geeks can't social engineer girlfriends), but at least they could solve it like /. does where they show the password hidden like
      Login:houghi
      Pass:********

    • This cannot be done on Windows. If you put up a login screen, people have to press ctrl-alt-delete. If they see a login screen without having pressed this, they will know it's bogus. If they press ctrl-alt-delete, a real Windows screen will come up. So you can't put up a fake login screen. Mobile phones need something similar. i.e. you have to touch the "home" button for any password entry and if somebody touches the home button take them to the real home so they can't be fooled. Sorry but this is a p
      • by AuMatar ( 183847 )

        If you think the average user will think "Oh, I didn't press ctrl alt delete this must be a fake!!!", you have FAR too much faith in the average user. I don't think the average techie would think about the keypress combo, much less the average user. The techie is more likely to realize that there was no reason for a login screen to come up than think about the lack of a keypress.

      • If they see a login screen without having pressed this, they will know it's bogus.

        Really? I don't press c-a-d when I click on an unmounted but mapped network drive, and I get a pretty clear request for a username and password.

    • Do you want a user's Apple ID password to get access...

      Not just the headline; why would i want the password to have access?? Oh, wait; it was just another deficiency in basic English...

    • I believe they were pointing out was the users.

    • If your browser would let any web site show https://myaccount.google.com/ [google.com] in the address bar with the green padlock, is that not a security flaw?

      Not saying this is exactly the same, but if a platform makes it very hard or impossible for the user to detect a phishing attack, it is a security flaw.

  • by JackieBrown ( 987087 ) <dbroome@gmail.com> on Tuesday October 10, 2017 @10:13AM (#55342695)

    But this isn't a flaw in IOS. It's like saying Android is insecure because of fake emails I get asking me to reset my gmail password

    • by Anonymous Coward on Tuesday October 10, 2017 @10:19AM (#55342723)

      Nah, it's a fundamental flaw in iOS's UI. You will be asked for your Apple ID password ALL THE TIME on iOS. Worse, it can be triggered from inside an app by the app trying to use iCloud stuff.

      And there's nothing "special" about the prompt. It's a regular dialog box with a regular password field. There is nothing that suggests any difference between a real "OS needs your password" and a fake "phisher is asking for your password."

      There's a reason Microsoft used to make you press Ctrl-Alt-Del to enter your password in NT. It was to ensure that you pressed a key combination that no program could read, so that you could always be sure your password was going to the OS, not a phishing program. iOS has no similar thing, and does nothing else to make it clear your password is going to the OS and not some random app.

      • by TheFakeTimCook ( 4641057 ) on Tuesday October 10, 2017 @11:12AM (#55343067)

        Nah, it's a fundamental flaw in iOS's UI. You will be asked for your Apple ID password ALL THE TIME on iOS. Worse, it can be triggered from inside an app by the app trying to use iCloud stuff.

        And there's nothing "special" about the prompt. It's a regular dialog box with a regular password field. There is nothing that suggests any difference between a real "OS needs your password" and a fake "phisher is asking for your password."

        There's a reason Microsoft used to make you press Ctrl-Alt-Del to enter your password in NT. It was to ensure that you pressed a key combination that no program could read, so that you could always be sure your password was going to the OS, not a phishing program. iOS has no similar thing, and does nothing else to make it clear your password is going to the OS and not some random app.

        If something is asking for my AppleID, it needs to be displaying the "TouchID" "Dialog", or I'm not playing. And TouchID simply returns a Go/No-Go back to the App.

        That's about as secure as it can get.

        I do agree, however, that there should be something to distinguish a System-Generated Password Dialog from ANY other Dialog.

        • From what I've read (can't confirm since I don't use iOS), the system sometimes asks for your password even if you use TouchID for authentication. If so, there's the flaw.
          • From what I've read (can't confirm since I don't use iOS), the system sometimes asks for your password even if you use TouchID for authentication. If so, there's the flaw.

            The only time that is true is the initial Lock-Screen (wherein it will ask for a PW under certain conditions, e.g. not logging-in for 48 hours, etc.), and I double-dog-dare anyone to do a MITM attack on THAT process! ;-)

            • Nah, not that. The lock screen asks for the passcode. This article is about the Apple ID password. (Again, I can't confirm how exactly it works - maybe it only asks for that when you use iCloud)
              • Nah, not that. The lock screen asks for the passcode. This article is about the Apple ID password. (Again, I can't confirm how exactly it works - maybe it only asks for that when you use iCloud)

                AppleID Passwords are asked for only when Making Purchases in the App Store, or iTunes Purchases. And if you have TouchID, you can use that, which is more secure (no authentication info leaves the device).

                I avoid iCloud; but the iCloud sign-in Dialog asks for an "iCloud PW", (NOT the AppleID one); so I think they at least CAN be different.

      • OK, but how long would such an app survive with such bad behavior (let alone be approved by Apple in the 1st place)?
      • Nah, it's a fundamental flaw in iOS's UI. You will be asked for your Apple ID password ALL THE TIME on iOS. Worse, it can be triggered from inside an app by the app trying to use iCloud stuff.

        Sounds like someone who's never used iOS. I'm not asked "ALL THE TIME" for my Apple ID especially if I've already set my settings. The times I'm asked for my authentication for my Apple ID, it's for my fingerprint. If I turn it off, it would ask if I purchase something (because my settings are set to this).

        And there's nothing "special" about the prompt. It's a regular dialog box with a regular password field. There is nothing that suggests any difference between a real "OS needs your password" and a fake "phisher is asking for your password."

        And what determines an authentic password request on Windows or Android? And that request can't be faked?

        There's a reason Microsoft used to make you press Ctrl-Alt-Del to enter your password in NT. It was to ensure that you pressed a key combination that no program could read, so that you could always be sure your password was going to the OS, not a phishing program. iOS has no similar thing, and does nothing else to make it clear your password is going to the OS and not some random app.

        Er what? You've confused many things. Ctrl-Alt-Del originally had nothing to do with passwords. The

    • No, it's always Apple's fault that all computer users could be susceptible to this kind of attack.
    • But this isn't a flaw in IOS. It's like saying Android is insecure because of fake emails I get asking me to reset my gmail password

      That all depends. If the users are conditioned to respond to those sorts of pop-ups because of the OS itself or because of apps bundled by Apple, then it could be considered an iOS flaw at least in the sense that poor design choices condition the user to be more susceptible to this sort of exploitation.

      It was like Microsoft's UAC in the early days. So many apps were written in such a way that they unnecessarily triggered the UAC pop-up. Users just wanted it to go away so they could get on with what they

      • But this isn't a flaw in IOS. It's like saying Android is insecure because of fake emails I get asking me to reset my gmail password

        That all depends. If the users are conditioned to respond to those sorts of pop-ups because of the OS itself or because of apps bundled by Apple, then it could be considered an iOS flaw at least in the sense that poor design choices condition the user to be more susceptible to this sort of exploitation.

        It was like Microsoft's UAC in the early days. So many apps were written in such a way that they unnecessarily triggered the UAC pop-up. Users just wanted it to go away so they could get on with what they were doing. As a result, users just became conditioned to always allow it. Bad actors who wished to exploit users could count on the fact that the vast majority of users would just OK whatever it was to make the pop-up go away. Think about that for a minute. The goal was to stop unwanted changes to the system. If I double-click an installer then I want to change the system and there is no need to ask me. However, if something that I did not launch myself fires up in the background and wants to change my system, that is not OK. The way Microsoft executed UAC was such that the user could not easily distinguish between the two and the user in haste to make the pop-up go away will allow whatever.

        Back to Apple. If the user cannot distinguish between something like the two use cases I have described then there may be a flaw to be addressed. It may also just be a problem with the application ecosystem itself or a manifestation of the user community's predisposition for convenience. In any case, I think that calling it a "fundamental flaw in iOS" is hyperbole.

        The iOS experience is NOT filled with UAC-like Permission Challenges. Never has (hopefully) never will.

        The typical iOS User will ONLY be challenged in a very few situations:

        1. Doing an OS Update.
        2. Doing a Backup/Restore of their Device.
        3. Downloading an App from the App Store.
        4. iTunes Store Purchases/Rentals.
        5. Creating/Changing your AppleID login credentials.

        There MIGHT be a few others; but they are rare enough that I can't remember ever seeing them personally.

        Notice that ALL of those are ONLY initiated

        • by mark-t ( 151149 )

          The fact that you'd only be asked for password in those situations is not sufficient to be sure it would not be a problem.

          If I were so inclined to try and exploit this so-called "flaw", I would write my application so that the malicious code does not execute for the first 30 days (and thus should not be noticed by those that are performing an app-store eligibility review), and then one day after that, and entirely at random, upon invoking some in-app purchase, the faked dialog pops up instead of the

          • The fact that you'd only be asked for password in those situations is not sufficient to be sure it would not be a problem.

            If I were so inclined to try and exploit this so-called "flaw", I would write my application so that the malicious code does not execute for the first 30 days (and thus should not be noticed by those that are performing an app-store eligibility review), and then one day after that, and entirely at random, upon invoking some in-app purchase, the faked dialog pops up instead of the real one. The user enters their credentials, and a brief moment later, they are given the same message that would show up if a user happened to lose their network connectivity just after they got the dialog (I don't know what sort of notification this is for the iPhone, so I can't say for sure that I know what it would be... maybe the app just says it lost connection to the store, or whatnot. I don't know). Anyways, after it has done this exactly once for a given user, it would not ever do it again.

            I expect that most users would retry, and at this point the app would proceed normally via a real itunes purchase, while their password was still stored by the app in the first popup.

            At some later point, this username and password combo could be sent to some home base by the application, perhaps as part of a request that retrieves high scores for other players, and the user would not necessarily ever know about it unless they were practically being voyeurs for every network packet their device sends and receives.

            I'm honestly not sure what it says about my ethical standards that I would have taken the time to even think of this.

            Pretty sure that iOS sandboxing would make those kinds of inter-app shenanigans impossible.

    • by Tomahawk ( 1343 )

      No, it would be like saying android is insecure because Google regularly send emails asking to reset your gmail password. So when you get an email that looks similar you'll just click the link and enter your password.

      On Android, I'm trying to remember any time I'm asked to enter my account password. When I add my account to the phone initially, and when I purchase something from the play store. I don't recall ever seeing a popup asking for my google account password in any other circumstance.

      So the issue

      • No, it would be like saying android is insecure because Google regularly send emails asking to reset your gmail password. So when you get an email that looks similar you'll just click the link and enter your password.

        On Android, I'm trying to remember any time I'm asked to enter my account password. When I add my account to the phone initially, and when I purchase something from the play store. I don't recall ever seeing a popup asking for my google account password in any other circumstance.

        So the issue here is that by being asked for your password a lot (relatively, at least), then a user won't think twice when asked at any random time and will just enter it.

        As I said, fortunately, iOS doesn't ask for your login every whipstitch, either. Only during certain specific APPLE tasks.

        See: https://it.slashdot.org/commen... [slashdot.org]

    • Yes, it is, because it shouldn't be possible for a trojan to impersonate the system log in screen. That's why Windows boxes make you use ctrl-alt-del--user programs can't catch that key sequence and make it look like you're logging in.

    • by Anonymous Coward

      But this isn't a flaw in IOS.

      It's a flaw when the operating system allows an application to trivially impersonate the operating system, and the operating system doesn't have any way for the user to determine that the UI element is part of the operating system and not an application.

  • by Anonymous Coward

    This article is the stupid.

  • by Midnight Thunder ( 17205 ) on Tuesday October 10, 2017 @10:17AM (#55342713) Homepage Journal

    This is where having a visual indicator that only the OS and user know about could help? It could be an image or a phrase, but the idea is that an application couldn't forge the OS dialogue, because it doesn't have access to that info.

    At the same time, there are probably still limitations arising from an app asking for permissions it shouldn't need. This is easier to vet for anything going through the App Store and possibly signed applications, but for anything else it is still user beware.

    • This is where having a visual indicator that only the OS and user know about could help? It could be an image or a phrase, but the idea is that an application couldn't forge the OS dialogue, because it doesn't have access to that info.

      At the same time, there are probably still limitations arising from an app asking for permissions it shouldn't need. This is easier to vet for anything going through the App Store and possibly signed applications, but for anything else it is still user beware.

      Apple did the "Permissions" the other way-around. The App can install; but it has to ask Permission when it goes to USE the Service for the first time, and the Permission can ALWAYS be revoked from the Settings "App". I think Android FINALLY changed to a similar security model; but it took 'em long enough!

  • If you tell someone that you're from the IT department, most users will gladly tell you their password even though corporate policy says not to tell anyone your password. Some people have their password on a Post-It note underneath their keyboard or on the side of their monitor.
  • by bradley13 ( 1118935 ) on Tuesday October 10, 2017 @10:26AM (#55342777) Homepage

    Lots of people use their Google account, or their Facebook account, to log into various sites and services. I'm not sure how Facebook works, because I rarely use it. Google makes you type in your password once per month, so Google users are also trained to enter their password more-or-less at random, when asked. It would be dead easy to fake the password dialog.

    Users trading off security for convenience, yet again. The stupid thing is that companies encourage this behavior. If some service really wants you to login again, it should ask you to go log in, not present you with some dialog to type in your password.

    • by Zocalo ( 252965 )
      This is supposedly using some kind of federated authentication system like OAuth that doesn't require the password be exposed, but the idea is absolutely horrible from a phishing standpoint precisely because too many users are conditioned to blindly enter passwords on demand when confronted by an authentic enough looking prompt on what they consider to be a legit site. (In many cases, they'll even do it on a decidedly sketchy looking prompt on a highly suspect site as well, but that's kind of by the by.)
      • by phorm ( 591458 )

        Except with oauth, you should not be entering your credentials anywhere except Google/FB's site. That's part of the point of it.

        If you're not on google.com or facebook.com, don't enter the password.

        • by Zocalo ( 252965 )
          Yeah, I know that. You know that. The average Joe who is used to Google/Facebook asking for their password to be re-entered (legitimately) at apparently random points in time though? Unless they've paid particular attention to blurb from Google/Facebook, or looked into how OAuth works, I can't imagine too many of them are going to think twice on the spur of the moment if the faked prompt is suitably convincing.
  • by Anonymous Coward

    This is old as stones. We used this ages ago to make fun of unsuspecting uni dinosaurs. Just run a program printing "login:" and you're done.

    So, what's new?

  • Will they install control, alt and delete keys on iPhones?

  • by Fly Swatter ( 30498 ) on Tuesday October 10, 2017 @10:30AM (#55342803) Homepage

    Am I the only one that shakes my head every time I see this term used to describe a hacker/cracker/black hat that doesn't actually do research except to unlawfully break into other people's stuff just to brag about it?

    And to stay slightly on topic, this is just social engineering, not an OS flaw. Clickbait garbage.

    • Am I the only one that shakes my head every time I see this term used to describe a hacker/cracker/black hat that doesn't actually do research except to unlawfully break into other people's stuff just to brag about it?

      And to stay slightly on topic, this is just social engineering, not an OS flaw. Clickbait garbage.

      Exactly!


  • I can simulate a real terror threat and people will believe it! -get a new brain?!

    How the fuck is this a flaw in iOS? What a load of rubbish.
  • Why title it "Security Researcher" when you clearly submitted a post about yourself? Why not instead title it "I find what I personally think is a fundamental flaw in iOS"?

  • Keyword: Trained (Score:5, Insightful)

    by Anonymous Coward on Tuesday October 10, 2017 @10:47AM (#55342879)

    I'm asked for my Apple password at least once a week, and it happens absolutely randomly. I might be doing anything, and suddenly "hey re-authenticate please!". I've absolutely been trained to not question it and just punch the password in so my phone continues to work. This is even worse than the whole "constant UAC prompt trains users to just say yes", because it has absolutely zero context. I don't know what triggered it, I don't know how not putting the password in limits me exactly, I have no way of knowing it's really the system asking for the credential, and I'm not just pressing yes, I'm inputting my golden key. Just bad design all around.

    • by smartr ( 1035324 )
      I find this odd. I've been using iOS for probably 10 years now and don't have this experience. Maybe on some very old version? Is your phone jailbroken by someone who has your password?
      • Do you use iCloud for anything? That seems to be the most common culprit as far as I can tell, but as the article notes, it is hard to tell sometimes why you're being pestered for it. It may be akin to how if an email server is down your client will think you failed to log in and pester you a lot with a prompt. If you don't use the relevant services or never have connectivity issues it may leave you alone for the most part.
      • When he says "password", I think he may mean "passcode". After the passcode is entered to unlock the phone, it will then unlock using only TouchID for a week before requiring the passcode again be entered (unless two days go by without being unlocked). The passcode prompt often appears to be random since you keep unlocking the phone with a finger, then suddenly it says no, give me the passcode instead (often at a rather inconvenient time).

        Like you, I don't get Apple/iCloud password prompts unless performing

  • ...the article title was a kind of phishing itself. When will you learn there is a difference between bait and chum? In the least iOS should be removed from the title - the issues described can happen to most any device OS.
  • Wow, congratulations on discovering social engineering! Seriously slashdot, we've had posts where people supposedly discover things that have been around for years. The other day it was vending machines, now it's social engineering.
    • by epine ( 68316 )

      Wow, congratulations on discovering social engineering!

      Yeah, no. Whoosh. What we're debating here is social engineering engineering, the kind of engineering a responsible corporation engages in if they're up to speed with the former.

      I'm pretty sure this is why Apple wants to include a living retina eye scanner in every phone.

      Personally, if I had the option (and an iPhone), I'd set things up so my smart watch's accelerometer first had to detect my left hand performing a sinister Catholic cross before the o

  • Anyone with a minimum of dev background ( hopefully that means a lot of people here ) knows that kind of "trick".
  • This is not theoretical, these exploits are live and active. A week ago my not-so tech savvy father-in-law was visiting me in the USA and asked me to help "clean up" his iPhone 6. He kept getting these "please enter your apple ID" credential popups for no known reason. Also, he was getting odd printer setup popups and knew of no printer software on his phone. He lives in Switzerland, travels the world and had installed several apps to communicate with friends in China and various European countries. A co
