Every user iOS at least once saw a pop-up window asking to enter their username and / or password, and they usually come from Apple herself.
One developer thought that a phishing attack could be easily performed using such a window. Felix Krause created a concept proving that developers can easily disguise an attack as a popup from Apple.
As Krause says, users are used to seeing such windows even outside of iTunes and App Store apps. He used the UIAlertController and recreated the design of a standard password or username prompt, which can then be used for phishing.
'iOS prompts users for a password from iTunes for many reasons, the most popular of which are recently updated software and applications stuck during installation.
As a result, users automatically enter their Apple ID and password each time. But such windows pop up not only on the lock screen and home screen, but also in some applications that need access to iCloud, GameCenter or purchases.
Any application can easily take advantage of this, since the UIAlertController can accurately recreate a standard dialog box '.
In most cases, a developer will need the user's email address to get their password, but sometimes they don't even need one.
Krause says that such things need to be treated more carefully. When not sure, just close the window by pressing the Home button. If it does not disappear, this is the official window Apple, and if it disappears, this is the application window, and you should not enter your data.
This type of attack is not new, and Apple scrutinizes applications before adding them to App Store. But it never hurts to be careful.
Krause informed Apple about his concept.