Stay up to date with notifications from The Independent

Notifications can be managed in browser preferences.

iPhone passwords 'shockingly easy' to steal from iOS users

'Even users who know a lot about technology have a hard time detecting that those alerts are phishing attacks'

Aatif Sulleyman

Wednesday 11 October 2017 18:03 BST

(Felix Krause)

A developer has demonstrated how “shockingly easy” it is to steal people’s Apple ID passwords.

Felix Krause created a proof of concept phishing attack that looks identical to the official system popups in iOS.

He says it’s possible for criminals to programme apps to run certain code only after Apple has approved it for a spot in the App Store, and that the scheme works because iOS has “trained” users to automatically enter their details without questioning a popup's legitimacy.

How to stop Facebook from revealing everything about you

Show all 9

1/9How to stop Facebook from revealing everything about you

How to stop Facebook from revealing everything about you

Lock your profile down

If you haven’t done this already, do it now. In Settings, hit the Privacy tab. From here, you can control who gets to see your future posts and friends list. Choose from Public, Friends, Only Me and Custom in the dropdown menu.

How to stop Facebook from revealing everything about you

Limit old posts

Annoyingly, changing this has no effect on who’s able to see your past Facebook posts. Instead, on the Privacy page, you have to click on Limit Past Posts, then select Limit Old Posts and finally hit Confirm on the pop-up.

How to stop Facebook from revealing everything about you

Make yourself harder to find

You can stop completely random people from adding you by selecting Friends of Friends from the dropdown menu in the Who can send you friend requests? section of the Privacy page. It’s also worth limiting who can find your Facebook profile with your number and email address. At the bottom of the page is the option to prevent search engines outside of Facebook from linking to your profile.

How to stop Facebook from revealing everything about you

Control access to your Timeline

You can limit who gets to post things on your Timeline and who gets to see posts on your Timeline too. In Settings, go to Timeline and Tagging and edit the sections you want to lock down.

How to stop Facebook from revealing everything about you

Block people

When you block someone, they won’t be able to see things you post on your Timeline, tag you, invite you to events or groups, start conversations with you or add you as a friend. To do it, go to Settings and Blocking. Annoyingly, you have to block people on Messenger separately. You can also add friends to your Restricted list here, which means they’ll still be friends with you but will only be able to see your public posts and things you share on a mutual friend's Timeline.

How to stop Facebook from revealing everything about you

Review tags

One of Facebook’s handiest privacy features is the ability to review posts you’re tagged in before they appear on your Timeline. They’ll still be visible on the News Feed while they’re fresh, but won’t be tied to your profile forever. In Timeline and Tagging, enable Timeline review controls.

How to stop Facebook from revealing everything about you

Clean up your apps

You can view a list of all of the apps you’ve connected to your Facebook account by going to Settings and Apps. The list might be longer than you expected it to be. It’s worth tidying this up to ensure things you no longer use lose access to your personal information. If you don’t want to log into websites and apps with your facebook account, scroll down and turn Platform off.

How to stop Facebook from revealing everything about you

Change your ad preferences

You can view a list of everything Facebook thinks you’re into and tinker with your ad preferences by going to Settings and Adverts. A lot more information is displayed on the desktop site than the app, so we’d recommend doing this on a computer.

How to stop Facebook from revealing everything about you

Download your data

Facebook lets you download all of the data it has on you, including the posts you’ve shared, your messages and photos, ads you’ve clicked on and even the IP addresses that are logged when you log in or out of the site. It’s a hell of a lot of information, which you should download to ensure you never over-share on the social network again.

Mr Krause says he was able to create the lookalike popup with less than 30 lines of code, and that “every iOS engineer” would be capable of creating their own phishing code.

“iOS asks the user for their iTunes password for many reasons, the most common ones are recently installed iOS operating system updates, or iOS apps that are stuck during installation,” he wrote in a blog post.

“As a result, users are trained to just enter their Apple ID password whenever iOS prompts you to do so. However, those popups are not only shown on the lock screen, and the home screen, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases.

“This could easily be abused by any app, just by showing an UIAlertController, that looks exactly like the system dialog. Even users who know a lot about technology have a hard time detecting that those alerts are phishing attacks.”

It highlights a huge potential danger for users, who could easily be tricked into simply handing their login details to a cyber criminal.

Mr Krause recommends hitting the home button when any popup appears in iOS. If doing so makes both the app and the popup disappear, it was a phishing attack, he says.

He says you can protect yourself further by dismissing popups altogether and instead only enter your password information in the Settings app.

“This is the same concept [as never clicking] on links on emails, but instead open the website manually,” he wrote.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies