iOS Privacy: Apple Makes Phishing Easy

fastlane’s Felix Krause points out that getting a user’s Apple ID password may be as easy as asking: iOS’s password prompt is supposedly simple to replicate in rogue applications that aim to steal information. The loophole, which revolves around UIAlertController, has remained for many years.



iOS asks the user for their iTunes password for many reasons: the most common are recently installed iOS operating system updates and iOS apps that are stuck during installation. As a result, users are trained to just enter their Apple ID password whenever iOS prompts them to do so. However, those popups are shown not only on the lock screen and the home screen, but also inside random apps. This could easily be abused by any app, just by showing a UIAlertController that looks exactly like the system dialog.

Source: [H]ardOCP – iOS Privacy: Apple Makes Phishing Easy