We have all done it.
What is “it”? It is entering our iTunes password when our iDevices request it.
It happens frequently enough that even I fail to question what’s behind the request. However, new research by Felix Krause has me now asking, “Who, or what, is asking for my password?”
How it was discovered
Felix is a developer and founder of fastlane.tools. According to his blog, fastlane is “an open source tool for iOS and Android developers focussed on making building and releasing apps easier”.
In his post, Felix shares how the exploit can be performed. It appears to be nothing more than a simple request using Apple’s own developer tools to generate look-alike password prompts that can be spawned from within an app.
He also offers ways to determine if a request is fraudulent:
1. Try to close the app by pressing the home button. If the prompt disappears along with the app, it came from the app rather than from iOS.
2. Don’t enter your password into a pop-up. Use the Settings app and enter your password into the iTunes entry manually. This is much like what you would do if you were sent an email to reset your password: instead of clicking on the link, you open the browser and navigate to the site yourself.
3. Be mindful that any text (even a partial password) may result in sending the full password, even if you tap ‘cancel’.
I would add one more: close all apps and restart your phone. If you receive a prompt after restarting, open Settings and enter your password there.