That new 'privacy icon' in iOS 11.3 does nothing to prevent password phishing

iPhone users are still vulnerable to being tricked into handing over passwords. Apple knows it — but won't do anything about it.
Written by Zack Whittaker, Contributor

(Image: ZDNet)

iPhone or iPad users, if you update to iOS 11.3 now, you'll have new features and a bunch of security updates. But you'll still be just as vulnerable to on-device phishing attacks as you ever were.

A long-expected privacy icon debuts in the software update out Thursday which help users identify when Apple requests more of their personal information. The update doesn't change how much data Apple collects, but it helps show what data will be collected when Apple apps and features are used for the first time.

"You won't see this icon with every feature since Apple only collects this information when it's needed to enable features, to secure our services, or to personalize your experience," a screen says, once you update.

Maybe the timing is a coincidence, but this seems like a way to grab some good headlines amid Facebook's recent data sharing controversy.

Will Strafach, a security researcher with a focus on mobile, knows iOS better than most. He told ZDNet that the privacy icon will have some benefits.

"Although the purpose was misinterpreted as some kind of indicator -- it is not -- the actual purpose of giving information on how data is used is a very good thing I believe," he said. "Many people these days wonder about how their data is used and just have no idea, so if Apple is going to ask for something sensitive, it seems very helpful to give information to the user on data management -- and users can then hold them to it instead of it being ambiguous."

The downside is that, contrary to several reports, the privacy icon actually has nothing to do with preventing phishing attacks that try to steal your iCloud password. For its part, Apple never confirmed that the privacy icon would do anything of the sort.

We reached out to Apple, but a spokesperson would not comment on the record.

Although phishing attacks on the desktop have been around for years, they're less so targeted to the individual device. And as widely celebrated for their security as iPhones and iPads are, the device's weakest link is often a result of tricking the average user into turning over their password.


Apple's new privacy icon. (Image: ZDNet)

It's a problem that Apple doesn't seem to want to tackle -- despite a rash of attention earlier this year, when Felix Krause demonstrated in a blog post how easy it was to trick an iPhone or iPad user into turning over their Apple ID credentials.

In a proof-of-concept, he said users are "trained to just enter" their email address and password "whenever iOS prompts you to do so." Any long-term iPhone or iPad user can tell you that their phone or tablet will randomly prompt for your password, but often it's not clear why. And that's something attackers are keen to capitalize on.

One report called the attack a "hacker's dream."

"Showing a dialog that looks just like a system popup is super easy. There is no magic or secret code involved. It's literally the examples provided in the Apple docs, with a custom text," said Krause.

He described it as "less than 30 lines of code" that every iOS engineer would know.

Even with two-factor authentication, users aren't necessarily safe, said Krause. If you wanted to inflict damage, you only need a user's Apple ID email address and password to wipe a person's device without warning.

Apple says in a developer post that it's difficult to combat phishing -- or social engineering as it's often referred to.

Others say it's not that difficult.

"I would like to see the password requests show up as a banner alert or notification sent by the Settings app, which should send the user to the Settings app when pressed in order to enter their credentials," said Strafach.

"No icon or anything else is sufficient because the running app is able to mess with all user interface elements including status bar," he said. "Using an alert and redirect to Settings would completely solve the issue."

It's a simple solution that Krause -- and others -- have already suggested. But Apple won't budge, and its customers remain at risk.

Editorial standards