
I would guess that most iOS users think that the confirmation message for in-app purchases (prompting you for your iCloud credentials) is from the app from which they initiated the purchase, rather than from a system service.

This probably conditions them to trust all iOS apps with their password if prompted to enter it.



Which is precisely why the thing this article is pointing out is extremely terrible - Apple should have made it a rule a long time ago that no 3rd party app can ask for Apple ID credentials.

But they dug themselves in a ditch by unifying extremely sensitive things (App Store access) & very sensitive things (email, calendar) under a single account.

A few ways to get out of that ditch:

- not allowing any iOS/Mac app store 3rd party app to ask for iCloud credentials. This will suck but at least protects the average Joe.

- forcing users to have a different password for the app store/anything that can take money from a credit card.

- using something like OAuth.

- use two step verification for app store purchases (of course, the mobile app store being on a phone makes it harder)


use two step verification for app store purchases

That's actually a great idea, and it wouldn't be hard at all, as long as they were to use TFA for all iCloud access. The second factor (e.g. a 6-digit number) could be displayed in the dialogue box asking for your password.

If it's a genuine dialogue box, no problem. If it's _not_ a genuine dialogue box, then the captured username/password is of no use, as you don't have the second factor. Replay and MITM attacks could be avoided by using a session identifier; the app wouldn't be able to get at it due to the sandbox.
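The scheme described in the comment above, as an added example that is not part of the original thread and not the commenter's own code: a one-shot purchase session whose 6-digit code is handed only to the genuine (non-sandboxed) dialog, so a password captured by a look-alike in-app dialog is useless on its own and a captured genuine exchange cannot be replayed. Everything here is constructed and assumed: the `PurchaseAuthServer` class, the user record, the PBKDF2 password storage, and the out-of-band delivery of the code to the user's real device.

```python
"""Constructed sketch of a 2FA-bound purchase confirmation (example code).

Assumed model: only the genuine system dialog, outside the app sandbox, can
call begin_purchase() and show the returned code to the user. A third-party
app that draws a fake dialog can harvest the password but never sees a valid
session id or code.
"""
import hashlib
import hmac
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is an assumption for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user database: username -> (salt, password hash). Not real accounts.
_SALT = b"constructed-salt"
USERS = {"alice@example.com": (_SALT, _hash_password("hunter2", _SALT))}


class PurchaseAuthServer:
    """Issues one-shot purchase sessions, each bound to a displayed code."""

    def __init__(self, users):
        self.users = users
        self.sessions = {}  # session_id -> {"user", "code", "used"}

    def begin_purchase(self, username: str):
        """Called only by the genuine system dialog (assumed sandbox boundary)."""
        session_id = secrets.token_hex(16)
        code = f"{secrets.randbelow(10**6):06d}"  # the 6-digit second factor
        self.sessions[session_id] = {"user": username, "code": code, "used": False}
        return session_id, code

    def confirm(self, session_id: str, username: str, password: str, code: str) -> bool:
        """Accept a purchase only with a fresh session, the right password and the bound code."""
        session = self.sessions.get(session_id)
        if session is None or session["used"]:
            return False  # unknown session, or a replay of one already consumed
        session["used"] = True  # consume on first attempt, whatever the outcome
        record = self.users.get(username)
        if record is None or session["user"] != username:
            return False
        salt, stored = record
        password_ok = hmac.compare_digest(stored, _hash_password(password, salt))
        code_ok = hmac.compare_digest(session["code"], code)
        return password_ok and code_ok


def genuine_flow(server: PurchaseAuthServer) -> bool:
    """User confirms in the real dialog: password plus displayed code succeed."""
    sid, code = server.begin_purchase("alice@example.com")
    return server.confirm(sid, "alice@example.com", "hunter2", code)


def phished_flow(server: PurchaseAuthServer) -> bool:
    """A fake in-app dialog captured the password only. The app cannot call
    begin_purchase() itself, so the best it can do is guess a session id and code."""
    captured_user, captured_password = "alice@example.com", "hunter2"
    return server.confirm(secrets.token_hex(16), captured_user, captured_password, "000000")


def replay_flow(server: PurchaseAuthServer):
    """Replaying a captured genuine exchange is rejected the second time."""
    sid, code = server.begin_purchase("alice@example.com")
    first = server.confirm(sid, "alice@example.com", "hunter2", code)
    second = server.confirm(sid, "alice@example.com", "hunter2", code)
    return first, second


if __name__ == "__main__":
    srv = PurchaseAuthServer(USERS)
    print("genuine:", genuine_flow(srv))
    print("phished password only:", phished_flow(srv))
    print("replay (first, second):", replay_flow(srv))
```

The session is consumed on the first attempt even when the password is wrong, so a phished password cannot be used to grind through codes against a session the real user opened; a practitioner would also rate-limit and expire sessions, which the sketch leaves out.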



