When iOS needs my Apple ID password, it prompts with a UIAlertController, at random and while using other apps

Originator: dloewenherz
Number: rdar://32716916
Date Originated: June 12 2017, 1:03 PM
Status: Open
Resolved:
Product: iOS + SDK
Product Version: iOS 10.3.2 (14F89)
Classification: Security
Reproducible: Always
Area:
Something not on this list

Summary:
This is a large security risk, since users are being trained to enter their Apple ID password while using 3rd party apps. This opens up the possibility that a malicious 3rd party app could present the same prompt and request a user's Apple ID password. The iOS-provided prompt carries no indication that it is Apple-sourced or otherwise legitimate, so a user has no way to tell the difference.

Steps to Reproduce:
1. Change your Apple ID password on macOS, using Safari.
2. Unlock an iPhone.
3. Start using apps that are not published by Apple.
4. A prompt to enter your Apple ID password appears.

Expected Results:
Option A: The prompt looks different from other prompts, to indicate that it is safe to enter your password.
Option B: The prompt does not appear at all until the user is on the home screen or using an Apple app.
Option C: If the UIAlertController title or message contains the word "password", add a note that "Apple will never ask for your Apple ID password in an alert."
Option D (my favorite): The UIAlertController contains no text field whatsoever, and simply has an action ("Re-enter Password", say) that redirects the user to Settings.app to enter their credentials. Also include the note from Option C in the alert.
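Option D expressed in code, as an added illustration that is not part of the report and not Apple's code: a re-authentication alert that carries no text field and only hands the user off to Settings. It assumes the public `UIApplication.openSettingsURLString` destination (the app's own Settings page, since there is no public API to jump to the Apple ID section).

```swift
import UIKit

/// Builds the alert Option D describes: no text field, the Option C note,
/// and a single action that sends the user to Settings instead of
/// collecting the password inside the alert.
func makeReauthenticationAlert() -> UIAlertController {
    let alert = UIAlertController(
        title: "Apple ID Password Changed",
        message: "Apple will never ask for your Apple ID password in an alert. "
               + "Re-enter it in Settings to continue.",
        preferredStyle: .alert)

    // Deliberately no alert.addTextField(...): the alert never receives a secret,
    // so there is nothing for a look-alike prompt to harvest by imitation.
    alert.addAction(UIAlertAction(title: "Not Now", style: .cancel, handler: nil))
    alert.addAction(UIAlertAction(title: "Re-enter Password", style: .default) { _ in
        // Assumption: openSettingsURLString lands on this app's Settings page,
        // not the Apple ID section; the user navigates from there.
        guard let url = URL(string: UIApplication.openSettingsURLString),
              UIApplication.shared.canOpenURL(url) else { return }
        UIApplication.shared.open(url, options: [:], completionHandler: nil)
    })
    return alert
}

/// Debug/test guard: true when an alert collects no input at all.
/// Useful as an assertion wherever a credential-related alert is built.
func alertCollectsNoSecret(_ alert: UIAlertController) -> Bool {
    return (alert.textFields ?? []).isEmpty
}

// Usage from a view controller (constructed call, not from the report):
// let alert = makeReauthenticationAlert()
// assert(alertCollectsNoSecret(alert))
// present(alert, animated: true)
```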

Observed Results:
The prompt looks like an ordinary UIAlertController, which normalizes entering the Apple ID password into arbitrary alert views. See attachment.

Version:
iOS 10.3.2 (14F89)

Notes:


Configuration:
iPhone SE 64GB T-Mobile
