iOS asks the users to write their Apple ID password for many reasons, the most popular thing is when installing operating system updates, or iOS apps that are stuck during installation. As a result, users are trained to just enter their Apple ID password whenever iOS asks you to do so.
But, these popups are not only displayed on the lock screen, and the home screen, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases.
Attackers can easily trick users just by showing an UIAlertController, that seems exactly like the system dialog.
According to an alarming blog post published by Krause:
Do you want the user’s Apple ID password, to get access to their Apple account, or to try the same email/password combination on different web services? Just ask your users politely, they’ll probably just hand over their credentials, as they’re trained to do so ?
You can protect yourself by hitting the home button, and see if the application quits, If it quitting the app, and with it the dialog, then this was a phishing attack. But If the popup and the application are still visible, then it’s a system popup. The reason for that is that the system dialogs run in a separate process, and not as a component of any iOS app.
You can also avoid entering your credentials into a popup, alternatively, dismiss it, and open the Settings app manually.
