Comment by hamburglar
2 days ago
Yes, it’s really bad for security. I just deny it if I don’t know what it’s for. I’m sure I’m missing out on some very important functionality.
2 days ago
My understanding is that iCloud backup requires it, among who-knows-what other things. So I've been reluctant to hit "Not now."
I just have to trust their security model to not allow random apps to pop up and issue those prompts.
I'd be surprised if there aren't malicious apps that pop up their own counterfeit version of Apple's "Just enter your password again, trust me bro" dialog that looks just like the real thing, and then do nefarious things with the trusting user's input.
Not only apps, webpages can easily do it too! I know that sophisticated users might think to themselves "hey why didn't it play the correct app-switching animation after I clicked 'Open Settings' to enter my password" or something, but normal users could be fooled simply by loading the password-entering UI lookalike right there in the browser, probably more than half the time, which is way more than enough.
Apple's continued drive toward having UI disappear when not "in use" makes this so much more trivial. Currently, as long as you've scrolled down an inch or so, Safari's chrome consists of a single line of ~5 point text, the hostname, on a plain background at the bottom of the screen. So, "Wait, I'm still in the browser" is the kind of thing only nerds would think. Normal people would just ignore the tiny text saying "apple.com.account-verification-system.cgi-bin-iphone-3cabcdef38673824.xyz" and assume they're looking at legitimate UI as long as it roughly approximates iOS.
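The hostname quoted in the last comment puts `apple.com` in its leftmost labels, while the domain that was actually registered is the rightmost pair of labels. As an added example (not part of the thread), this Python check flags that pattern on the defender's side; the suffix set and the protected-domain list are constructed assumptions standing in for the full Public Suffix List and a real brand list.

```python
# Added illustration, not code from the thread.
# Constructed stand-in for the Public Suffix List (assumption).
PUBLIC_SUFFIXES = {"com", "net", "org", "xyz", "co.uk"}
# Assumed set of brand domains to protect.
PROTECTED = {"apple.com", "icloud.com"}


def registrable_domain(host):
    """Return the public suffix plus one label (eTLD+1), or None."""
    labels = host.lower().rstrip(".").split(".")
    # Try the longest candidate suffix first so "co.uk" beats "uk".
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return None


def classify(host):
    """Classify a hostname as legitimate, lookalike, unrelated or unknown."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg is None:
        return "unknown"
    if reg in PROTECTED:
        return "legitimate"
    # A protected domain appearing as whole labels to the left of a
    # different registrable domain is the trick described in the thread.
    padded = "." + host + "."
    for brand in PROTECTED:
        if "." + brand + "." in padded:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    samples = [
        # Hostname quoted in the comment above.
        "apple.com.account-verification-system.cgi-bin-iphone-3cabcdef38673824.xyz",
        "www.apple.com",   # constructed sample
        "example.org",     # constructed sample
    ]
    for s in samples:
        print(f"{classify(s):10s} {registrable_domain(s)!s:40s} {s}")
```
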