Questions on whether an iPhone password can be hacked via apps requesting the device password

jana
I have a concern about installing apps where they request my iPhone/iPad password. So some questions:

  • When apps request authenticating their apps with my iPhone password, is it possible that the apps extract the password?
  • Also, using two-factor authentication for Apple ID, would that protect my Apple data even though I gave the password to the apps requesting it?

(Sorry for my ignorance, and maybe it is nothing to worry about, but I wanted the expert input on this, so any help would be greatly appreciated.)
That's not how the iPhone password works. Apps don't request the password. The app only asks that Apple validates the user on the phone. They request authentication. You enter a password to generate the authentication token. Apple basically tells the app that you validated, and the password is never passed to the app in question.
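
What the answer above describes looks like this from the app's side. This is an added example, not part of the original thread, using Apple's LocalAuthentication framework; the names `DeviceAuthResult` and `requestDeviceOwnerAuthentication` are hypothetical.

```swift
import Foundation
import LocalAuthentication

/// Everything the app can learn from the prompt.
/// There is no case that carries the passcode or biometric data.
enum DeviceAuthResult {
    case authenticated
    case denied(LAError.Code)
    case unavailable(String)
}

func requestDeviceOwnerAuthentication(reason: String,
                                      completion: @escaping (DeviceAuthResult) -> Void) {
    let context = LAContext()
    var policyError: NSError?

    // .deviceOwnerAuthentication = Face ID / Touch ID with fallback to the device passcode.
    guard context.canEvaluatePolicy(.deviceOwnerAuthentication, error: &policyError) else {
        completion(.unavailable(policyError?.localizedDescription ?? "policy cannot be evaluated"))
        return
    }

    // iOS presents the prompt; the app supplies only the reason text shown in it.
    context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: reason) { success, error in
        // The callback delivers a Bool and an optional error, nothing else.
        DispatchQueue.main.async {
            if success {
                completion(.authenticated)
            } else if let laError = error as? LAError {
                // e.g. .userCancel, .authenticationFailed, .passcodeNotSet
                completion(.denied(laError.code))
            } else {
                completion(.unavailable(error?.localizedDescription ?? "unknown error"))
            }
        }
    }
}
```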

Author

Commented:
Makes sense, thank you! I have been trying to find documentation on the web so I can post it in the office, but I can't find any. Do you have a link or web page I can look into that covers this topic? Thanks!
btan, Exec Consultant
Distinguished Expert 2018

Commented:
It is the option to enable authentication when you make a purchase; you'll always be asked to enter your password, even if you're signed in with your Apple ID.

https://support.apple.com/en-in/HT204030
https://support.apple.com/en-sg/HT201371

2FA is additional security for your Apple ID. After you turn it on, signing into your account will require both your password and access to your trusted devices or trusted phone number. To keep your account as secure as possible and help ensure you never lose access, there are a few simple guidelines you should follow:

  • Remember your Apple ID password.
  • Use a device passcode on all your devices.
  • Keep your trusted phone number(s) up to date.
  • Keep your trusted devices physically secure.

In a way, data remains encrypted until authenticated. Unless your other trusted phone is also hacked to get that verification code and, at the same time, someone has physical access to your actual phone, it is rather hard to hack into the actual phone.

Author

Commented:
Thank you for the info, but my question is more directed to the authentication when an app (other than the Apple store) requests it, like VPN apps.

What Serialband said, "You enter a password to generate the authentication token. Apple basically tells the app that you validated, and the password is never passed to the App in question.", makes a lot of sense and I guess that is the answer, but I need to document this, so what I am trying to find is a reference to Serialband's statement.

Author

Commented:
Btan, I have been searching for an answer using search strings like:

  • do iPhone passes password to other applications when authentication is requested
  • why vpn application request my iPhone password
  • why do some applications request my iPhone password
  • when iphone is requested authentication my password is not given
  • how to iphone authenticate with other applications

Strings like the above, but I haven't been able to get an answer close to Serialband's.

https://stormpath.com/blog/the-ultimate-guide-to-mobile-api-security

Here's a basic idea of how a password authentication API works. They've since changed some details, but it still gives a basic diagram. Passwords are never sent as passwords, if it's done correctly. They're converted to tokens or hashes that are used to validate your password through some API. Those tokens or hashes are generally sent through an encrypted channel, such as through SSL. You should never see the plain token.

Author

Commented:
Thank you! Based on your link I changed some info in my search string and found more related links!

Good enough!

Thanks!
