iOS asks the user for their iTunes password for many reasons, the most common ones are recently installed iOS operating system updates, or iOS apps that are stuck during installation.
If the dialog and the app are still visible, then it's a system dialog.
Don't enter your credentials into a popup, instead, dismiss it, and open the Settings app manually.
To protect yourself from such attacks, Krause suggests that you hit the Home button when the prompt pops up. "Also included in the update is the Love-You Gesture, designed after the "I love you" hand sign in American Sign Language", Apple declared a while ago. If doing so makes both the app and the popup disappear, it was a phishing attack, he says. Just one week later, and we've got more bug fixes, which goes to show just how quickly Apple pushed iOS 11.0 out the door.
Even if you have two-factor authentication (2FA), what's to stop an app developer from asking for your 2FA key as well?
Mr Krause said malicious developers can turn on alerts inside their apps that look nearly identical to Apple's pop-ups using a simple bit of code. As you can see in the screenshot above, this comes in the form of a password request that looks pretty much identical to the one that Apple uses themselves. This could easily be abused by any app'.
The proof-of-concept involves the use of an overlay popup that mimics the Apple iOS password prompt. He also adds that any data in the text field of the fake password prompt can be harvested even if you hit cancel. He says he's already filed this issue as a radar with Apple and explains that it could be fixed by Apple not allowing passwords to be entered in popups, but rather only in the Settings app/App Store.
Mr Krause said this will close the app if it is a phishing scam, but the pop-up will remain if it is a legitimate Apple ID request.