[rorosaurus]

If I remember correctly, people at the time were suggesting Apple simply had their own, private version of the popup which indicated it's authenticity via colors or a badge. I honestly feel like that might have been good enough, especially if you change the other, public popup dialogs to warn not to enter password information.

[tolien]

I guess the corollary to that is Dropbox faking the macOS credential popup [1] - anything you can see can be cloned. If they'd just fixed it so it didn't appear so damned often and without any apparent cause (I get that it was probably triggered by some background process trying to sync or something - those should really have triggered a "Open Settings to confirm your Apple ID" sort of message, rather than a direct request for credentials), that might have been enough.

1: https://www.reddit.com/r/privacy/comments/51wqhd/dropbox_fak...