Checking the SSL certificate of the website.
--snip--
The attacker could make self-signed SSL certificate, but AFAIK most browser shows warning for website which self-signed SSL certificate.
Just to add, this also applies to android, the host file can be changed if you have root access. Another reason, why you shouldn't root your device.
True, but there are ways to do it without editing hosts file directly such as using proxy or VPN which only manage DNS request.