Just days after patching a rampant security flaw in iOS, another one has popped up in its stead. According to network security company FireEye, there’s a bug in even the latest version of iOS that can let malicious apps track your every keystroke with ease.
FireEye was able to push a proof-of-concept app through the App Store and uses iOS 7’s multitasking capabilities to hang out in the background and snoop on all your activity.
We have created a proof-of-concept “monitoring” app on non-jailbroken iOS 7.0.x devices. This “monitoring” app can record all the user touch/press events in the background, including touches on the screen, home button press, volume button press and TouchID press, and then this app can send all user events to any remote server, as shown in Fig.1. Potential attackers can use such information to reconstruct every character the victim inputs.
Note that the demo exploits the latest 7.0.4 version of iOS system on a non-jailbroken iPhone 5s device successfully. We have verified that the same vulnerability also exists in iOS versions 7.0.5, 7.0.6 and 6.1.x. Based on the findings, potential attackers can either use phishing to mislead the victim to install a malicious/vulnerable app or exploit another remote vulnerability of some app, and then conduct background monitoring.
Fortunately, it’s only an issue if you’ve downloaded something shady, but until Apple releases another patch to fix this vulnerability, the only way to be sure that something isn’t watching you from the background is to open the multi-tasking menu with a double-tap of the home button, and swipe away everything you don’t trust completely.
It’s a slightly less egregious breach of security than Apple’s SSL problems — which are still at large on OS X — because here you at least have to be tricked into downloading a bad app, but it’s still concerning that all those stupid Flappy Bird clones you downloaded could be watching what you type.