The Inquirer-Home

iOS bug opens way for background key-logging on iPhones

Non-jailbroken devices not safe
Wed Feb 26 2014, 10:24
Apple iPhone 5C with iOS 7 Copyright Apple

FIREEYE HAS REVEALED details of a security flaw in non-jailbroken devices running iOS that could let bad apps grab touchscreen impressions.

The firm said that it is already talking with Apple about its discovery, and has demonstrated a proof of concept app that does the dirty deed, that is, grab touchscreen interactions, including via Touch ID.

"Fireeye mobile security researchers have discovered such vulnerability, and found approaches to bypass Apple's app review process effectively and exploit non-jailbroken iOS 7 successfully. We have been collaborating with Apple on this issue," it said in a blog post.

"We have created a proof-of-concept 'monitoring' app on non-jailbroken iOS 7.0.x devices. This 'monitoring' app can record all the user touch/press events in the background, including, touches on the screen, home button press, volume button press and Touch ID press, and then this app can send all user events to any remote server."

Malicious users could exploit the flaw, which the researchers said is present in iOS versions 7.0.4, 7.0.5, 7.0.6 and 6.1.x, by phishing a victim into loading a blighted or malicious app, after which they would be able to begin background monitoring.

Until a fix is released, the advice is to keep an eye on what apps you use and which ones you allow to continue running in the background.

"iOS 7 users can press the Home button twice to enter the task manager and see preview screens of apps opened, and then swipe an app up and out of preview to disable unnecessary or suspicious applications running on the background," advised Fireeye.

If an update to iOS follows this revelation, it will be the second to come out of Cupertino in a week. The update to iOS 7.0.6 began rolling out last weekend following reports of an SSL vulnerability. µ

 

Share this:

blog comments powered by Disqus
Advertisement
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

Advertisement
INQ Poll

Internet of Things at Christmas poll

Which smart device are you hoping Santa brings?