FIREEYE HAS REVEALED details of a security flaw in non-jailbroken devices running iOS that could let bad apps grab touchscreen impressions.
The firm said that it is already talking with Apple about its discovery, and has demonstrated a proof of concept app that does the dirty deed, that is, grab touchscreen interactions, including via Touch ID.
"Fireeye mobile security researchers have discovered such vulnerability, and found approaches to bypass Apple's app review process effectively and exploit non-jailbroken iOS 7 successfully. We have been collaborating with Apple on this issue," it said in a blog post.
"We have created a proof-of-concept 'monitoring' app on non-jailbroken iOS 7.0.x devices. This 'monitoring' app can record all the user touch/press events in the background, including, touches on the screen, home button press, volume button press and Touch ID press, and then this app can send all user events to any remote server."
Malicious users could exploit the flaw, which the researchers said is present in iOS versions 7.0.4, 7.0.5, 7.0.6 and 6.1.x, by phishing a victim into loading a blighted or malicious app, after which they would be able to begin background monitoring.
Until a fix is released, the advice is to keep an eye on what apps you use and which ones you allow to continue running in the background.
"iOS 7 users can press the Home button twice to enter the task manager and see preview screens of apps opened, and then swipe an app up and out of preview to disable unnecessary or suspicious applications running on the background," advised Fireeye.
If an update to iOS follows this revelation, it will be the second to come out of Cupertino in a week. The update to iOS 7.0.6 began rolling out last weekend following reports of an SSL vulnerability. µ