Apple is not having much luck on the vulnerability front lately. Not only is the gotofail bug, which relates to SSL-encrypted traffic, still making headlines, but a new security flaw in iOS has now been brought to light. This new flaw makes it possible for someone with malicious intent to covertly log every touch a user makes, including keyboard and Touch ID presses.
The flaw was discovered by the security research firm FireEye, which said in a blog post that the gap lies in the iOS multitasking feature and allows background monitoring. It can be exploited through a malicious app install or remotely via a vulnerability in a separate app.
ArsTechnica has the full scoop:
“We have created a proof-of-concept “monitoring” app on non-jailbroken iOS 7.0.x devices. This “monitoring” app can record all the user touch/press events in the background, including, touches on the screen, home button press, volume button press and TouchID press, and then this app can send all user events to any remote server, as shown in Fig.1. Potential attackers can use such information to reconstruct every character the victim inputs.
Note that the demo exploits the latest 7.0.4 version of iOS system on a non-jailbroken iPhone 5s device successfully. We have verified that the same vulnerability also exists in iOS versions 7.0.5, 7.0.6 and 6.1.x. Based on the findings, potential attackers can either use phishing to mislead the victim to install a malicious/vulnerable app or exploit another remote vulnerability of some app, and then conduct background monitoring.”
Although FireEye has since removed the claim, it apparently “delivered a proof-of-concept app through the App Store that records user activity and sends it to a remote server.”
This vulnerability has been confirmed to exist on non-jailbroken devices running iOS versions 7.0.4, 7.0.5, and 7.0.6, as well as those running 6.1.x. Apple is reportedly working on a fix.