Skip to main content
  1. Tech
  2. Gadgets & Tech
  3. Tech Gear

New iOS vulnerability discovered, allows key and screen touch logging

See also

Right on the heels of the iOS 6.1.6 and 7.0.6 releases, which fixed a huge "Goto" FUBAR in Apple's iOS SSL code, FireEye said on Monday night that they have discovered yet another iOS security vulnerability.This one could allow the installation and use of a keylogger which could monitor all key presses and screen touches.

According to the firm, they created such an app, and used it successfully on non-jailbroken iPhones and iPads. The vulnerability affects devices running iOS versions 7.0.4, 7.0.5, and 7.0.6, as well as those on 6.1.x. That means even the latest 7.0.x release still has the issue.

The big question, of course, is how would a hacker get the app on a device? A non-jailbroken iPhone can only install from the App Store, so a hacker would have to somehow disguise an app and get it past the App Store review process.

In terms of the proof-of-concept app, there are ways to install experimental apps on iDevices. Interestingly, though, prior to the posting of their blog entry, FireEye published a separate brief -- one that was quickly removed. However, what goes on the Internet stays on the Internet. According to an RSS reader cache that captured the earlier post,

FireEye successfully delivered a proof-of-concept monitoring app through the App Store that records user activity and sends it to a remote server. We have been collaborating with Apple on this issue.

The portion of that sentence that says that the app was delivered through the App Store has to be surprising.

The issue arises because of the way background apps run on an iPhone or iPad. While "background app refresh" can be disabled in iOS by going into Settings, General, Background App Refresh, some apps, like a music player, can run in the background without on its "background app refresh" switch being turned on.

Users can also kill background apps by using the iOS task manager. Pressing the home button twice in iOS will bring it up, and than an app can be swiped up and off the screen to disable it.

It is unclear if this vulnerability will be fixed in a new 7.0.x release or if Apple will simply wait for iOS 7.1 to release, and fix it there. It's also possible that 7.1 might ship with the vulnerability "intact," as most believe the new iOS version will ship in mid-March.

Advertisement

Don't Miss

  • The Crew
    'The Crew' exclusive: New details on racing types, open-world, seamlessness and more
    Games Exclusive
  • Dirty hands
    Find out how to clean the gross gadgets you carry with you all the time
    Video
    Tech Buzz
  • Civ
    Need to catch up on 'Sid Meier's Civilization'? Here is everything you need to know
    Camera
    Games Feature
  • Contact lenses
    Google applies for patent for what could be the Google Glass successor
    Tech News
  • Upcoming
    These are 2014's biggest PS4, Xbox One and Wii U games
    Camera
    Games Feature
  • Microscope
    A brilliant doctor invents a microscope that can be created for less than 50 cents
    Video
    Headlines

User login

Log in
Sign in with your email and password. Or reset your password.
Write for us
Interested in becoming an Examiner and sharing your experience and passion? We're always looking for quality writers. Find out more about Examiner.com and apply today!