Skip to main content
  1. Tech
  2. Gadgets & Tech
  3. Tech Gear

New iOS vulnerability discovered, allows key and screen touch logging

See also

Right on the heels of the iOS 6.1.6 and 7.0.6 releases, which fixed a huge "Goto" FUBAR in Apple's iOS SSL code, FireEye said on Monday night that they have discovered yet another iOS security vulnerability.This one could allow the installation and use of a keylogger which could monitor all key presses and screen touches.

According to the firm, they created such an app, and used it successfully on non-jailbroken iPhones and iPads. The vulnerability affects devices running iOS versions 7.0.4, 7.0.5, and 7.0.6, as well as those on 6.1.x. That means even the latest 7.0.x release still has the issue.

The big question, of course, is how would a hacker get the app on a device? A non-jailbroken iPhone can only install from the App Store, so a hacker would have to somehow disguise an app and get it past the App Store review process.

In terms of the proof-of-concept app, there are ways to install experimental apps on iDevices. Interestingly, though, prior to the posting of their blog entry, FireEye published a separate brief -- one that was quickly removed. However, what goes on the Internet stays on the Internet. According to an RSS reader cache that captured the earlier post,

FireEye successfully delivered a proof-of-concept monitoring app through the App Store that records user activity and sends it to a remote server. We have been collaborating with Apple on this issue.

The portion of that sentence that says that the app was delivered through the App Store has to be surprising.

The issue arises because of the way background apps run on an iPhone or iPad. While "background app refresh" can be disabled in iOS by going into Settings, General, Background App Refresh, some apps, like a music player, can run in the background without on its "background app refresh" switch being turned on.

Users can also kill background apps by using the iOS task manager. Pressing the home button twice in iOS will bring it up, and than an app can be swiped up and off the screen to disable it.

It is unclear if this vulnerability will be fixed in a new 7.0.x release or if Apple will simply wait for iOS 7.1 to release, and fix it there. It's also possible that 7.1 might ship with the vulnerability "intact," as most believe the new iOS version will ship in mid-March.


Don't Miss

  • Unity
    'Assassin's Creed Unity' preview: Ubisoft comes home to its urban origins
    Games Preview
  • Smart vending machine
    This smart vending machine will recommend drinks for you based on your gender and age
    Tech Buzz
  • Destiny
    The 'Destiny' beta: 7 things we absolutely love about Bungie's new franchise
    Games Feature
  • Wi-Fi
    Find out how to stretch your Wi-Fi signal where it has never gone before
    Tech Tips
  • Far Cry
    'Far Cry 4' exclusive: Animals, avalanches, oxygen, side content and much more
    Games Interview
  • Gamer ghost
    Gamer finds and plays with ghost of deceased father on a classic game