Apple just patched a serious SSL flaw in iOS 7 last week, but that doesn’t appear to be the end of its mobile security problems. Ars Technica pointed Tuesday to a blog post from security company FireEye that describes a new security flaw in iOS 7 that could allow certain apps to log your keystrokes while they run in the background.
Here are the details according to FireEye:
“We have created a proof-of-concept ‘monitoring’ app on non-jailbroken iOS 7.0.x devices. This ‘monitoring’ app can record all the user touch/press events in the background, including touches on the screen, home button presses, volume button presses and TouchID presses, and then this app can send all user events to any remote server, as shown in Fig. 1. Potential attackers can use such information to reconstruct every character the victim inputs.
Note that the demo exploits the latest 7.0.4 version of iOS system on a non-jailbroken iPhone 5s device successfully. We have verified that the same vulnerability also exists in iOS versions 7.0.5, 7.0.6 and 6.1.x. Based on the findings, potential attackers can either use phishing to mislead the victim to install a malicious/vulnerable app or exploit another remote vulnerability of some app, and then conduct background monitoring.”
What this means is that if you install an app carrying this monitoring code, it can run in the background on your device, recording what you type and then transmitting that information to a remote server.
Of course, this means you need to have an app with the monitoring code installed, which isn’t something you can readily tell. I’d venture a guess that the vast majority of high-profile apps are free of malicious code, but there are hundreds of thousands of others out there. Apple has a fairly extensive app review policy that’s designed to catch malware, but as this shows, it isn’t always perfect.
According to FireEye, you can reduce your exposure to background monitoring by closing any background apps through the multitasking menu. You can also turn off Background App Refresh in Settings.
Last week Apple issued the iOS 7.0.6 update, which fixed a serious flaw that could allow attackers to bypass SSL/TLS certificate verification and intercept users’ data.
According to FireEye, it has been collaborating with Apple on this latest security issue, so hopefully we’ll see a fix soon.