Nikhil Subramaniam, Feb 26, 2014 12:25:58 IST
Researchers have unearthed what is potentially a huge flaw in Apple’s iOS mobile operating system. While we have seen bugs crop up aplenty on all platforms, this is one of the biggest vulnerabilities in iOS that could potentially allow anyone to track your keyboard presses, physical button presses, and TouchID interaction.
The vulnerability, discovered by researchers at security firm FireEye, can affect even non-jailbroken iPhones and iPads as long as they are running a version of iOS newer than 6.1.x. The researchers published a blog post earlier this week, which ominously said the vulnerability can be exploited by an app that bypasses Apple's stringent app review process and can then potentially harm your iDevice. The malware-like app uses iOS’s native multitasking capabilities to capture the inputs, as evidenced in the image below.
The post went on to say, “We have created a proof-of-concept ‘monitoring’ app on non-jailbroken iOS 7.0.x devices. This ‘monitoring’ app can record all the user touch/press events in the background, including touches on the screen, home button press, volume button press and TouchID press, and then this app can send all user events to any remote server. Potential attackers can use such information to reconstruct every character the victim inputs.” FireEye released a table which lists all recorded input from an infected iOS device.
FireEye verified the vulnerability in more recent iOS versions too, including 7.0.5 and 7.0.6. The app that FireEye used to exploit the vulnerability taps into the resources Apple provides for apps to run in the background. It would appear that even while running in the background, such apps can see which presses were made on the keyboard and other buttons.
While Apple has not specifically commented on this latest vulnerability, we expect a patch will be released soon to fix it. Until then, iOS users are advised not to install suspect apps, even though they may appear on the App Store. Alternatively, they can disallow the app from running in the background.