Second Major iOS Security Flaw Found, No Update Yet

Apple is having quite a rough week. While the security world is still reeling from this past week’s vulnerability discovery and fix, researchers have identified yet another security flaw in Apple’s iOS that attackers could exploit to remotely monitor a user.

With this newly discovered vulnerability, hackers are able to log a user’s keystrokes, including touch inputs and button uses, using a ‘host’ app. The exploit targets a flaw in iOS’s multitasking capabilities to capture user inputs and send them to a remote server. The attacker could then use the data to recreate every action and character the user inputs.

To test the exploit’s effectiveness, researchers at the security firm FireEye created a proof-of-concept monitoring app and found a way to bypass Apple’s App Store Review process. Once installed on any non-jailbroken iOS 7.0.x device, the app could monitor any action taken on the device. Even the brand new 7.0.6 update released to fix an earlier security flaw is vulnerable to this exploit.

“Based on the findings, potential attackers can either use phishing to mislead the victim to install a malicious/vulnerable app or exploit another remote vulnerability of some app, and [can] then conduct background monitoring,” researchers at FireEye wrote.

The team said they’re currently working with Apple on a fix. In the meantime, you can avoid being keylogged by not allowing any questionable apps to run in the background. To see which apps are currently running on your iDevice, just hit your home button twice; swipe left to see which apps are open and swipe up to close an app. Apple also offers users the ability to turn an app’s background refresh off, but FireEye noted that some apps can bypass that feature and still work in the background. “For example,” FireEye wrote, “an app can play music in the background without turning on its ‘background app refresh’ switch. Thus a malicious app can disguise itself as a music app to conduct background monitoring.”

Two aspects of this proof-of-concept attack should cause alarm for the security community. First is the fact that the team could get an app through Apple’s usually stringent App Store entry process without being noticed. We’d have to know more about how exactly FireEye accomplished that, but it brings up many questions about how we can protect devices from apps that allow malicious behavior – whether by hackers or government hacks. Second is the fact that the app was keylogging every stroke on a device – no matter what the background refresh preference was. Both issues point to the fact that mobile security is really just at its beginning stages and there’s a lot left to learn.

This newfound flaw comes just four days after the first issue was announced and the iOS upgrade released. The SSL vulnerability allowed hackers to record and modify data in supposedly secure sessions in certain applications such as Safari, Mail, and others on both iOS and OS X devices.

We’ll keep you updated on this new flaw as information emerges. You can read FireEye’s original report here.