Second Major iOS Security Flaw Found, No Update Yet

Feb 25, 2014 By Sarah Vonnegut

Apple is having quite a rough week. While security world is still reeling from this past week’s vulnerability discovery and fix, researchers have identified yet another security flaw in Apple’s iOS that attackers could exploit to remotely monitor a user.

With this newly discovered vulnerability, hackers are able to log a user’s keystrokes, including touch inputs and button uses, using a ‘host’ app. The exploit targets a flaw in iOS’s multitasking capabilities to capture user inputs and send them to a remote server. The attacker could then use the data to recreate every action and character the user inputs.

To test the exploits’ effectiveness, researchers at the security firm FireEye created a proof of concept monitoring app and found a way to bypass Apple’s App Store Review process. Once installed on any non-jailbroken iOS 7.0.x device, the app could monitor any action taken on the device. Even the brand new 7.0.6 update released to fix an earlier security flaw is vulnerable to this exploit.

“Based on the findings, potential attackers can either use phishing to mislead the victim to install a malicious/vulnerable app or exploit another remote vulnerability of some app, and [can] then conduct background monitoring,” researchers at FireEye wrote.

The team said they’re currently working with Apple on a fix. In the meantime, you can avoid being keylogged by not allowing any questionable apps to run in the background. To see which apps are currently running on your iDevice just hit your home button twice; swipe left to see which apps are open and swipe up to close an app. Apple also offers users the ability to turn an app’s background refresher off, but FireEye noted that some apps can bypass that feature and still work in the background. “For example,” FireEye wrote, “an app can play music in the background without turning on its “background app refresh” switch. Thus a malicious app can disguise itself as a music app to conduct background monitoring.”

Two aspects of this proof of concept attack should cause alarm for the security community. First is the fact that the team could get an app through Apple’s usually stringent App Store entry process without being noticed. We’d have to know more about how exactly FireEye accomplished that, but it brings up many questions about how we can protect devices from apps that allow malicious behavior – whether by hackers or government hacksSecond is the fact that the app was keylogging every stroke on a device – no matter what the background refresh preference was. Both issues point to the fact that mobile security is really just at its’ beginning stages and there’s a lot left to learn. 

This new found flaw comes just four days after the first issue was announced and the iOS upgrade released. The SSL vulnerability allowed hackers to record and modify data in supposedly secure sessions in certain applications such as Safari, Mail, and others on both iOS and OS devices.  

We’ll keep you updated on this new flaw as information emerges. You can read FireEye’s original report here

The following two tabs change content below.
Sarah is in charge of social media and an editor and writer for the content team at Checkmarx. Her team sheds light on lesser-known AppSec issues and strives to launch content that will inspire, excite and teach security professionals about staying ahead of the hackers in an increasingly insecure world.

Latest posts by Sarah Vonnegut (see all)

Stay Connected

Sign up today & never miss an update from the Checkmarx blog

Get a Checkmarx Free Demo Now

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.