iOS 7 has dangerous keylogging vulnerability
When it rains, it pours. Sadly for Apple, it seems the company just cannot catch a break. Most recently, a nasty SSL bug was discovered in both iOS and OS X, which potentially enabled man-in-the-middle attacks and lessened security. While iOS was patched pretty quickly, OS X was not patched until earlier today.
While that alone is enough to damage a company's reputation on security, yet another Apple vulnerability has surfaced today. Security firm FireEye has discovered a keylogging-like bug in iOS 7, which could allow evil-doers to track all touchscreen and button presses.
"Background monitoring mobile applications has become a hot topic on mobile devices. Existing reports show that such monitoring can be conducted on jailbroken iOS devices. FireEye mobile security researchers have discovered such vulnerability, and found approaches to bypass Apple's app review process effectively and exploit non-jailbroken iOS 7 successfully. We have been collaborating with Apple on this issue", says FireEye.
The security firm further explains, "we have created a proof-of-concept 'monitoring' app on non-jailbroken iOS 7.0.x devices. This 'monitoring' app can record all the user touch/press events in the background, including, touches on the screen, home button press, volume button press and TouchID press, and then this app can send all user events to any remote server [...] Potential attackers can use such information to reconstruct every character the victim inputs".
Sadly, this bug even affects the recently released 7.0.6, which patched the SSL bug. The security firm is already working with Apple, so 7.1 will likely fix this vulnerability. However, users shouldn't be forced to wait that long -- 7.1 does not even have a definitive date yet. Hopefully Apple can get a patch out quicker.
In the interim, FireEye suggests closing all unnecessary apps by double tapping the home button and swiping up to close them. Even if you trust the app or it serves a valid purpose, there is no telling if this malicious code could be hidden inside. In other words, by design, hackers could hide the code in something like Flappy Bird. Even though the game runs and functions, it could be tracking you too.