Security company FireEye is reporting a new keylogging flaw inside iOS7 that would allow an app to record what you’re typing and send that data to the server of its choice. Both Gigaom and Ars Technica are reporting this via FireEye’s blog. This has been a serious past few days for Apple, iOS and OSX. First there was the SSL security flaw found in iOS7 and OSX, read more here. Apple managed to push out a fix very fast for the iOS7 SSL flaw but their OSX platform still remains unpatched. Now FireEye is just compounding the bad news for the company and they’re likely scrambling to get it researched and patched. It is important to note that this flaw only applies to apps that run the monitoring code to use the flaw. Here’s what FireEye had to say.
“We have created a proof-of-concept “monitoring” app on non-jailbroken iOS 7.0.x devices. This “monitoring” app can record all the user touch/press events in the background, including touches on the screen, home button press, volume button press and TouchID press, and then this app can send all user events to any remote server, as shown in Fig.1. Potential attackers can use such information to reconstruct every character the victim inputs.
Note that the demo exploits the latest 7.0.4 version of iOS system on a non-jailbroken iPhone 5s device successfully. We have verified that the same vulnerability also exists in iOS versions 7.0.5, 7.0.6 and 6.1.x. Based on the findings, potential attackers can either use phishing to mislead the victim to install a malicious/vulnerable app or exploit another remote vulnerability of some app, and then conduct background monitoring.”
Generally Apple’s security is top notch but there is obviously someone possibly sleeping at the wheel this week (tongue in cheek). For the most part Apple has done well in responding to these types of issues and we’re sure they will do the same for this. Although we are still anxiously waiting the fix for the SSL flaw in OSX, the company hasn’t given any timeline as to when that will happen.