Interested in learning what's next for the gaming industry? Join gaming executives to discuss emerging parts of the industry this October at GamesBeat Summit Next. Register today.
Researchers have known for some time that jailbroken iOS 7 devices can be vulnerable to a keylogger that records and transmits every key stroke or touch. Now, a security firm has found a similar flaw in non-jailbroken iOS devices.
A proof-of-concept “monitoring” app, developed by FireEye and described in its blog on Monday night, can record and transmit in the background all touch or press events, including screen touches, home button press, volume button press, and TouchID press.
The app works on versions 7.0.4, 7.0.5, 7.0.6, and 6.1.x.
It can be installed via phishing or through a weakness in another app, the researchers said, and it can get through Apple’s review process. FireEye said it is “collaborating with Apple on this issue.”
MetaBeat will bring together thought leaders to give guidance on how metaverse technology will transform the way all industries communicate and do business on October 4 in San Francisco, CA.
Users can turn off “Background App Refresh,” which could help prevent the app from monitoring. But, FireEye points out, background music in an app does not need Refresh permission, and a malicious app could pretend to be background music.
FireEye recommends a more reliable fix until Apple has one: Stop apps from running in the background through task manager:
“iOS7 users can press the Home button twice to enter the task manager and see preview screens of apps opened, and then swipe an app up and out of preview to disable unnecessary or suspicious applications running [in] the background.”
For keyloggers, smartphones and tablets are the new frontier — they are not only new platforms, but much of their input is via a touchscreen instead of alphanumerics. Another security firm, Trustwave, recently announced that it has been able to create proof-of-concept malware for Android smartphones/tablets and jailbroken iOS devices that captures and transmits screenshots and X-Y coordinates of touches.
News of this most recent keylogger vulnerability comes on the heels of fixes for other iOS 7 issues. Most recently, Apple released on Friday version 7.0.6 to fix SSL encryption used to protect confidential info.
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.