There are reports from a trusted source that new bug in iOS 7, and even in little older iOS 6, versions can send all your keylogging data back to any third party server which then can translate it to know what you are typing and where you are tapping.
If you remember, few days ago a SSL bug was discovered in SSL handling security code which was later fixed in the latest iOS 7.0.6 update. The same bug is still present in OS X Mavericks and Apple has promised to release a new update of this OS too to patch the loophole.
This new bug, though, is not as serious as is SSL bug until and unless you install any app from untrusted source. But if you install any new app of unknown developer to test it or to know how it performs, you are at risk. Any developer can incorporate few lines of code in the app which can send back all the data related to your activity on the device. It can record every keylog in a file and then send it back to the hacker which can then convert it into something meaningful.
FireEye reported through his blog post that they have successfully bypassed the Apple’s approval process and got listed their app in the App Store containing the code which can send back the keylogging. They also say that all devices, both non-jailbroken and jailbroken, are equally susceptible to this bug.
We have created a proof-of-concept “monitoring” app on non-jailbroken iOS 7.0.x devices. This “monitoring” app can record all the user touch/press events in the background, including touches on the screen, home button press, volume button press and TouchID press, and then this app can send all user events to any remote server, as shown in Fig.1. Potential attackers can use such information to reconstruct every character the victim inputs.
They have also posted a screenshot to support their discovery.
They say every app which can run in the background, like any music app etc, can take advantage of this issue. Such apps can easily monitor every movement without disturbing any connection between user and iPhone.
As usual Apple is silent on this matter too as they don’t respond promptly on every new security issue until they release the fix for it. FireEye also tell us that they have escalated the issue in front of Apple and that they are working with Apple to find more details about it.
Until Apple sends out another update to fix this new bug, one solution is to not install any app from non-trusted developers. If you have already installed some app from unknow developers, either remove them temporarily or close them in the switchers too when you leave them. Don’t let them sit in the background.
Source: ArsTechnica
