Researchers at security firm FireEye are highlighting an exploit involving iOS’s multitasking architecture to enable a nefarious (or exploited) app to record user touch events, Home Button presses and other events even whilst the app is backgrounded. It has always been theoretically possible for apps to record touch events whilst foregrounded, as the app needs access to the touch input to respond to user events. However, FireEye are demonstrating that this is possible even when the iOS app is not frontmost.
The researchers claim they submitted a proof-of-concept to the App Store, including this covert tracking exploit, and it passed Apple’s approval process. The flaw affects all versions of iOS 7, as well as iOS 6.1. FireEye is in communication with Apple about this security hole, which means that Apple is likely to roll out a fix in an upcoming release.
In the meantime, the only way to protect yourself from this issue is to undertake (the rather impractical) task of consistently removing apps from the iOS 7 multitasking tray, which prevents any background operations from running.
FTC: We use income earning auto affiliate links. More.
So, you can keep listening to events in the BG.. And? What would a BG app do with touch events on a screen in the BG???
And what App’s do this? If no one does it, why stir up this issue?
Please give an example of a case where this is actually an issue of ‘security’???
There are over a million apps out there. Feel free to decompile all of them, analyse the code and present the results.
You could look at the x,y coordinates of the touches and reverse-engineer what buttons are being pressed. For instance, you could (with some work, granted) convert the x/y touch coordinates into keypresses on the iOS keyboard, making the exploit a keylogger for anything you type into the phone.
Exactly. Just because you don’t see why it’s an issue doesn’t mean it’s not an issue. A dev with malicious intentions could use that information to decode password input very easily, especially Apple ID’s, and apps that use a common email/password combination (hello bank apps).
That reply was meant for @marook, not you, Ben. Obviously you knew why it’s a security issue.