Researchers at security firm FireEye are highlighting an exploit that uses iOS’s multitasking architecture to let a nefarious (or exploited) app record user touch events, Home Button presses and other events even whilst the app is backgrounded. It has always been theoretically possible for apps to record touch events whilst foregrounded, as the app needs access to the touch input to respond to user events. However, FireEye are demonstrating that this recording is possible even when the iOS app is not frontmost.
The researchers claim they submitted a proof-of-concept to the App Store, including this covert tracking exploit, and it passed Apple’s approval process. The flaw affects all versions of iOS 7, as well as iOS 6.1. FireEye is in communication with Apple about this security hole, which means that Apple is likely to roll out a fix in an upcoming release.
In the meantime, the only way to protect yourself from this issue is to undertake the (rather impractical) task of consistently removing apps from the iOS 7 multitasking tray, which prevents any background operations from running.