Security researchers highlight iOS flaw that enables hidden logging of touch events and other actions

fig1

Researchers at security firm FireEye are highlighting an exploit involving iOS’s multitasking architecture to enable a nefarious (or exploited) app to record user touch events, Home Button presses and other events even whilst the app is backgrounded. It has always been theoretically possible for apps to record touch events whilst foregrounded, as the app needs access to the touch input to respond to user events. However, FireEye are demonstrating that this is possible even when the iOS app is not frontmost.

Author Ad Placeholder
Will only appear on redesign env.

The researchers claim they submitted a proof-of-concept to the App Store, including this covert tracking exploit, and it passed Apple’s approval process. The flaw affects all versions of iOS 7, as well as iOS 6.1. FireEye is in communication with Apple about this security hole, which means that Apple is likely to roll out a fix in an upcoming release.

In the meantime, the only way to protect yourself from this issue is to undertake (the rather impractical) task of consistently removing apps from the iOS 7 multitasking tray, which prevents any background operations from running.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

  1. So, you can keep listening to events in the BG.. And? What would a BG app do with touch events on a screen in the BG???
    And what App’s do this? If no one does it, why stir up this issue?

    Please give an example of a case where this is actually an issue of ‘security’???

    • Jurgis Ŝalna - 9 years ago

      There are over a million apps out there. Feel free to decompile all of them, analyse the code and present the results.

    • Benjamin Mayo - 9 years ago

      You could look at the x,y coordinates of the touches and reverse-engineer what buttons are being pressed. For instance, you could (with some work, granted) convert the x/y touch coordinates into keypresses on the iOS keyboard, making the exploit a keylogger for anything you type into the phone.

      • rrobinson1216 - 9 years ago

        Exactly. Just because you don’t see why it’s an issue doesn’t mean it’s not an issue. A dev with malicious intentions could use that information to decode password input very easily, especially Apple ID’s, and apps that use a common email/password combination (hello bank apps).

      • rrobinson1216 - 9 years ago

        That reply was meant for @marook, not you, Ben. Obviously you knew why it’s a security issue.

Author

Avatar for Benjamin Mayo Benjamin Mayo

Benjamin develops iOS apps professionally and covers Apple news and rumors for 9to5Mac. Listen to Benjamin, every week, on the Happy Hour podcast. Check out his personal blog. Message Benjamin over email or Twitter.