He found that by recording the X and Y coordinates of each touch and mapping them onto screenshots of the app in the foreground, he could effectively keylog a touch screen. The only drawback was that it required a jailbroken iOS device or a rooted Android device to work.
But now, working independently on the same task, FireEye has demonstrated that a similar process can be made to work on standard non-jailbroken iOS 7 devices using background monitoring – and has even developed a proof-of-concept app to demonstrate it. "This 'monitoring' app," the company blogged Monday, "can record all the user touch/press events in the background, including touches on the screen, home button press, volume button press and TouchID press, and then this app can send all user events to any remote server."
From what is received, the server can build a complete history of everything done on the target – just as keyloggers do for desktop computers. This new flaw in iOS is an additional embarrassment for Apple, coming hard on the heels of an emergency fix for an SSL implementation error that would have allowed attackers to mount a man-in-the-middle attack and read traffic the user believed was encrypted and secure.
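To make concrete how raw touch coordinates become keystrokes on the server side, here is an added example that is not code from the article or from FireEye's proof of concept. Instead of matching touches against screenshots as the article describes, it assumes a fixed, hypothetical portrait keyboard geometry (screen size, row positions and key widths are all made up for the illustration) and a constructed event format with one record per touch, home, volume or TouchID event; the sample events are constructed too.

```python
"""
Added example (not from the Infosecurity article or FireEye's proof of concept):
reconstruct typed text on a server from logged touch coordinates by mapping
each touch into a key rectangle of a hypothetical portrait keyboard layout.
Screen size, layout geometry, event format and sample events are all assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical screen size in points; real devices and orientations differ.
SCREEN_W, SCREEN_H = 320, 568

# Hypothetical QWERTY layout: three letter rows plus a space bar.
# Rows start at y=364 and are KEY_H points tall; letter keys are KEY_W wide.
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
ROW_Y0 = 364
KEY_H = 48
KEY_W = SCREEN_W / 10

Rect = Tuple[float, float, float, float]  # (x0, y0, x1, y1)


def build_layout() -> Dict[str, Rect]:
    """Compute a key rectangle for every character in the assumed layout."""
    layout: Dict[str, Rect] = {}
    for r, row in enumerate(ROWS):
        # Shorter rows are centred, as on a phone keyboard.
        offset = (SCREEN_W - len(row) * KEY_W) / 2
        for i, ch in enumerate(row):
            x0 = offset + i * KEY_W
            y0 = ROW_Y0 + r * KEY_H
            layout[ch] = (x0, y0, x0 + KEY_W, y0 + KEY_H)
    # Space bar below the letter rows, spanning the middle of the screen.
    layout[" "] = (KEY_W * 2, ROW_Y0 + 3 * KEY_H, SCREEN_W - KEY_W * 2, SCREEN_H)
    return layout


LAYOUT = build_layout()


@dataclass
class TouchEvent:
    t: float          # timestamp, seconds since start of capture
    app: str          # foreground app the capturing app believes is active
    kind: str         # "touch", "home", "volume" or "touchid" (the event kinds FireEye lists)
    x: float = 0.0    # screen coordinates, only meaningful for kind == "touch"
    y: float = 0.0


def key_for_point(x: float, y: float, layout: Dict[str, Rect] = LAYOUT) -> Optional[str]:
    """Return the key whose rectangle contains (x, y), or None if none does."""
    for ch, (x0, y0, x1, y1) in layout.items():
        if x0 <= x < x1 and y0 <= y < y1:
            return ch
    return None  # touch landed outside the keyboard, e.g. on the app's own UI


def reconstruct(events: List[TouchEvent]) -> Dict[str, str]:
    """Build a per-app history of decoded keystrokes and button presses."""
    history: Dict[str, List[str]] = {}
    for ev in sorted(events, key=lambda e: e.t):
        buf = history.setdefault(ev.app, [])
        if ev.kind != "touch":
            buf.append(f"<{ev.kind}>")      # hardware button, no coordinates
            continue
        ch = key_for_point(ev.x, ev.y)
        buf.append(ch if ch is not None else "<tap>")
    return {app: "".join(keys) for app, keys in history.items()}


# Constructed sample capture: the user types "hi ", taps somewhere in the app
# UI, then presses the home button.
SAMPLE_EVENTS = [
    TouchEvent(0.0, "bank", "touch", 190, 430),   # inside 'h'
    TouchEvent(0.3, "bank", "touch", 240, 380),   # inside 'i'
    TouchEvent(0.6, "bank", "touch", 150, 540),   # inside the space bar
    TouchEvent(0.9, "bank", "touch", 100, 100),   # outside the keyboard
    TouchEvent(1.5, "bank", "home"),
]


def demo() -> Dict[str, str]:
    return reconstruct(SAMPLE_EVENTS)


if __name__ == "__main__":
    print(demo())
```

The point of the example is that the device-side component never needs to know what was typed; it only ships coordinates and event types, and all the interpretation (which keyboard was showing, which app was in front) happens on the attacker's server, which is why the original researcher paired the coordinates with screenshots of the foreground app.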
All an attacker would need in order to exploit the weakness FireEye describes is a little social engineering or phishing to persuade the user to install a malicious app, or a remote vulnerability in an app already installed, so that background monitoring can be started. Because it works in the background, there would be nothing visible to warn the user. There is a setting in iOS 7 for 'background app refresh,' but this, says FireEye, can be bypassed.
"For example," it blogged, "an app can play music in the background without turning on its 'background app refresh' switch. Thus a malicious app can disguise itself as a music app to conduct background monitoring."
"We have," FireEye told Infosecurity, "sent a detailed report to Apple about the vulnerability and the approaches to bypass the review process; and Apple acknowledged them and is working on a fix." In the meantime, blogged the company, "the only way for iOS users to avoid this security risk is to use the iOS task manager to stop the apps from running in the background to prevent potential background monitoring. iOS7 users can press the Home button twice to enter the task manager and see preview screens of apps opened, and then swipe an app up and out of preview to disable unnecessary or suspicious applications running in the background."