ipadair.jpg

After Apple patched a security flaw in iOS, another just popped up. According to network security company FireEye, this bug is in the latest version of iOS and it can let malicious apps see all your keystrokes.

The security company was able to push a proof-of-concept app through the App Store and used iOS 7's multitasking capabilities to snoop in all your activity in the background. They say:

We have created a proof-of-concept "monitoring" app on non-jailbroken iOS 7.0.x devices. This "monitoring" app can record all the user touch/press events in the background, including touches on the screen, home button press, volume button press and TouchID press, and then this app can send all user events to any remote server, as shown in Fig.1. Potential attackers can use such information to reconstruct every character the victim inputs.

Note that the demo exploits the latest 7.0.4 version of iOS system on a non-jailbroken iPhone 5s device successfully. We have verified that the same vulnerability also exists in iOS versions 7.0.5, 7.0.6 and 6.1.x. Based on the findings, potential attackers can either use phishing to mislead the victim to install a malicious/vulnerable app or exploit another remote vulnerability of some app, and then conduct background monitoring.

The issue will only come about if you've downloaded something shady. The only way to be sure something isn't watching you in the background is to open the multi-tasking menu with a double tap and swipe away everything you don't trust.

Either that, or don't download apps that are weird sounding or ones that look suspicious - however they may be.

[FireEye via Ars Technica]