Even if your iPhone or iPad hasn’t been jailbroken, malicious apps have the ability to record and transmit every keystroke or touch you make on Apple devices running the iOS 7 mobile operating system, thanks to a second security vulnerability that has just been discovered.
A proof-of-concept app created by security firm FireEye has shown that hackers are able to covertly monitor users’ handsets, and there is currently no fix for the problem: the vulnerability affects not only iOS versions 7.0.4, 7.0.5 and 6.1.x, but also the latest version of iOS 7 – namely version 7.0.6 – which was only just released over the weekend.
Apple released the new update to fix a critical flaw, found on 8 January, in the Secure Sockets Layer (SSL) code, which is used to create secure connections between iOS devices and websites by authenticating SSL certificates.
One flaw fixed, another pops up
Cybercriminals use fake SSL certificates to pretend to be a popular website so that they can capture users’ login details, and this is a problem for both iOS devices running iOS 7 and Apple Mac computers running OS X Mavericks 10.9.1.
While one flaw may have been fixed, this new security flaw makes it even easier for hackers to spy on users, as the flaw is able to bypass Apple’s strict app review process.
A user could be tricked into downloading a malicious app by a phishing website, but cybercriminals could also choose to exploit a vulnerability in an innocent-looking app so that the app quietly monitors every single touch the user makes on the smartphone screen, as well as presses on the home button, volume button or TouchID.
All this data can then be quietly sent from the app to a remote server, where cybercriminals would be able to reconstruct passwords from the characters the user typed.
What you can do now
“Before Apple fixes this issue, the only way for iOS users to avoid this security risk is to use the iOS task manager to stop the apps from running in the background to prevent potential background monitoring,” FireEye researchers Min Zheng, Hui Xue and Tao Wei wrote in a blog post.
“iOS7 users can press the Home button twice to enter the task manager and see preview screens of apps opened, and then swipe an app up and out of preview to disable unnecessary or suspicious applications running on the background.”
Last month, IBTimes UK showcased a piece of malware that a Trustwave researcher produced to infect Android devices and jailbroken iOS devices, but FireEye says that its app and research were conducted independently, prior to the Trustwave research.