A newly reported iOS security bug allows malicious apps to monitor and record users’ touch input and key presses from the background. By exploiting a flaw in multitasking, such an app can capture information about the user’s input and send it to a remote server.
To demonstrate the bug, researchers built a proof-of-concept monitoring app, which can bypass Apple’s App Store review process. Once the app is installed on an iOS device, it captures key operations (keyboard, volume buttons and the Home button), touches on the screen with precise coordinates, Touch ID validation, and other information. The researchers also pointed out that even disabling background app refresh cannot stop a malicious program from recording data, and that the only solution is to manually remove the app from the task switcher.
The demonstration was carried out successfully on an iPhone 5s running iOS 7.0.4, and the same bug also exists in iOS 7.0.5, 7.0.6, and 6.1.x. The investigation shows that potential attackers can use phishing to mislead users into installing a malicious or vulnerable app, or can exploit a separate remote vulnerability in some apps, and then perform background monitoring.
Now that this iOS security bug has been found, we hope Apple Inc. can provide a corresponding solution as soon as possible.