Every tap, touch, and press you make on your iPhone and iPad could be monitored and captured remotely due to an iOS security flaw. At least, that's the claim from security firm FireEye.
In a blog post published Monday, FireEye researchers said they conducted a test on non-jailbroken iOS 7.0.x devices in which they installed a "monitoring" app. This app was able to record all touch and press events in the background, including screen touches, home button presses, volume button presses, and TouchID presses. Based on its findings, the team concluded that an attacker could use such an app to remotely obtain keystrokes and screen touches on an iOS device, thereby reconstructing "every character the victim inputs."
The flaw reportedly lies in the way background apps run on an iPhone or iPad, as those apps can detect all keystrokes and touch inputs made on the device. Disabling the Background App Refresh setting can prevent the background monitoring, though a malicious app disguised as a music program could still conduct such monitoring.
And though the researchers used a device running iOS 7.0.4, they said the same vulnerability exists in iOS versions 7.0.5, 7.0.6 and 6.1.x.
Of course, an iOS user would have to somehow allow the malicious app to be installed in the first place. Apple does impose strict requirements on the apps allowed in the App Store. FireEye was able to install its test app on a non-jailbroken device, though it didn't explain how.
Until Apple patches the problem, the only way to avoid the flaw is to trigger the iOS task manager to manually shut down apps running in the background, according to FireEye. Double-tapping the Home button displays all background apps. Swiping a background app in iOS 7.0.x then closes the app.
What is Apple's take on this reported security bug? The FireEye researchers said they've been collaborating with the company on this issue. CNET contacted Apple for comment and will update the story if the company responds.
Apple is already grappling with a security flaw that affects OS X as well as iOS. The flaw could allow an attacker to capture and modify data supposedly protected by SSL, or Secure Sockets Layer. The launch of iOS 7.0.6 late last week patched the hole for mobile devices. OS X remains exposed, though Apple has promised a fix there as well.