A possible security vulnerability in iOS devices could let snoops record every key you tap and more, according to researchers from California-based security company FireEye. Reportedly, the vulnerability is found in iOS versions 7.0.4, 7.0.5 and 7.0.6 as well as 6.1.x, and it affects even phones that have not been jailbroken.
Using this vulnerability, FireEye says it created a proof-of-concept app that was able to record all taps on the screen (this is often called keylogging) as well as presses of the home button, volume button and TouchID, and then send that information to a remote server. Attackers could use such data to reconstruct sensitive information such as passwords, websites visited, texts, chats and more.
Targets would have to be tricked into downloading a malicious or vulnerable app that was capable of taking advantage of this vulnerability. "Based on the findings, potential attackers can either use phishing to mislead the victim to install a malicious/vulnerable app or exploit another remote vulnerability of some app, and then conduct background monitoring," FireEye researchers Min Zheng, Hui Xue and Tao Wei wrote in a company blog post.
Details in the post are light, but it appears that the vulnerability that FireEye's proof-of-concept exploits is located in the way affected iOS devices handle multitasking, or apps that run in the background. To protect your phone from this type of attack, FireEye says you can limit the number of apps that run in the background by going into the device's settings and disabling "background app refresh."
Apple has not commented on FireEye's claims, and a third-party security researcher has yet to confirm either the vulnerability or the proof-of-concept. If it's true, this will be Apple's second serious security crisis in a week. Last Friday, Apple patched a serious iOS vulnerability dubbed "goto fail" that let hackers break the SSL/TLS protection in Internet sessions to capture users' traffic data.
UPDATE: The issue is now patched on Mac OS X devices as well.