We should get used to it.

Like it or not, iOS is becoming more attractive to the nefarious. The ubiquity of Windows on the PC side sort of saves OSX by 'security through obscurity'. But iOS? All the metrics say iOS is the most profitable, most traffic, most etc. Criminals go where they get the biggest bang for the buck.

Hopefully this wasn't exploited. Not everyone is going to contact Apple about flaws.
 
Like it or not, iOS is becoming more attractive to the nefarious. The ubiquity of Windows on the PC side sort of saves OSX by 'security through obscurity'. But iOS? All the metrics say iOS is the most profitable, most traffic, most etc. Criminals go where they get the biggest bang for the buck.

The good thing is this wasn't exploited. Not everyone is going to contact Apple about flaws.


How do you know it wasn't exploited?
 
The way Ars Technica phrased it it sounded like they'd managed to slip it past Apple's review policy and not 'find a way around it', which just sounds like they sideloaded it.
 
Maybe Apple needs to add another level of security in the privacy area to block apps from reading all the sensors in the background.
My big complaint is that apps can freely use the cameras (not camera roll) without permission and transmit photos unaware. There needs to be a permission for camera access as well, there's already one for the microphone.
 
Remember how bad Steve Jobs kept all the bad news closed and no one knew the real deal? I miss Steve… only the advanced users could find the bugs...
 
If you know the exact coordinates you can simply overlay the iOS Keyboard and extract everything the user typed in, including passwords, logins or other personal information. :rolleyes: But yeah, no security issue here. LOL.

Two things make this very minor. First, it does not look like the attacker has any way of knowing what app is active. It is hard to tell if you are typing a password or clicking out a game of Flappy Bird. Second, the app needs to get into the App Store, trick people into installing it and avoid detection of the malicious activity. Remember Apple has a kill switch on third party apps.
 
If they are "actively working with Apple," why are they publicizing the flaw and putting out a proof of concept to the public before there is a fix?
 
So, we are told basically do not go into any non-trusted wifi, e.g. airport or hotel. I am traveling in a few days so what do I do? Can anyone more versed than me tell me? VPN? Use iPhone as router so it's not using the totally accessible wifi?

If you're referring to the *previous* bug - the one involving SSL and networks (sounds like you are) then that bug has been patched. Just simply update your iOS via iTunes or within the phone, and use wifi as you normally do.

If you're speaking of the bug in this thread - the potential app-touch-monitoring issue - chances are you have nothing to worry about. If you're feeling paranoid, close non-Apple apps you're not using, and don't download sketchy new ones if you're jailbroken...
 
It requires that a). someone else has discovered the same method, b). has managed to sneak it onto the Appstore. c). has managed to get their app popular enough for a lot of people to download and d). that you actually have installed this app yourself.

When hundreds of millions of people are using a device/service, all those things you mentioned will happen very regularly.

My point is that companies need to put security as top priority. They all say that security is the #1 issue, however as we find out everyday, it's really not.

Maybe pass a law that states when a company loses personal info to hackers, maybe they need to pay each person $50.00. You'll see how quickly security gets moved up the list of priorities.

Between lax security, NSA, and hackers (the latter two can be interchanged), we are fighting an uphill battle.
 
If you don't like long-running myths, you can choose Android where insecurity is a long-running fact.

Is it a fact? I've never been hacked. Then again I don't install shady looking apps from seedy third party sites. I've never heard of an Android exploit that literally renders SSL useless.
 
When hundreds of millions of people are using a device/service, all those things you mentioned will happen very regularly.

Really? You started out by pasting in a response from the SSL thread. My point was that this is very different and you can't simply cut and paste in the same response and say that "the message" is the same, it isn't. There have been these types of proof of concept shown before, it's not the same thing as a misbehaving popular application in the wild. Where are the reports about those apps?
 
After all those years of PC bashing, and that smug I'm a Mac / I'm a PC campaign, Apple finally gets a taste of what happens when your market share grows and you become popular.

Time for Apple to get off their asses and take security seriously, they cannot continue to have the same attitude, cause they are now in the firing line.

Only a few years ago I was smug myself while on the Mac, now I am concerned that I face the same dangers just like PC or Android.
 
While it is not my intent, in any way, to defend Apple's software weaknesses...if I read the article correctly there is no mention of any current apps exploiting this weakness...simply demonstrating a bug.

Researchers from security firm FireEye have revealed a new bug in iOS that enables a malicious app...

To demonstrate the flaw, the researchers created a proof-of-concept monitoring app and developed approaches to "bypass" Apple's App Store Review process effectively.
 
Well it's certainly bad news that the exploit is there, but on the up shot at least it's now known and will be fixed promptly.

Too bad they haven't fixed the Safari problems in iOS 7 promptly. It's been about 5 months and still the random crashing and continual page reloading.
 
Duh

Yes why can't we know what apps have done this?

Because none have! Just yet another "well yeah you'd have to physically install the app on your phone" supposed security threat.
 
serious ouch

I know it's standard-Apple to not comment or respond to security issues until they have a fix but when this one settles, I'd sure like to know how long it has been there.

This has "NSA" written all over it.
 
I know it's standard-Apple to not comment or respond to security issues until they have a fix but when this one settles, I'd sure like to know how long it has been there.

This has "NSA" written all over it.

You know that someone can write a key logger on any platform then fool the user to install it by masquerading as a legit app right? The difference here is that the app needs to pass Apple's review process and must explicitly be started and put in the background by the user.
 
If they are "actively working with Apple," why are they publicizing the flaw and putting out a proof of concept to the public before there is a fix?

Publicity + bragging rights x moronic behavior
 
Too bad they haven't fixed the Safari problems in iOS 7 promptly. It's been about 5 months and still the random crashing and continual page reloading.

I think Apple is not considering this a problem.
I also think that acknowledging page reloading as a problem would show Apple as the real "Mr. Scrooge" of vendors. It will also put the "Web usage statistics from mobile devices" directly in the trash can.
I wish my current knowledge of English was better to express my thoughts in a more concrete way
 