While the security vendor has not spotted any large scale attacks exploiting the vulnerability, “there is an increasing possibility of targeted attacks,” Tao Wei, senior staff research scientist, FireEye, said.
“Normal people should be fine, but enterprise, government users should be warned about such a threat,” he said.
FireEye, who worked with Apple to fix the flaw, built a proof-of-concept monitoring app on non-jailbroken iOS 7.0.x devices. The app bypassed Apple’s app review process and recorded all of the user’s touch and press events in the background.
Activities captured included touches on the screen and the pressing of the home and volume buttons and the TouchID, which is Apple’s fingerprint reader on the latest iPhone. The app was also capable of sending all gathered data to a remote server.
“Potential attackers can use such information to reconstruct every character the victim inputs,” Wei and two other FireEye researchers said in a joint blog post.
Apple did not respond to a request for comment.
An attacker would first have to figure out how to get the monitoring app onto the iPhone or iPad, a difficult task given Apple’s vetting of all apps before they are available on its App Store, the only official store for iOS software.
Nonetheless, potential hackers could find a way through a phishing attack in which the user installs the app by clicking on a malicious link in a text message. Another path could be exploiting a remote vulnerability on another app.
“Thus people should know this vulnerability and the mitigation when they use their iPhone, iPad to store some sensitive information,” Wei said.
To mitigate the risk, FireEye recommends disabling all unnecessary or suspicious apps running in the background. To do that, iOS 7 users can press the home button on their device twice to enter the task manager and see the preview screens of opened apps. Swiping the screen upward shuts down the app.
FireEye is not the first company to build a proof-of-concept app to record a user’s touchscreen activity. Neal Hindocha, senior security consultant at Trustwave, recently demonstrated such an app on Android smartphones and tablets and jailbroken iOS devices.
Over the weekend, security researchers reported finding flaws in iOS and Mac OS X that made it possible to intercept information transmitted over public Wi-Fi networks. Apple has released patches for the vulnerabilities.