Security Firm Reveals New iOS Keystroke Flaw

iPhone News · Feb 25, 2014

AppleInsider reports today on more possible security woes for Apple, with the apparent discovery of* a new keystroke flaw in iOS. The flaw was found by security firm FireEye, and initially reported on by ArsTechnica. Detailing the apparent security vulnerability in a blog post, FireEye said that the discovered flaw exploits iOSs built-in multitasking features. […]

Read more...

Skull One · Feb 25, 2014

This is probably one of the more interesting security flaws in iOS to date. Being able to reverse parse passwords and unlock swipes is a very serious issue. Lets see how fast they post iOS 7.1 now.

Pinkpoison · Feb 25, 2014

Skull One said:
This is probably one of the more interesting security flaws in iOS to date. Being able to reverse parse passwords and unlock swipes is a very serious issue. Lets see how fast they post iOS 7.1 now.

The sooner the better.

thewitt · Feb 26, 2014

I don't believe they can install a keystroke logger around the iTunes Store on a stock device and break the barrier between apps. Sorry. The blog post has been conveniently removed so my guys cannot attempt the hack, but the walls between apps are very secure on a stock iOS device. Jail broken? No doubt. Stock? I doubt it.

Skull One · Feb 26, 2014

thewitt said:
I don't believe they can install a keystroke logger around the iTunes Store on a stock device and break the barrier between apps. Sorry. The blog post has been conveniently removed so my guys cannot attempt the hack, but the walls between apps are very secure on a stock iOS device. Jail broken? No doubt. Stock? I doubt it.

The blog is still up and all the info from yesterday is still there. Also it was done on a non-jailbroken device. Background Monitoring on Non-Jailbroken iOS 7 Devices ? and a Mitigation | FireEye Blog

BTW, your assumption on how iOS works is actually very incorrect. The wall between apps is at the DATA level, not at the interface level. Since there is only one set of API calls for dealing with the touch screen, the only way to truly keep one app from seeing what the other app is doing it to virtualize each instance of an app in its own version of iOS. Which would require more memory and CPU than is currently available in the iPhone 5S. Android tried to use their DALVIK VM to secure their apps from this issue, but they failed for the same reason. They didn't virtualize the OS with each app.