
Touch input being monitored in the background (Source: FireEye)
No fix from Apple for this issue yet

Security researchers have already proven that apps placed on jailbroken iOS devices can enable background monitoring by third parties. However, security researchers from FireEye have announced that they have found a vulnerability on iOS 7 devices that allows the bypassing of the official app review process and allows the exploitation of iOS devices that aren’t even jailbroken.
The researchers say that they created a proof-of-concept monitoring app that is able to record all of the user’s touch/press events in the background, including touches on the screen, home button presses, volume button presses, and Touch ID presses. That data can then be sent to any remote server.
Attackers using this vulnerability could then use the data to reconstruct all the characters entered by the victim. The demo app that the researchers created exploits iOS 7.0.4 on a non-jailbroken iPhone 5S smartphone. The exploit has also been verified as working on iOS 7.0.5, 7.0.6, and 6.1.x.
The researchers say that users of iOS 7 can turn off Background App Refresh to mitigate the vulnerability. However, music apps are able to play music in the background without needing to enable Background App Refresh. That means that apps can disguise themselves as a music app to conduct background monitoring.
The researchers say that until Apple issues a fix, the only way to stop this is to stop all apps from running in the background.
Word of this exploit comes just days after Apple patched a serious SSL flaw in both OS X Mavericks and iOS 7.

Source: FireEye


By p05esto on 2/26/2014 9:54:10 AM , Rating: 4
Of course Apple followers will give Apple a free pass on this as well as all other security issues. Most will never have a clue about the serious risks of using Apple products because they don't read tech sites and don't even know what SSL is.

RE: yea
By amanojaku on 2/26/2014 10:38:25 AM , Rating: 3
For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.
Translation: if no one knows about it, we can pretend it doesn't exist. If someone knowledgeable discovers it, we can claim the risk is low since only a "genius" can exploit it. Could Microsoft or Google get away with this? Of course not.

Thought this was funny:
Former Apple Security Engineer To Apple: 'Fix Your Sh-t'

The beauty of the SSL bug is that it's not limited to Safari. Several programs use the Safari code as a base.
Apple's 'Gotofail' Security Mess Extends To Mail, Twitter, iMessage, Facetime And More

RE: yea
By Motoman on 2/26/14, Rating: -1
RE: yea
By bankerdude on 2/26/2014 12:04:15 PM , Rating: 2
Everyone else just needs to do their own thing and ignore Apple, and all of Macolytes that go with it.

Here's the problem with that: so many people buy Apple, that the market for 3rd party accessories is dominated by Apple. For instance, it drives me nuts every time I look at a high end audio receiver and one of the features it touts is ipod/phone compatibility and an ipod dock. I don't use Apple products so that gives me exactly zero benefit but because so many people do the market caters to them and brings out product sets based on them. Same thing with car stereo compatibility, portable speaker systems, etc. We can't just ignore Apple and all their macolytes, they are not going to go away and they can significantly sway manufacturing decisions based on their sheer numbers.

RE: yea
By Motoman on 2/26/2014 12:10:12 PM , Rating: 2
We can't just ignore Apple and all their macolytes, they are not going to go away and they can significantly sway manufacturing decisions based on their sheer numbers.

But there's nothing you can do about it so...won't worry about it.

At any rate, the one and only feature any audio anything needs to "integrate" with any cellphone or audio player is an audio-in minijack.

That and a $1 cable from Monoprice, and you're good to go.

RE: yea
By aurareturn on 2/26/2014 3:13:36 PM , Rating: 2
No one buys Apple products because of their security. Or quality. Or price. Or features. Or...anything that a rational person would consider when purchasing a product.

This is why Apple has never been harmed by the irrefutable fact that they put out wildly overpriced, poorly engineered, non-QAd products frequently missing obvious features.

Those things don't matter to Apple consumers. Either you're an Apple consumer, or you're not. And if you doesn't matter what the next iThing does or doesn't're going to buy one, period.

No one competes with Apple. Only Apple competes with Apple. Everyone else just needs to do their own thing and ignore Apple, and all of Macolytes that go with it. Either they'll figure things out on their own someday, or they won't. Nothing that can be done about it by an outside force either way.

I hope you're joking. Apple consistently puts out the highest quality products with the most attention to details and the most R&D into user experience design. Look at benchmarks. Read the reviews. Look at the sheep companies that follow exactly what they put out.

Anand, the owner of this site is a heavy Apple user. Does he know nothing also?

RE: yea
By Reclaimer77 on 2/26/2014 5:43:19 PM , Rating: 2
Anand, the owner of this site is a heavy Apple user. Does he know nothing also?

Yes and you can tell. This is the kind of nonsense that infects your thought process when you become part of the cult of Apple:

Translation: Apple doesn't offer these features, so I'll just pretend they don't exist when I review phones. And I'll use half-baked reasoning as to why clear added value, isn't REALLY added value.

Seriously the quality of Anandtech, their objectivity, is honestly suspect today. And it's all because of a clear pro-Apple personal bias from Anand himself.

I never EVER thought I would be saying that. I used to worship Anandtech, their word was law as far as I was concerned. Now? I'm not so sure.

RE: yea
By Imaginer on 2/26/2014 9:33:46 PM , Rating: 2
It is even more evident with the Surface Pro devices, in operation and handling.

Some of the tidbits:

"It could move to a thinner design this year and drop performance by going to a 6W Haswell SKU, keep performance the same but pay a thermal penalty with a 15W Haswell or wait until Broadwell next year to shrink the chassis (hopefully without much of an associated performance reduction). I can understand why Microsoft chose the latter, it’s still just frustrating as I would’ve loved a thinner/lighter Surface Pro."

And just above the taken apart internals...

"As Surface Pro 2 is rather thick by Ultrabook standards, you get the full performance of the 4200U. I ran a multithreaded Cinebench 11.5 test on Surface Pro 2, comparing it to Apple’s 13-inch 2013 MacBook Air under Windows 8. The two deliver identical performance, just in different form factors:"

But the pictures below show the design tradeoff - the needed fans and thermal blocks in case of the thermal envelope being needed to be pushed (unplugged or plugged in otherwise). This would prevent things such as the chassis becoming a hot plate. This of course, I have not experienced at all. It also shows an almost symmetry that the intended lead designer of the Surface had to go with in weight balance, of which he glossed over. He also failed to mention the cost reasons for a short design cadence that would have to be prolonged if considering other cooling devices and a chassis rework (never mind a separate SKU for the Surface Pro dock).

From a full analysis standpoint, he never made bridging analysis connections.

His quote on the pen, which is a very deciding factor for me (along with the deployability of the type covers - which is why I passed on the earlier released Samsung ATIV Smart PC Pro 700T) says this too.

"The tablet is a bit awkward to hold with the pen in place, and there’s also the problem of where do you store the pen if you’re using the tablet while plugged into the wall, but I suppose it’s better than nothing."

Never mentioned that pocket clip? Some styluses do not even have that at all. Some pens not so much either. Yet the Surface Pro pen has this. A very viable storage option, even in this day and age.

And this...

"Wacom’s own tablets let you switch to mouse mode, allowing you to use the pen as a mouse to place your cursor wherever you want it. Pen mode is something you may or may not be able to get used to, but it’s worth pointing out that the inflexibility is a limitation of Surface Pro’s pen implementation."

Not true. You can use the pen as you would a mouse pointer. Left clicking by normal pen tapping, right click by holding down the pen tip to the position. In all cases, there would be a cursor in many third party programs. Anand may have expected an arrow cursor to move, which is not how Tablet PCs work in general if using a pen.

Throw in the fact that he primarily heads articles with Apple products and occasionally the most vouched for Android product, along with sparse releases of technical articles - the major ones involve a drastic architecture... of which would not matter to begin with on Apple's side of things, point to point, in the consumer mind - All Anand needs to do is just blanket review the end user experience.

And Android devices, there isn't much he gives glances over. Even if he does review the industry SoC side of things, since there isn't the notion that we can swap out chips and boards like with PCs, we have to look and follow where these chips go to, which is only in a handful of OEM device makers - which he doesn't personally review or care for (time wise, I understand). But it should be a collaborative review process, to get a fuller gamut of "opinions" in the end.

Back then, Anandtech had the resources to verify and vouch for stability in components, mainly motherboards. I have used the site as a standard for such. Today? None of that matters, as OEM boards have pretty much gotten up to par in methodology (most of the major brands). They have become subjective as any other blog sites now.

Far less technical objectivity, and even less analytical, with grown more bias. I expect the Lumia Icon to be reviewed when Phone 8.1 comes around - perhaps with a re-review of any past Phone 8 device. But that is expected since the substance of articles changed from a simple cut and dry motherboard feature set and performance and stability numbers to something more closed and encompassing.

He did have it right with this quote.

"If I ran a PC OEM I wouldn’t be angry at Microsoft, I’d be angry at myself for letting this happen."

This may be more relevant with Android OEMs too.

RE: yea
By ritualm on 2/26/2014 10:36:53 PM , Rating: 2
right click by holding down the pen tip to the position

You don't even need to do that, and I found this out after doing some further reading on various sites. The Surface Pro stylus has a dummy magnetic plug that clips into the tablet's "Magsafe" charging port. Press and hold on that dummy plug before tapping the display, then release when the stylus tip makes contact with the display surface; voilà, right-click.

RE: yea
By KoolAidMan1 on 2/27/2014 6:30:20 PM , Rating: 2
Translation: Anandtech doesn't treat removable batteries and media as absolute positives without any tradeoffs so you're mad about it.

That's the first time I read that post and Brian and Anand's stance is the same as it's always been, balanced and well thought out.

They don't talk about those things being negatives but they do bring up their negative side effects on battery life and build quality. It is totally reasonable to talk about the downside to removable batteries yielding lower battery life and compromising build quality. I saw it with my old GS3, worst phone I've ever had, but I also understand that people can look past the hardware and OS. They also discuss the tradeoff with removable storage. Yes it expands storage (good) but it is also much slower and less reliable (bad). It also isn't supported by Google, which is why it is up to OEMs to make it work and why it isn't in the Nexus 5. It also compromises build quality, which is why you see them in phones that already have removable batteries.

They also talk about the downside with sealed systems. Their solution is to bump up storage specs to 32/64/128. Battery life is already solved since buying and carrying spare batteries with less life isn't absolutely better than having a sealed battery that lasts longer.

As usual, very well reasoned post from Brian and Anand.

There is nothing wrong talking about tradeoffs. You saying "infects your thought process when you become part of the cult of Apple" without putting any more thought into things and insisting that there is only one way is the standard nonsense that makes it impossible to take anything you say seriously.

I never EVER thought I would be saying that. I used to worship Anandtech, their word was law as far as I was concerned. Now? I'm not so sure.

You won't be missed when Anand does the right thing and finally cuts loose of this site.
