The comforting notion that unmodified iOS phones are more or less immune to security threats has been shaken to the core with the release of new research that shows mobile monitoring applications can bypass Apple’s app review process and successfully exploit non-jailbroken iOS 7 kit. Background monitoring mobile (AKA snooping) …
"In the meantime it reckons the only way for iOS users to avoid the security risk is to use the iOS task manager to stop the apps from running in the background"
So the only way.... is to close ....the running app??
And this is the extent of the threat?
But I dare say it's only right that EL Reg put the fear of the Spaghetti Monster into us all, now and again.
Running in the background
Not sure 'running in the background' and 'closing' are the same. I've turned off 'running in the background' for Safari, but it is still available after swapping to another app. Maybe it means the app is no longer monitoring the UI or other input such as GPS?
Reading the linked article, it appears music apps can be set to "not run in the background", but continue to play music when they are no longer the foreground app.
Re: Running in the background
"..but continue to play music.."
Besides, the usual iPhone users generally press Home button to get out of the app and forget about it. So, at a time, a general user has 20 (i have seen 30) apps in the background ready to be resumed (that you can see by the double tapping the Home button). This is supposed to be efficient because these background apps are not allotted CPUs until they come in foreground.
So, what this result seems to be is about apps which perhaps have a special permission to run (consume CPU) in the background.
If Apple is allowing such apps (which go against the users' habits) and is failing to scrutinize them thoroughly (scanning the API usage), then it is the same problem that the other stores are blamed for,
They've proven nothing. The only way this would be of interest is if they got an app doing that onto the app store. To grab the events they have to use private Apple api's and that's something Apple would spot. Dull sensationalist garbage.
Which is precisely what they did.
'Shortly before the blog post went live, FireEye published a separate brief that was quickly removed. According to an RSS reader cache that preserved the earlier post, part of it said: "FireEye successfully delivered a proof-of-concept monitoring app through the App Store that records user activity and sends it to a remote server. We have been collaborating with Apple on this issue."'
My Taplogger malware has been embedded successfully into several widely downloaded "freeware" games. These remain on their App Store. We've successfully logged keystrokes and screen taps from several senior Apple executives - and sent them copies of their texts and emails that were sent from their phones. They're suitably scared, but have kept the threat to themselves since the beginning of the year.
iOS is as leaky as Windoze - they compromised security for "ease of use" just like M$ did.
"that's something Apple would spot."
Like they spotted the problem with SSL?
Ouch - I thought the sandoxing between applications on iOS was better than that, however this sounds like it subverts the APIs that allow inter-app communication although the way the article is written is could be specific existing applications that have elevated access that are the problem.
The problem is more basic than that - it's possible to subvert the kernel at the hardware interface level and pass keystrokes, taps and swipes to another file. This file is then uploaded in the background whenever the phone is connected to the 'net. The Taplogger cannot be stopped from the application manager either - it is only killed when the phone is restarted, but the software will run again whenever the application it's embedded into is run.
You mean the apple logo isn't an impenetrable shield. OMG!
The comforting notion that unmodified iOS phones are more or less immune to security threats
That's not how you spell "transparent marketing bullshit"!
'but have kept the threat to themselves since the beginning of the year.'
continuing to place a premium on treating their customers with respect, and not just on their pricing...
...and yet the user base will continue to drink the kool-aid...
- Updated Microsoft Azure goes TITSUP (Total Inability To Support Usual Performance)
- The Return of BSOD: Does ANYONE trust Microsoft patches?
- Review Apple takes blade to 13-inch MacBook Pro with Retina display
- Munich considers dumping Linux for ... GULP ... Windows!
- Pic iPhone 6 flip tip slips in Aussie's clip: Apple's 'reversible USB' leaks