Keylogger Revealed in the Apple iOS Ecosystem

February 25, 2014

In the course of their daily grind, Financial Security professionals dealing with the current BYOD fever often refer to risks associated with using unmanaged endpoints in business operations — especially when this involves using consumer-oriented unmanaged tablets and/or phones running Android or iOS.  A special subset of that risk involves the theft of company credentials — generally still a username/password pair.  Once those credentials are ‘owned’ by hostile actors, a targeted organization is at elevated risk along every dimension associated with the ‘real’ worker’s role.  For example, a hostile who possesses the credentials of the chief financial officer, treasury personnel, database administrator, server administrator, or other individual with elevated rights can (in theory) perform all the activities authorized for those individuals — which would result in material risk to your organization.  Risk management professionals and decision-makers at all levels need to keep these risks in mind as they evaluate the appropriateness of BYOD for their organization(s).

In the last month, two separate research teams (from Trustwave and FireEye) have produced proof-of-concept apps to exploit an iOS flaw that allows a hostile party to record every tap and keystroke made on an Apple iOS device — jailbroken or not.  This type of software has been around in the Android marketplace for some time.  But Apple and its ‘marketers’ have been adamant that various features of the iOS operating system architecture provide overlapping layers of protection to prevent this type of activity, and as a final backstop their (opaque) App Store app review practices effectively eliminate the risk of overtly hostile software successfully behaving in a hostile manner in the iOS ecosystem.  In other words, “just trust us…”  A recent example of ‘analysis’ of this type — stating that “there is essentially no iOS malware” — might include “Defending Data on iOS 7.”

Security researchers have identified a vulnerability which allows malicious actors to log your taps & keystrokes (X-Y coordinates) before sending that data to a remote server of their choice.

Mobile specialists on the staff of security company FireEye have been collaborating with Apple after creating a proof-of-concept app, deploying it through the production Apple App Store review process without detection, and then having it successfully exploit a non-jailbroken iOS 7 device after it was downloaded and installed from Apple’s App Store.

In practice, the ‘keylogging’ would be an ‘added feature’ in an otherwise ‘reasonable’ app, and a hostile party would use phishing or other social engineering to mislead victims into installing their software.  Another route would be to exploit another remote vulnerability in iOS itself or in another app to begin the malicious app download process.

According to the authors, the exploit works on non-jailbroken modern iOS devices, including iOS 7.0.5, 7.0.6 and 6.1.x.

In the context of the recent iOS SSL vulnerability — something that any reputable static code security analysis product or service would have caught — it is difficult to support Apple’s opaque ‘trust us…’ approach to security details.  I believe that Apple is going to have to be much more transparent to win over the Financial Services markets.

The exploit takes advantage of Apple’s exceptions to the iOS setting for “Background App Refresh.” Security-conscious users can use that setting to ‘disable’ background refreshing for specific apps. App authors, though, are allowed to bypass the user’s wishes. One example is permitting an app to play music in the background without its ‘Background App Refresh’ switch being turned on. It appears that in this case, the proof-of-concept app may have disguised itself as a music app to conduct background monitoring. MDM vendors also deploy apps that exhibit behaviors analogous to this ‘backgrounding exception.’ Even when an iOS device is set to deny all ‘Background App Refresh,’ the MDM app will continue to run, examining the local device and ‘calling home’ with the results of that assessment.

As we have mentioned before on this blog, the Android app marketplace is still an ‘elevated security risk muddle,’* and there is no ‘Apple security magic.’ Apple has an excellent record of managing their image, but an uneven record at implementing real, or Financial Services-grade resistance to hostile actors.

Until Apple figures this one out, iOS users can avoid at least some of this risk by using the iOS task manager to stop unnecessary apps from running in the background. This will prevent a range of potential elevated-risk monitoring that might be occurring.** iOS 7 users can press the Home button twice to enter the task manager and see preview screens of the apps that are open, and then swipe an app’s preview up and out to stop unnecessary or suspicious applications running in the background.

*Technical term.
**Remember, an MDM agent is a ‘trusted’ app and is used to qualify endpoints for some types of access to private infrastructure. If your company requires a given MDM agent, I recommend that you let it continue to run.
“Researcher Creates Malware to Capture Every Tap on Your Smartphone or Tablet.” By David Gilbert, January 31, 2014

“New iOS flaw makes devices susceptible to covert keylogging, researchers say — Proof-of-concept app in Apple’s App Store sent keystrokes to remote server.” By Dan Goodin, February 24, 2014

“Background Monitoring on Non-Jailbroken iOS 7 Devices — and a Mitigation.” By Min Zheng, Hui Xue and Tao Wei, February 24, 2014

“Defending Data on iOS 7. Version 2.0.” By Rich Mogull, Securosis.
