An exploit in the way iOS handles multitasking may allow the touch-equivalent of keylogger-type attacks — where your input is recorded in order to discover your passwords and other data — to work not only on jailbroken iPhones and iPads, but on any device. It would require a malicious app to be created, to get past App Store review, and to get installed onto your device, which is a complex chain and not one anyone has claimed to have actually seen happen yet. But according to Min Zheng, Hui Xue, and Tao Wei of FireEye, it is possible:
We have created a proof-of-concept "monitoring" app on non-jailbroken iOS 7.0.x devices. This “monitoring” app can record all the user touch/press events in the background, including, touches on the screen, home button press, volume button press and TouchID press, and then this app can send all user events to any remote server, as shown in Fig.1. Potential attackers can use such information to reconstruct every character the victim inputs.
They claim the exploit they're using affects devices on iOS 7, including 7.0.4, 7.0.5, and 7.0.6, as well as all versions of iOS 6.
There's not a lot of information available yet about how exactly this works, but again, it seems like an attacker would have to make a malicious app, get it through App Store review and into the App Store, and then get you to go to the App Store and install it onto your device. For example, someone emailing you a link to a knock-off app — "Hey John, check out Flappy Bards, it's free and awesome!"
The researchers suggest uber-paranoid users turn off background refresh and kill all background apps to avoid any possibility of exploit. That's so onerous I doubt many will do it. What's probably better is to follow the same old "don't click on links from people or sources you don't trust" (even if they take you to the App Store) advice, and when browsing the App Store on your own, stick to apps from known developers until Apple patches the exploit.
Most importantly, the exploit seems complex right now and no one has presented any evidence of it existing in the wild. Unless and until that changes, I'd recommend the usual caution but no crazy level of concern. Agree or disagree?
Nick Arnott contributed to this article.
Source: FireEye
Apple VR leak suggests 2022 release date, key features
A new research note from Apple supply chain guru Ming-Chi Kuo indicates Apple's VR headset is coming next year, and will be highly integrated with products like Apple TV+ and Apple Arcade.
Apple to face trial over use of refurbished replacement devices
A class-action lawsuit against Apple is proceeding to trial over its use of refurbished devices and parts in repairs.
![[Update] Apple to discontinue iMac Pro once stock runs out](https://www.imore.com/sites/imore.com/files/styles/w200h150crop/public/field/image/2018/03/imac-pro-birds-eye.jpg)
[Update] Apple to discontinue iMac Pro once stock runs out
Apple has tweaked the iMac Pro listing on its website to state that it is for sale "While supplies last", with only one configuration available. Apple has now confirmed it will discontinue the iMac Pro once stock runs out.
These HomeKit cameras work with iOS14's Face Recognition and Activity Zones
iOS 14 brings some powerful new capabilities to HomeKit Secure Video-enabled cameras like Face Recognition and Activity Zones. Here's all of the cameras and doorbells that support the latest and greatest HomeKit features.