A newly discovered vulnerability allows an iOS application to continue to run for an unlimited amount of time, even if an application gets terminated by a user.
The flaw – dubbed Ins0mnia – potentially allows any iOS application to bypass Apple background restrictions, security researchers at FireEye warn.
FireEye notified Apple soon after discovering Ins0mnia. In response, Apple's security team confirmed this vulnerability was fixed in iOS 8.4.1. Users running older versions of iOS would be well advised to update their devices.
Normally an iOS application can only run in the background for a limited time (typically three minutes) before the application is suspended by Apple's operating system. Ins0mnia skirts this restriction.
Apps that might use the feature to keep on running would not be visible in Task Switcher. Shutting down such an iOS app using the Task Switcher dashboard would not stop it from running either.
The attack involves fooling an iThing into believing that an iOS application was being debugged, preventing the system from suspending the application when the permitted background duration expired.
FireEye has put together a demo video showing a malicious iOS application that the user believes they've terminated, but which keeps running without the user’s knowledge. The proof of concept nasty sends victim location updates to an attacker.
The background running time limitation built into iOS is designed to keep iPhones and iPads fast and responsive, and not slow down in the eyes of users because processors are working overtime on background tasks.
The technology also safeguards against eavesdropping, as FireEye explains in a blog post.
A music app may have legitimate reason to ask permission to access GPS location and microphone while working on the foreground, but few users would want the app to run in the background and continually monitor GPS locations and record audio.
The control by iOS is supposed to prevent such abuse of permissions.
It's tempting to think that FireEye's developers had the recent privacy controversy about Spotify in mind when choosing this example. Spotify didn't leverage Ins0mnia, but it did change its T&Cs so that it monitored users' movement, locations and voice commands.
More seriously yet, a malicious app could abuse the Ins0mnia vulnerability to stay running continuously in the background as it spied on users of compromised iThings. The attack would have worked on iPhones and iPads even if they weren't jailbroken.
Unlike other known iOS malware that runs only on jailbroken devices, or must be distributed with Apple Enterprise Certificates, hypothetical Ins0mnia malware didn't require anything not allowed by Apple.
"We believe that such an application had a high probability of passing the Apple Store review, making it a rare loophole for an attacker to distribute malware within Apple’s walled garden," FireEye concludes. ®