Researchers said they have identified a flaw in Apple's iOS that makes it possible for attackers to surreptitiously log every touch a user makes, including characters typed into the keyboard, TouchID presses, and adjustments to the volume control.

The vulnerability affects even non-jailbroken iPhones and iPads running iOS versions 7.0.4, 7.0.5, and 7.0.6, as well as those running on 6.1.x, researchers from security firm FireEye wrote in a blog post published Monday night. They said attackers could carry out the covert monitoring using an app that bypasses Apple's stringent app review process. The app uses multitasking capabilities built into iOS to capture user inputs. The blog post explained:

We have created a proof-of-concept "monitoring" app on non-jailbroken iOS 7.0.x devices. This "monitoring" app can record all the user touch/press events in the background, including touches on the screen, home button press, volume button press and TouchID press, and then this app can send all user events to any remote server, as shown in Fig.1. Potential attackers can use such information to reconstruct every character the victim inputs. Note that the demo exploits the latest 7.0.4 version of iOS system on a non-jailbroken iPhone 5s device successfully. We have verified that the same vulnerability also exists in iOS versions 7.0.5, 7.0.6 and 6.1.x. Based on the findings, potential attackers can either use phishing to mislead the victim to install a malicious/vulnerable app or exploit another remote vulnerability of some app, and then conduct background monitoring.

Shortly before the blog post went live, FireEye published a separate brief that was quickly removed. According to an RSS reader cache that preserved the earlier post, part of it said: "FireEye successfully delivered a proof-of-concept monitoring app through the App Store that records user activity and sends it to a remote server. We have been collaborating with Apple on this issue."

Based on the few details provided in the blog posts, the proof-of-concept app appears to rely on resources iOS provides for applications to run in the background, as music apps frequently do. While such apps run behind the scenes, they appear to have visibility into all presses made to the keyboard and all other iPhone or iPad buttons.

Until Apple releases a patch for the vulnerability, the only way to prevent attacks is to open the iOS task manager and stop questionable apps from running in the background, FireEye said. Users can open the task manager by pressing the home button twice.

Apple representatives typically don't comment on matters involving the security of their products, making it hard for Ars to provide complete and fully confirmed details about the vulnerability FireEye is reporting. It's possible there are mitigating circumstances not included in the FireEye posts. This article will be updated if any such mitigations become known. Ars is reporting the findings out of an abundance of caution.

The disclosure comes three days after Apple patched an extremely critical iOS vulnerability that gave attackers an easy way to bypass encryption many browsers and other types of apps use to prevent eavesdropping of passwords and other sensitive data. Dubbed "goto fail," after one of the lines of code responsible for the bug, the flaw remains unfixed in OS X 10.9.0 and 10.9.1. Apple has yet to say when a patch will be released.