Apple has fixed a security vulnerability in its latest iOS update (8.4.1) that would allow attackers to run a malicious app in the background for “an unlimited amount of time”.
What was interesting about this particular defect in the operating system was the fact that the malicious app would remain embedded in iOS even after it had been deleted.
For attackers, this was advantageous, reported FireEye researchers, who were responsible for the discovery of Ins0mnia.
It meant that they could continue to steal data without the user being aware; the user was, after all, under the impression that the issue had been resolved by deleting the app.
Usually, in iOS, an application can only run in the background for a limited amount of time (approximately three minutes).
After this time period has elapsed, the application is “suspended”. In part, this is to prevent app developers from monitoring user behaviour and obtaining data furtively.
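To make the background limit the article describes concrete, here is an added Swift example (not code from the article or from FireEye) showing the documented way an iOS app asks for a short extension of background execution. The system owns the allowance: when it runs out, the expiration handler fires and the app must stop, after which it is suspended. The class name `UploadCoordinator`, the task name `"finish-upload"` and the `finish` closure are assumptions made for illustration; the `UIApplication` calls are the real public API.

```swift
import UIKit

// Added example, not from the article: correct use of the background-task API
// whose time limit (roughly three minutes on iOS 7 and later) Ins0mnia let a
// malicious app escape. Nothing here can extend the allowance; it only lets the
// app finish bounded work and hand control back before the system suspends it.
final class UploadCoordinator {
    private var taskID: UIBackgroundTaskIdentifier = .invalid

    /// Finish an in-flight upload after the user leaves the app (hypothetical work).
    func continueUploadInBackground(finish: @escaping () -> Void) {
        let app = UIApplication.shared

        // Register the task. The name appears in system logs if the app is
        // killed for overstaying its background allowance.
        taskID = app.beginBackgroundTask(withName: "finish-upload") { [weak self] in
            // Expiration handler: the system is about to suspend the app.
            // Stop work and release the task, or the app is terminated.
            self?.endTask()
        }

        // backgroundTimeRemaining reports how long the system will still let the
        // app run; it is read-only from the app's point of view.
        print("background time remaining: \(app.backgroundTimeRemaining)s")

        DispatchQueue.global(qos: .utility).async { [weak self] in
            finish()          // do the bounded piece of work
            self?.endTask()   // always pair beginBackgroundTask with endBackgroundTask
        }
    }

    private func endTask() {
        guard taskID != .invalid else { return }
        UIApplication.shared.endBackgroundTask(taskID)
        taskID = .invalid
    }
}
```

The point for reviewers of third-party apps is the contract, not the upload: a well-behaved app registers a named task, does a bounded amount of work, and ends the task itself or when the expiration handler fires. An app that keeps running past that point is relying on either a legitimate background mode (audio, location, VoIP) or, as with Ins0mnia, a bug in the enforcement.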
“The Ins0mnia vulnerability allowed an app to circumvent these limitations,” FireEye explained in its blog.
“A malicious application could leverage the Ins0mnia vulnerability to run in the background and steal sensitive user information for an unlimited time without the user’s consent or knowledge.”
The vulnerability was fixed last month, as part of a number of security updates released by Apple.
Other issues with iOS included problems with the web browser Safari, which meant that a malicious website could “trigger an infinite number of alert messages”.
Apple noted at the time: “An issue existed where a malicious or hacked website could show infinite alert messages and make users believe their browser was locked. The issue was addressed through throttling of JavaScript alerts.”