How to spy on people on iOS
Bizzare behaviour of iOS browsers in treating keyloggers.
TL;DR:
How to conveniently run keyloggers in operating systems like iOS (but not Android); In this article I’m describing and testing the “feature” that makes eavesdropping far easier.
Disclaimer
The article is not to encourage illegal activities but rather to warn the general audience about serious flaws of current internet browsers, mainly on iOS and desktop devices.
We haven’t spotted such flaws on recent Android devices (browsers).
Who are “We”?
This article is made for our project in cybersecurity — A-Irene.com — enabling security and anomaly detection with a single line of code — as easy to setup as Google Analytics.
We are in a phase of testing our telemetry plugin — allowing our clients to spot bots, anomalies in traffic or imposters.
During the process, I’ve spotted numerous bizarre behaviours on behalf of browsers that shouldn’t really be allowed and have no explanation.
Let me explain.
What is keylogging?
Keylogging is an activity where a script or a device registers the keys you pressed or tapped on your keyboard with an intention of storing it or sending on a server.
It comes in many flavours — from diagnostics up to malicious codes, stealing your passwords and eavesdropping your conversations.
The reason for this article is our concern about the state of security of modern browsers.
While collecting keystrokes for legitimate reasons is not a problem, keeping features that make keylogging plugin scripts much easier is a bad practice.
Our findings
We have tested how limited — or unlimited — access scripts have to your keystrokes. In short — how easy it is to spy on you.
It turned out that Android protects users from this practice, by obscuring key codes (we don’t know which key was pressed). Browser extension, plugin or malicious script cannot access keycodes, it returns “undefined” which in this case makes us very happy. Only the event is recognised with no details on Android.
iOS is a different story — we can eavesdrop all key actions, including password text fields from anywhere. It’s as easy as typing:
document.addEventListener(“keydown”,spy);
A single line of code is enough to eavesdrop you. Then the “spy” function can collect all your activities. Pretty creepy I have to say.
The same behaviour you can experience on desktop browsers. Both Windows and MacOS have failed our test.
Who can really eavesdrop on you?
There are few categories like website itself — including all scripts it’s using — but also 3rd party plugins (like google analytics, hotjar, facebook pixel, newrelic) and many other analytical tools.
Also all active at a current moment browser extensions can record everything you type, including passwords. This one is really scary as we don’t always register what exactly is running at the moment and how it behaves long term.
About Me
Marcin Rybicki, former game developer, algorithm enthusiast.
I‘m working with my co-founder Rafał on an ambitious project called — A-Irene — unsupervised and easy to operate anomaly detection based on Machine Learning.
