Update: Subhransu Behera has walked back his original hypothesis:
After posting this on HackerNews some developers / users feel my hypothesis is wrong and one cannot repeat the steps below without having physical access to a user’s phone or locked devices. I agree to this. I also need to check on which iOS version this is secure. Because as far as I remember, this is definitely doable in earlier versions of iOS. But the original problem still remains the same. These files are unencrypted and unprotected and one can copy your entire mail contents if he/she has access to your phone.
File Protection API won’t be enough to protect data for unlocked phones. For that, one might need to encrypt documents or files with a key, with the key being stored in some secure location.
I am building some concept apps to try out a few things. Stay tuned …
App developer Subhransu Behera has described the popular iOS Mailbox app as ‘a security fail’ after discovering that it allows anyone with access to the phone to extract email contacts, content and attachments …
I love iOS apps and developers. And it’s the apps that I love [which] motivates me to write better code. However, Mailbox is an exception. I like the UX of this application but I dislike its data protection approach more. As a matter of fact, there’s no data protection at all.
Behera used iExplorer, a tool designed to allow users to transfer music, movies and playlists between iOS devices and computers.
But wait, it gives you more: it gives you access to an application’s Document and Library directories on your devices. These are the usual places where iOS developers store their database, plist files or other resource files, and they can be extracted to a system if the device is stolen. You don’t need to jailbreak the device. So if anyone else can get hold of your phone, he can access the files of those apps where data is not protected.
Behera says that the iOS SDK gives developers tools they can use to protect the data, so he is surprised Mailbox doesn’t take advantage of them.
Mainstream users may not be overly concerned, as an attacker would still need physical access to the unlocked phone in order to extract the data. Although there have been lockscreen security issues, those were fixed and in any case offered very limited access to the phone. But those using their phones for sensitive emails might wish to take the cautious approach of not using the apps for those email accounts.