
Security researcher Andreas Kurtz has discovered that versions of iOS 7, including iOS 7.1.1 (the current release), iOS 7.1, and iOS 7.0.4, do not encrypt email attachments in the bundled Mail application. This is an issue in itself, but it is more worrisome because, according to Apple, iOS is supposed to encrypt email attachments. Here’s a page from Apple’s website indicating that:

[Screenshot of Apple’s iOS security page, not reproduced here]

Here’s how Kurtz verified that iOS 7 does not encrypt email attachments:

I verified this issue by restoring an iPhone 4 (GSM) device to the most recent iOS versions (7.1 and 7.1.1) and setting up an IMAP email account1, which provided me with some test emails and attachments. Afterwards, I shut down the device and accessed the file system using well-known techniques (DFU mode, custom ramdisk, SSH over usbmux). Finally, I mounted the iOS data partition and navigated to the actual email folder. Within this folder, I found all attachments accessible without any encryption/restriction:

Further, Kurtz found that the data protection feature of iOS 7 does function, but it simply does not cover email attachments, as it is supposed to. Kurtz was able to verify this on an iPhone 4, iPad 2, and iPhone 5s. He first reported the issue the day after iOS 7.1.1’s release last month, but his blog post did not gain much attention until now.

Kurtz says that he reached out to Apple and that the Cupertino company says it is aware of the bug. Unfortunately, Apple has not said when a fix can be expected. We have reached out to Apple for further comment on the matter. Obviously, the lack of email attachment encryption on iOS poses a major vulnerability for corporate and government users of iOS devices. With that in mind, Apple is likely racing to fix this problem.

iOS has generally been known for its industry-leading security, and recent features such as hardware encryption and the Touch ID fingerprint scanner have put Apple ahead of the industry in this regard. This new bug is simply a single blemish among several moves to ensure that the security of iPhones, iPads, and iPod touches is top-notch.

Update: Apple tells iMore that a fix is in the works.


13 Responses to “Researcher claims iOS 7 (including current 7.1.1) does not encrypt email attachments, Apple aware of issue”

  1. Let’s hope they fix this ASAP.


  2. jrox16 says:

    It also seems that Airdrop on 7.1 (or 7.1.1) has become somewhat buggy. It either takes very long to find a nearby phone, or doesn’t at all.


  3. Help me understand something here. How did Andreas get past disk protection on a locked device to begin with? I didn’t think there was a DFU exploit on the A5 or higher SOC. Seems like this isn’t as big a deal as a real world exploit.


    • Nate Lawson says:

      He said he used an iPhone 4, which was the last limera1n-vulnerable device. His other testing was on 7.0.4, which had the evad3rs jailbreak exploit. So nothing new other than the fact that encryption is not fully applied to all the files, which is the important part here.


  4. John Smith says:

    Sorry, but this is not just ‘simply a single blemish’.

    This is one of a series of blemishes.

    Frankly, I would like to see Apple stop spending countless man hours on changing the appearance of iOS (or OS X) and more hours on polishing function and security.

    Is Ive up to the job? Or have they got the wrong guy in charge?


    • @John Smith: Welcome to conflicting interest. There are two competing markets which Apple is trying to serve; consumer and commercial. The consumer market isn’t as concerned with security and stability as it is with appearance. The commercial market is more concerned with security and stability than it is with appearance.

      Ideally, they should have enough engineers hired to do both, but since they only do major UI overhauls every 6-10 years that would be a bit wasteful. Now that iOS7’s new interface work is mostly done they will have more resources to work on stability and polish.

      That is just the nature of the beast.

      Don’t believe me? Just ask any Microsoft Windows engineer or manager; they have been dealing with this same issue for a couple of decades now.


    • whatyoutalkingboutwillis says:

      I think Ive is only in charge of the design of the UI and not the creation of the OS and its applications.


  5. kpom1 says:

    Given that encryption is required by most enterprise policies, this looks like a bigger deal than what the author is making of it.


    • standardpull says:

      Just to be totally clear to the casual reader – the vast majority of email sent over the internet is unencrypted. That includes attachments and the body of the email. Unless you have taken specific steps to secure your email, any network engineer can collect and read your email in its totality.

      So be spooked by this one. Because your email was never encrypted anywhere to begin with.


      • I’m not sure that this is correct. All of my accounts use TLS/SSL to communicate with the server. When I add an account to iOS it automatically chooses this option without my intervention. I’m not saying that the data is encrypted on the device or the server, but it is encrypted in transit. I’m sure some network engineers can hack SSL, but not all of them. It also isn’t very efficient to break cryptography.

        So I’m sure a portion of email is not encrypted during transmission, but a lot of it is. Of course, you can only be certain that the transmission is encrypted from the end-user to the email server… where it goes from there is anybody’s guess.

        Security is relative; not absolute.


      • standardpull says:

        The node to node transport over the internet is SMTP. It is clear text.

        Only your mailbox access is encrypted. But once your email gets passed around from provider A to provider B it is all in clear text.
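The transport question argued in the two comments above can be checked against a real message rather than guessed at. As an added example, not part of this thread: each mail server that handles a message prepends a Received: header whose "with" clause names the protocol used for that hop (RFC 3848); the keywords ESMTPS and ESMTPSA mean the hop ran over TLS, while plain SMTP or ESMTP means the message crossed that link in cleartext. The script below parses those headers from a constructed sample message (hostnames and addresses are from documentation ranges, not real servers) and reports which hops were encrypted. One caveat: a Received line is written by the receiving server, so the trail is only as trustworthy as the servers that wrote it, and a hop can be labelled TLS without saying anything about certificate validation.

```python
"""Audit per-hop transport encryption from a message's Received: headers.

Added example, not part of the original thread. Each MTA prepends a
Received: line; per RFC 3848 the 'with' clause carries the protocol
keyword, and ESMTPS / ESMTPSA (plus the UTF8SMTPS variants) signal that
TLS was negotiated for that hop. A plain SMTP/ESMTP hop was cleartext.
"""
import email
import re
from email import policy

# RFC 3848 keywords that indicate TLS on the hop.
TLS_WITH_KEYWORDS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed sample message (documentation hostnames and IPs, not real).
# Hop 1: user's client submits over authenticated TLS (ESMTPSA).
# Hop 2: sender's provider relays to the recipient's MX over TLS (ESMTPS).
# Hop 3: recipient's MX hands off to the mailbox server in cleartext (ESMTP).
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [192.0.2.20])
    by mail.example.org with ESMTP id abc123
    for <bob@example.org>; Mon, 05 May 2014 06:30:00 -0700
Received: from smtp.example.com (smtp.example.com [203.0.113.5])
    by mx.example.net with ESMTPS id def456
    (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256)
    for <bob@example.org>; Mon, 05 May 2014 06:29:58 -0700
Received: from [10.0.0.7] (client.example.com [198.51.100.9])
    by smtp.example.com with ESMTPSA id ghi789
    for <bob@example.org>; Mon, 05 May 2014 06:29:55 -0700
From: alice@example.com
To: bob@example.org
Subject: Quarterly report

See attachment.
"""


def parse_hop(received: str) -> dict:
    """Classify one Received: header value as an encrypted or cleartext hop."""
    line = " ".join(received.split())  # unfold and collapse whitespace
    m_from = re.search(r"\bfrom\s+(\S+)", line)
    m_by = re.search(r"\bby\s+(\S+)", line)
    m_with = re.search(r"\bwith\s+([A-Za-z0-9]+)", line)
    proto = m_with.group(1).upper() if m_with else None
    # Some MTAs keep the plain keyword but add a TLS comment such as
    # "(version=TLS1_2 cipher=...)"; count that as encrypted as well.
    tls_comment = re.search(r"\([^)]*\b(?:TLS|SSL)[^)]*\)", line, re.IGNORECASE)
    encrypted = proto in TLS_WITH_KEYWORDS or tls_comment is not None
    return {
        "from": m_from.group(1) if m_from else None,
        "by": m_by.group(1) if m_by else None,
        "with": proto,
        "encrypted": encrypted,
    }


def audit_message(raw: str) -> list:
    """Return the hops in delivery order (origin first), each classified."""
    msg = email.message_from_string(raw, policy=policy.default)
    received = msg.get_all("Received") or []
    # Each server prepends its header, so the last header is the first hop.
    return [parse_hop(value) for value in reversed(received)]


def cleartext_hops(raw: str) -> list:
    """Only the hops where the message was not protected by TLS."""
    return [hop for hop in audit_message(raw) if not hop["encrypted"]]


if __name__ == "__main__":
    for n, hop in enumerate(audit_message(SAMPLE_MESSAGE), start=1):
        state = "TLS" if hop["encrypted"] else "CLEARTEXT"
        print(f"hop {n}: {hop['from']} -> {hop['by']} with {hop['with']}: {state}")
```

Run against a message exported from a mail client, the script shows exactly the split the comment describes: the submission and provider-to-provider hops may well be TLS, but any hop reported as plain ESMTP was readable on that link, and nothing in these headers says anything about encryption at rest on either end.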


  6. The iPhone fingerprint scanner has been hacked already. Nokia Symbian devices had basically unbreakable hardware encryption already before there was any iPhone around. Not encrypting the attachments while even claiming to do so is a gate for a class action suit. I strongly recommend NOT using any iOS device for business purposes.