Skip to main content

Researcher claims iOS 7 (including current 7.1.1) does not encrypt email attachments, Apple aware of issue

Screen Shot 2014-05-05 at 6.29.21 AM

Security researcher Andreas Kurtz has discovered that versions of iOS 7, including iOS 7.1.1 (the current release), iOS 7.1, and iOS 7.0.4 do not encrypt email attachments in the bundled Mail application. This is an issue itself, but more worrisome as iOS, according to Apple, is supposed to encrypt email attachments. Here’s a page from Apple’s website indicating that:

Screen Shot 2014-05-05 at 6.32.05 AM

Here’s how Kurtz verified that iOS 7 does not encrypt email attachments:

I verified this issue by restoring an iPhone 4 (GSM) device to the most recent iOS versions (7.1 and 7.1.1) and setting up an IMAP email account1, which provided me with some test emails and attachments. Afterwards, I shut down the device and accessed the file system using well-known techniques (DFU mode, custom ramdisk, SSH over usbmux). Finally, I mounted the iOS data partition and navigated to the actual email folder. Within this folder, I found all attachments accessible without any encryption/restriction:

Further, Kurtz found that the protected data feature of iOS 7 functions, but it just does not cover email attachments (as it is supposed to). Kurtz was able to verify this on an iPhone 4, iPad 2, and iPhone 5s. Kurtz first reported this issue the day following iOS 7.1.1’s release last month, but his blog post did not gain much attention until now.

Kurtz says that he reached out to Apple and that the Cupertino-company says it is aware of the bug. Unfortunately, Apple has not said when a fix could be expected. We have reached out to Apple for further comment on the matter. Obviously, the lack of email attachment encryption on iOS poses a major vulnerability to corporations and government users of iOS devices. With that in mind, it is likely that Apple is racing to fix up this problem.

iOS has generally been known for its industry leading security, and recent features such as hardware encryption and the Touch ID fingerprint scanner have put Apple ahead of the industry in this regard. This new bug is simply a single blemish within several moves to ensure the security of iPhones, iPads, and iPod touches is top-notch.

Update: Apple tells iMore that a fix is in the works.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

  1. Taste_of_Apple - 10 years ago

    Let’s hope they fix this ASAP.

  2. jrox16 - 10 years ago

    It also seems that Airdrop on 7.1 (or 7.1.1) has become somewhat buggy. It either takes very long to find a nearby phone, or doesn’t at all.

  3. Sean O'Farrell - 10 years ago

    Help me understand something here. How did Andreas get past disk protection on a locked device to begin with? I didn’t think there was a DFU exploit on the A5 or higher SOC. Seem like this isn’t as big a deal as a real world exploit.

    • Nate Lawson - 10 years ago

      He said he used an iPhone 4, which was the last limera1n-vulnerable device. His other testing was on 7.0.4, which had the evad3rs jailbreak exploit. So nothing new other than the fact that encryption is not fully applied to all the files, which is the important part here.

  4. John Smith - 10 years ago

    Sorry but this not just ‘simply a single blemish’

    This is one of a series of blemishes.

    Frankly I would like to see apple stop spending countless man hours on changing the appearance of IOS (or OSX) and more hours on polishing function and security.

    Is Ive up to the job? Or have they got the wrong guy in charge?

    • Mike Knopp (@mknopp) - 10 years ago

      @John Smith: Welcome to conflicting interest. There are two competing markets which Apple is trying to serve; consumer and commercial. The consumer market isn’t as concerned with security and stability as it is with appearance. The commercial market is more concerned with security and stability than it is with appearance.

      Ideally, they should have enough engineers hired to do both, but since they only do major UI overhauls every 6-10 years that would be a bit wasteful. Now that iOS7’s new interface work is mostly done they will have more resources to work on stability and polish.

      That is just the nature of the beast.

      Don’t believe me. Just ask any Microsoft Window’s engineer or manager they have been dealing with this same issue for a couple of decades now.

    • whatyoutalkingboutwillis - 10 years ago

      I think I’ve is only in charge of the design of the UI and not the creation of the OS and its applications

      • whatyoutalkingboutwillis - 10 years ago

        Ive

  5. kpom1 - 10 years ago

    Given that encryption is required by most enterprise policies, this looks like a bigger deal than what the author is making of it.

    • standardpull - 10 years ago

      Just to be totally clear to the casual reader – the vast majority of email sent over the internet is unencrypted. That includes attachments and the body of the email. Unless you have taken specific steps to secure your email, any network engineer can collect and read your email in its totality.

      So be spooked by this one. Because your email was never encrypted anywhere to begin with.

      • I’m not sure that this is correct. All of my accounts use TLS/SSL to communicate with the server. When I add an account to iOS it automatically chooses this option without my intervention. I’m not saying that the data is encrypted on the device or the server, but it is encrypted in transit. I’m sure some network engineers can hack SSL, but not all of them. It also isn’t very efficient to break cryptography.

        So I’m sure a portion of email is not encrypted during transmission, but a lot of it is. Of course, you can only be certain that the transmission is encrypted from the end-user to the email server… where it goes from there is anybody’s guest.

        Security is relative; not absolute.

      • standardpull - 10 years ago

        The node to node transport over the internet is SMTP. It is clear text.

        Only your mailbox access is encrypted. But once your email gets passed around from provider A to provider B it is all in clear text.

  6. Mika Peltokorpi - 10 years ago

    iPhone fingerprint scanner has been hacked already. Nokia Symbian devices had basically unbreakable hardware encryption already before there was no iPhone around. Not encyping the attachments even claming so is gate for class action suit. I strongly recommend NOT to use any iOS device for business purposes.