Security researcher Andreas Kurtz has discovered that versions of iOS 7, including iOS 7.1.1 (the current release), iOS 7.1, and iOS 7.0.4 do not encrypt email attachments in the bundled Mail application. This is an issue itself, but more worrisome as iOS, according to Apple, is supposed to encrypt email attachments. Here’s a page from Apple’s website indicating that:
Here’s how Kurtz verified that iOS 7 does not encrypt email attachments:
I verified this issue by restoring an iPhone 4 (GSM) device to the most recent iOS versions (7.1 and 7.1.1) and setting up an IMAP email account1, which provided me with some test emails and attachments. Afterwards, I shut down the device and accessed the file system using well-known techniques (DFU mode, custom ramdisk, SSH over usbmux). Finally, I mounted the iOS data partition and navigated to the actual email folder. Within this folder, I found all attachments accessible without any encryption/restriction:
Further, Kurtz found that the protected data feature of iOS 7 functions, but it just does not cover email attachments (as it is supposed to). Kurtz was able to verify this on an iPhone 4, iPad 2, and iPhone 5s. Kurtz first reported this issue the day following iOS 7.1.1’s release last month, but his blog post did not gain much attention until now.
Kurtz says that he reached out to Apple and that the Cupertino-company says it is aware of the bug. Unfortunately, Apple has not said when a fix could be expected. We have reached out to Apple for further comment on the matter. Obviously, the lack of email attachment encryption on iOS poses a major vulnerability to corporations and government users of iOS devices. With that in mind, it is likely that Apple is racing to fix up this problem.
iOS has generally been known for its industry leading security, and recent features such as hardware encryption and the Touch ID fingerprint scanner have put Apple ahead of the industry in this regard. This new bug is simply a single blemish within several moves to ensure the security of iPhones, iPads, and iPod touches is top-notch.
Update: Apple tells iMore that a fix is in the works.
FTC: We use income earning auto affiliate links. More.