iOS 7 Flaw Leaves Email Attachments Unencrypted, Security Researcher Warns

Security researcher Andreas Kurtz has discovered that email attachments in the native iOS 7 email application aren’t protected by Apple’s data protection mechanism, contrary to what the iPhone maker states (via ZDNET).

In a blog post dated April 23, Andreas Kurtz describes the steps he took to verify his claim. What he found doesn’t match Apple’s statement: the email attachments were accessible without any encryption.

I verified this issue by restoring an iPhone 4 (GSM) device to the most recent iOS versions (7.1 and 7.1.1) and setting up an IMAP email account, which provided me with some test emails and attachments. Afterwards, I shut down the device and accessed the file system using well-known techniques (DFU mode, custom ramdisk, SSH over usbmux). Finally, I mounted the iOS data partition and navigated to the actual email folder. Within this folder, I found all attachments accessible without any encryption/restriction:

[Image: iOS 7 security flaw]

What may sound alarming, though, is Kurtz’s note: he reported the problem to Apple, and the company is aware of the issue, but there is no word on when a fix will be released. Unfortunately, the latest iOS 7.1.1 doesn’t fix the issue either. Until the patch is out, users can look for other, third-party apps, but the fact is that this doesn’t look good at all, at least not for Apple’s enterprise customers.
