iOS 7 Flaw Leaves Email Attachments Unencrypted, Security Researcher Warns

Security researcher Andreas Kurtz has discovered that email attachments within the native iOS 7 email application aren’t protected by Apple’s data protection mechanism, contrary to what the iPhone maker states (via ZDNET).

In a blog post dated April 23, Andreas Kurtz describes the steps he took to verify his claim, and what he found doesn’t match Apple’s claim: the email attachments were accessible without any encryption.

I verified this issue by restoring an iPhone 4 (GSM) device to the most recent iOS versions (7.1 and 7.1.1) and setting up an IMAP email account, which provided me with some test emails and attachments. Afterwards, I shut down the device and accessed the file system using well-known techniques (DFU mode, custom ramdisk, SSH over usbmux). Finally, I mounted the iOS data partition and navigated to the actual email folder. Within this folder, I found all attachments accessible without any encryption/restriction:

[Image: iOS 7 security flaw]

What may sound alarming, though, is Kurtz’s note: he reported the problem to Apple, which is aware of the issue, but there is no word on when a fix will be released. Unfortunately, the latest iOS 7.1.1 doesn’t fix this issue either. Until the patch is out, users can look for other, third-party apps, but the fact is that this doesn’t look good at all, at least not for Apple’s enterprise customers.