Email attachments in MobileMail.app are not encrypted

May 3, 2014 07:00 GMT  ·  By

Security researcher Andreas Kurtz has discovered a dangerous flaw in Apple’s mobile operating system regarding email encryption. Kurtz says he reported his findings to the mother-ship, but Apple has failed to address the problem.

Sometime last month, Kurtz reportedly noticed that email attachments within Mail were not protected by Apple's, despite the company claiming to use data protection mechanisms. He confirmed the vulnerability using an iPhone 4 with the latest firmware and an IMAP account.

Kurtz relays, “I verified this issue by restoring an iPhone 4 (GSM) device to the most recent iOS versions (7.1 and 7.1.1) and setting up an IMAP email account, which provided me with some test emails and attachments.”

“Afterwards, I shut down the device and accessed the file system using well-known techniques (DFU mode, custom ramdisk, SSH over usbmux). Finally, I mounted the iOS data partition and navigated to the actual email folder. Within this folder, I found all attachments accessible without any encryption/restriction,” he writes.

The hacker was able to reproduce the bug even on the latest iPhone version, as well as on  second-generation iPad, both running iOS 7.0.4. Despite warning Apple of the vulnerability, the Cupertino giant did not make it a priority for the iOS 7.1.1 release from last week. Worse still, Kurtz alleges that the company was aware of the issue prior to his reporting.

“I reported these findings to Apple,” Kurtz continues. “They responded that they were aware of this issue, but did not state any date when a fix is to be expected. Considering the long time iOS 7 is available by now and the sensitivity of email attachments many enterprises share on their devices (fundamentally relying on data protection), I expected a near-term patch. Unfortunately, even today's iOS 7.1.1 did not remedy the issue, leaving users at risk of data theft.”

The security expert offers a workaround for users who are concerned that their data may end up in the wrong hands: “As a workaround, concerned users may disable mail synchronization (at least on devices where the bootrom is exploitable),” Kurtz concludes.

Again, if Kurtz’ claims are accurate, Apple not putting security at the top of its priorities list is concerning, to say the least. iOS 7.1.1 was also expected to address a widely-reported battery draining bug, though Apple chose only to make improvements to Touch ID fingerprint recognition, fix a bug that could impact keyboard responsiveness, and patch an issue when using Bluetooth keyboards with VoiceOver enabled.