Apple iOS 7 bug leaves email attachments unencrypted, says security expert

Nicole Arce, Tech Times 07 May 2014, 09:05 am

A security hole in the latest version of Apple's iOS leaves users' email attachments unsafe and ripe for the picking, says a German security researcher who discovered the bug a few weeks ago.

In a blog post written on April 23, Andreas Kurtz of NESO Labs security research firm said that Apple fails to provide protection for email attachments in its Mobile Mail app for iOS 7.0.4, 7.1 and 7.1.1, in spite of Apple's Data Protection technology, which supposedly adds an extra layer of security for emails, attachments and third-party apps in passcode-enabled iPhones.

"A few weeks ago, I noticed that email attachments within the iOS 7 MobileMail.app are not protected by Apple's data protection mechanisms. Clearly, this is contrary to Apple's claims that data protection 'provides an additional layer of protection for (...) email messages attachments,'" Kurtz wrote in his blog post.

Kurtz said he was able to locate email attachments without any encryption on an iPhone 4 running on iOS 7 by simply connecting the phone into a computer and using well-known password-bypass techniques, including DFU mode, custom ramdisk and SSH over usbmux. Data Protection, as per Kurtz, seems to function, but it does not cover email attachments as Apple claims.

Kurtz also said that he was able to reproduce the issue on an iPhone 5S and an iPad 2 both running on iOS 7.0.4.

"I reported these findings to Apple," wrote Kurtz. "They responded that they were aware of this issue, but did not state any date when a fix is to be expected. Considering the long time iOS 7 is available by now and the sensitivity of email attachments many enterprises share on their devices (fundamentally relying on data protection), I expected a near-term patch. Unfortunately, even today's iOS 7.1.1 did not remedy the issue, leaving users at risk of data theft."

An Apple spokesperson apparently reached out to iMore and said the company "is aware of the issue and are working on a fix which we will deliver in a future software update."

Security researchers Adam Engst and Rich Mogull of TidBits, however, are not so convinced of the severity of threat, saying that Kurtz's "well-known techniques" use tools that are only compatible with the iPhone 4 and earlier versions of the smartphone. They also argued that for an attacker to exploit the vulnerability, he needs to have physical possession of the iPhone.

"An attacker either needs your passcode (...) or he needs a jailbreak that works without a passcode, allowing him access to the file system," explain Engst and Mogull. "That's how Kurtz was able to attack an iPhone 4. It's unclear how he was able to reproduce on an iPhone 5S and iPad 2 running iOS 7.0.4, since more recent devices running iOS 7 aren't susceptible to a jailbreak without passcode."

Engst and Mogull also said there is "little to worry about here," since majority of iPhone users are not the type who sends highly sensitive data over email.

9to5Mac's Mark Gurman, however, warned business and government users of iOS devices that the loophole could pose a threat to their operations.