iOS 7 bug leaves email attachments unencrypted

A recently-discovered bug in Apple's iOS 7 mobile operating system has revealed that any email attachments sent from an iOS 7 device will remain unencrypted, even if iOS 7's 'Data Protection' feature is enabled.

The bug was found by Andreas Kurtz, a researcher for NESO Security Labs in Germany. According to Kurtz, he verified the claim by restoring an iPhone 4 to iOS 7.1 and setting up an IMAP email account. Kurtz then accessed the file system, where he discovered that every attachment was accessible and completely lacked any encryption or restriction.

A few weeks ago, I noticed that email attachments within the iOS 7 MobileMail.app are not protected by Apple's data protection mechanisms. Clearly, this is contrary to Apple's claims that data protection "provides an additional layer of protection for (..) email messages attachments".

The findings were reproduced on an iPhone 5s and an iPad 2, both running iOS 7.0.4. The bug was reported to Apple, who acknowledged that they were "aware of the issue" but did not provide a timeframe for when the bug is expected to be fixed.

According to Kurtz, the bug affects IMAP as well as POP and ActiveSync -- and while the vulnerability is fairly severe, even the recently released iOS 7.1.1 update didn't fix the issue. 

Source: Andreas Kurtz via UberGizmo | Image via Shutterstock - iPhone 5s and iPad

Report a problem with article
Previous Story

Big tech companies are defying U.S. authorities for the sake of transparency

Next Story

EFF uses a Badger to protect your privacy

37 Comments - Add comment