iOS 7 bug leaves email attachments unencrypted

A recently-discovered bug in Apple's iOS 7 mobile operating system has revealed that any email attachments sent from an iOS 7 device will remain unencrypted, even if iOS 7's 'Data Protection' feature is enabled.

The bug was found by Andreas Kurtz, a researcher for NESO Security Labs in Germany. According to Kurtz, he verified the claim by restoring an iPhone 4 to iOS 7.1 and setting up an IMAP email account. Kurtz then accessed the file system, where he discovered that every attachment was accessible and completely lacked any encryption or restriction.

A few weeks ago, I noticed that email attachments within the iOS 7 MobileMail.app are not protected by Apple's data protection mechanisms. Clearly, this is contrary to Apple's claims that data protection "provides an additional layer of protection for (..) email messages attachments".

The findings were reproduced on an iPhone 5s and an iPad 2, both running iOS 7.0.4. The bug was reported to Apple, who acknowledged that they were "aware of the issue" but did not provide a timeframe for when the bug is expected to be fixed.

According to Kurtz, the bug affects IMAP as well as POP and ActiveSync -- and while the vulnerability is fairly severe, even the recently released iOS 7.1.1 update didn't fix the issue. 

Source: Andreas Kurtz via UberGizmo | Image via Shutterstock - iPhone 5s and iPad

Report a problem with article
Previous Story

Big tech companies are defying U.S. authorities for the sake of transparency

Next Story

EFF uses a Badger to protect your privacy

37 Comments

Commenting is disabled on this article.

I know, right! Apple is known for not having any security problems, ever, ever, ever. Now this? Wtf?!?!??!?!

/s

Seriously...

ZipZapRap said,
Man, and people say Windows 8 looks ugly. That's one (two) ugly screen(s)

They look 10,000x less ugly than Windows 8. At least they don't look like they were made by a 12 year old in MS paint.

Eclipse77 said,

They look 10,000x less ugly than Windows 8. At least they don't look like they were made by a 12 year old in MS paint.

No, they were made by a 12 year old who found the gradient tool in corel paint shop pro.

ZipZapRap said,
Man, and people say Windows 8 looks ugly. That's one (two) ugly screen(s)

man are you kidding me! Windows 8 was the first MS OS which made me go out and buy a Mac. It took a few weeks to get the hang of it, but it reminds me off a modern Windows XP (i.e., get stuff done fast!). Windows 8 is just a mess.

glen8 said,

man are you kidding me! Windows 8 was the first MS OS which made me go out and buy a Mac. It took a few weeks to get the hang of it, but it reminds me off a modern Windows XP (i.e., get stuff done fast!). Windows 8 is just a mess.

I was Purely Windows/Android. Windows 8 came out, and i was so disgusted with it that i tried out a macbook air last summer and loved it. Now i Own and iPad Mini Retina as well. Im not sure if i can ever not use an android phone or windows desktop(sadly cause of gaming im stuck on this mess of an OS).

ZipZapRap said,
Man, and people say Windows 8 looks ugly. That's one (two) ugly screen(s)

I think they look great, but lets keep discussing it because opinions are rare on the Internet.

attachments in the local datastore aren't encrypted... Oh well I'm sure they'll patch it; in the meantime I don't intend to lose my iPhone.

trek said,
attachments in the local datastore aren't encrypted...

They are encrypted, like everything else on the local datastore. They just aren't double encrypted. (to enter DFU, you need to disable the PIN code or passcode on iOS, to ssh into an iPhone, you need to jailbreak it)

Note that he used iOS 7.0.4 on the newer models, which has a jailbreak. The processor used in the iPhone 4 also has a jailbreak. iOS 7.1.x on newer devices does not have a jailbreak.

Edited by Rosyna, May 5 2014, 1:17am :

I just have to ask.... I really want to believe that Apple does security, but they have been having some of the most horrendous lapses with some of the most basic concepts. This is security 101.

They never got trial by fire that everybody else got, so they're going through what MS went through a decade ago. They'll get there eventually.

Dot Matrix said,
I just have to ask.... I really want to believe that Apple does security, but they have been having some of the most horrendous lapses with some of the most basic concepts. This is security 101.

So where's the question :p

Yes, yes, yes. Pick up the pitch fork and torches, boys: Apple needs to be shown what's up!

Come on now. Sure, it is a security problem but you need to have physical access to the device to get to these attachments. Some of you have some serious double-standard issues.

Someone has to steal my iPhone for this to be a problem. If that happens, I've remote wiped it anyway. But, yeah, lets bring out the punch bowl and celebrate. You win.

bdsams said,
Maybe read the post? "The bug was reported to Apple".

Oh, that makes it all right to give it to the media then. Carry on then.

/s

It is never a bad idea to give it to the media so users know what is going on. Awareness is always important for the public to be able to make decisions on whether or not they want to continue using a product or wait until there is a patch.

Also, it forces the hand of the company to actually go ahead and address the situation and not allow it to linger, making things worse in the long term.

Nashy said,

Oh, that makes it all right to give it to the media then. Carry on then.

/s

Yes, Apple clearly know there is a security breach yet do we have a press release from them concerning security? As a user should I now perhaps be careful with what I send regarding sensitive information? As an administrator of a large network of iPhones I should inform employees to be vigilant and transfer sensitive information via some other means?

If one hacker knows about it, I'm sure many more do. Plus, once it's out it forces Apple to act immediately.

Auzeras said,

Yes, Apple clearly know there is a security breach yet do we have a press release from them concerning security? As a user should I now perhaps be careful with what I send regarding sensitive information? As an administrator of a large network of iPhones I should inform employees to be vigilant and transfer sensitive information via some other means?

If one hacker knows about it, I'm sure many more do. Plus, once it's out it forces Apple to act immediately.

Did the article give specific details for you to form that decision? Maybe if he'd given Apple a chance to fix it first, he wouldn't have to drag their name through the mud.

Nashy said,

Did the article give specific details for you to form that decision? Maybe if he'd given Apple a chance to fix it first, he wouldn't have to drag their name through the mud.

Sometimes it's best to read the source articles instead of the summaries posted here as news. Those usual explain the story far more clearly.


Apple has been made aware of the issue, and responded to Kurtz that they were aware of the problem. No timetable has been made available as to when a fix will be completed for the issue, or if the lack of encryption is intentional.

Maybe if Apple requested Kurtz hold back the information for a certain period of time while they fix it, I could agree with you. However, they didn't even acknowledge it as an issue (acknowledge lack of encryption, didn't say if it was intentional).

Nashy said,

Did the article give specific details for you to form that decision? Maybe if he'd given Apple a chance to fix it first, he wouldn't have to drag their name through the mud.

No one is dragging a name through the mud here, the guy who discovered the flaw simply stated that it exists. My opinion that it is ok to release such information publicly is founded from what I discussed in the previous comment. Apple have yet to comment & people have the right to know.

If your car was found to have a flaw would you rather know about it or wait for the next service was done when the dealership would fix the faulty part and you'd be none the wiser?

Now as jasondefaoite said, no NDA or similar agreement was requested by apple not to share the information.

Therefore, the hacker is in their rights to report on such a matter, media companies are able to report on the article and users are able to take action based on information provided by said parties.

No mud dragging, just facts.

Auzeras said,
My opinion that it is ok to Apple have yet to comment & people have the right to know.

With all due respect, and I know I am going off on a bit of a tangent here, people don't have a right to know in this situation. They would like to know (some wouldn't though), but they by no means have a right to.

vanx said,

With all due respect, and I know I am going off on a bit of a tangent here, people don't have a right to know in this situation. They would like to know (some wouldn't though), but they by no means have a right to.

I guess people have the right to know, about as much as Apple have the right to keep this private :)

jasondefaoite said,
I guess people have the right to know, about as much as Apple have the right to keep this private :)

That's the thing, people do not have a right to know and Apple is not in breach of any legislation if they keep it to themselves. So, if anything, "Apple wanting to keep it private" > "people wanting to know".

I'd go back to what I originally posted on this. Personally I would only respect Apple's wish (and I mean wish, not right) to keep this private if they were working on a fix for the problem. Without that information, I believe Kurtz did the correct thing in publicising the issue.

The encryption isn't working the way Apple stated it was. People/companies making decisions of allowing the iPhone to access their work email have a right to this information.

Exactly jasondefaoite! Consumers (whether individuals or companies) spent a large amount of money on these devices and they expect it to work as advertised. Consumers are entitled to this sort of information to make an educated decision on whether to continue to use said device(s) or wait until a fix is available.

Apple wanting to keep it private does not outweigh the rights of the consumer to know whether there's something wrong with a product their using.

jasondefaoite said,
I'd go back to what I originally posted on this. Personally I would only respect Apple's wish (and I mean wish, not right) to keep this private if they were working on a fix for the problem. Without that information, I believe Kurtz did the correct thing in publicising the issue.

The encryption isn't working the way Apple stated it was. People/companies making decisions of allowing the iPhone to access their work email have a right to this information.


I think a knee-jerk reaction to Apple saying that they were aware of the problem but not saying that they were working on a fix should not be coming out to every man and his dog on the Internet about it. And all because he did not get an answer he wanted? At best, it is irresponsible. Publicly disclosing a security vulnerability is a double-edged sword. It may kick Apple into action (just because they did not tell him that they were doing something about it does not mean that they weren't), but it also exposes an additional attack vector which, while complex to leverage due to needing physical possession of a device, is by no means impossible for those with means and determination.

jasondefaoite said,
Completely disagree. See previous post.

Fair enough, to each their own. Keep in mind that even Microsoft does not release detailed information about security issues found and nobody is kicking up a fuss, are they? This is why people are encouraged to install updates ASAP while the bad guys reverse engineer the update packages to find out what has been fixed. People do not have a right to know. People have a right to live, to free speech, etc. They do not have a right to know about security vulnerabilities, especially if doing so makes things more vulnerable until a patch is released.

Again, you are missing the point.

There are many cases where MS have worked with the folks who discovered a flaw in their software, and nothing was announced until the fix was available. I'm fine with this.

Kurtz got a reply from Apple saying they were already aware of the issue. That's it. No request was made to keep it quiet. No information saying they are working to fix this. No indication this wasn't an intentional change.

Kurtz even waited till the next update, 7.1.1 was released, and it did not address the problem. Therefore, he did the responsible thing. Not knowing if there would be a fix for it, he announced the vulnerability to make it publicly known. Again, I am fine with this.

Two different scenarios in my opinion.

What are you talking about that nobody does this to Microsoft? http://www.theverge.com/2014/4...y-flaw-affects-all-versions With all due respect, do you live under a rock? There's plenty of vulnerabilities found in Windows and related products that get articles published before Microsoft addresses the flaws. That IE Zero Day Flaw was published just a week and a half ago.

And we DO have the right to know. If I buy a car and there's a flaw in the cars design (e.g. GM's resent debacle comes to mind), do I not have the right to know about this flaw, even if GM doesn't have a fix for the flaw yet? The only way to make an educated decision is to be educated and if a security firm withholds the information for me to be educated, I am in the dark, but more than likely, those who do hack already know about the flaw and are trying to exploit it.

Heartbleed is a prime example of this, but did you complain that it was announced before there was a fix? The NSA knew about it for years and used it against the American people, but I suppose that's okay because we didn't have a RIGHT to KNOW.

jasondefaoite said,
Again, you are missing the point.

There are many cases where MS have worked with the folks who discovered a flaw in their software, and nothing was announced until the fix was available. I'm fine with this.

Kurtz got a reply from Apple saying they were already aware of the issue. That's it. No request was made to keep it quiet. No information saying they are working to fix this. No indication this wasn't an intentional change.

Kurtz even waited till the next update, 7.1.1 was released, and it did not address the problem. Therefore, he did the responsible thing. Not knowing if there would be a fix for it, he announced the vulnerability to make it publicly known. Again, I am fine with this.

Two different scenarios in my opinion.


Did he contact Apple after 7.1.1 was released and he discovered that the problem he reported was not fixed? If not, why not? It's what I would have done. How long was it between him reporting it to Apple and 7.1.1 release? It is possible that they already had code committed for that release to make any changes to it. Just because Apple has not indicated a time frame for this bug to be fixed, it does not mean that they are not working on doing so. Absence of proof is not proof of absence.

Hurmoth said,
What are you talking about that nobody does this to Microsoft? http://www.theverge.com/2014/4...y-flaw-affects-all-versions With all due respect, do you live under a rock? There's plenty of vulnerabilities found in Windows and related products that get articles published before Microsoft addresses the flaws. That IE Zero Day Flaw was published just a week and a half ago.

And we DO have the right to know. If I buy a car and there's a flaw in the cars design (e.g. GM's resent debacle comes to mind), do I not have the right to know about this flaw, even if GM doesn't have a fix for the flaw yet? The only way to make an educated decision is to be educated and if a security firm withholds the information for me to be educated, I am in the dark, but more than likely, those who do hack already know about the flaw and are trying to exploit it.

Heartbleed is a prime example of this, but did you complain that it was announced before there was a fix? The NSA knew about it for years and used it against the American people, but I suppose that's okay because we didn't have a RIGHT to KNOW.

You misunderstood me. You know how MS publishes brief descriptions in a bulletin the week before Patch Tuesday? They do not go into every nitty gritty detail and apparently that's fair enough. Apple does not disclose something publicly and everyone loses their minds.

Your example of a car is a bad one to use. This is because, as far as I know, car manufacturers are legally obliged to disclose such flaws. Last I checked, no such legal obligation is imposed on makers of consumer electronics where there is no bodily harm risk. And there is no credible evidence that NSA exploited Heartbleed vulnerability. There may be suspicion that they did, but this is pure speculation and not a fact.

In the context of this vulnerability, how Apple screaming from the rooftops would have helped you anyway? If you think you have lost your phone, you can remote wipe it.

Your comment isn't relevant to what's actually happened/happening. No one is screaming that Apple should disclose anything. The OP said that the security firm should have given this information to Apple and not the media, and they did. It is on Apple to fix the flaw in their OS, but that does not mean the public isn't entitled to have the information as well.

I don't trust the government, so I wouldn't be surprised if they did use security flaws in software and didn't disclose this for the purposes of using them as a backdoor, it is the same tactic that jailbreakers use to jailbreak iOS. And that is exactly my point. If legitimate security firms don't release this information to the public, Apple isn't obligated to fix it, there's no "rush" to address this because there's no public concern.

No one is asking Apple to scream it from the rooftops. But you said we have no right to know about it and that simply isn't true as a user of their devices. I do have a right and you can't always trust "remote wipe". What If I'm not in an area where I can access a computer to remote wipe it? What I don't realize my phone is missing? There are plenty of "what ifs" that negate the argument that I don't need or have the right to know.

No one has lost their mind here, we are simply defending the right to know from a private, third party security research firm to release this information publicly. They did everything properly: (1) found the flaw (2) contacted Apple, and (3) released the information publicly. Those are the proper steps.

The responsible plan of action should have been to push Apple privately to fix the problem and make a public announcement (if they have to make one) after it has been fixed. No, public is not entitled to have this information as well. They (public) may feel that they are entitled to it under the mantra of "let's be open about everything", but the reality (and law) does not align with such belief.

We all [should] know that Apple takes iOS security seriously. If you do not know just how seriously, you should research and educate yourself about this. There is absolutely no need for security firms to come out in the open before any problem has been fixed. Doing so is less about "Company A, you have problems X, Y and Z, fix them now!" naming-and-shaming and more about getting free publicity from tech news outlets in order to secure additional business.

Just like there are plenty of "what ifs" that you are posing, there are plenty of ways for you to make sure that you do not lose your phone. It should not take a public disclosure of a security vulnerability for you to take appropriate measures to avoid its loss.

You keep calling it a right until cows come home. Doing so will not make it such. I would rather not continue banging my head against a wall / kicking a dead horse (delete as appropriate).

vanx said,
I would rather not continue banging my head against a wall / kicking a dead horse (delete as appropriate).

And yet you continue to do so.