A recently-discovered bug in Apples iOS 7 mobile operating system has revealed that any email attachments sent from an iOS 7 device will remain unencrypted, even if iOS 7s "Data Protection" feature is enabled.
The bug was found by Andreas Kurtz, a researcher for NESO Security Labs in Germany. According to Kurtz, he verified the claim by restoring an iPhone 4 to iOS 7.1 and setting up an IMAP email account. Kurtz then accessed the file system, where he discovered that every attachment was accessible and completely lacked any encryption or restriction.
A few weeks ago, I noticed that email attachments within the iOS 7 MobileMail.app are not protected by Apples data protection mechanisms. Clearly, this is contrary to Apples claims that data protection "provides an additional layer of protection for (..) email messages attachments".
The findings were reproduced on an iPhone 5s and an iPad 2, both running iOS 7.0.4. The bug was reported to Apple, who acknowledged that they were "aware of the issue" but did not provide a timeframe for when the bug is expected to be fixed.
According to Kurtz, the bug affects IMAP as well as POP and ActiveSync -- and while the vulnerability is fairly severe, even the recently released iOS 7.1.1 update didnt fix the issue.