Justin Kahn
Posts: 752 +6
Apple currently states that "an additional layer of protection for your email messages attachments, and third-party applications," is in place on iOS 7, but according to a security researcher this is not the case. Andreas Kurtz said in versions of iOS 7 email attachments within the stock Mail app are in fact not covered by Apple's data protection mechanism.
According to the researcher the bug is present in iOS 7, 7.0.4, 7.1, and the latest 7.1.1, contrary to what Apple says on its site. Kurtz initially surfaced with this data after iOS 7.1.1 released last month, but is just now making headlines.
"I verified this issue by restoring an iPhone 4 (GSM) device to the most recent iOS versions (7.1 and 7.1.1) and setting up an IMAP email account1, which provided me with some test emails and attachments. Afterwards, I shut down the device and accessed the file system using well-known techniques (DFU mode, custom ramdisk, SSH over usbmux)." Kurtz wrote on his blog. "Finally, I mounted the iOS data partition and navigated to the actual email folder. Within this folder, I found all attachments accessible without any encryption/restriction:"
While most average consumers may not be overly concerned with email attachment encryption, this kind of a bug could be a somewhat major issue for enterprise clients with extremely sensitive content being passed around.
Kurtz reached out to Apple and apparently the company said it is aware of the problem but did offer a time frame in which it would be patched.
Some believe a data protection bug of this nature should have been spotted and fixed a long time ago, and that Apple has likely already been working on the fix. For a more technical breakdown of the data protection bug and a possible workaround until Apple gets a patch out, head over to Kurtz's blog post.
