Apple may have omitted encryption protections for email attachments in the latest versions of its operating system for the iPad and iPhone despite claims to the contrary, according to an independent security research firm in Germany.
“A few weeks ago, I noticed that email attachments within the iOS 7 MobileMail.app are not protected by Apple’s data protection mechanisms. Clearly, this is contrary to Apple’s claims that data protection ‘provides an additional layer of protection for (..) email messages attachments’,” wrote NESO Labs CEO Andreas Kurtz.
“I verified this issue by restoring an iPhone 4 (GSM) device to the most recent iOS versions (7.1 and 7.1.1) and setting up an IMAP email account, which provided me with some test emails and attachments. Afterwards, I shut down the device and accessed the file system using well-known techniques (DFU mode, custom ramdisk, SSH over usbmux). Finally, I mounted the iOS data partition and navigated to the actual email folder. Within this folder, I found all attachments accessible without any encryption/restriction,” Kurtz explained.
To verify that data protection was actually enabled on the device, Kurtz then tried to access the Protected Index file (the email message database) in the same way and found that access to that file was denied, an indication that data protection was indeed enabled but was not being applied to the email attachments.
Kurtz notified Apple of his findings, and the company confirmed it was aware of the lack of encryption for attachments, but did not say when a fix would be released.
“Considering the long time iOS 7 is available by now and the sensitivity of email attachments many enterprises share on their devices (fundamentally relying on data protection), I expected a near-term patch,” Kurtz continued.
“Unfortunately, even today’s iOS 7.1.1 did not remedy the issue, leaving users at risk of data theft. As a workaround, concerned users may disable mail synchronization (at least on devices where the bootrom is exploitable).”
Several weeks ago, security researcher Kristin Paget wrote a highly critical piece slamming Apple for delaying a patch for iOS that had already been issued for Safari and OS X three weeks earlier, leaving mobile users at risk of arbitrary code execution if they happened to browse to a malicious website.
Paget noted that multiple vulnerabilities fixed in the late-April iOS 7.1.1 update were the same ones that had already been addressed in the April 1st releases of Safari 6.1.3 and 7.0.3 for OS X, likening the practice to Apple using OS X to drop zero-days on iOS, and then compounding the matter by not alerting users to the risk.