Security researcher Andreas Kurtz is claiming that the iOS 7 Mail app (including versions 7.1.1 and 7.0.4) doesn’t protect email attachments when users send messages using their iOS devices. Kurtz discovered this issue weeks ago after the release of the recent update, and posted the details in his blog.
Apple has noted—according to the corporate website’s page on data protection—that “… it provides an additional layer of protection for your email messages attachments, and third-party applications.” Kurtz claims otherwise.
Here’s an excerpt from his blog:
A few weeks ago, I noticed that email attachments within the iOS 7 MobileMail.app are not protected by Apple’s data protection mechanisms. Clearly, this is contrary to Apple’s claims that data protection “provides an additional layer of protection for (..) email messages attachments”. I verified this issue by restoring an iPhone 4 (GSM) device to the most recent iOS versions (7.1 and 7.1.1) and setting up an IMAP email account1, which provided me with some test emails and attachments.
Afterwards, I shut down the device and accessed the file system using well-known techniques (DFU mode, custom ramdisk, SSH over usbmux). Finally, I mounted the iOS data partition and navigated to the actual email folder. Within this folder, I found all attachments accessible without any encryption/restriction.
What’s disturbing about this issue is that Apple is aware of it and the patch to fix it is still unavailable. Kurtz said he already reported it and the company responded that they are aware of it. However, they didn’t provide a date for when a fix is expected.
In the meantime, Kurtz suggests disabling mail synchronization to avoid data theft. Attachments and messages sent between government officials and companies using iOS devices are at risk.
Let’s hope Apple will fix this issue soon.