iOS 7 Security Flaw Leaves Stored Email Attachments Unencrypted [Updated]

Discussion in 'News Discussion' started by MacRumors, May 5, 2014.

  1. macrumors bot


    Apr 12, 2001

    Apple states that it uses data encryption to protect email message attachments, but a report from security researcher Andreas Kurtz, via ZDNet, claims iOS 7.0.4 and later does not include this security feature.

    Kurtz detected this flaw in iOS by accessing the file system on an iPhone 4 running iOS 7.1 and 7.1.1. Browsing through the email folder for an IMAP account, Kurtz discovered that the email attachments were stored in an unencrypted state. Besides the iPhone 4, Kurtz also was able to reproduce this vulnerability on an iPhone 5s and an iPad 2 running iOS 7.0.4.
    Kurtz reported this issue to Apple, which acknowledged the flaw, but provided no timetable for patching it. This isn't the first security issue Apple has faced this year. The company recently patched a serious SSL connection verification flaw in both iOS and OS X that allowed an attacker with a "privileged network position" to capture data protected by SSL/TLS.

    Update 3:11 PM PT: In a statement given to iMore, an Apple spokesperson said the company is working on a fix for the issue.
  2. macrumors 68020


    Aug 28, 2008
    Beverly, Massachusetts
    So iOS versions 7.0.3 and below encrypted attachments? Why would they drop that feature?
  3. macrumors 604

    Apr 23, 2011
    GVA, KUL, MEL (current), ZQN
    I predict that an NSA agent working for Apple will bang his head on his table, while thinking: "How many more loopholes that I inserted will be discovered by the public?"
  4. macrumors 65816


    Sep 20, 2002
    Apple's new motto:
    If things aren't broken, fix them till they're broken.
  5. macrumors 68020

    Nov 4, 2008
    One of Apple's biggest problems is that they remain schtum.
    People want some acknowledgement and feedback; this, along with the regular changing of OS versions, will prevent them from ever being the major force in enterprise.
  6. macrumors 6502a

    Sep 4, 2010
    Another opportunity to force users to upgrade to iOS 7?
  7. macrumors 6502a


    Aug 27, 2012
    Oh noes... if someone steals my iPhone and then is using some not so easy technique to access the file system of my iPhone then navigating to my email folder can then read my email attachments......

    Probably this security flaw affects 0.0001% of iOS users but everyone will think "OMG another security flaw!!!11" :rolleyes:
  8. macrumors 6502a

    Dec 2, 2013
    Every time someone says “This consumer electronic device isn’t secure for (x) reason!” and then follows it up with a description that pretty much requires direct hardware access, I have to wonder. How easy do you think it is to steal stuff in my pockets?
  9. macrumors 65816


    Mar 19, 2011
    Trollhättan, Sweden
    Really disappointing.

    So 7.1.2 will have to come out to reinsert security code, something that was accidentally removed in 7.0.3?

    Not especially reassuring - lots of security problems of late.
  10. macrumors 68000


    Jun 29, 2007
    When you email an attachment it's not encrypted.
  11. macrumors G5


    Nov 14, 2011
    Good click bait. :)
  12. macrumors 65816


    Mar 19, 2011
    Trollhättan, Sweden
    Hmmm...pretty sure he only used that method to verify the weakness was real. My thinking is that anyone capable of accessing your phone remotely (via the SSL weakness that was recently fixed, for example) could have exploited this weakness as well had it been present.

    Very happy to be proven wrong by someone with creditable knowledge of the subject?
  13. macrumors 65816


    Apr 19, 2014
    Not very hard when there's a gun or knife pointed at your face. Although, most criminals would just try to sell it, so they probably won't be trying to view your emails.

    However, in many countries, your phone can simply be confiscated and searched by the police with no real reason. This is a genuine problem as far as privacy is concerned, and becomes more serious when you're dealing with oppressive governments.

    Apple needs to fix this.
  14. macrumors 603


    Aug 23, 2012
    McKinney, TX
    But even that was a tough sell - one had to be within your vicinity and had to be connected to the same network as you were.

    Point being, public wireless networks are often not the best place to do online banking and such. That's the case for everyone - not just Apple.

    Moral of the story - if someone has the know-how and determination, no amount of security patches and software will keep them out. For 99.9999% of iPhone users, it's a secure device.

    Maybe this would affect Apple's contract with government workers....I don't know.

    Still - to have to be able to have access to the file system on the iPhone (either physically possessing it or remotely) seems like a relatively difficult task in and of itself.
  15. macrumors member


    Jul 23, 2011
    Hampshire, UK
    I'm not sure why there would be encryption specific to emails / attachments. I always assumed that it would have whole disk encryption or none at all.
  16. macrumors 603


    Aug 23, 2012
    McKinney, TX
    So added security patches will fix you not giving up information at gun/knife point? I'm pretty sure they could just ASK you what they wanted to know without having you give up your phone so they can hack it....

    I agree Apple needs to fix it - and they always do. But to blow this out of proportion as some massive issue we all should be afraid of is propaganda. The people with the means and know-how are going to do what they want to do. Fortunately, this doesn't affect the VAST majority of iPhone users.
  17. TEG
    macrumors 604


    Jan 21, 2002
    Langley, Washington

    I don't see where this is a big deal. They aren't encrypted on your computer either, and it is much more difficult to hack into a phone for the average person than a computer.
  18. macrumors 603


    Jul 27, 2009
    Premià de Mar
  19. macrumors 65816

    Mar 17, 2009
    Don't question Apple. They know what's best for your emails!
  20. macrumors regular

    Jul 24, 2002
    This is a huge point that is being ignored. Sure, it would probably be marginally better if attachments are encrypted on the device, but it was transmitted over an insecure channel to begin with.

    Another point missed -- on iOS, the entire filesystem is encrypted and can't be accessed if there is a pincode or fingerprint securing the device. In this case, the files are unencrypted on the filesystem, but the front door to the house was left unlocked.

    For average users, the filesystem encryption is more than enough security. This is just nitpicking now.
  21. macrumors 6502a


    Apr 14, 2007
    They also need your passcode in order to access the file system...

    Well, it actually does. It is just that some people can't read properly and assume that it works in another way than it says.
  22. macrumors 601

    Nov 25, 2012
    United States
    You're also ignoring the fact that unless you're working in an enterprise environment where they have the software tools to encrypt emails, the majority of people send attachments that are not encrypted. Thanks for that "comical" post. :p
  23. macrumors 603

    The Doctor11

    Dec 15, 2013
    New York
    And the number of attachments in my box is...0
  24. macrumors 65816

    Aug 9, 2008
    I agree this shouldn't be blown out of proportion. The likelihood of an individual being affected is low.

    With that being said, I'm guessing it's not just the physical phone that would be vulnerable....wouldn't backup files either on a PC/Mac or in iCloud also have the same unencrypted attachment issue? Or is the whole backup file encrypted again as it is archived?
  25. macrumors 603


    Mar 11, 2013
    I wonder if this vulnerability is present in OSX...
