
MacRumors

macrumors bot
Original poster
Apr 12, 2001
57,450
20,287



Apple states that it uses data encryption to protect email message attachments, but a report from security researcher Andreas Kurtz, via ZDNet, claims iOS 7.0.4 and later does not include this security feature.

Kurtz detected this flaw in iOS by accessing the file system on an iPhone 4 running iOS 7.1 and 7.1.1. Browsing through the email folder for an IMAP account, Kurtz discovered that the email attachments were stored in an unencrypted state. Besides the iPhone 4, Kurtz also was able to reproduce this vulnerability on an iPhone 5s and an iPad 2 running iOS 7.0.4.
"I verified this issue by restoring an iPhone 4 (GSM) device to the most recent iOS versions (7.1 and 7.1.1) and setting up an IMAP email account, which provided me with some test emails and attachments. Afterwards, I shut down the device and accessed the file system using well-known techniques (DFU mode, custom ramdisk, SSH over usbmux). Finally, I mounted the iOS data partition and navigated to the actual email folder. Within this folder, I found all attachments accessible without any encryption/restriction"
Kurtz reported this issue to Apple, which acknowledged the flaw, but provided no timetable for patching it. This isn't the first security issue Apple has faced this year. The company recently patched a serious SSL connection verification flaw in both iOS and OS X that allowed an attacker with a "privileged network position" to capture data protected by SSL/TLS.

Update 3:11 PM PT: In a statement given to iMore, an Apple spokesperson said the company is working on a fix for the issue.
"We're aware of the issue," an Apple spokeswoman told iMore, "and are working on a fix which we will deliver in a future software update."

Article Link: iOS 7 Security Flaw Leaves Stored Email Attachments Unencrypted [Updated]
 

H2SO4

macrumors 603
Nov 4, 2008
5,148
6,396
One of Apple's biggest problems is that they remain schtum.
People want some acknowledgement and feedback, this along with the regular changing of OS versions will prevent them from ever being the major force in enterprise.
 

marvz

macrumors 65816
Aug 27, 2012
1,001
443
Berlin
Oh noes... if someone steals my iPhone and then is using some not so easy technique to access the file system of my iPhone then navigating to my email folder can then read my email attachments......

Probably this security flaw affects 0.0001% of iOS users but everyone will think "OMG another security flaw!!!11" :rolleyes:
 

GeneralChang

macrumors 68000
Dec 2, 2013
1,565
1,283
Every time someone says “This consumer electronic device isn’t secure for (x) reason!” and then follows it up with a description that pretty much requires direct hardware access, I have to wonder. How easy do you think it is to steal stuff in my pockets?
 

MyopicPaideia

macrumors 68020
Mar 19, 2011
2,154
975
Sweden
Really disappointing.

So 7.1.2 will have to come out to reinsert security code that was accidentally removed in 7.0.3?

Not especially reassuring - lots of security problems of late.
 

Rogifan

macrumors Core
Nov 14, 2011
23,148
29,279
Oh noes... if someone steals my iPhone and then is using some not so easy technique to access the file system of my iPhone then navigating to my email folder can then read my email attachments......

Probably this security flaw affects 0.0001% of iOS users but everyone will think "OMG another security flaw!!!11" :rolleyes:

Good click bait. :)
 

MyopicPaideia

macrumors 68020
Mar 19, 2011
2,154
975
Sweden
Oh noes... if someone steals my iPhone and then is using some not so easy technique to access the file system of my iPhone then navigating to my email folder can then read my email attachments......

Probably this security flaw affects 0.0001% of iOS users but everyone will think "OMG another security flaw!!!11" :rolleyes:

Hmmm...pretty sure he only used that method to verify the weakness was real. My thinking is that anyone capable of accessing your phone remotely (via the SSL weakness that was recently fixed, for example) could have exploited this weakness as well had it been present.

Very happy to be proven wrong by someone with creditable knowledge of the subject?
 

2984839

Cancelled
Apr 19, 2014
2,114
2,230
Every time someone says “This consumer electronic device isn’t secure for (x) reason!” and then follows it up with a description that pretty much requires direct hardware access, I have to wonder. How easy do you think it is to steal stuff in my pockets?

Not very hard when there's a gun or knife pointed at your face. Although, most criminals would just try to sell it, so they probably won't be trying to view your emails.

However, in many countries, your phone can simply be confiscated and searched by the police with no real reason. This is a genuine problem as far as privacy is concerned, and becomes more serious when you're dealing with oppressive governments.

Apple needs to fix this.
 

jrswizzle

macrumors 603
Aug 23, 2012
6,107
129
McKinney, TX
Hmmm...pretty sure he only used that method to verify the weakness was real. My thinking is that anyone capable of accessing your phone remotely (via the SSL weakness that was recently fixed, for example) could have exploited this weakness as well had it been present.

Very happy to be proven wrong by someone with creditable knowledge of the subject?

But even that was a tough sell - one had to be within your vicinity and had to be connected to the same network as you were.

Point being, public wireless networks are often not the best place to do online banking and such. That's the case for everyone - not just Apple.

Moral of the story - if someone has the know how and determination, no matter of security patches and software will keep them out. For 99.9999% of iPhone users, it's a secure device.

Maybe this would affect Apple's contract with government workers....I don't know.

Still - to have to be able to have access to the file system on the iPhone (either physically possessing it or remotely) seems like a relatively difficult task in and of itself.
 

00sjsl

Contributor
Jul 23, 2011
142
55
Hampshire, UK
I'm not sure why there would be encryption specific to emails / attachments. I always assumed that it would have whole disk encryption or none at all.
 

jrswizzle

macrumors 603
Aug 23, 2012
6,107
129
McKinney, TX
Not very hard when there's a gun or knife pointed at your face. Although, most criminals would just try to sell it, so they probably won't be trying to view your emails.

So added security patches will fix you not giving up information at gun/knife point? I'm pretty sure they could just ASK you what they wanted to know without having you give up your phone so they can hack it....

However, in many countries, your phone can simply be confiscated and searched by the police with no real reason. This is a genuine problem as far as privacy is concerned, and becomes more serious when you're dealing with oppressive governments.

Apple needs to fix this.

I agree Apple needs to fix it - and they always do. But to blow this out of proportion as some massive issue we all should be afraid of is propaganda. The people with the means and know how are going to do what they want to do. Fortunately, this doesn't affect the VAST majority of iPhone users.
 

TEG

macrumors 604
Jan 21, 2002
6,602
138
Langley, Washington
Meh.

I don't see where this is a big deal. They aren't encrypted on your computer either, and it is much more difficult to hack into a phone for the average person than a computer.
 

SmileyDude

macrumors regular
Jul 24, 2002
194
61
MA
When you email an attachment it's not encrypted.

This is a huge point that is being ignored. Sure, it would probably be marginally better if attachments are encrypted on the device, but it was transmitted over an insecure channel to begin with.

Another point missed -- on iOS, the entire filesystem is encrypted and can't be accessed if there is a pincode or fingerprint securing the device. In this case, the files are unencrypted on the filesystem, but the front door to the house was left unlocked.

For average users, the filesystem encryption is more than enough security. This is just nitpicking now.
 

itickings

macrumors 6502a
Apr 14, 2007
947
183
Oh noes... if someone steals my iPhone and then is using some not so easy technique to access the file system of my iPhone then navigating to my email folder can then read my email attachments......

Probably this security flaw affects 0.0001% of iOS users but everyone will think "OMG another security flaw!!!11" :rolleyes:

They also need your passcode in order to access the file system...

It just works

Well, it actually does. It is just that some people can't read properly and assume that it works in another way than it says.
 

HenryDJP

Suspended
Nov 25, 2012
5,084
843
United States
Don't question Apple. They know what's best for your emails!

You're also ignoring the fact that unless you're working in an enterprise environment where they have the software tools to encrypt emails the majority of people send attachments that are not encrypted. Thanks for that "comical" post. :p
 

BruiserB

macrumors 68000
Aug 9, 2008
1,683
634
I agree this shouldn't be blown out of proportion. The likelihood of an individual being affected is low.

With that being said, I'm guessing it's not just the physical phone that would be vulnerable....wouldn't backup files either on a PC/Mac or in iCloud also have the same unencrypted attachment issue? Or is the whole backup file encrypted again as it is archived?
 