I predict that an NSA agent working for Apple will bang his head on his table, while thinking: "How many more loopholes that I inserted will be discovered by the public?"

Damn those pesky public !!!!!
 
Pardon?

One of Apple's biggest problems is that they remain schtum.
People want some acknowledgement and feedback, this along with the regular changing of OS versions will prevent them from ever being the major force in enterprise.

Do you know who has maintained 80-90% of the tablet / Tablet OS market?
 
Is anything truly secure nowadays?

Yes.

----------

Go download a copy of iExplore. Poof -- your entire phone in basically a Finder window. It's not hard at all. I had to buy a copy to get all of the music off of an old iPod.

You cannot do that without the passcode that is used to encrypt all the data.

----------

The flaw that if you know the passcode for a device, you can access the data stored on it? Well done! Revolutionary!

The flaw that Apple claimed the attachments were encrypted when they weren't.

----------

So...why is apple being so stupid these days?

+1. I don't know what happened 2 or so months ago, but all of a sudden, stuff's been hitting the fan.

----------

When you email an attachment it's not encrypted.

Even if you use SSL? I actually don't know the answer; I'm not being sarcastic because I hate sarcasm.
 
Oh noes... if someone steals my iPhone and then is using some not so easy technique to access the file system of my iPhone then navigating to my email folder can then read my email attachments......

Probably this security flaw affects 0.0001% of iOS users but everyone will think "OMG another security flaw!!!11" :rolleyes:

That's the spirit, who cares about flaws and bugs in software, huh? They should stop fixing them. I know people that don't use antiviruses and get away with it - that must mean something.
:rolleyes:
 
Even if you use SSL? I actually don't know the answer; I'm not being sarcastic because I hate sarcasm.

SSL just encrypts the email during transit. The email is still in plaintext when it arrives at the intermediate mail relays and at the recipient. It can still be collected, indexed, searched, stored, etc by any relay (and your ISP WILL do this). It also is unprotected on the recipient's and sender's hard drive, as SSL only protects it during transit. It's also subject to man in the middle attacks using compromised certificates, malicious or coerced certificate authorities, and so on.

The only real way to secure the email from end to end is with PGP/GPG or S/MIME, and I'm not comfortable with S/MIME due to the requirement of a CA.
 
You cannot do that without the passcode that is used to encrypt all the data.

----------

The flaw that Apple claimed the attachments were encrypted when they weren't.

Well, if the storage area is encrypted and attachments are saved as files within the encrypted storage area, the attachment can most certainly be said to be stored encrypted.

As for your interpretation of the flaw, could you please provide references for exactly what you claim Apple claimed? No problem with the linked ht4175, so you must have read something somewhere else?
 
good to see Apple's working on this, but this just further says security isn't everything..

I thought iOS uses encryption everywhere, even in transit and storage...

I guess not mail attachments...oppsy....

Let's see other stuff we can uncover that is Not secure hey ? :)
 
One of Apple's biggest problems is that they remain schtum.
People want some acknowledgement and feedback, this along with the regular changing of OS versions will prevent them from ever being the major force in enterprise.

If you are in Enterprise I.T. like I am, you will quickly realize this is a non issue like Apple has. No need to panic. This flaw cannot be accessed OTA. Heck...if anything Apple might get accused of copying Android which largely runs an unencrypted OS.
 
However, in many countries, your phone can simply be confiscated and searched by the police with no real reason. This is a genuine problem as far as privacy is concerned, and becomes more serious when you're dealing with oppressive governments.

This EXACT question is before the US Supreme Court right now.

Some guy was stopped for having expired tags then cops took his phone and searched it. In the US the cops don't need a warrant to do a search at the time they catch you in a criminal act. (even a trivial crime like expired plates) The reason for allowing a search is that the person might have a gun or something. But they searched his phone.

google Riley v. California, 13-132
 
According to the article, Apple has acknowledged the flaw, at least to Kurtz, but for them to immediately come out publicly and declare the problem, while not even having finished exactly diagnosing the vulnerability themselves, would be tantamount to issuing an invitation to hackers far and wide, to capitalize on the problem and create more problems for users, and by extension, for Apple.

There's little doubt, in my mind at least, that behind the scenes Apple is furiously working on plugging this hole.

This is all about iOS; not sure why you're bringing OS and enterprise share into this discussion.

Trust me when I say that when a vulnerability is discovered and published Apple can recreate/diagnose it right away. As I said before, we've discovered this vulnerability [or at least one just like it, if it's not the same one] a long time ago and reported it to Apple. Apple wouldn't give an ETA nor issue a patch for the fix - they operate like a black box.

Unfortunately that's about all I can say on the matter.

SSL just encrypts the email during transit. The email is still in plaintext when it arrives at the intermediate mail relays and at the recipient. It can still be collected, indexed, searched, stored, etc by any relay (and your ISP WILL do this). It also is unprotected on the recipient's and sender's hard drive, as SSL only protects it during transit. It's also subject to man in the middle attacks using compromised certificates, malicious or coerced certificate authorities, and so on.

The only real way to secure the email from end to end is with PGP/GPG or S/MIME, and I'm not comfortable with S/MIME due to the requirement of a CA.

You're assuming that all email goes through gmail, hotmail, yahoo, etc. You don't consider corporate/government email. SSL is typically not subject to MIM attacks. This is especially true with corporate/gov't property, as I've stated.
 
Design is not just what it looks like and feels like. Design is how it works.

- Steve Jobs
 
Oh noes... if someone steals my iPhone and then is using some not so easy technique to access the file system of my iPhone then navigating to my email folder can then read my email attachments......

Probably this security flaw affects 0.0001% of iOS users but everyone will think "OMG another security flaw!!!11" :rolleyes:

No, we're thinking something else entirely.... It's about people like you who say the typical fanatical lines any time anyone criticizes ANYTHING Apple does and then the other few dozen fanatics on here rush to click Vote UP on cue. ;)
 
No, we're thinking something else entirely.... It's about people like you who say the typical fanatical lines any time anyone criticizes ANYTHING Apple does and then the other few dozen fanatics on here rush to click Vote UP on cue. ;)
Off topic, but do the votes really even mean or do anything? Can't even see them on the mobile version, and barely notice them on the regular one, and even that is only on occasion.
 
This is NOT a big deal. Email is never encrypted as it moves between email servers. If you sent an attachment it gets stored in mail servers and then at best is only encrypted near the end of its journey.

Think of email as like sending a post card, everyone in the post office can read it if they want to.

The ONLY way to avoid this is to use end-to-end encryption and hardly anyone does that.

I think the people most upset over this are the ones who really don't understand how email systems work.
 
..
You're assuming that all email goes through gmail, hotmail, yahoo, etc. You don't consider corporate/government email....

Yes, it could be that in some cases where a user working at "mycompany.com" sends email to another person at mycompany.com and that the mail stays inside a company email server. But (1) this is a special case and (2) many times, maybe even most times that mail server is run by the company's ISP. Only the larger companies have their own in-house mail servers; most let someone like the ISP handle it.

So in the special case in internal emails where the company runs its own servers there is no exposure but in all other cases the PDF attachment is going to be stored many times at random unknown places all over the Internet.

Take a look at your own email. Look at the raw headers, but the smaller subset the mail reader shows. Look at the raw text files and see how many "Received By" headers are in one of your typical emails. A half dozen such lines are not uncommon.
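
Added example, not part of the original post: a short Python script that does the header check described above, listing each hop from a message's `Received` lines and flagging which links reported STARTTLS. The sample message and all hostnames are constructed, and `Received` lines are self-reported by each server, so the result is only as trustworthy as the servers that wrote them.

```python
import email
import re

# Constructed sample message: hostnames, addresses and timestamps are made up.
RAW = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
\tby mailstore.recipient.example with LMTP; Mon, 5 May 2014 10:00:04 +0000
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.recipient.example with ESMTP; Mon, 5 May 2014 10:00:03 +0000
Received: from smtp.sender.example (smtp.sender.example [192.0.2.10])
\tby relay.isp.example with ESMTPS; Mon, 5 May 2014 10:00:02 +0000
Received: from phone.local ([192.0.2.55])
\tby smtp.sender.example with ESMTPSA; Mon, 5 May 2014 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: report.pdf attached

(body)
"""

# "with" keywords from RFC 3848 that indicate the hop used STARTTLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+([A-Za-z0-9]+)", re.S | re.I)

def trace_hops(raw):
    """Return (from_host, by_host, protocol, used_tls) per hop, oldest first."""
    msg = email.message_from_string(raw)
    hops = []
    # Each server prepends its own Received line, so reverse for travel order.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if m is None:
            hops.append((None, None, None, False))  # unparseable: assume no TLS
            continue
        proto = m.group(3).upper()
        hops.append((m.group(1), m.group(2), proto, proto in TLS_PROTOCOLS))
    return hops

def exposure(hops):
    """Hosts that held the message decrypted, and links that carried it in cleartext."""
    holders = [by for _, by, _, _ in hops if by]          # TLS ends at every server
    clear_links = [(frm, by) for frm, by, _, tls in hops if not tls]
    return holders, clear_links

if __name__ == "__main__":
    for hop in trace_hops(RAW):
        print(hop)
    print(exposure(trace_hops(RAW)))
```

Even on the two hops that report TLS, the receiving server still decrypts and stores the message, which is why every `by` host appears in the list of holders.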
 
As always, email was/has never really meant to be good in terms of security, you always need something on top like GnuPG to encrypt, otherwise it is stored in the clear, it's only the connection which is SSL, not the data.

so this is no surprise Apple has not stored attachments securely..

If anyone read the white paper, they would also know iMessage is not truly secure either since the key is shared...

But that's Apple.

Personally, I would have made sure I used the same encryption throughout, from top to bottom, instead of a weaker encryption with imessage, or no encryption on email attachments...

Obviously, they could have done this if they really wanted to. but this just shows either something they overlooked, or just deliberately done because they may not care about the best security...

With iMessage though, this could be fixed too, but I don't think Apple wants it to be.
 
Off topic, but do the votes really even mean or do anything? Can't even see them on the mobile version, and barely notice them on the regular one, and even that is only on occasion.

At best, they give you a vague idea of the number of people that agree with something (e.g. you realize there's more than one person out there that feels strongly enough about something to bother voting up).

But since negative voting was removed, yeah, it really means almost NOTHING other than that since you could have 30 people strongly agree but have 500 that strongly disagreed who now get no voice what-so-ever so people that would feel "bad" about having hundreds strongly disagree with what they had to say now can feel good that 3 other people think like they do! Really, though, most people stopped using the system after negative voting was removed since it's now utterly pointless. Plus some people read the first page or two of threads or the first day or two and then never return to read anything else. This is why you often see positive votes on pages 1 or 2 of a thread, but then no more than 1 or 2 votes on succeeding pages. A 2/3 majority either wanted negative voting to stay or didn't care one way or another, so 1/3 got their way by screaming all day long about it and threatening to not donate money to the site anymore (apparently they felt bad having 200-300 people vote down their comments all the time because they were only emotionally charged and missing any logic). It was pathetic, IMO. Some of us asked for the system to be removed entirely rather than a dictatorship propaganda one-way voting only system in place, but we were ignored, probably because we weren't emotionally wrought enough to threaten to stop donating to the site if we didn't get our way with a tantrum. :rolleyes:

So yeah, it means virtually nothing.
 
This is NOT a big deal. Email is never encrypted as it moves between email servers. If you sent an attachment it gets stored in mail servers and then at best is only encrypted near the end of its journey.

Think of email as like sending a post card, everyone in the post office can read it if they want to.

The ONLY way to avoid this is to use end-to-end encryption and hardly anyone does that.

I think the people most upset over this are the ones who really don't understand how email systems work.

I disagree. It is a big deal, to some extent. It's just that the hilarious insecurity of email in general is a bigger deal. PGP has been around since 1991. It's ludicrous that it isn't the default at this point.
 
So much for Jony Ive's flat iOS design when there are so many security holes in iOS7, I just hope the IP6 and iOS8 are way better because 7 truly sucks on many levels.
 
Well, if the storage area is encrypted and attachments are saved as files within the encrypted storage area, the attachment can most certainly be said to be stored encrypted.

As for your interpretation of the flaw, could you please provide references for exactly what you claim Apple claimed? No problem with the linked ht4175, so you must have read something somewhere else?

The storage area is not encrypted if you do not use a passcode. The MacRumors article said that Apple claims that email attachments are encrypted when they aren't; I haven't done further research. Maybe they mean that using a passcode encrypts everything but the emails.
 