Mail Attachments in iOS 7 are vulnerable

Independent developer Andreas Kurtz reports about vulnerability in the operating system iOS 7, which enables hackers get access to files that are attached to emails. According to the researcher, the vulnerability he found contradicts Apple’s statement that iDevices additionally encrypt email attachments.

“Email attachments within the iOS 7 MobileMail.app are not protected by Apple’s data protection mechanisms. Clearly, this is contrary to Apple’s claims the data protection provides an additional layer of protection for email messages’ attachments.”

Kurtz verified the issue by updating an iPhone 4 to iOS 7.1 and 7.1.1, setting up IMAP email account and shutting down the device. He then accessed the file system using the methods he described in his blog, mounted the iOS data partition, and in the email folder, he found that all attachments were accessible without any restrictions or encryption.

At the same time, Apple claims “Data protection is available for devices that offer hardware encryption, including iPhone 3GS and later, all iPad models, and iPod touch (3rd generation and later). Data protection enhances the built-in hardware encryption by protecting the hardware encryption keys with your passcode. This provides an additional layer of protection for your email messages attachments, and third-party applications.”

Nonetheless, Kurtz discovered that despite the company’s statements, email attachments in iOS starting with iOS 7.0 .4 until the current 7.1.1 are not encrypted whatsoever.

As a result, we now know that even users running the latest iOS versions are vulnerable to a very serious threat. Apple representatives answered Kurtz’ email but did not go into detail about the date of the patch release. In the meantime, the developer recommends you disable email synchronization feature until the patch is released.