Mailbox app security fail exposes your contacts, attachments and email messages

By , Apr 24, 2013

[Images: Mailbox 1.0 for iOS, iPhone screenshots]

Orchestra’s Mailbox has quickly become my default iPhone email application. As you know, Mailbox offloads backend email management to the cloud so the thin client running on your device can let you zip through your inbox at a rapid pace while rethinking the workflow with abilities such as snoozing individual messages as if they were reminders and more. So is there anything not to like about Mailbox?

Apparently there is. According to one app developer, a database Mailbox maintains on your device is unsecured, potentially exposing your contacts, attachments and message contents to anyone who has physical access to your device, using just a simple file transfer tool like iExplorer or DiskAid.

Writing on his blog, developer Subhransu Behera describes Mailbox as a “security fail.”

Specifically, he was able to use the iExplorer tool to browse the app’s Documents and Library folders on an iPhone and extract contacts, email messages and attachments because “there’s no data protection at all.”

He explains:

At the top level of the Documents directory there’s a folder called ‘Attachments’. It consists of all the attachments that I received or sent, be it the source code of some app, my bank statements or some confidential information. All these files are there unencrypted and unprotected, ready to be stolen if you lose your phone for some reason!

He then used an SQLite manager tool to extract contacts and additional email details from a database.

[Image: Mailbox security fail]

“Depending on what you do with your emails, this can be pretty scary,” he observed.

Being an app developer himself, Behera sums it up by advising fellow developers to take advantage of Apple’s iOS SDK, which provides a set of APIs specifically designed for data protection.

He claims it’s all about “adding few extra lines of codes” to the Mailbox app in order to increase the security level. There’s no word from Dropbox, which now owns Mailbox, on whether or not it will fix this glaring omission in the next Mailbox update.
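The “few extra lines” Behera refers to are the iOS Data Protection file attributes; the following Objective-C is an added illustration, not code from Mailbox or from Behera’s post, and assumes a hypothetical app that keeps attachments under Documents/Attachments and an SQLite file whose path is passed in. Files marked this way are encrypted with a per-file key wrapped by a key derived from the user’s passcode and the device’s hardware key, so no decryption key needs to be stored in the app binary.

```objectivec
#import <Foundation/Foundation.h>

// Write a newly received attachment so it is only readable while the device is
// unlocked. NSDataWritingFileProtectionComplete asks iOS to encrypt the file at
// rest under a key that is discarded once the device locks.
static BOOL MBXWriteProtectedAttachment(NSData *contents, NSString *fileName, NSError **error) {
    NSFileManager *fm = [NSFileManager defaultManager];
    NSURL *documents = [[fm URLsForDirectory:NSDocumentDirectory
                               inDomains:NSUserDomainMask] firstObject];
    // Hypothetical layout: Documents/Attachments/<fileName>
    NSURL *attachmentsDir = [documents URLByAppendingPathComponent:@"Attachments" isDirectory:YES];
    // Creating the directory with the protection attribute covers files added later
    // by code paths that forget to pass the writing option.
    if (![fm createDirectoryAtURL:attachmentsDir
      withIntermediateDirectories:YES
                       attributes:@{NSFileProtectionKey: NSFileProtectionComplete}
                            error:error]) {
        return NO;
    }
    NSURL *target = [attachmentsDir URLByAppendingPathComponent:fileName];
    return [contents writeToURL:target
                        options:NSDataWritingAtomic | NSDataWritingFileProtectionComplete
                          error:error];
}

// Retrofit protection onto a file that already exists unprotected, such as an
// SQLite database created before protection was added. "Complete unless open"
// keeps an already-open database handle usable across a lock while still
// encrypting the file for anyone who reads it from a locked device.
static BOOL MBXProtectExistingFile(NSString *path, NSError **error) {
    NSDictionary *attrs = @{NSFileProtectionKey: NSFileProtectionCompleteUnlessOpen};
    return [[NSFileManager defaultManager] setAttributes:attrs ofItemAtPath:path error:error];
}

// Audit helper: report the protection class of a file. NSFileProtectionNone is
// exactly the state the article describes for Mailbox's Documents folder.
static NSString *MBXProtectionClass(NSString *path) {
    NSDictionary *attrs = [[NSFileManager defaultManager] attributesOfItemAtPath:path error:nil];
    return attrs[NSFileProtectionKey] ?: NSFileProtectionNone;
}
```

Data Protection only has effect when the user has set a passcode, so an audit with MBXProtectionClass is worth running on a passcode-locked test device rather than the simulator.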

If potential security implications are concerning you, just delete your accounts from Mailbox, which will wipe out the underlying data on the device.

  • MarcPhilippeB

    If someone has access to my iPhone and gets through the security code, I’m screwed up anyway.

    • http://twitter.com/Jack_maredit Jackson Grong

      You can read and copy app data even if you have a pass code using iFunBox, try it out yourself!

    • inc188

      AMEN.

      Remember those videos of people breaking into iPhones through the lock screen loophole?

      ya. I always said, if they got my phone, they deserve to break in….

  • Jeremiah sarpong

    GREAT TO KNOW

  • http://twitter.com/N_2the_ATE Nate

    Uhhhh ohhhhh….

  • http://twitter.com/mrmberman Marc

    Another security fail from Dropbox. Can’t be good for business.

    • http://twitter.com/oo7plasma Brandon

      uhhh, they didn’t develop the app lol.

    • queen_ir3ne

      You’re so intelligent.

    • iDon’tWantToShareMyDetails

      It’s not a security flaw as getting Filesystem access to your phone is impossible without jailbreak. In reality they don’t have a lot of options as they need the content stored on your phone. They can encrypt it, but still browsing through the binary would give out the key.

      The only real solution is for Apple to create an extended keychain in iOS where everything sensitive is saved through a special service and no one has access to this data even jailbroken without getting the keys.

  • http://twitter.com/MikeeeeyJ Michael Jack

    If someone has physical access to your device and enough time and skill to break the Apple encryption, then browse file systems and extract SQL data, them reading your email is going to be the least of your worries.

    “Be it a source code of some app, my bank statements or some confidential information. All these files are there unencrypted and unprotected”

    Email, in transition, is unprotected anyway. I mean who the hell is sending bank statements via email?

    If you email confidential information without first encrypting the text you need to take a look at your security best practices never mind worrying about a vulnerability like this.

    • http://www.facebook.com/pateldarshit Darshit Patel

      No offence, but these days all Banks are sending statements through Email (only if you have opted for), but they are encrypted, hence no need to worry.

  • http://www.facebook.com/profile.php?id=100004797691284 John Smith

    Yea this is a non-issue. If anyone has access to my device, I’m screwed either way.

  • http://twitter.com/jacobkwright Jake

    “So is there antything not to like about Mailbox?”

    Microsoft Exchange support anyone???

  • http://twitter.com/HiTekkSteff Stephaughn Alston

    I’d be interested in learning those lines of code for better security.

  • http://twitter.com/PrsnSingh Prasoon

    You spelled anything wrong.

  • http://www.facebook.com/pateldarshit Darshit Patel

    Are we missing Sparrow App???

  • http://twitter.com/malan_raja Malan Raja

    Over the last few days, Push notifications stopped working for Mailbox, anybody else having this problem?

    • http://www.facebook.com/brandon.lee.790256 Brandon Lee

      Yes! I’ve had to uninstall and download the app again… Twice. Have you found a fix?

  • wowthatisrandom