iOS bug leaves email attachments unencrypted, Apple working on a fix

May 5, 2014


Do you access sensitive document attachments on your iPhone, iPod touch or iPad, stuff like contracts, invoices, bank statements and what not?

If so, your security and privacy could be at risk: iOS stores email attachments in the clear, that is, unencrypted, so anyone who can browse the on-device mail folder of an IMAP account with a file-browsing tool can read the stored attachments.

A researcher who claims to have discovered this security flaw has found that iOS 7.0.4 and later – including the latest iOS 7.1.1 – do not encrypt email attachments…

ZDNet quotes security researcher Andreas Kurtz as claiming that iOS 7, iOS 7.0.4, iOS 7.1 and even the latest iOS 7.1.1 don’t encrypt message attachments, despite this Apple support document stating that iOS provides “an additional layer of protection for your email messages, attachments, and third-party applications.”


Kurtz was able to confirm the issue by restoring a GSM iPhone 4 to iOS 7.1.1 and testing attachment security for an IMAP email account.

I shut down the device and accessed the file system using well-known techniques (DFU mode, custom ramdisk, SSH over usbmux). Finally, I mounted the iOS data partition and navigated to the actual email folder. Within this folder, I found all attachments accessible without any encryption/restriction.

Much to his surprise, he found that Apple’s data protection technology in iOS 7 does not extend to email attachments. He has also verified the existence of the nasty bug on an iPad 2 and an iPhone 5s running iOS 7.0.4.

Apple is allegedly aware of the issue, according to the researcher, and is working on a fix. The company wouldn’t say when the fix might be ready, but it shouldn’t be long because attachment encryption is crucial for businesses that use iOS devices.
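The Apple document quoted above describes Data Protection as something that also covers third-party applications, and that part is opt-in per file. As an added example (not code from the article, from Apple or from Kurtz), here is how an app can store an attachment under the "Complete" protection class and audit its own sandbox for files left in NSFileProtectionNone, the state Kurtz found Mail's attachments in; the file name and contents are constructed, and an app can only inspect its own container, not Mail's.

```objective-c
#import <Foundation/Foundation.h>

// Write an attachment so that it is only readable while the device is
// unlocked (Data Protection class "Complete"). Returns NO on failure.
static BOOL WriteProtectedAttachment(NSData *attachment, NSString *path) {
    NSDictionary *attrs = @{ NSFileProtectionKey : NSFileProtectionComplete };
    // Setting the class at creation time avoids a window where the file
    // sits on flash under the default class before being re-classed.
    return [[NSFileManager defaultManager] createFileAtPath:path
                                                   contents:attachment
                                                 attributes:attrs];
}

// Return the Data Protection class recorded for a file, or nil if the
// attribute cannot be read.
static NSString *ProtectionClassOfFile(NSString *path) {
    NSError *err = nil;
    NSDictionary *attrs = [[NSFileManager defaultManager]
                           attributesOfItemAtPath:path error:&err];
    return err ? nil : attrs[NSFileProtectionKey];
}

// Walk a directory inside the app's own sandbox and collect every regular
// file stored with NSFileProtectionNone, i.e. readable whenever the data
// partition is mounted, regardless of the passcode.
static NSArray<NSString *> *UnprotectedFilesUnder(NSString *dir) {
    NSMutableArray<NSString *> *hits = [NSMutableArray array];
    NSDirectoryEnumerator *e = [[NSFileManager defaultManager] enumeratorAtPath:dir];
    for (NSString *rel in e) {
        NSString *full = [dir stringByAppendingPathComponent:rel];
        if (![e.fileAttributes[NSFileType] isEqual:NSFileTypeRegular]) continue;
        if ([ProtectionClassOfFile(full) isEqual:NSFileProtectionNone]) [hits addObject:full];
    }
    return hits;
}

int main(void) {
    @autoreleasepool {
        // Constructed sample: a fake "invoice" stored in the app's Documents dir.
        NSString *docs = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES).firstObject;
        NSString *path = [docs stringByAppendingPathComponent:@"invoice-sample.pdf"];
        NSData *body = [@"%PDF-1.4 constructed sample" dataUsingEncoding:NSUTF8StringEncoding];
        if (!WriteProtectedAttachment(body, path)) return 1;
        NSLog(@"%@ stored with class %@", path.lastPathComponent, ProtectionClassOfFile(path));
        NSLog(@"files still in NSFileProtectionNone: %@", UnprotectedFilesUnder(docs));
    }
    return 0;
}
```

The audit only reports what the attribute says; it does not prove the keys are unavailable while locked, so pair it with a check that the file is unreadable after the device locks.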

Are you surprised by this finding?

And, do you care about message attachment security?

  • David Gitman

    7.1.2 on the way?

  • Jonathan

    Knowing Ryan Petrich, he’ll probably save the day again for us jailbreaks.

  • Siddharth Desai

    Include some further battery refinements while you’re at it.

    • Jonathan

      And Quick Reply, and theming, and….(20 pages later)…. and offline Siri.

      • David Gitman

Yeah, offline Siri! Why the hell does Siri need access to the internet while making calls? No sense at all.

      • Kuje

        Because your voice has to be recognized by an online database

      • Jonathan

Then what about Voice Control? That’s completely on the device. So, it is capable of doing it on its own.

      • Kuje

        Then why not just use voice control? ;)

      • ✪ aidan harris ✪

Exactly! It’s possible and just needs to be implemented. A while ago a developer (I think it might have been Chpwn but don’t quote me on it) created a tweak to execute Activator actions via Voice Control…

      • Kuje

By any chance do you remember what the tweak is called, or if it’s iOS 7 compatible?

      • ✪ aidan harris ✪

        VoiceActivator and if the change log is correct I don’t think it is compatible with iOS 7…

      • Kuje

Yeah, it is by chpwn but is not iOS 7 compatible.

      • Jonathan

        Because Siri has a million more features. =P

      • Kuje

        Exactly

      • Nathan

It’s because Voice Control has very basic things programmed & doesn’t need any online service to transcribe the words; however, Siri needs to use a transcribing service (Apple’s servers) to convert complex words and information (weather, ‘view text messages’, and sports info). Voice Control literally doesn’t need internet because of the simple commands it was pre-loaded with, like asking what time it is or shuffling your music.

      • Kuje

I was going to reply something like that but couldn’t think of the words haha. It would be cool to have voice control while offline with added features, e.g. opening apps or doing math problems, since those don’t require internet.

      • ✪ aidan harris ✪

It’s these simple things that you’d want to do offline using Siri. I (and most other people) don’t want Apple to somehow put the whole of Wolframalpha and Yahoo in the palm of our hands offline on our iPhone. We just want to be able to use Siri offline in order to control our music, check what the time is, convert some units, set a timer, etc. There’s no reason why this can’t be done; in fact Apple, if I remember rightly, released offline dictation for OS X, which was a 1-2 GB download that could easily translate well to the iPhone. In fact there’s no reason Apple couldn’t add an option in the setup process of iOS (and in the Settings app, to be enabled / disabled at a later date) along the lines of “Offline Siri. This will speed up certain functions of Siri and reduce your mobile data costs”.

      • Nathan

        Siri doesn’t use much data anyways. A command is 50-100KBs. ;P

      • Kuje

Whereas dictation only types words for you, Siri has to figure out what you say AND what you mean. It’s way more complex than Dictation.

      • ✪ aidan harris ✪

Not really. I’m no programmer but all it would involve is using offline dictation to figure out what the user said and then figure out what to do with this information. e.g. “Send a TEXT to THE_SENDER saying MESSAGE_CONTENT”; in this example ‘TEXT’ indicates the user wants to send an SMS, ‘THE_SENDER’ indicates the number or recipient from the Contacts app and ‘MESSAGE_CONTENT’ indicates what the actual message text should be…

      • Kuje

It has a little more to it than that but I won’t go into all the details. But anyways, just one “feature” itself would be easy to do, but when you have many other different features it gets a lot more complex. One of the main reasons why this would be hard is the way Apple gets its voice recognition, not necessarily the complexity of having all the features offline, because they have to store thousands of words with different accents/languages/etc and adding all these to your phone would be a nightmare. So that’s why they have servers for that.

      • ✪ aidan harris ✪

        If Siri can say “Siri not available connect to the Internet” without an Internet connection then He / She / It can probably say other things offline too…

All an offline Siri would require is someone to program it, and Apple has plenty of programmers; it’s just a question of whether they want to do it or not and, if they do, where to put it on their priority list (for all I know this could be a work in progress but not one of Apple’s high priorities)…

      • Kuje

She says that because Siri can read all words on your phone. If you have the text to speech on your iDevice, she can read anything you highlight. BUT that’s completely irrelevant because the thing is, trying to get Siri to figure out what you are saying would require a lot of data, and that’s why Apple has dedicated servers for it.

      • Nathan

Converting units (like money) requires internet to pull the conversion rates. These are all a part of one framework in Siri. Either it needs internet, or it doesn’t. In this case, it does.

      • Jonathan

        You sound like you work for Apple lol. I love your idea!

      • Jonathan

        But, wouldn’t Voice Control have to understand your voice to translate it into text? It would be the same for Siri, just with what you said as well. Translating it into complex requests, like sports and stuff.

      • Kuje

Yes and no. There’s not much you can do with Voice Control, so you don’t need servers for voice recognition, because you can only say so many things on Voice Control and it doesn’t take much storage. But with Siri, you can say anything, so you need a lot more storage for all the different words/accents/languages/conversions/etc that’s updated frequently. That’s why Apple has dedicated servers for it.

      • Jonathan

        Hmmmm… good thought.
But, in the beginning, you could just choose one language (like US English) and then it will only have that voice. It’s true because I iLex Rat restored my iPod, so when I used Siri, she had her cheaper robotic voice. I wanted her better quality iOS 7 one, so I searched for hours on the internet what to do. They all said to go into Accessibility and download the higher quality voice. It was about 270 MB. So not that large. (For whatever reason it didn’t work. What worked was just waiting. I came back an hour later and she had her voice. So I guess I just had to wait for it to download and install.)
What I think will be the big file is knowing how to reply when you say something: Google Search something, reply with a funny comment, show information about a contact, etc.
If translating your voice is 1 GB for Mac, I’d guess it’d be the same for iOS, then maybe another GB in what to reply back.
        But hey, these are just guesses.

      • Kuje

The thing is, dictation for the Mac is a lot different from Siri because it just types the voice for you. 2 GB is a large file for a 16 GB iPhone, so I can see why they don’t have offline dictation for the iPhone. And on top of the 2 GB you have to have the accent data so Siri can know what you mean and what you want her to do. So with everything added, my best estimate is 6 GB of storage for offline Siri. And IF Apple updates their servers frequently, then it would have to update in the background when you’re connected to the internet, which could drain your battery.

      • Jonathan

        Yeah… true. I guess you could have an option then..
        And another option to update Siri data only when plugged in?

      • Kuje

        That would probably be the best choice

      • David Gitman

Well, thanks for the answer.

      • Kuje

Welcome. I would like offline Siri but it would take up a lot of memory.

      • Tom

But they could do something to make it work offline? Store the database offline? Idk, I’m not a programmer nor do I know these things. But surely offline Siri will be good.

      • Kuje

It definitely is possible but it would take up a lot of memory. So you wouldn’t want to have a 16 GB iPhone, but I think it should at least be an option to download it, such as dictation for Mac.

      • Tom

        An option to download would be great.

      • Kuje

And if they update their servers frequently with new info, then you’d have to do updates on the downloaded package every time there was a new update while connected to the internet.

      • Rowan09

        Siri has its own server dedicated to it. I think they should allow you to do simple things like open an app, make a reminder, etc offline.

      • RarestName

        Improved battery life > these features

    • Freddie Webster

      Orrrrr you guys can just install assistantunrestrictor ….

  • Leeve

    I can’t believe that users need to suffer on these kind of problems on every new firmware release..

    • Rowan09

      There will always be bugs, so it’s not a surprise.

      • ✪ aidan harris ✪

        Except there’s bugs and then there’s bugs. This bug should have been found a lot sooner and it’s inexcusable how bugs like this exist. The iOS operating system goes through numerous iterations and is tested internally and given to developers and only now this has been discovered? It seems like in every iOS beta a trivial lockscreen bypass bug is found and that’s fair enough those are found by persistent teenagers that have nothing better to do than prod their iPhone all day all in the name of YouTube fame. They are not professional security researchers that do it for a living. So my question is how are these sort of bugs not found sooner?

        /Rant

      • Kuje

        My best guess is because security researchers search the whole phone, so they can’t check each app 100%. While some normal people search apps individually on their own time

      • Rowan09

        The good thing is we don’t have reports of someone’s email being compromised. If I have a gmail account on my computer it’s hacked all the time, so it’s wise to not leave important information on your email address. Some people and companies overlook things and sometimes being cocky also plays a huge role.

  • NaSty

It’s a good thing I never use email attachments on my iDevices; all that’s left to my laptop :)

  • mav3rick

    “The most advanced mobile OS…”
    “You are not using it right.”
    It is a “feature”…

  • http://darksair.org/ Darksair Sun

    Since when are mail attachments encrypted??