German security expert Andreas Kurtz, with NESO Security Labs, has posted an entry to his personal blog claiming that the latest version of iOS 7.1.1 (and older versions 7, 7.0.4 and 7.1) does not encrypt email attachments. If true, the revelation would run contrary to what Apple has been advocating on its website, that iOS "provides an additional layer of protection for (..) email messages attachments."
Kurtz describes how he hacked an iPhone in his possession, using what he describes as "well known techniques" and was able to gain access to email folders. Once that was accomplished, he found that he could read email attachments as none of them were encrypted. Kurtz says that he notified Apple about his discovery and was told that the company knew about the problem and was working on it but didn't give him a timeframe for when it might be fixed.
To be fair, the flaw is likely only going to be a problem for people who use their phone for sending sensitive attachments—also a would be hacker would have to gain physical access to the phone and would have to have the user's pass-code as well or a jailbreak of some sort. All this means that very few iOS device users are likely to be at risk, e.g. law enforcement, government workers or corporate engineers working on top secret development projects. Such people could conceivably be targeted specifically based on what they do or who knows about it. The odds that an average citizen would be hacked in such a manner would be almost nil.
Kurtz notes that he was able to read email attachments on an iPhone 4 and 5 and an on an iPad 2 running iOS 7.0.4, demonstrating that the flaw is device independent. He suggests that users wishing to send confidential attachments disable mail synchronization (though refraining from using their phone to do so might be a better option.)
Kurtz actually found the security flaw several weeks ago, and it was only after checking to see if it had been fixed and discovering that it had not been that he blogged about what he'd found, expressing disappointment at the slowness of a fix coming from Apple.
Explore further: Video shows Find My iPhone kill effort without password
More information: Andreas Kurtz blog: www.andreas-kurtz.de/2014/04/w… -fix-in-ios-711.html