Security expert claims iOS 7 doesn't encrypt email attachments

May 6, 2014 by Bob Yirka report

German security expert Andreas Kurtz, with NESO Security Labs, has posted an entry to his personal blog claiming that the latest version of iOS 7.1.1 (and older versions 7, 7.0.4 and 7.1) does not encrypt email attachments. If true, the revelation would run contrary to what Apple has been advocating on its website, that iOS "provides an additional layer of protection for (..) email messages attachments."

Kurtz describes how he hacked an iPhone in his possession, using what he describes as "well known techniques" and was able to gain access to email folders. Once that was accomplished, he found that he could read as none of them were encrypted. Kurtz says that he notified Apple about his discovery and was told that the company knew about the problem and was working on it but didn't give him a timeframe for when it might be fixed.

To be fair, the flaw is likely only going to be a problem for people who use their phone for sending sensitive attachments—also a would be hacker would have to gain physical access to the phone and would have to have the user's pass-code as well or a jailbreak of some sort. All this means that very few iOS device users are likely to be at risk, e.g. , or corporate engineers working on top secret development projects. Such people could conceivably be targeted specifically based on what they do or who knows about it. The odds that an average citizen would be hacked in such a manner would be almost nil.

Kurtz notes that he was able to read email attachments on an iPhone 4 and 5 and an on an iPad 2 running iOS 7.0.4, demonstrating that the flaw is device independent. He suggests that users wishing to send confidential attachments disable mail synchronization (though refraining from using their phone to do so might be a better option.)

Kurtz actually found the several weeks ago, and it was only after checking to see if it had been fixed and discovering that it had not been that he blogged about what he'd found, expressing disappointment at the slowness of a fix coming from Apple.

Explore further: The Apple iOS 7 'security flaw' is only a problem if you make it so

More information: Andreas Kurtz blog: www.andreas-kurtz.de/2014/04/what-apple-missed-to-fix-in-ios-711.html

Related Stories

Apple denies 'backdoor' NSA access

January 1, 2014

Apple said Tuesday it had no "backdoor" in its products after a security researcher and a leaked document suggested the US National Security Agency had unfettered access to the iPhone.

Video shows Find My iPhone kill effort without password

April 4, 2014

Could a thief bypass protections from the Find My iPhone system? YouTube user Miguel Alvarado this week posted a video "Delete iCloud Account from iPhone without Password iOS 7.1" showing what he did with an iPhone, indicating ...

Recommended for you

Interactive tool lifts veil on the cost of nuclear energy

August 24, 2015

Despite the ever-changing landscape of energy economics, subject to the influence of new technologies and geopolitics, a new tool promises to root discussions about the cost of nuclear energy in hard evidence rather than ...

Smart home heating and cooling

August 28, 2015

Smart temperature-control devices—such as thermostats that learn and adjust to pre-programmed temperatures—are poised to increase comfort and save energy in homes.

2 comments

Adjust slider to filter visible comments by rank

Display comments: newest first

dramamoose
5 / 5 (2) May 06, 2014
Why would anyone receiving top-secret or highly sensitive documents be running ios? Or even stock Android?
axemaster
5 / 5 (1) May 06, 2014
Why would anyone receiving top-secret or highly sensitive documents be running ios? Or even stock Android?

The answer is yes.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.