Security expert claims iOS 7 doesn't encrypt email attachments

May 06, 2014 by Bob Yirka report

German security expert Andreas Kurtz, with NESO Security Labs, has posted an entry to his personal blog claiming that the latest version of iOS 7.1.1 (and older versions 7, 7.0.4 and 7.1) does not encrypt email attachments. If true, the revelation would run contrary to what Apple has been advocating on its website, that iOS "provides an additional layer of protection for (..) email messages attachments."

Kurtz describes how he hacked an iPhone in his possession, using what he describes as "well known techniques" and was able to gain access to email folders. Once that was accomplished, he found that he could read as none of them were encrypted. Kurtz says that he notified Apple about his discovery and was told that the company knew about the problem and was working on it but didn't give him a timeframe for when it might be fixed.

To be fair, the flaw is likely only going to be a problem for people who use their phone for sending sensitive attachments—also a would be hacker would have to gain physical access to the phone and would have to have the user's pass-code as well or a jailbreak of some sort. All this means that very few iOS device users are likely to be at risk, e.g. , or corporate engineers working on top secret development projects. Such people could conceivably be targeted specifically based on what they do or who knows about it. The odds that an average citizen would be hacked in such a manner would be almost nil.

Kurtz notes that he was able to read email attachments on an iPhone 4 and 5 and an on an iPad 2 running iOS 7.0.4, demonstrating that the flaw is device independent. He suggests that users wishing to send confidential attachments disable mail synchronization (though refraining from using their phone to do so might be a better option.)

Kurtz actually found the several weeks ago, and it was only after checking to see if it had been fixed and discovering that it had not been that he blogged about what he'd found, expressing disappointment at the slowness of a fix coming from Apple.

Explore further: The Apple iOS 7 'security flaw' is only a problem if you make it so

More information: Andreas Kurtz blog: www.andreas-kurtz.de/2014/04/w… -fix-in-ios-711.html

add to favorites email to friend print save as pdf

Related Stories

Video shows Find My iPhone kill effort without password

Apr 04, 2014

Could a thief bypass protections from the Find My iPhone system? YouTube user Miguel Alvarado this week posted a video "Delete iCloud Account from iPhone without Password iOS 7.1" showing what he did with ...

Apple denies 'backdoor' NSA access

Jan 01, 2014

Apple said Tuesday it had no "backdoor" in its products after a security researcher and a leaked document suggested the US National Security Agency had unfettered access to the iPhone.

Recommended for you

Share button may share your browsing history, too

Jul 22, 2014

One in 18 of the world's top 100,000 websites track users without their consent using a previously undetected cookie-like tracking mechanism embedded in 'share' buttons. A new study by researchers at KU Leuven ...

Tokyo police make arrest in massive data leak case

Jul 17, 2014

Tokyo police said Thursday they had arrested an engineer for allegedly stealing massive amounts of personal data from an educational services firm, a leak that may ultimately affect more than 20 million people.

User comments : 2

Adjust slider to filter visible comments by rank

Display comments: newest first

dramamoose
5 / 5 (2) May 06, 2014
Why would anyone receiving top-secret or highly sensitive documents be running ios? Or even stock Android?
axemaster
5 / 5 (1) May 06, 2014
Why would anyone receiving top-secret or highly sensitive documents be running ios? Or even stock Android?

The answer is yes.