Latest in Bug

Image credit:

iOS 7 isn't encrypting email attachments


According to Apple's own support documentation, iOS provides data protection on all devices that offer hardware encryption -- specifically the iPhone 3GS and later, all iPads, and the third-generation iPod touch and later. By adding a passcode to your device, data protection "enhances the built-in hardware encryption by protecting the hardware encryption keys with your passcode" and "provides an additional layer of protection for your email messages, attachments, and third-party applications." According to security researcher Andreas Kurtz, however, iOS version 7.0.4 and later -- including 7.1.1 -- has a bug that results in attachments not being encrypted.

Kurtz, who has reported other security mishaps to Apple in the past, said that:

"I verified this issue by restoring an iPhone 4 (GSM) device to the most recent iOS versions (7.1 and 7.1.1) and setting up an IMAP email account1, which provided me with some test emails and attachments. Afterwards, I shut down the device and accessed the file system using well-known techniques (DFU mode, custom ramdisk, SSH over usbmux). Finally, I mounted the iOS data partition and navigated to the actual email folder. Within this folder, I found all attachments accessible without any encryption/restriction"

Kurtz, in a note on his blog posting, said that "[Apple] responded that they were aware of this issue, but did not state any date when a fix is to be expected."

In the meantime, if you need reassurance that an attachment is being sent with full encryption, do not send it via email on your iOS device. Instead, consider using a file sharing service such as Dropbox or even Apple's own iCloud to send the encrypted file to the cloud for later downloading by your recipient.

From around the web

ear iconeye icontext filevr