iPhone and iPad owners, take notice: You may not want to send ultra-sensitive attachments through the default iOS mail app.
Security researcher Andreas Kurtz wrote a blog post in late April saying he’d discovered that Apple’s data protection mechanisms don’t encrypt email attachments in the iOS mobile mail app. This issue applies to iOS 7.1.1 (the current version), 7.1, and 7.0.4.
Kurtz reported the bug to Apple, which now says it is working to fix the vulnerability.
“We’re aware of the issue and are working on a fix, which we will deliver in a future software update,” an Apple representative told iMore.
Kurtz verified the bug on an iPhone 4. He also said he reproduced the issue on an iPhone 5S and an iPad running iOS 7.0.4, without mentioning whether he tried to reproduce it in newer versions of the OS.
“I verified this issue by restoring an iPhone 4 (GSM) device to the most recent iOS versions (7.1 and 7.1.1) and setting up an IMAP email account, which provided me with some test emails and attachments. Afterwards, I shut down the device and accessed the file system using well-known techniques (DFU mode, custom ramdisk, SSH over usbmux). Finally, I mounted the iOS data partition and navigated to the actual email folder. Within this folder, I found all attachments accessible without any encryption/restriction.”
The vulnerability contradicts Apple’s promise that its data protection “provides an additional layer of protection for your email messages attachments,” wrote Kurtz.
In the meantime, if you’re concerned about an attacker gaining access to your device, you might consider using a third-party mail app to send attachments.