A security researcher has discovered that in some of the most recent versions of iOS 7, the default mail application does not adequately encrypt and protect emails. Andreas Kutz made his discovery public on his blog, writing that the Mail app is vulnerable in iOS 7.04, 7.1, and 7.1.1.
According to the blog post, Kutz restored an iPhone 4 to the previously mentioned versions of iOS 7. After doing so, he sent himself test emails and attachments. Then, when he turned off the device and accessed the files within it, he found that none of the emails or attachments were secured in any way, meaning that someone with access to an iPhone could view the files with ease.
Upon discovering the flaw (which could leave thousands, if not millions, of people at risk), Kutz notified Apple. Kutz was then informed that Apple knew of the issue, but the company did not provide any information regarding when an update addressing the problem would be released.
Considering the long time iOS 7 is available by now and the sensitivity of email attachments many enterprises share on their devices (fundamentally relying on data protection), I expected a near-term patch. Unfortunately, even today’s iOS 7.1.1 did not remedy the issue, leaving users at risk of data theft. – Kutz
Apple's data protection for emails is supposed to provide a very secure layer of protection, but as Kutz has found, it doesn’t actually do that in the most recent iterations of iOS 7.
Other researchers have clarified some points since Kutz’s blog post went up, stating that the vulnerability is an issue but that the potential for abuse is low. An attacker would need physical access to an iPhone and they would also need to know the user’s passcode before any access to the files could be provided. That being said, Apple should be trying to release a fix as soon as possible, because emails are the last type of file that should be left unprotected.
Summary: The latest versions of iOS 7 include a vulnerability in the default Mail app. An attacker can view emails and attachments with ease, since they are not being encrypted by Apple’s software, which is not how the system is meant to work.