iOS 7 Doesn’t Encrypt Email Attachments

According to German security researcher Andreas Kurtz, email attachments covering a range of various distribution methods in iOS 7 have been cracked, and apparently contain no proper encryption method while the device is supposed to be locked from the outside.

This bug affects all current versions of the mobile OS, including 7.0.4, 7.1, and 7.1.1. From what’s been found so far anyone still on the iOS 6 architecture will remain safe, however they were quick to note that the same attack path could be exploited on the lower tier if hackers chose to take that route instead.

“A few weeks ago, I noticed that email attachments within the iOS 7 MobileMail.app are not protected by Apple’s data protection mechanisms,” Kurtz said in a blog. Considering the long time iOS 7 is available by now (sic) and the sensitivity of email attachments many enterprises share on their devices – fundamentally relying on data protection – I expected a near-term patch.”

The bug works across POP, IMAP, and ActiveSync accounts, and clearly visible in open text on all devices tested including the iPhone 4, 5, 5s, and iPad 2. It took advantage of jailbroken devices (which had been configured to operate in such a fashion by Kurtz, regardless of what you’ve done to the device beforehand), and could be probed on an entirely remote basis without any physical access to the phone or tablet required.

Despite iOS 7’s originally shaky (read: buggy) start, the new design eventually proved a hit with customers, and so far Apple has seen a whopping 87 percent adoption rate, dwarfing all others that came before it in downloads by a factor of a few and then some. It’s this larger number of active participants that make the platform more attractive to malware manufacturers, who by volume alone still assault Android in a nearly 10:1 ratio than they do iOS.

This isn’t for lack of trying of course, but it’s the sheer variety of hardware layouts available for Android that makes it so enticing to criminal empires who depend on unloading spyware to maintain their ever expanding business model based on boatloads of bandwidth baddies.

“I reported these findings to Apple. They responded that they were aware of this issue, but did not state any date when a fix is to be expected. Considering the long time iOS 7 is available by now and the sensitivity of email attachments many enterprises share on their devices (fundamentally relying on data protection), I expected a near-term patch. Unfortunately, even today’s iOS 7.1.1 did not remedy the issue, leaving users at risk of data theft.”

Until Apple issues a patch for the problem, your best bet and Kurtz’s main recommendation to avoid the bug from plaguing your device is to disable the automatic mail synchronization service in your Settings application. This will prevent your Email app from going to providers and pulling down whatever messages are sent (save for what gets sorted into spam by default) without your explicit consent beforehand.

Apple has been pressed for comment on the discovery, but still has yet to come forward and publicly confirm Kurtz’s findings.