Last week, it became clear that iOS 7 has a bug that leaves mail attachments unencrypted. Today, Apple Inc. (NASDAQ:AAPL) says that it’s working on it.
An Apple spokesperson told iMore today that Apple “is aware of the issue and are working on a fix which will be delivered in a future software update.”
Apple iOS 7: Data protection fails on older phones
The bug was discovered and first reported by Andreas Kurtz, who found that he was able to access email attachments in iOS 7 without entering a passcode. Now, clearly the easiest way to fix this is to make sure that your iPhone is password protected, but that’s not enough for Apple Inc. (NASDAQ:AAPL), which has promised to remedy the situation with a coming upgrade to iOS 7.whatever-is-next.
Clearly Apple Inc. (NASDAQ:AAPL) is not pleased with this, as these attachments are meant to be protected by its Data Protection technologies. Data Protection, according to Apple, offers users “an additional layer of protection for your email messages attachments, and third-party applications.”
Kurtz discovered the problem when he was employing an iOS jailbreak tool that he didn’t specify.
How did he do it?
The problem poses very limited risk because exploiting it requires physical access to your phone and jailbreak utilities. Rich Mogull and Adam Engst explained the process at Tidbits.com recently:
An attacker either needs your passcode (in which case they have everything anyway), or he needs a jailbreak that works without a passcode, allowing him access to the file system. That’s how Kurtz was able to attack an iPhone 4. It’s unclear how he was able to reproduce on an iPhone 5s and iPad 2 running iOS 7.0.4, since more recent devices running iOS 7 aren’t susceptible to a jailbreak without the passcode. It’s possible that Kurtz had already jailbroken his iPhone 5s and iPad 2, so they weren’t as protected as a normal device would be. The bug means that email attachments still aren’t encrypted on those devices, but there isn’t a way to get to them.
Kurtz explained how he was able to discover the problem as well:
I verified this issue by restoring an iPhone 4 (GSM) device to the most recent iOS versions (7.1 and 7.1.1) and setting up an IMAP email account, which provided me with some test emails and attachments. Afterwards, I shut down the device and accessed the file system using well-known techniques (DFU mode, custom ramdisk, SSH over usbmux). Finally, I mounted the iOS data partition and navigated to the actual email folder. Within this folder, I found all attachments accessible without any encryption/restriction.
At the end of the day, it’s not much of a threat, more an embarrassment to Apple Inc. (NASDAQ:AAPL) as it competes with Android for dominance.