The Hacker News Logo
Subscribe to Newsletter

Apple iOS 7 Updates Silently Remove Encryption for Email Attachments

Apple iOS 7 Updates Silently Remove Encryption for Email Attachments
There is no question that Mobile devices have become a staple in everyday living around the world. But have you ever asked yourself, How Secure are the Android, iPhone or any other Smart devices? It is really important for us to think about the Security and Privacy of our Data stored in Smartphones.

In June 2010, Apple introduced 'Data protection' feature in iOS 4.0 devices that offer hardware encryption for all the data stored on the devices. "Data protection enhances the built-in hardware encryption by protecting the hardware encryption keys with your passcode. This provides an additional layer of protection for your email messages attachments, and third-party applications." Apple claimed in an old announcement.

But unexpectedly, In last few updates Apple has silently removed the email attachment encryption from data protection mechanisms. Noticed by Security Researcher - Andreas Kurtz, claims that since at least version 7.0.4 and including the current version 7.1.1, does not encrypt email attachments anymore.
"I verified this issue by restoring an iPhone 4 (GSM) device to the most recent iOS versions (7.1 and 7.1.1) and setting up an IMAP email account1, which provided me with some test emails and attachments. Afterwards, I shut down the device and accessed the file system using well-known techniques (DFU mode, custom ramdisk, SSH over usbmux). Finally, I mounted the iOS data partition and navigated to the actual email folder. Within this folder, I found all attachments accessible without any encryption/restriction" he explained in a blog post.
That means, email attachments are not encrypted on the iOS devices by a unique 256-bit crypto engine, and if someone else gets access to your device, he will be able to get access to your private content.
Apple iOS 7 Updates Silently Remove Encryption for Email Attachments
He also tested the encryption mechanism with iOS forensics tool called 'iPhone Data Protection' for POP or ActiveSync email accounts, and verified that iOS latest versions are not able to encrypt email attachments.

At this point, even we can't answer that why Apple removed the encryption for Email attachments, but this disclosure is definitely right now hitting my mind with more controversial questions about relationship with Apple and NSA.

Andreas Kurtz has already reported the issue to Apple Security team and they replied that Apple were aware of it. But I guess Apple has no plan to patch the issue in upcoming iOS updates, as they have not indicated anything related in email conversion with Kurtz.

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.
SHARE
Comments
Latest Stories
Best Deals

Newsletter — Subscribe for Free

Join over 500,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.