Apple prepping fix for iOS 7 mail attachment bug

Apple prepping fix for iOS 7 mail attachment bug

Summary: Apple acknowledged a bug in iOS that leaves email attachments vulnerable and has committed to fixing it. Luckily the bug is difficult to exploit and doesn't affect iPhone 4s and later devices running iOS 7.1.

TOPICS: Apple, iOS, iPhone, iPad, Security

Last week ZDNet's Larry Seltzer wrote about a bug in iOS 7 that left mail attachments unencrypted and thus vulnerable to potential hacks and other nefarious deeds. Today Apple acknowledged the bug and committed to fixing it. 

Apple devices, including iPhone 3GS and later, include hardware encryption. Adding a passcode protects the hardware encryption keys on the device and adds "an additional layer of protection for your email messages attachments, and third-party applications."

The bug, reported by Andreas Kurtz, means that iOS email attachments are stored unencrypted in certain instances:

I verified this issue by restoring an iPhone 4 (GSM) device to the most recent iOS versions (7.1 and 7.1.1) and setting up an IMAP email account1, which provided me with some test emails and attachments. Afterwards, I shut down the device and accessed the file system using well-known techniques (DFU mode, custom ramdisk, SSH over usbmux). Finally, I mounted the iOS data partition and navigated to the actual email folder. Within this folder, I found all attachments accessible without any encryption/restriction

In a statement, an Apple spokeswoman told iMore "We're aware of the issue and are working on a fix which we will deliver in a future software update."

When the update will be released is another question altogether. While the bug sounds scary on paper, in reality it's probably not on the top of Apple's to-do list. 

As Rene Ritchie deftly noted the flaw is difficult to exploit and would require an attacker to "a) steal your device and, b) brute force or jailbreak-bypass the passcode or password." Ritchie also notes that iPhone 4s and later devices running iOS 7.1+ aren't at risk.

Manage the influx of Apple devices into your workplace with the expert advice in this Tech Pro Research download.

Topics: Apple, iOS, iPhone, iPad, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • This can't be true

    All the iHoles I know say that iOS has no there!
  • iMail attachment? What about photos?

    This issue sounds very sophisticated. But what about the old issue that photos attached to outgoing emails sent from Apple devices appear EMBEDDED in the email and NOT as attachments on the receiving end, especially if the addressee has MS Outlook?

    Apple - could you please also fix this?