Last week ZDNet's Larry Seltzer wrote about a bug in iOS 7 that left mail attachments unencrypted and thus vulnerable to potential hacks and other nefarious deeds. Today Apple acknowledged the bug and committed to fixing it.
Apple devices, including iPhone 3GS and later, include hardware encryption. Adding a passcode protects the hardware encryption keys on the device and adds "an additional layer of protection for your email messages attachments, and third-party applications."
The bug, reported by Andreas Kurtz, means that iOS email attachments are stored unencrypted in certain instances:
I verified this issue by restoring an iPhone 4 (GSM) device to the most recent iOS versions (7.1 and 7.1.1) and setting up an IMAP email account1, which provided me with some test emails and attachments. Afterwards, I shut down the device and accessed the file system using well-known techniques (DFU mode, custom ramdisk, SSH over usbmux). Finally, I mounted the iOS data partition and navigated to the actual email folder. Within this folder, I found all attachments accessible without any encryption/restriction
In a statement, an Apple spokeswoman told iMore "We're aware of the issue and are working on a fix which we will deliver in a future software update."
When the update will be released is another question altogether. While the bug sounds scary on paper, in reality it's probably not on the top of Apple's to-do list.
As Rene Ritchie deftly noted the flaw is difficult to exploit and would require an attacker to "a) steal your device and, b) brute force or jailbreak-bypass the passcode or password." Ritchie also notes that iPhone 4s and later devices running iOS 7.1+ aren't at risk.