Apple prepping fix for iOS 7 mail attachment bug

Summary:Apple acknowledged a bug in iOS that leaves email attachments vulnerable and has committed to fixing it. Luckily the bug is difficult to exploit and doesn't affect iPhone 4s and later devices running iOS 7.1.

ios-711-passcode-ogrady

Last week ZDNet's Larry Seltzer wrote about  a bug in iOS 7 that left mail attachments unencrypted and thus vulnerable to potential hacks and other nefarious deeds. Today Apple acknowledged the bug and committed to fixing it. 

Apple devices, including iPhone 3GS and later, include hardware encryption. Adding a passcode protects the hardware encryption keys on the device and adds "an additional layer of protection for your email messages attachments, and third-party applications."

The bug, reported by Andreas Kurtz, means that iOS email attachments are stored unencrypted in certain instances:

I verified this issue by restoring an iPhone 4 (GSM) device to the most recent iOS versions (7.1 and 7.1.1) and setting up an IMAP email account1, which provided me with some test emails and attachments. Afterwards, I shut down the device and accessed the file system using well-known techniques (DFU mode, custom ramdisk, SSH over usbmux). Finally, I mounted the iOS data partition and navigated to the actual email folder. Within this folder, I found all attachments accessible without any encryption/restriction

In a statement, an Apple spokeswoman told iMore "We're aware of the issue and are working on a fix which we will deliver in a future software update."

When the update will be released is another question altogether. While the bug sounds scary on paper, in reality it's probably not on the top of Apple's to-do list. 

As Rene Ritchie deftly noted the flaw is difficult to exploit and would require an attacker to "a) steal your device and, b) brute force or jailbreak-bypass the passcode or password." Ritchie also notes that iPhone 4s and later devices running iOS 7.1+ aren't at risk.

Manage the influx of Apple devices into your workplace with the expert advice in this Tech Pro Research download.

Topics: Apple, iOS, iPad, iPhone, Security

About

Jason D. O'Grady developed an affinity for Apple computers after using the original Lisa, and this affinity turned into a bona-fide obsession when he got the original 128 KB Macintosh in 1984. He started writing one of the first Web sites about Apple (O'Grady's PowerPage) in 1995 and is considered to be one of the fathers of blogging.... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.