iOS 7 doesn't encrypt email attachments

A researcher has reported to Apple that email attachments stored on an iOS device are not encrypted at rest, contrary to Apple's claims.

In explaining the considerable measures Apple put in iOS to protect data, one claim the company makes is that encryption on the device protects "...your email messages attachments, and third-party applications." It seems that a bug in recent versions of iOS means that iOS doesn't completely live up to these claims.

Research by Andreas Kurtz, who has reported security issues to Apple in the past, shows that iOS, since at least version 7.0.4 and including the current version 7.1.1, does not encrypt attachments at rest.

Kurtz tested for the bug by creating an IMAP email account and putting some messages with attachments in its folders. He then shut the device down and accessed the file system using well-known tools. He was able to view the files in clear text.

In a blog post dated April 23, Kurtz reported that he had reported the problem to Apple and that they said they were aware of it, but had no schedule for fixing the bug. We contacted Apple about the same issue and they have not responded to our inquiry.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.
See All
See All