iOS 7 doesn't encrypt email attachments

iOS 7 doesn't encrypt email attachments

Summary: A researcher has reported to Apple that email attachments stored on an iOS device are not encrypted at rest, contrary to Apple's claims.

TOPICS: Security, Apple, iOS

In explaining the considerable measures Apple put in iOS to protect data, one claim the company makes is that encryption on the device protects "...your email messages attachments, and third-party applications." It seems that a bug in recent versions of iOS means that iOS doesn't completely live up to these claims.

Research by Andreas Kurtz, who has reported security issues to Apple in the past, shows that iOS, since at least version 7.0.4 and including the current version 7.1.1, does not encrypt attachments at rest.

Kurtz tested for the bug by creating an IMAP email account and putting some messages with attachments in its folders. He then shut the device down and accessed the file system using well-known tools. He was able to view the files in clear text.

In a blog post dated April 23, Kurtz reported that he had reported the problem to Apple and that they said they were aware of it, but had no schedule for fixing the bug. We contacted Apple about the same issue and they have not responded to our inquiry.

Topics: Security, Apple, iOS

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • It Can Not Be!

    Apple would never lie to the flock!

    I demand an apology!

    PS: know why T Cook wears rubber boots?
    • Mujibahr

      I don't know, why does Tim Cook wear rubber boots?
  • Jailbroken?

    Doesn't the device have to be jailbroken, first?
    • jailbroken in order to do what?

      Larry Seltzer
      • whoops

        Doesn't it have to be jailbroken in order to read the filesystem? I think the only way you can grab email attachments or other files is to jailbreak the device - so this only applies to jailbroken devices.
        • If you already have it in your hands...

          ... then it is trivial to jailbreak or otherwise access the filesystem. Nothing is keeping you out unless full disk encryption + password is enabled.
  • encryption

    I don't know of ANY email system that encrypts email before it is sent. ANd it wouldn't be very useful if it remained encrypted after being received. This is about as BOGUS a complaint as I have ever heard.
    • Downloaded attachments

      What they are referring to is not attachments that you are uploading, but attachments that you have received.
    • BlackBerry

      BlackBerry has end-to-end data encryption through a single outbound port for all communications. This even includes browsing the corporate Intranet remotely via the BB web browser, without having to VPN in, it's all encrypted.
  • do other phones

    do that
  • Attachment encrypting

    The only place I need email or attachments to be encrypted is while they're in transit.

    Encrypting data on my device just makes data display/recovery slower and more difficult.

    The entire device is encrypted while locked anyway.
  • You Want iPhone Security?

    Secure Work Space for iOS, by BlackBerry, meets Federal Information Process Standard (FIPS) 140-2, issued by NIST. FIPS validation assures that the BBB encryption technology has passed rigorous testing in order to be used to encrypt and secure sensitive information.

    BlackBerry just earned to Govie awards from Security Products magazine, one for Secure Work Space for iOS and Android, and one for Data Security and Access Control for BES 10.

    Don't fret, Apple users. Car Play runs on BlackBerry QNX already.