Apple's bundled Mail app in the latest versions of iOS 7 fails to encrypt email attachments, leaving them vulnerable to attackers, a security researcher has warned.
Security researcher Andreas Kurtz wrote in a blog post that he discovered a few weeks ago that attachments stored in the Mobile.Mail app in iOS 7.0.4, 7.1, and 7.1.1 were not adequately secured by Apple's data protection mechanisms.
Using an iPhone 4 running the most recent versions of iOS 7, Kurtz wrote that he was able to locate test email attachments without any encryption. He wrote that he was able to reproduce the same results on an iPhone 5s and an iPad 2 running iOS 7.0.4. Kurtz wrote that he was able to access the device's file system using "well-known techniques," including the device firmware upgrade mode, which allows devices to be restored from any state by plugging them into a computer.
Kurtz wrote that the issue contradicts an Apple promise that its data protection "provides an additional layer of protection for your email messages attachments, and third-party applications."
When he contacted Apple about the issue, Kurtz wrote that he was told that it was a known problem but he wasn't told when a fix was expected to be issued.
"Considering the long time iOS 7 is available by now and the sensitivity of email attachments many enterprises share on their devices (fundamentally relying on data protection), I expected a near-term patch," Kurtz wrote. "Unfortunately, even today's iOS 7.1.1 did not remedy the issue, leaving users at risk of data theft."
An Apple spokesperson said the company was aware of the issue and was working on a fix that would be delivered in a future software release.
However, security researchers suggested Monday that the scope of the vulnerability is limited. Adam Engst and Richard Mogull noted that an attacker would need to have physical possession of the device to take advantage of the vulnerability. An attacker also would need to have the user's passcode or a jailbreak that works without a passcode.
"It's unclear how he was able to reproduce [the results] on an iPhone 5s and iPad 2 running iOS 7.0.4, since more recent devices running iOS 7 aren't susceptible to a jailbreak without the passcode," the pair wrote, suggesting that Kurtz had already jailbroken the iPhone 5s and iPad 2, leading to reduced protections.