Apple not encrypting email attachments in iOS 7, study says

Apple not encrypting email attachments in iOS 7, study says
A study has found that Apple is not encrypting email attachments sent through the Mail app in iOS 7. (Apple)

Apple's Mail app in iOS 7 is failing to encrypt email attachments, leaving user data vulnerable to hackers, a recent study found.

Andreas Kurtz, a security researcher, posted his findings online, saying Apple's email app in the latest version of its iPhone and iPad software is not securing files that are attached to emails. This makes the files readily available to anyone with the proper software.


The researcher said he confirmed this by trying out a method on email stored in an iPhone 4 running the latest version of iOS 7. He said he was able to find the device's email attachments unprotected, and he said he later confirmed the process on an iPhone 5s and an iPad 2.

"I found all attachments accessible without any encryption/restriction," Kurtz wrote.

This calls into question Apple's reputation for having secure software. It also seems to contradict an Apple Web page that explains the security of its iOS software.

"Data protection enhances the built-in hardware encryption by protecting the hardware encryption keys with your passcode," the page says. "This provides an additional layer of protection for your email messages attachments, and third-party applications."

Kurtz said he notified Apple of the issue.

[Updated 4:54 p.m. PDT May 5: Apple confirmed the bug and said it is working on a fix that will be included in a future update. The company did not say when it will be released.

However, it appears that to exploit this vulnerability, a hacker must first have access to a user's device, and the device must either not have a passcode or the hacker must be able to crack the passcode.]

Considering how long iOS 7 has been available and how sensitive the files that consumers send through email can be, Kurtz said he expects Apple to release an update that fixes the problem some time soon.

But until then, Apple device owners may want to protect themselves by making sure they have enabled a passcode on their devices. This can be done by going into the Settings app, followed by "Passcode" and then tapping "Turn Passcode On."

Users who want to be safer should avoid using the Mail app in iOS 7 to send emails containing sensitive file attachments until Apple issues a fix. In the mean time, users can turn to apps made by their email providers, such as Gmail or Yahoo. Users can also turn to third-party email apps, such as Mailbox or myMail.

The reported issue with Apple iOS 7 Mail comes shortly after an email problem experienced by AOL.

In that instance, the company was hacked, with the cyber thiefs taking all kinds of data, including email addresses and address books. This allowed hackers to send "spoof" spam email, which is designed to look like it is an email coming from someone the recipient knows even when it is coming directly from a spammer.

To resolve the problem, AOL had to change one of its email policies.