Apple aware of email attachment encryption issue in iOS 7.1.1Recent releases of Apple's iOS platform, including the latest iOS 7.1.1 update, include a bug that prevents email attachments saved on the device from being properly protected with encryption, and a fix is presumably on the way.
Security researcher Andreas Kurtz revealed last month that he has reported the flaw to Apple, and the company responded by saying they were aware of the issue. To date, the problem has not yet been fixed, and Apple has not offered a timetable for when it might be addressed.
Apple's statement on the issue simply said, "We're aware of the issue and are working on a fix which we will deliver in a future software update."
Using an iPhone 4, Kurtz was able to verify that the attachments could be read without any encryption or restriction after accessing the device's file system in both iOS 7.1 and iOS 7.1.1. The same vulnerability was then discovered on an iPhone 5s as well as an iPad 2 running iOS 7.0.4. The flaw was highlighted last week by ZDNet.
Apple advertises data protection on its iOS platform for devices that offer hardware encryption, which includes the iPhone 3GS and later, as well as all iPad models. Data encryption can be enabled by turning on a passcode lock on an iOS device.
Exploiting flaw requires physical access or iPhone 4-only jailbreak
Of course, this security flaw requires that a malicious hacker have physical access to the iPhone in order to read the root file system. Accessing the unencrypted attachments requires the device to be placed in "DFU" mode and accessed via SSH. That step requires that a malicious user would either need the device passcode or perform a hardware jailbreak of the device to take exploit the bug.
Apple's latest iOS 7.1.1 release is currently only possible to jailbreak on iPhone 4
Apple's latest iOS 7.1.1 release is currently only possible to jailbreak on iPhone 4, according to International Business Times, which notes that "owners of newer iOS devices running iOS 7.1 and above continue to be without luck as no jailbreak has been developed for the latest version of iOS on devices such as the iPhone 5S and iPad Air."
Earlier this month, a separate SSL security flaw was discovered in both iOS and OS X. Apple worked to quickly patch the issue in subsequent updates to both platforms.
On Topic: Security
- Apple's differential privacy in iOS 10 is opt-in, limited to four use cases
- Inside iOS 10: Apple doubles down on security with cutting edge differential privacy
- No warrant needed to obtain location data held by cellphone carriers, US court rules
- Courts predicted to side with law enforcement on fingerprint warrants for Apple's Touch ID
- US regulators probe Apple, Google, Verizon & others on security patches