Flaw in iPhone email encryption causes stir

Germany’s NESO Security Labs spots potential email security flaw

don't send sensitive data as attachments -boyd

The news sites are alight with the news that a researcher working for the NESO Security Labs in Germany, Andreas Kurtz, has spotted a potential vulnerability in the security of email attachments for those using the latest Apple iOS software. He apparently managed to prove the bug worked even with an iPhone 5  running iOS 7.0.4.  Apple has acknowledged the bug’s existence but it’s still not clear what will happen next.

Kurtz appears to have first mentioned the vulnerability on his blog here last week.

He wrote, “I noticed that email attachments within the iOS 7 MobileMail.app are not protected by Apple’s data protection mechanisms.”

He added, “Clearly, this is contrary to Apple’s claims that data protection “provides an additional layer of protection for (..) email messages attachments.”

However, in its own story here about the problem, the UK’s Daily Mail quoted unnamed experts as pointing out that it is difficult to exploit the flaw because the attacker would need access to the device and need to know the passcode.

So it isn’t really too much of hack given the intimate knowledge you’d need to possess.

GoMo News has been speaking to Malwarebytes’ malware intelligence analyst, Chris Boyd, about the subject and he’s going to give given us his insight below.

Chris used to work for ThreatTrack see our previous story here.

Chris says, “The latest iOS 7 bug that leaves encrypted email attachments unencrypted could affect an untold number of iPhone users.”

He continued, “Although this particular bug is difficult to exploit and doesn’t affect certain devices, the potential scale of the vulnerabilities should not be downplayed.” Okay, Chris.

“Security should be a priority for handset manufacturers as smartphones grow in popularity.

“Email usage only continues to grow in importance which makes this type of flaw a real concern. iOS 7 mail users are advised not to send sensitive data as attachments until the bug has been confirmed as fixed.”

About Hans Cett

Hans Cett is an established freelance author and consultant specialising in the mobile communications industry. He also writes for Countdown2MWC - http://countdown2mwc.wordpress.com/
This article was published in Apple, iOS, iphone, mobile security and tagged , , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>