
Apple's iOS encryption claims 'are false'


The strength of Apple's email encryption is called into question by independent security research firm NESO Labs.


The strength of Apple's email encryption – a major selling point for the company – has been called into question by independent security research firm NESO Labs.

NESO CEO Andreas Kurtz, based in Germany, revealed in a 23 April blog post that, contrary to Apple's claims, email attachments stored on the latest Apple devices running iOS 7, such as the iPhone 4, iPhone 5 and iPad 2, are not encrypted. NESO found the problem affecting POP, IMAP and ActiveSync email accounts.

Kurtz said in his blog: “Clearly this is contrary to Apple's claims that data protection ‘provides an additional layer of protection for email messages attachments’.”

He discovered the bug when he used some “well-known techniques” – DFU mode, a custom ramdisk and SSH over usbmux – to access test emails in an IMAP account and found all their attachments accessible without any encryption or restriction.

Kurtz notified Apple of the issue, then went public when the company did not commit to a prompt fix.

He told SCMagazineUK.com via email: “My repeated queries were responded to with default replies only, stating either that they were aware of that issue or that they were still investigating this issue, up to today. As iOS 7.1.1 was released without fixing this bug, I decided to disclose details on it.”

Kurtz explained the significance of the flaw, telling SC: “The most serious point is that customers' trust in iOS data protection mechanisms is shattered by this email attachment issue and it might be a warning to not solely rely on iOS security mechanisms but to also apply additional defensive mechanisms to protect corporate data (such as a second layer of encryption/authentication), at least for in-house-developed apps.”

He explained: “Many enterprises share sensitive corporate data on their iOS devices, fundamentally relying on the data protection mechanisms provided by Apple. This is also why many enterprises deliver very restrictive MDM-enforced passcode policies to their devices, as the level of data protection highly depends on the passcode complexity.

“However, as iOS's data protection is an opt-in process, corporate data might still be at risk, when it is not applied correctly. And the current case demonstrates that even official iOS apps fail to apply it correctly.”
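As an added illustration, not code from NESO Labs, Apple or the article, the Swift snippet below shows what that opt-in looks like from an app's side: writing a file with NSFileProtectionComplete, reading the protection class back to verify it, and upgrading an existing unprotected file. It assumes it runs inside an iOS app sandbox on a passcode-protected device; the file name and payload are constructed for the example.

```swift
import Foundation

// Added example (not NESO's or Apple's code): an app opting its own files into
// iOS Data Protection, which the article notes is opt-in rather than automatic.
// Assumptions: runs inside an iOS app sandbox on a passcode-protected device;
// the file name and the sample payload are constructed for illustration.

enum ProtectedStore {
    /// Writes `data` so the file is encrypted under a class key that is only
    /// available while the device is unlocked (NSFileProtectionComplete).
    static func writeProtected(_ data: Data, to url: URL) throws {
        // .completeFileProtection maps to NSFileProtectionComplete; without
        // this option the file inherits the default class of its directory.
        try data.write(to: url, options: [.atomic, .completeFileProtection])
    }

    /// Reads back the protection class so the caller can verify the opt-in
    /// actually took effect rather than assuming it did.
    static func protectionClass(of url: URL) throws -> FileProtectionType? {
        let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
        return attrs[.protectionKey] as? FileProtectionType
    }

    /// Upgrades an existing unprotected file in place (e.g. a cache written
    /// before the app adopted Data Protection).
    static func upgradeProtection(at url: URL) throws {
        try FileManager.default.setAttributes(
            [.protectionKey: FileProtectionType.complete], ofItemAtPath: url.path)
    }
}

// Usage: store a constructed "attachment" in the app's Documents directory and
// verify its protection class, failing loudly if the opt-in did not apply.
let docs = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]
let attachment = docs.appendingPathComponent("attachment.pdf")   // constructed name
let payload = Data("constructed sample attachment bytes".utf8)    // constructed payload
do {
    try ProtectedStore.writeProtected(payload, to: attachment)
    let cls = try ProtectedStore.protectionClass(of: attachment)
    precondition(cls == .complete, "file was not opted in to Data Protection")
    print("attachment stored with class:", cls.map { $0.rawValue } ?? "none")
} catch {
    print("failed to store attachment securely:", error)
}
```

With the opt-in applied, the file's class key is wrapped with a key derived from the user passcode, so the passcode complexity the article mentions actually bears on the file; without it, as Kurtz describes for iOS 7 attachments, the passcode is irrelevant to the file's confidentiality.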

Kurtz warned: “The real implications of that email attachment issue are mainly confined to older iOS devices such as the iPhone 4, as files on these devices can be easily read out if a device is lost or stolen (due to a vulnerability in the bootrom of these devices). This means that in cases where no data protection is available (as this is the current state with email attachments in iOS 7), that data can be accessed without any restriction, no matter how long and complex the passcode is.”

UK security expert Sarb Sembhi, consultancy services director at research firm Incoming Thought, advised UK companies who are running iOS 7: “If they are using MDM technologies, the chances are those technologies have already taken this into account. In which case anything that's stored on the corporate side is most likely going to be stored securely.

“If they are not using MDM technologies the chances are there's not much they can do about it apart from, do not sync with anything else, because whatever you thought was secure is no longer secure.”

Sembhi said that Apple has made security one of its key selling points and this issue will affect its reputation – though not significantly.

He told SCMagazineUK.com: “Lots of people do use Apple products thinking they're secure. Apple have invested some time and resources in trying to build security, but something seems to have gone wrong in its marketing, stating functionality which doesn't match up to the reality. Some people may feel aggrieved about this but I don't think it's going to impact Apple in a big way.”

He explained: “Most email systems generally are not secure. If you really need email to be secure then encrypt it, and if you have encrypted it at the client end before you send it, then you should be secure if the encryption was implemented according to the standards.”

Kurtz advised: “As a workaround, concerned users may disable mail synchronisation (at least on devices where the bootrom is exploitable).”

Apple failed to respond to a request for comment on this issue at the time of writing.

NESO Security Labs is an independent information security consulting and research company based in Heilbronn in Germany. It has previously discovered several Apple security flaws including an iOS memory corruption vulnerability when importing Word documents (CVE-2011-3260) and the Apple iPhone OS and Mac OS X stack buffer overflow problem CVE-2010-0036.
