The strength of Apple's email encryption – a major selling point for the company – has been called into question by independent security research firm NESO Labs.
NESO CEO Andreas Kurtz, based in Germany, has revealed in a 23 April blog that, contrary to Apple's claims, email attachments sent from the latest Apple devices running iOS 7 such as the iPhone 4, iPhone 5 and iPad 2 are not encrypted. NESO found the problem affecting POP, IMAP and ActiveSync email accounts.
Kurtz said in his blog: “Clearly this is contrary to Apple's claims that data protection ‘provides an additional layer of protection for email messages attachments'.”
He discovered the bug when he used some “well-known techniques” - DFU mode, custom ramdisk and SSH over usbmux – to access test emails in an IMAP account and found all their attachments accessible without any encryption or restriction.
Kurtz notified Apple of the issue – then went public on it when they failed to commit to fix it quickly.
He told SCMagazineUK.com via email: “My repeated queries were responded with default replies only, stating either that they were aware of that issue or that they were still investigating this issue, up to today. As iOS 7.1.1 was released without fixing this bug, I decided to disclose details on it.”
Kurtz explained the significance of the flaw, telling SC: “The most serious point is that customers' trust in iOS data protection mechanisms is shattered by this email attachment issue and it might be a warning to not solely rely on iOS security mechanisms but to also apply additional defensive mechanisms to protect corporate data (such as a second layer of encryption/authentication), at least for in-house-developed apps.”
He explained: “Many enterprises share sensitive corporate data on their iOS devices, fundamentally relying on the data protection mechanisms provided by Apple. This is also why many enterprises deliver very restrictive MDM-enforced passcode policies to their devices, as the level of data protection highly depends on the passcode complexity.
“However, as iOS's data protection is an opt-in process, corporate data might still be at risk, when it is not applied correctly. And the current case demonstrates that even official iOS apps fail to apply it correctly.”
Kurtz warned: “The real implications of that email attachment issue are mainly confined to older iOS devices such as the iPhone 4, as files on these devices can be easily read out if a device is lost or stolen (due to a vulnerability in the bootrom of these devices). This means that in cases where no data protection is available (as this is the current state with email attachments in iOS 7), that data can be accessed without any restriction, no matter how long and complex the passcode is.”
UK security expert Sarb Sembhi, consultancy services director at research firm Incoming Thought, advised UK companies who are running iOS 7: “If they are using MDM technologies, the chances are those technologies have already taken this into account. In which case anything that's stored on the corporate side is most likely going to be stored securely.
“If they are not using MDM technologies the chances are there's not much they can do about it apart from, do not sync with anything else, because whatever you thought was secure is no longer secure.”
Sembhi said that Apple has made security one of its key selling points and this issue will affect its reputation - though not significantly.
He told SCMagazineUK.com: “Lots of people do use Apple products thinking they're secure. Apple have invested some time and resources in trying to build security, but something seems to have gone wrong in its marketing, stating functionality which doesn't match up to the reality. Some people may feel aggrieved about this but I don't think it's going to impact Apple in a big way.”
He explained: “Most email systems generally are not secure. If you really need email to be secure then encrypt it, and if you have encrypted it at the client end before you send it, then you should be secure if the encryption was implemented according to the standards.”
Kurtz advised: “As a workaround, concerned users may disable mail synchronisation (at least on devices where the bootrom is exploitable).”
Apple failed to respond to a request for comment on this issue at the time of writing.
NESO Security Labs is an independent information security consulting and research company based in Heilbronn in Germany. It has previously discovered several Apple security flaws including an iOS memory corruption vulnerability when importing Word documents (CVE-2011-3260) and the Apple iPhone OS and Mac OS X stack buffer overflow problem CVE-2010-0036.