Wednesday, May 7, 2014

Apple Prepares Fix for iOS 7 Email Encryption Bug

There is a bug in iOS 7 that prevents email attachments from being encrypted on your device. The good news is, Apple's already working on a solution.
An Apple spokesperson told iMore that Apple "is aware of the issue and are working on a fix which will be delivered in a future software update."
The flaw was first reported by Andreas Kurtz, who noticed that he could read email attachments when accessing the iOS 7 file system without entering a passcode.
This isn't supposed to happen, because mail attachments are meant to be protected by Apple's Data Protection technologies. Data Protection is supposed to offer users "an additional layer of protection for your email messages attachments, and third-party applications."
In practical terms, that means that if someone steals your phone, they won't be able to pull the data off by connecting it to a computer without knowing your passcode.
The problem, Kurtz found, was that by using an iOS jailbreak tool, he was able to access the file system and found that message attachments are not encrypted.

A real problem but limited risk

This is definitely a real problem — and Apple should release a fix as soon as it can — but it's important to understand the real-world risk this vulnerability holds.
First, this is the sort of vulnerability that requires physical access to your device. 
This is not something that attackers can access using malware or over a network.
Second, as Rich Mogull and Adam Engst point out, to access the data without a passcode, an attacker would need to use a jailbreak technique to bypass the device's security.
And given the state of iOS 7.1.x jailbreaks, that might be easier said than done.
Engst and Mogull explain:
An attacker either needs your passcode (in which case they have everything anyway), or he needs a jailbreak that works without a passcode, allowing him access to the file system. That's how Kurtz was able to attack an iPhone 4. It's unclear how he was able to reproduce on an iPhone 5s and iPad 2 running iOS 7.0.4, since more recent devices running iOS 7 aren't susceptible to a jailbreak without the passcode. It's possible that Kurtz had already jailbroken his iPhone 5s and iPad 2, so they weren't as protected as a normal device would be. The bug means that email attachments still aren't encrypted on those devices, but there isn't a way to get to them.
To reiterate — this is a real problem — but taking advantage of this bug requires the right set of circumstances and technical knowledge.
