Apple's Mail app in iOS 7 is failing to encrypt email attachments, leaving user data vulnerable to hackers, a recent study found.
Andreas Kurt, a security researcher, posted his findings online, saying Apple's email app in the latest version of its iPhone and iPad software is not securing files that are attached to emails. This makes the files readily available to anyone with the proper software.
The researcher said he confirmed this by trying out a method on email stored in an iPhone 4 running the latest version of iOS 7. He said he was able to find the device's email attachments unprotected, and he said he later confirmed the process on an iPhone 5S and an iPad 2.
"I found all attachments accessible without any encryption/restriction," Kurt wrote.
This calls into question Apple's reputation for having secure software. It also seems to contradict an Apple Web page that explains the security of its iOS software.
"Data protection enhances the built-in hardware encryption by protecting the hardware encryption keys with your passcode," the page says. "This provides an additional layer of protection for your email messages, attachments, and third-party applications."
Kurt said he notified Apple of the issue and wrote that Apple said it was aware of the problem. However, he said, the company did not say when it would be able to fix the problem. Apple could not be reached for comment.
Considering how long iOS 7 has been available and how sensitive the files that consumers send through email can be, Kurt said he expects Apple to release an update that fixes the problem some time soon.
But until then, Apple device owners may want to avoid using the Mail app in iOS 7 to send emails containing sensitive file attachments. Users can turn to apps made by their email providers, such as Gmail or Yahoo. Users can also turn to third-party email apps, such as Mailbox or myMail.
The reported issue with Apple iOS 7 Mail comes shortly after an email problem experienced by AOL.
In that instance, the company was hacked, with the cyber thieves taking all kinds of data, including email addresses and address books. This allowed hackers to send "spoof" spam email, which is designed to look like it is coming from someone the recipient knows even when it is coming directly from a spammer.
To resolve the problem, AOL was forced to change one of its email policies.
© 2014 Los Angeles Times (CA)
syndicated under contract with NewsEdge. All rights reserved.