According to Apple, email attachments in iOS 7’s default Mail application are encrypted when sent out; the company reaffirms this promise on its website, under the headline “Understanding data protection.” But according to security researcher Andreas Kurtz, iOS, including the most recent update (iOS 7.1.1) doesn’t encrypt email attachments at all, which is hugely worrying for privacy advocates—and worrying because Apple makes the claim saying attachments are indeed encrypted.
Kurtz said he was able to verify the issue by testing iOS 7.1 and iOS 7.1.1 on an iPhone 4 with an IMAP email account. The same method found similar results on an iPad 2 and iPhone 5s.
Afterwards, I shut down the device and accessed the file system using well-known techniques (DFU mode, custom ramdisk, SSH over usbmux). Finally, I mounted the iOS data partition and navigated to the actual email folder. Within this folder, I found all attachments accessible without any encryption/restriction.
Apple is apparently aware of the bug, according to Kurtz, though it’s unclear when a fix will be implemented. With the news now gaining widespread attention, a fix will likely be pushed out sooner rather than later. Encryption might not mean much to the average consumer — though it should be — but it’s certainly an issue for those using the iPhone as a work device. Companies such as Apple don’t just rely on sales direct to consumers; big orders from governments and others big business factors in, and play an important role in the smartphone war.
If Apple doesn’t address this encryption issue soon, its reputation among commercial users, and consumers who command privacy, could take a lasting hit. Seeing as Apple is aware of the issue, the scramble is likely on to implement a fix ASAP. If not, perhaps you’ll consider using a competing email client in the meantime.