May 02, 2014
“Data protection is available for devices that offer hardware encryption, including iPhone 3GS and later, all iPad models, and iPod touch (3rd generation and later). Data protection enhances the built-in hardware encryption by protecting the hardware encryption keys with your passcode. This provides an additional layer of protection for your email messages attachments, and third-party applications.”
“A few weeks ago, I noticed that email attachments within the iOS 7 MobileMail.app are not protected by Apple’s data protection mechanisms. Clearly, this is contrary to Apple’s claims that data protection “provides an additional layer of protection for (..) email messages attachments”. “I verified this issue by restoring an iPhone 4 (GSM) device to the most recent iOS versions (7.1 and 7.1.1) and setting up an IMAP email account1, which provided me with some test emails and attachments. Afterwards, I shut down the device and accessed the file system using well-known techniques (DFU mode, custom ramdisk, SSH over usbmux). Finally, I mounted the iOS data partition and navigated to the actual email folder. Within this folder, I found all attachments accessible without any encryption/restriction” states Kurtz in a blog post.
# xxd Protected\ Index
xxd: Protected Index: Operation not permitted
Kurtz reported his findings to Apple, but received an anomalous response; Apple confirmed that it is aware of this issue, but hasn’t planned a date to release a patch to fix it. I’m surprised because I consider the issue as critical, email are probably within most sensitive information for mobile users especially in a business context.
Now, why to discuss of BYOD when the device we are using doesn’t protect of email attachment?
As a workaround, concerned users may disable mail synchronization (at least on devices where the bootrom is exploitable).
(Security Affairs – Apple iOS, Data protection)
