Researcher says Apple fibs about crypto for iOS email attachments

Apple has been busted for falsely claiming that email attachments sent from iOS are encrypted. German researcher Andreas Kurtz found email attachments for POP, IMAP and ActiveSync accounts were available in clear text on iPhone 4, 5s and iPad 2 devices. "A few weeks ago, I noticed that email attachments within the iOS 7 …


This topic is closed for new posts.
  1. Anonymous Coward

    It's not a bug, it's a feature.

    Our encryption algorithm is so sneaky...encrypted attachments look just like the plain text of a message you really sent. Really messes with those hackers' minds.

    Besides - you were holding it wrong. Squeeze tighter if you want a different encryption algorithm - d'uh!

    1. WonkoTheSane

      Re: It's not a bug, it's a feature.

      Maybe Apple are using double ROT-13?

      1. Ralph B

        Re: It's not a bug, it's a feature.

        It's done this way so that if the cops obtain your encryption keys, and use them, they won't be able to read your email attachments.

      2. VinceH

        Re: It's not a bug, it's a feature.

        "Maybe Apple are using double ROT-13?"

        Double ROT-13 is now a bit old-hat and considered too weak. Much better to use the new quadruple ROT-13 standard - and for added security, overlay it with a double-exclusive-or.

      3. Tromos

        Re: It's not a bug, it's a feature.

        Double ROT-13 has been cracked. They're upgrading to quadruple.

    2. SuccessCase

      Re: It's not a bug, it's a feature.

      "Our encryption algorithm is so sneaky it's doing exactly what we said it would."

      Another shameless sham of a security story by The Register. The data protection feature on the iPhone refers to the ability to switch on file system encryption, in which case the entire contents of the user directory in the underlying OS is encrypted. If you don't opt for data protection (it's an option in settings anyone can use - personally I don't bother) and jailbreak the device, then the filesystem is accessible just like it is on OSX, Linux and Windows and you can, duh, read your files that are stored there. The contents of the mail and personal files folders, including attachments, will be sitting there unencrypted, just as they are on your Linux machine, PC and Mac (though each of those likewise has disk encryption options). Outrageous, huh!

      Stories like this really show The Register up for what it is. Melodrama above truth every time.

      1. DaLo

        Re: It's not a bug, it's a feature.

        Not quite, did you read his blog post?

        It had data protection on and he could not access the data protected areas. Therefore trying to access the e-mail messages themselves via the file system was not allowed.

        # xxd Protected\ Index

        xxd: Protected Index: Operation not permitted

        However the attachments fell outside of the protected area and were accessible.

  2. AndyTempo

    I read the story on here yesterday that the whole file system is encrypted. I think that is all the Apple web page linked from this article is claiming. Or did I miss something?

    1. Velv

      There's actually a very good Apple document on the security of iDevice hardware and iOS (various versions) which explains just what is and what isn't covered.

      In summary, the device is encrypted using keys generated at user install (new, or after a factory reset) and the private keys are kept in a tamper-proof chip. So you cannot open an iPhone, strip out the chips and read the storage in another device.

      Once you set a password, it's linked with the keys and grants you access to the content.

      As always, if you've got the keys, you can get into the vault. If you then put a hole in the wall of the vault (e.g. jailbreak the phone) then don't be surprised if someone else can see in.

  3. nematoad

    Just a warning.

    "Apple has been contacted for comment."

    Don't hold your breath.

    "Security by obscurity", maybe Apple should seek a patent on the concept. After all they are the chief exponents.

  4. FastLaneJB

    Apple's not wrong on this if you ask me...

    Is not everything on an iPhone encrypted so if you wipe the device it actually just wipes the encryption keys? Hence in this sense Apple is correct.

    Obviously if the device hasn't been wiped and you've jailbroken it then you can access the file system where items are available unencrypted at that point in time.

    It seems to me that Apple is not wrong in their claim and the researcher is expecting double encryption on email attachments? I don't see the point. How's the phone user supposed to easily open an encrypted attachment file (also encrypted with full drive encryption) easily and quickly but the attacker with their device cannot? You'd need to have another encryption key tied to a long password you'd have to key in each time.

    Sorry but I'm with Apple on this one. Security is good enough already and any more would get in the way of usability too much.

    1. 45RPM Silver badge

      Re: Apple's not wrong on this if you ask me...

      Aww - you spoilsport. Come on - get with the game. It's called the fun knee-jerk reaction game - and the best thing is that you don't even need to be able to think. You just need to be able to spew ill-informed bile.

    2. Robert Helpmann??

      Re: Apple's not wrong on this if you ask me...

      Apple says on its web site that "Data protection is available for devices that offer hardware encryption.... This provides an additional layer of protection for your email messages attachments, and third-party applications." The researcher was able to get into the e-mail attachments but not other parts of the disk. It would seem that Apple's claims on this issue are at least misleading and probably simply false.

  5. Anonymous Coward

    proves their claim that they do not suffer from Heartbeat encryption error.

    No flies on them, they simply removed the security full stop.

    1. Mike Bell

      Re: proves their claim that they do not suffer from Heartbeat encryption error.

      You clever, clever person. Did you not read the reply above?

      Everything on the iPhones' filing system is encrypted.

  6. Anonymous Coward

    I thought there was no jailbreak after 7.0.6

    Email attachments were exposed on firmware iOS 7.1.1, 7.1 and 7.0.4 which Kurtz probed by jailbreaking devices using free tools.

  7. This post has been deleted by its author
