Apple has been busted for falsely claiming that email attachments sent from iOS are encrypted. German researcher Andreas Kurtz found email attachments for POP, IMAP and ActiveSync accounts were available in clear text on iPhone 4, 5s and iPad 2 devices. "A few weeks ago, I noticed that email attachments within the iOS 7 …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Friday 2nd May 2014 03:39 GMT Anonymous Coward

It's not a bug, it's a feature.

Our encryption algorithm is so sneaky...encrypted attachments look just like the plain text of a message you really sent. Really messes with those hacker's minds.

Besides - you were holding it wrong. Squeeze tighter if you want a different encryption algorithm - d'uh!

8 5
1. Friday 2nd May 2014 05:32 GMT WonkoTheSane
  
  Re: It's not a bug, it's a feature.
  
  Maybe Apple are using double ROT-13?
  
  9 1
  1. Friday 2nd May 2014 06:25 GMT Ralph B
    
    Re: It's not a bug, it's a feature.
    
    It's done this way so that if the cops obtain your encryption keys, and use them, they won't be able to read your email attachments.
    
    6 1
  2. Friday 2nd May 2014 08:04 GMT VinceH
    
    Re: It's not a bug, it's a feature.
    
    "Maybe Apple are using double ROT-13?"
    
    Double ROT-13 is now a bit old-hat. and considered too weak. Much better to use the new quadruple ROT-13 standard - and for added security, overlay it with a double-exclusive-or.
    
    5 0
  3. Friday 2nd May 2014 10:05 GMT Tromos
    
    Re: It's not a bug, it's a feature.
    
    Double ROT-13 has been cracked. They're upgrading to quadruple.
    
    2 0
2. Friday 2nd May 2014 07:41 GMT SuccessCase
  
  Re: It's not a bug, it's a feature.
  
  "Our encryption algorithm is so sneaky it's doing exactly what we said it would."
  
  Another shameless sham of a security story by The Register. The data protection feature on the iPhone refers to the ability to switch on file system encryption, in which case the entire contents of the user directory in the underlying OS is encrypted. If you don't opt for data protection (it's an option in settings anyone can use - personally I don't bother) and jailbreak the device, then the filesystem is accessible just like it is on OSX, Linux and Windows and you can, duh, read your files that are stored there. The contents of the mail and personal files folders, including attachments, will be sitting there unencrypted, just as they are on your Linux machine, PC and Mac (though each of those likewise have disk encryption options). Outrageous huh !
  
  Stories like this really show The Register up for what it is. Melodrama above truth every time.
  
  6 9
  1. Friday 2nd May 2014 10:42 GMT DaLo
    
    Re: It's not a bug, it's a feature.
    
    Not quite, did you read his blog post?
    
    It had data protection on and he could not access the data protected areas. Therefore trying to access the e-mail messages themselves via the file system were not allowed
    
    # xxd Protected\ Index
    
    xxd: Protected Index: Operation not permitted
    
    However the attachments fell outside of the protected area and were accessible.
    
    2 0
Friday 2nd May 2014 06:46 GMT AndyTempo

I read the story on here yesterday that the whole file system is encrypted. I think that is all the apple web page linked from this article is claiming. Or did I miss something?

3 0
1. Friday 2nd May 2014 14:18 GMT Velv
  
  There's actually a very good Apple document on the security of iDevice hardware and iOS (various versions) which explains just what is and what isn't covered.
  
  In summary, the device is encrypted using keys generated at user install (new, or after a factory reset) and the private keys are kept in a tamper-proof chip. So you cannot open an iPhone, strip out the chips and read the storage in another device.
  
  Once you set a password, it's linked with the keys and grants you access to the content.
  
  As always, if you've got the keys, you can get into the vault. If you then put a hole in the wall of the vault (e.g. jailbreak the phone) then don't be surprised if someone else can see in.
  
  0 0
Friday 2nd May 2014 07:44 GMT nematoad

Just a warning.

"Apple has been contacted for comment."

Don't hold your breath.

"Security by obscurity", maybe Apple should seek a patent on the concept. After all they are the chief exponents.

2 3
Friday 2nd May 2014 08:14 GMT FastLaneJB

Apples not wrong on this if you ask me...

Is not everything on an iPhone encrypted so if you wipe the device it actually just wipes the encryption keys? Hence in this sense Apple is correct.

Obviously if the device hasn't been wiped and you've jailbreaked it then you can access the file system where items are available unencrypted at that point in time.

This seems to me to that Apple is not wrong in their claim and the researcher is expecting double encryption on email attachments? I don't see the point. How's the phone user supposed to easily open an encrypted attachment file (Also encrypted with full drive encryption) easily and quickly but the attacker with their device cannot? You'd need to have another encryption key tied to a long password you'd have to key in each time.

Sorry but I'm with Apple on this one. Security is good enough already and any more would get in the way of usability too much.

7 1
1. Friday 2nd May 2014 11:02 GMT 45RPM
  
  Re: Apples not wrong on this if you ask me...
  
  Aww - you spoilsport. Come on - get with the game. It's called the fun knee-jerk reaction game - and the best thing is that you don't even need to be able to think. You just need to be able to spew ill-informed bile.
  
  1 2
2. Friday 2nd May 2014 17:07 GMT Robert Helpmann??
  
  Re: Apples not wrong on this if you ask me...
  
  Apple says on its web site that "Data protection is available for devices that offer hardware encryption.... This provides an additional layer of protection for your email messages attachments, and third-party applications." The researcher was able to get into the e-mail attachments but not other parts of the disk. It would seem that Apple's claims on this issue are at least misleading and probably simply false.
  
  1 0
Friday 2nd May 2014 09:22 GMT Anonymous Coward

proves their claim that they do not suffer from Heartbeat enryption error.

No flies on them, they simply removed the security full stop.

0 1
1. Friday 2nd May 2014 11:09 GMT Mike Bell
  
  Re: proves their claim that they do not suffer from Heartbeat enryption error.
  
  You clever, clever person. Did you not read the reply above?
  
  Everything on the iPhones' filing system is encrypted.
  
  0 0
Friday 2nd May 2014 21:55 GMT Anonymous Coward

I thought there was no jailbreak after 7.0.6

Email attachments were exposed on firmware iOS 7.1.1, 7.1 and 7.0.4 which Kurtz probed by jailbreaking devices using free tools.

0 0
This post has been deleted by its author