Security Researcher claims iOS 7 doesn’t encrypt email attachments


Andreas Kurtz of NESO Security Labs claims that email attachments are not being encrypted in iOS 7, according to a report on ZDNet.

Kurtz, a security researcher, has previously identified security issues in Apple’s mobile operating system, which were fixed in iOS 7.

ZDNet reports:

Research by Andreas Kurtz, who has reported security issues to Apple in the past, shows that iOS, since at least version 7.0.4 and including the current version 7.1.1, does not encrypt attachments at rest.

Kurtz tested for the bug by creating an IMAP email account and putting some messages with attachments in its folders. He then shut the device down and accessed the file system using well-known tools. He was able to view the files in clear text.

It appears the tools used by Kurtz to access the files would need a jailbroken iPhone. He explains on his blog:

I verified this issue by restoring an iPhone 4 (GSM) device to the most recent iOS versions (7.1 and 7.1.1) and setting up an IMAP email account, which provided me with some test emails and attachments. Afterwards, I shut down the device and accessed the file system using well-known techniques (DFU mode, custom ramdisk, SSH over usbmux). Finally, I mounted the iOS data partition and navigated to the actual email folder. Within this folder, I found all attachments accessible without any encryption/restriction:

Kurtz has reported the issue to Apple, which said it is aware of the problem, but the Cupertino-based company has yet to confirm when the issue will be fixed.

It does seem like a bug, as Apple’s Knowledge Base article on data protection explicitly mentions encryption of email attachments:

Data protection enhances the built-in hardware encryption by protecting the hardware encryption keys with your passcode. This provides an additional layer of protection for your email messages attachments, and third-party applications.

I wouldn’t get too paranoid as hackers would need physical access to the device to exploit the flaw. Apple is yet to give an official statement on the issue.

[Andreas Kurtz’s blog via ZDNet]