U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Security

Be aware, Apple iOS Data protection doesn’t protect email attachments

Security Researcher Andreas Kurtz noticed that email attachments within different iOS versions are not protected by Apple’s data protection mechanisms. Mobile platform security is becoming even more crucial due to the large number of applications daily used by billion of users, but we must be aware of security flaws that could also affect the mobile OS. […]

Be aware, Apple iOS Data protection doesn’t protect email attachments

Security Researcher Andreas Kurtz noticed that email attachments within different iOS versions are not protected by Apple’s data protection mechanisms.

Mobile platform security is becoming even more crucial due to the large number of applications daily used by billion of users, but we must be aware of security flaws that could also affect the mobile OS. Modern mobile OSs, including Android and iOS manage a huge quantity of user’s data that could be exposed with serious consequences for user’ security and privacy.
Data protection” feature, implemented by Apple since June 2010, allows hardware encryption for user’s data stored on the Smartphone as explained by Apple:
“Data protection is available for devices that offer hardware encryption, including iPhone 3GS and later, all iPad models, and iPod touch (3rd generation and later). Data protection enhances the built-in hardware encryption by protecting the hardware encryption keys with your passcode. This provides an additional layer of protection for your email messages attachments, and third-party applications.”
Apple Data protection 2
Security Researcher Andreas Kurtz made an interesting discovery, Apple has silently removed from the official release, in the last updates, the email attachment encryption from data protection mechanisms. Kurtz noticed that at least version 7.0.4 and current version 7.1.1 don’t support anymore encryption for email attachments. The expert used for its test the iOS forensics tool ‘iPhone Data Protection‘ which allowed him to deepen the analysis.

“A few weeks ago, I noticed that email attachments within the iOS 7 MobileMail.app are not protected by Apple’s data protection mechanisms. Clearly, this is contrary to Apple’s claims that data protection “provides an additional layer of protection for (..) email messages attachments”. “I verified this issue by restoring an iPhone 4 (GSM) device to the most recent iOS versions (7.1 and 7.1.1) and setting up an IMAP email account1, which provided me with some test emails and attachments. Afterwards, I shut down the device and accessed the file system using well-known techniques (DFU mode, custom ramdisk, SSH over usbmux). Finally, I mounted the iOS data partition and navigated to the actual email folder. Within this folder, I found all attachments accessible without any encryption/restriction” states Kurtz in a blog post.

Apple Data protection test
Email attachments are stored in clear text on the iOS devices, this is very risky for user’s privacy. The researcher Andreas Kurtz made further investigation on the real protection offered by Apple devices, to verify that data protection was really enabled, he also tried to access the Protected Indexfile, the database used to archive email messages, fortunately the access was blocked by the iOS.
# xxd Protected\ Index
xxd: Protected Index: Operation not permitted

Kurtz reported his findings to Apple, but received an anomalous response; Apple confirmed that it is aware of this issue, but hasn’t planned a date to release a patch to fix it. I’m surprised because I consider the issue as critical, email are probably within most sensitive information for mobile users especially in a business context.

Now, why to discuss of BYOD when the device we are using doesn’t protect of email attachment?

As a workaround, concerned users may disable mail synchronization (at least on devices where the bootrom is exploitable).

Pierluigi Paganini

(Security Affairs –  Apple iOS, Data protection)