Mittwoch, 23. April 2014

What Apple Missed to Fix in iOS 7.1.1

A few weeks ago, I noticed that email attachments within the iOS 7 are not protected by Apple's data protection mechanisms. Clearly, this is contrary to Apple's claims that data protection "provides an additional layer of protection for (..) email messages attachments".

I verified this issue by restoring an iPhone 4 (GSM) device to the most recent iOS versions (7.1 and 7.1.1) and setting up an IMAP email account1, which provided me with some test emails and attachments. Afterwards, I shut down the device and accessed the file system using well-known techniques (DFU mode, custom ramdisk, SSH over usbmux). Finally, I mounted the iOS data partition and navigated to the actual email folder. Within this folder, I found all attachments accessible without any encryption/restriction:

# mount_hfs /dev/disk0s1s2 /mnt2
# cd /mnt2/mobile/Library/Mail/

# xxd IMAP-MY_MAILADDRESS/INBOX.imapmbox/Attachments/4/2/my_file.pdf 
0000000: 2550 4446 2d31 2e34 0a25 81e2 81e3 81cf  %PDF-1.4.%......
0000010: 81d3 5c72 0a31 2030 206f 626a 0a3c 3c0a  ..\r.1 0 obj.<<.
0000020: 2f43 7265 6174 696f 6e44 6174 6520 2844  /CreationDate (D
0000030: 3a32 3031 3330 3830 3532 3034 3830 3329  :20130805204803)
0000040: 0a2f 4d6f 6444 6174 6520 2844 3a32 3031  ./ModDate (D:201
0000050: 3330 3830 3532 3034 3830 3329 0a2f 5469  30805204803)./Ti
0000060: 746c 6520 2852 2047 7261 7068 6963 7320  tle (R Graphics 
0000070: 4f75 7470 7574 290a 2f50 726f 6475 6365  Output)./Produce
0000080: 7220 2852 2033 2e30 2e31 290a 2f43 7265  r (R 3.0.1)./Cre
0000090: 6174 6f72 2028 5229 0a3e 3e0a 656e 646f  ator (R).>>.endo

To verify that data protection was actually enabled, I also tried to access the Protected Index file (email message database). As expected, access to that file was not permitted.

# xxd Protected\ Index
xxd: Protected Index: Operation not permitted

Note: I was also able to reproduce this issue on an iPhone 5s and an iPad 2 running iOS 7.0.4.

I reported these findings to Apple. They responded that they were aware of this issue, but did not state any date when a fix is to be expected. Considering the long time iOS 7 is available by now and the sensitivity of email attachments many enterprises share on their devices (fundamentally relying on data protection), I expected a near-term patch. Unfortunately, even today's iOS 7.1.1 did not remedy the issue, leaving users at risk of data theft. As a workaround, concerned users may disable mail synchronization (at least on devices where the bootrom is exploitable).

1 It turned out that POP or ActiveSync email accounts behave the same way.


  1. It might related with iOS7 file sharing with managed app feature. (Which I thought great replacement to containerization.) This might not serious if you assume you will never lose your phone.

  2. Does anyone out there have the tools to test this for an Exchange account?

    1. Hello Mr. Seitzer,
      as the author, Andreas Kurtz, has written in Note1 in hier post, this also affects ActiveSync Accounts. According to [1], in my opinion, the shown security issue affects Exchange accounts in the same way it affects Pop/Imap acounts.
      Simon Streicher


  3. Hi Andreas,
    Thanks for this insight. Once again I wish Apple would be a bit more open in it's communication about such issues.
    Although I guess it is quite clear, that this issue is not fixed by the hardware update in later devices alone, since you have tested it with iOS 7.0.4: Does this also affect devices such as iPhone 5s with iOS 7.1.1.?

  4. This is an issue on corporate level in Iphone, And its big point raised that apple has not fixed that problem custom writing company. Apple should consider it on immediate basis to resolve the query of customer ASAP.