iOS' data protection not so protective, German security expert claims

Wednesday, May 7, 2014

According to security expert Andreas Kurtz, anyone able to bypass the passcode on your iPhone 4/4S can access the unencrypted contents of the device's file system, and more specifically, e-mail attachments. As Apple states, all iPhone 3GS and later, all iPad models, and iPod Touch models 3G and later offer hardware encryption with keys generated from the passcode. But Kurtz found that bypassing the passcode on a locked iPhone 4 effectively decrypts the device and exposes its contents to anyone who might be interested in them. Here's the full posting from Kurtz's personal blog:






A few weeks ago, I noticed that email attachments within the iOS 7 MobileMail.app are not protected by Apple's data protection mechanisms. Clearly, this is contrary to Apple's claims that data protection "provides an additional layer of protection for (..) email messages attachments". I verified this issue by restoring an iPhone 4 (GSM) device to the most recent iOS versions (7.1 and 7.1.1) and setting up an IMAP email account, which provided me with some test emails and attachments. Afterwards, I shut down the device and accessed the file system using well-known techniques (DFU mode, custom ramdisk, SSH over usbmux). Finally, I mounted the iOS data partition and navigated to the actual email folder. Within this folder, I found all attachments accessible without any encryption/restriction.




Both Kurtz and CNN reported the issue to Apple, which responded that it is aware of the issue but did not say when a fix can be expected. Kurtz therefore suggests that users disable mail synchronization for the time being. Of course, the best way to protect your phone is to make sure no one else gets their hands on it.




source: Andreas Kurtz via CNN




