Despite Apple’s assurances that your phone’s files are protected behind that four-digit passcode, one German security expert says a lost or stolen iPhone might not be as safe as the company suggests. Specifically, any hacker who manages to get his or her hands on your phone could pretty easily access your email attachments.
Andreas Kurtz, of independent security research firm NESO Labs, wrote about this iPhone security flaw in a blog post on April 23. He said he realized that email attachments within the iOS 7 app are not being protected the way Apple claims they are.
Apple has said for years that passcode-protected phones have an extra layer of security for emails and message attachments as well as third-party applications. If someone were to get ahold of your passcode-protected phone and manage to access the email attachment files on the device by plugging it into a computer, they should see only gibberish if they didn’t enter the passcode to unlock the phone, according to Apple.
But Kurtz was able to restore an iPhone 4 with the latest versions of iOS (7.1 and 7.1.1), protect it with a passcode, and then access the iPhone’s files simply by plugging the phone into a computer and using password-bypass software. Instead of the gibberish of encrypted files, he said he was able to access unencrypted email attachment files stored on the phone.
Kurtz was able to replicate this same process on an iPhone 5s and an iPad 2, both running iOS 7.0.4, and he found the problem was affecting POP, IMAP and ActiveSync email accounts.
CNN Money reports the problem might not affect newer devices, which don’t allow computers to access raw files. Until hackers find a way to access that raw data via a computer, the phone’s files, including email attachments, will be encrypted. Whether or not you can access these files, however, the security flaw is still present on all devices, per CNN Money.
Kurtz says in his blog post that Apple told him it is aware of the problem. According to CNN Money, Apple “plans to fix the issue in a future update.”
9to5Mac notes that the security loophole could be a big issue for corporate and government users of iOS devices.
TidBITS, a blog covering Apple news, points out that this vulnerability is probably not an emergency for all iPhone users, since most civilian iOS users don’t receive email attachments with highly sensitive information.