A bug has been discovered in iOS 7 that causes email attachments to not be encrypted. Before anyone panics, however, in order for an attacker to exploit the bug they'd need to a) steal your device and, b) brute force or jailbreak-bypass the passcode or password, which c) currently means there's no risk to iPhone 4s and later devices running iOS 7.1 or later software. When reached for comment about the bug, Apple provided us with the following statement:
"We're aware of the issue," an Apple spokeswoman told iMore, "and are working on a fix which we will deliver in a future software update."
The bug was first reported by Andreas Kurtz:
Kurtz claims he successfully duplicated the tests on an iPhone 5s and an iPad 2 running iOS 7.0.4, though he makes no claim of testing them successfully or unsuccessfully on iOS 7.1.1. Given the requirements, anyone running an iPhone 4s or later (Apple A5* chipset or later) and iOS 7.1.x or later should not be vulnerable to this bug.
That means the only current, updated hardware affected is the iPhone 4, and an attacker would still need prolonged access to your device to perform this attack, which also means preventing Find my iPhone from wiping it. They'd also need to get around the passcode or password. (If you don't have a Passcode set they could just launch Mail.app and see all your attachments, and everything else on your device, anyway.)
With iOS, Apple has made the iPhone and iPad amazingly strong crypto bricks but bugs like this need to be squashed and fast to keep them that way.
Nick Arnott contributed to this story.
Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.
I should make double, triple clear that if someone has physical access to your iPhone, the passcode/password is your best friend. Make sure you're using one.
Ok, I'm confused. If they have the phone, and they're able to somehow get your password/passcode... what difference does it make if attachments are encrypted or not? They'll just log in at the lock screen and read your mail, right?
Pretty much. The subtle difference is if they can jailbreak the device, they can access the file system directly. But, yeah, physical access + passcode/password bypass is endgame.
And people wonder why Apple squashes the bugs that lead to jailbreaks so quickly.
I have passcode with TouchID on my 5s with 7.1.1.
Likewise, sounds like you're well protected :)
I've always been forced to have a password due to corporate Exchange polices, glad I'm covered. I was concerned when I first heard about this bug.
I think initial reports lacked a lot of context and, unfortunately, scared people without cause. Security is a topic that doesn't benefit from sensationalism :-/
Get the best of iMore in in your inbox, every day!
Thank you for signing up to iMore. You will receive a verification email shortly.
There was a problem. Please refresh the page and try again.