iOS Mail App Doesn’t Encrypt Email Attachments

Source: Thinkstock

Source: Thinkstock

Be careful about opening attachments on an iPhone. Apple’s (NASDAQ:AAPL) iOS 7.0 and above has a little security flaw that makes users’ mail a little less secure than it has been in the past. In the current version of Apple’s mobile operating system, the iOS Mail app does not encrypt attachments, making them potentially vulnerable to hackers.

The affected devices include iPhone 4, iPhone 5, and the iPad 2. Attachments are not encrypted, meaning that opening one can leave the document vulnerable. Luckily, this issue primarily extends to hackers that have physical access to the device in question, or iPhone 4 smartphones that have had a jailbreak – an unlocking the software on the device. This means that a tech-savvy roommate or relative is more likely to exploit the security flaw than a hacker in another country. Apple is currently working on a fix for the bug.

The affected mobile operating systems, iOS 7 and above, are currently in use by the majority of iPhone and iPad users. Analytics firm Mixpanel reports that about 91 percent of iOS users have iOS 7 or higher as of Tuesday.

Apple was made aware of the security hole by security researcher Andreas Kurtz. He works as a security researcher at NESO Security Labs in Germany, reported British newspaper The Daily Mail. He wrote about his discovery in a post on his blog in late April. He hacked Apple devices he had on hand that used iOS 7.0.4. Last month’s iOS 7.1.0 update did not fix the flaw either, he noted.

In the post, Kurtz described the process. He reported the encryption flaw to Apple and concluded his post with the following advice: “Considering the long time iOS 7 is available by now and the sensitivity of email attachments many enterprises share on their devices (fundamentally relying on data protection), I expected a near-term patch. Unfortunately, even today’s iOS 7.1.1 did not remedy the issue, leaving users at risk of data theft. As a workaround, concerned users may disable mail synchronization (at least on devices where the bootrom is exploitable),” wrote Kurtz in the post.

Apple released a statement to The Daily Mail that the company was working on a patch for the security flaw. “We’re aware of the issue and are working on a fix which we will deliver in a future software update,” said Apple in its statement.

As the security flaw is difficult to exploit unless a hacker has physical access to the device, most users should not worry. If concerned, users can remove their email addresses from the Mail app until a bug fix is released in the form of an iOS update. No word yet on exactly when the next version of iOS will be out. Just keep a close eye on your iPhone and iPad, especially around pranksters with hacking skills.

More From Wall St. Cheat Sheet: