apple security fail leaves email attachments unprotected

One of the nice things about Apple’s iOS platform is the “hardware level encryption” that protects “all of the information on the device.”  At least, that used to be the case.

Starting in iOS 7, email attachments stored on iPhones, iPads, and iPod Touches (remember those?) are not stored in encrypted form. A security researcher recently announced that he was able to retrieve plaintext attachments from encrypted iPhones using standard forensic tools. Apple never corrected its previous statements indicating that all data in iOS was “protected by hardware encryption,” so millions of personal and business users have been working under a false assumption of security for a couple of months now.

When the researcher reported the issue to Apple, he was told that they were aware of it but had no date for a fix.

This is why I continue to recommend that corporate users stick with containerized solutions for their iOS and Android mobile users. Consumer-level mobile devices are not designed with the level of security appropriate for business (especially in highly regulated industries like finance and health care). Yes, from an ease-of-use point of view it would be nice to use the native apps on personal devices to deliver corporate data, but if your users are carrying around sensitive information in their email attachments, you have to consider the risk of an adversary extracting that information from the device relatively easily.

Apple really dropped the ball on this one. They were not up front with their users regarding the loss of a key security feature and didn’t give them the chance to make an informed decision based on that information. Not cool. This incident underlines Apple’s lack of commitment to and understanding of the corporate market. If they want to be a corporate player, they need to step up and accept the responsibilities that the role entails – otherwise, stop trying to do things half way, guys.