Apple admits flaw in email attachment encryption on iPhones and iPads

Apple admits iOS 7 encryption flaw

Apple admits iPhone encryption flawApple is under pressure to patch a security flaw in iOS 7, after researcher Andreas Kurtz published his discovery that email attachments are unencrypted on iPhones and iPads, and can be accessed by an attacker using “well-known techniques.”

Apple usually doesn’t talk about any security bugs until it has issued a patch, although in this case the company confirmed the vulnerability and said it is working on a fix.

This probably isn’t a show-stopping hole – it seems that an attacker can’t use the bug to read your email attachments remotely – but it was serious enough to get Apple’s reaction.

Apple security patching getting better?

The security community often criticizes Apple for its slow reaction to vulnerabilities and infrequent patching.

But the Silicon Valley tech giant seems to be responding with more security updates in recent months than in the past.

Already iOS 7 has had five major updates (iOS 7.0.1 – 7.0.4, and iOS 7.1.1), including multiple fixes for security bugs.

In iOS 7.0.2, Apple fixed two bugs that allowed anyone to make phone calls or share user photos from the lock screen, without using the passcode.

Kurtz said he had disclosed the email attachment bug in iOS 7 to Apple two weeks prior to the iOS 7.1.1 update, meaning Apple has known about the flaw for more than a month.

With four weeks to fix a security bug, you could argue that Apple has had plenty of time already, and should push out its patch quickly now that the vulnerability has attracted attention.

Microsoft, for example, just last week released a patch for a zero-day vulnerability in all versions of Internet Explorer after only a few days (even in IE 6 and XP).

The IE zero-day, CVE-2014-1776, was actively being exploited in targeted attacks, Microsoft said.

Apple has made a quick turnaround of a serious security bug quite recently – the encryption flaw called the Goto fail bug, because of an erroneous line of code that repeated the phrase “goto fail.”

The extra “goto fail” caused an important security check to be bypassed that meant a phony TLS certificate from a phishing website could trick OS X into giving it the all clear.

Apple discovered the bug in iOS and released a patch, for iPhones and iOS devices, but researchers soon discovered the error wasn’t patched in OS X 10.9 Mavericks for the Mac.

Apple responded to the bug with a security patch for Mavericks in just three days.

Keep your iDevices secure

Smartphone PINs cracked with microphone and camera - a game-changer for phone security?The easiest way to keep your iPhones and iPads secure is, of course, to enable data protection and use a passcode to lock the device.

On the iPhone 5s, you have the option to use fingerprint authentication instead of a passcode, which Apple is touting as a more secure option.

Even the fingerprint scanner can be hacked though – researchers found out that it’s possible to create a fake fingerprint from a photo of the victim’s print.

(The same trick also works on the fingerprint scanner on the Samsung Galaxy S5.)

Creating a secure passcode is really important – the longer the better.

But the most effective kind of data protection relies on more than just a password or passcode. Two-factor authentication (also called two-step authentication, or 2FA) provides an extra layer of security.

Wherever possible you should enable two-factor authentication for your mobile apps, especially banking apps.

You can listen to our Sophos Techknow podcast about 2FA to learn more (and you should!).

If you’re an Apple user concerned about security on your Macs, you can also try our five security tips for better Mac security.