
Apple iOS and Email Attachment Encryption: A Question of Compliance

UPDATED 7/1/2014: Apple has released iOS 7.1.2, which is supposed to resolve the issue where a user can access unencrypted mail attachments. We recommend updating all Apple mobile devices as soon as possible.

Andreas Kurtz reported a few days ago that since iOS 7.0.4, and including the most recent Apple iOS 7.1.1, email attachments handled by the native mail clients are not encrypted. He was able to access these files even though the device's disk is encrypted. What does this mean for compliance? How many users are emailing patient information (HIPAA), finance data or other protected data thinking that their devices are encrypted and the data is protected?

I have reached out to a number of MDM vendors to find out if there are any known mitigation techniques.  I will update this post once I have them.  For now the only suggestion I have heard or have come up with is to stop using any native clients.  I am trying to confirm if containerization resolves the problem.

RECOMMENDATION: Require and enforce passcodes of at least 6 characters on an iPhone, especially in a corporate environment.  If you are sending or receiving sensitive information, do not use an iPhone 4, for which a method to jailbreak without a passcode is available.

UPDATED: I have received word from one vendor that containerization will solve the problem.  I have not tested this myself, but I assumed it would be the case since the containers are not utilizing the native client.  This could be a huge issue for organizations that use MDM solutions that do not use containers.

UPDATED 5/9/2014: Apple released a statement reported by iMore: “We’re aware of the issue,” an Apple spokeswoman told iMore, “and are working on a fix which we will deliver in a future software update.” This is well and good, but considering Apple’s history with releasing patches, it could take some time to release the fix. Additionally, security researchers Adam Engst and Richard Mogull suggested that the scope of the vulnerability is limited. According to their article, physical access to the device is required, which we knew, but with a strong passcode the device would still be protected because the passcode would need to be known before the data could be accessed. This is good in theory, but in practice, most consumers that I know do not utilize a passcode, and many organizations lack an MDM solution. Of those that do have an MDM solution, very few require PIN codes over 4 characters, which still leaves the device very susceptible to guessing.

UPDATED 5/21/2014: Proof of concept reported for untethered jailbroken iPhone 5c running iOS 7.1.1 via CNET
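
The points above (affected releases from iOS 7.0.4 through 7.1.1, the fix in 7.1.2, native mail use, the 6-character passcode recommendation and the iPhone 4 caveat) can be turned into a check over a device inventory. This is an added example, not code from the original post or from any MDM vendor; the CSV column names, finding labels and sample rows are assumptions constructed for illustration.

```python
import csv
import io

AFFECTED_MIN = (7, 0, 4)  # first affected release named in the post
FIXED_IN = (7, 1, 2)      # release the post says resolves the issue
MIN_PASSCODE_LEN = 6      # passcode length the post recommends

# Constructed sample data; the column names are hypothetical, not an MDM format.
SAMPLE_INVENTORY = """\
device_id,model,ios_version,passcode_min_length,uses_native_mail
D001,iPhone 5c,7.1.1,4,yes
D002,iPhone 5s,7.1.2,6,yes
D003,iPhone 4,7.1.2,6,yes
D004,iPad Air,7.0.4,0,no
D005,iPhone 5,7.0.3,6,yes
"""


def parse_version(text):
    """Turn '7.1' or '7.1.1' into a 3-tuple so versions compare numerically."""
    parts = [int(p) for p in text.strip().split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def findings_for(row):
    """Return the findings for one inventory row, in a fixed order."""
    findings = []
    version = parse_version(row["ios_version"])
    native_mail = row["uses_native_mail"].strip().lower() == "yes"
    if AFFECTED_MIN <= version < FIXED_IN and native_mail:
        findings.append("attachments-unencrypted")
    if int(row["passcode_min_length"]) < MIN_PASSCODE_LEN:
        findings.append("passcode-too-short")
    if row["model"].strip().lower() == "iphone 4":  # exact match, not "iPhone 4s"
        findings.append("iphone-4")
    return findings


def audit(csv_text):
    """Map device_id -> findings for every device with at least one finding."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        found = findings_for(row)
        if found:
            report[row["device_id"]] = found
    return report


if __name__ == "__main__":
    for device, found in audit(SAMPLE_INVENTORY).items():
        print(device, ", ".join(found))
```

Comparing versions as tuples rather than strings keeps the range check correct for releases such as 7.0.10, which a string comparison would sort before 7.0.4.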