Slashdot Mirror

← Back to Stories (view on slashdot.org)

iOS 7 Update Silently Removes Encryption For Email Attachments

Posted by timothy on from the giveth-and-taketh-away dept.

An anonymous reader writes "Apple has removed encrypted email attachments from iOS 7. Apple said back in June 2010 in regards to iOS 4.0: 'Data protection is available for devices that offer hardware encryption, including iPhone 3GS and later, all iPad models, and iPod touch (3rd generation and later). Data protection enhances the built-in hardware encryption by protecting the hardware encryption keys with your passcode. This provides an additional layer of protection for your email messages attachments, and third-party applications.' Not anymore."

12 of 68 comments (clear)

  1. Old. Needs an update. by Anonymous Coward · · Score: 3, Informative

    This 'news' is about a week or two old. Apple already issued a statement acknowledging the situation and is looking into it.
    Will probably fixed with an update.

    1. Re:Old. Needs an update. by Anubis+IV · · Score: 3, Informative

      The storage of the iPhone is always encrypted. In order to access any files, you must supply the encryption key. He supplied the key and could read the files.

      From what I understand, that's actually not what's happening here, and that's the problem. He was able to simply mount the disk and gain access to the files, without having to supply an encryption key. In contrast, the messages themselves were encrypted, just as you'd expect. More or less, it turns out that not everything that's stored on the iPhone is actually being encrypted.

  2. Title is Misleading by Anonymous Coward · · Score: 5, Informative

    The encryption for email attachment was not removed, it was never present.

    It's not nefarious, it's incompetent.

    Read the original (shorter!) post (http://www.andreas-kurtz.de/2014/04/what-apple-missed-to-fix-in-ios-711.html) instead of the rehashed ad-selling copy.

  3. I need more info by sgt+scrub · · Score: 2, Insightful

    At first glance it looked like there might have been a significant enough performance hit using hardware encryption the took it out. It didn't seem like a big deal. TFA makes it sound like encrypted email I pull from my email server is stored decrypted. That would be a big deal.

    --
    Having to work for a living is the root of all evil.
  4. Re:No problem by jonyen · · Score: 3, Interesting

    There's an app for that: http://ipgmail.com/

  5. Re:No problem by Dr.+Evil · · Score: 2

    None of that helps when you receive an attachment on your device.

  6. Again a clueless article... by gnasher719 · · Score: 4, Informative

    Fact is, you can't read the data on a locked iPhone. You _can_ read the data if you, as the owner, unlock the iPhone, for example for backing it up. But if the NSA gets your locked phone into their hands, there's nothing that they can do. All the data is _always_ read and written using hardware decryption.

    In addition, apps can use further encryption on a per-file basis. Mail does that for most files, but apparently not for attachments. Additional encryption means for example that entering the key code is needed again for that kind of file. But files without that additional encryption still can't be read.

    What the guy is complaining about is like sending unencrypted data over https, or putting unprotected documents into an unbreakable safe.

    1. Re:Again a clueless article... by DigiShaman · · Score: 2

      Doesn't the master code get stored on Apple's iCloud network for iOS devices? I know it's optional to have it backed up there when using FileVault for OSX. Anyways, all the NSA has to do is subpoena the information from Apple and they're in like Flynn!

      --
      Life is not for the lazy.
    2. Re:Again a clueless article... by Anonymous Coward · · Score: 3, Informative

      Do a little googling... It seems Apple bypasses the OS to read the encrypted data directly, then does a brute-force attack on the passcode. Most people use a 4 digit numerical passcode, and very very few use more than 8 alphanumeric digits so brute forcing is usually a matter of minutes. There are third-party forensics tools that can do the same, but most police departments aren't up to speed and have an easier time just shipping the device+warrant to Apple and waiting a few weeks. Your data is only as safe as the password you lock it with...

  7. Re:Or... by epyT-R · · Score: 4, Insightful

    When it comes to encryption, a paranoid default assumption rules the day.

  8. Silently. SILENTLY! by konohitowa · · Score: 4, Funny

    They forgot to use the phrases "much maligned" and "beleaguered". But "silently" is always a great fallback.

  9. Re:Or... by hebertrich · · Score: 2

    Yup, less trouble for the NSA .. Apple has collected it's 30 silver pieces .