Is Your Data Really Encrypted?

“Don’t worry, your data is safe with us!”

Big companies often make bold claims about how careful they are with your email and other data.  Unfortunately, just because a big, “brand name” company tells you something doesn’t necessarily mean that it is so.

Apple claims that their “data protection” system keeps all of your email attachments secure.  From the company’s webpage “iOS: Understanding data protection”:

Data protection is available for devices that offer hardware encryption, including iPhone 3GS and later, all iPad models, and iPod touch (3rd generation and later). Data protection enhances the built-in hardware encryption by protecting the hardware encryption keys with your passcode. This provides an additional layer of protection for your email messages attachments, and third-party applications.

No doubt many corporate users who have sensitive documents coming as email attachments felt good knowing that if somehow an employee’s phone was lost or stolen, at least the secrets were safe.

The only problem is those email attachments and whatever proprietary information they may contain are NOT safe.  A data security researcher, Andreas Kurtz, did a little poking around with an iPhone and the latest version of iOS and discovered that Apple’s “data protection” did not actually protect email attachments.  In a blog post on April 23, Kurtz announced:

I verified this issue by restoring an iPhone 4 (GSM) device to the most recent iOS versions (7.1 and 7.1.1) and setting up an IMAP email account, which provided me with some test emails and attachments. Afterwards, I shut down the device and accessed the file system using well-known techniques (DFU mode, custom ramdisk, SSH over usbmux). Finally, I mounted the iOS data partition and navigated to the actual email folder. Within this folder, I found all attachments accessible without any encryption/restriction:

Apple has admitted that this flaw does in fact exist.  But the company has not changed the language on the data protection page of its website, nor does it seem to have made any effort to notify customers of this vulnerability.

There are several lessons that can be drawn from this event:

  1. Just because a company says your data is secure does not mean it really is secure.
  2. Companies may not be aware of all the data security flaws in their products.
  3. Even when companies are aware of flaws, they often prefer to hide the fact and downplay it, rather than alerting customers that there may be a problem.

Current techniques for data security are full of potential leaks and holes.  Real security won’t come until there is a transition to a completely new model for protecting data.  PACid’s patented technology could plug those holes.