Solution Providers: Apple's Reputation Takes Hit After Kurtz Findings Of Weakness In iOS Security


Solution providers believe Apple's reputation may have taken a hit after a weakness was discovered in the iOS security system.

German security expert Andreas Kurtz revealed in a blog post on April 23 that email attachments are not always encrypted in iOS.

He found that someone with physical possession of a stolen or lost iPhone 4 can plug it into a computer and use "freely available tools" to get around the device's passcode and view unencrypted documents -- in this case, email attachments.

"The most serious point is that customers' trust in iOS data-protection mechanisms might be shattered," Kurtz told CRN.com in an email. "It might be a warning to not solely rely on iOS security mechanisms but to also apply additional defensive mechanisms to protect sensitive data, such as using third-party apps that provide a second layer of encryption/authentication."

Solution providers agree with Kurtz that Apple should be worried about that trust fading.

"The biggest risk to any company is a hurt reputation," said Douglas Grosfield, president and CEO of Xylotek Solutions, a Cambridge, Ontario-based solution provider. "It's a trust thing. If their customers are now wondering what else may be ticking in the background, it’s a definite public relations problem for Apple."

Apple states on its website that iOS data protection "provides an additional layer of protection for your email message attachments, and third-party applications." Kurtz's findings appear to contradict this statement.

"When Apple's data protection feature is used, protected files cannot be accessed while the device is locked," Kurtz said in an email. "However, the problem with that feature is that this is an opt-in process, and data might still be at risk when data protection is not applied correctly. The current case demonstrates that even official iOS apps fail to apply it correctly."

Kurtz said that iPhone 4S and later devices are not as vulnerable to this bug, as there is not yet a known way to access the file system on the more recent hardware models, although the email attachments on these devices are still unencrypted. As Kurtz points out, however, many business owners and enterprise users still use the iPhone 4 and are vulnerable to these attacks.

Since Kurtz's discovery of the bug, Apple has released the iOS 7.1.1 update, which does not resolve the problem.

As reported by iMore.com, an Apple representative said in a statement on Monday, "We're aware of the issue and are working on a fix which we will deliver in a future software update."

PUBLISHED MAY 8, 2014