According to a recent report by security researcher Andreas Kurtz, mail attachments are not encrypted in certain versions of Apple’s iOS 7.
This apparently affects users who are running Apple iOS 7.0.4 and also the current version which was recently released, Apple ioS 7.1.1.
A few weeks ago, I noticed that email attachments within the iOS 7 MobileMail.app are not protected by Apple’s data protection mechanisms. Clearly, this is contrary to Apple’s claims that data protection “provides an additional layer of protection for (..) email messages attachments”.
I verified this issue by restoring an iPhone 4 (GSM) device to the most recent iOS versions (7.1 and 7.1.1) and setting up an IMAP email account1, which provided me with some test emails and attachments. Afterwards, I shut down the device and accessed the file system using well-known techniques (DFU mode, custom ramdisk, SSH over usbmux). Finally, I mounted the iOS data partition and navigated to the actual email folder. Within this folder, I found all attachments accessible without any encryption/restriction.
This is something new, as previously versions of Apple’s mobile OS used to encrypt email attachments, and this feature was also present in Apple iOS 7.
According to Andreas Kurtz, he reported the issue to Apple, and they have confirmed that they are aware of the issue, although Apple has yet to confirm when a fix will be released for iOS devices.