by Joe White
April 24, 2013
Update. Following the publication of this article, Behera revised his hypothesis with an update, which Business Insider recently reproduced:

Behera has issued an update to his post: "After posting this on HackerNews some developers / users feel my hypothesis is wrong and one can not repeat the steps below without having physical access to an user's phone or locked devices. I agree to this." The short version of the story is that this isn't a bug, flaw, or anything of the like. If someone physically possesses your phone, they'd have access to this information anyway.

Read on for our original post.

Mailbox is an attractive, popular email app for the iPhone, and back in February we gave it a positive review. However, it would appear that while Mailbox features an impressive design and user interface, its data protection and security leave rather a lot to be desired. In fact, according to one developer, Mailbox effectively "has no data protection." The opinion is that of Subhransu Behera, who describes Mailbox as "a security fail."

Using the simple iExplorer app, which allows users to view an iOS application's Documents and Library directories on a desktop computer, Behera was able to pull up a folder of unprotected email attachments located in the Documents directory. In this folder Behera discovered a further file, in which the user's email contacts, email contents, and more are available to open and view. The iPhone or iPod touch itself doesn't need to be jailbroken for Mailbox's contents to be searched via the above method; the app's files can be explored over a USB connection.

Of course, different people are going to have different reactions to the above. Because the infiltrator would need physical access to the iPhone or iPod touch in order to connect the iDevice to iExplorer, some might not perceive this case to be an issue. After all, if you have access to an unlocked iPhone, iPad, or iPod touch, you're going to be able to search through email apps, and by extension the user's email server, without having to hook the iDevice up to a computer. All of this, and more, could be done directly from the device itself, and the owner would be at fault for failing to have configured a passcode lock in advance.

However, as Behera nevertheless points out, Apple's iOS SDK makes it possible to encrypt such sensitive information in iPhone, iPad, and iPod touch applications, and Mailbox's developer should have taken measures to ensure that users' personal details were safe before making the app available to download. Such is the subject of WWDC 2012's session number 714, which Behera draws attention to.

For more information on the above, take a look at Subhransu Behera's blog, where the security failings of Mailbox are explained fully. Alternatively, for further reading on iOS security, see: Apple Faces Yet Another Security Issue In The Form Of iMessage DoS Attacks, Apple Finally Fixes iOS App Store Security Vulnerability, and Feel More Secure With Your iPad And These Apps.
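To make the SDK point above concrete, here is an added example (not code from this article, from Behera's post, or from Mailbox) of how an iOS app can store cached message data in its Documents directory under the Data Protection class that the WWDC session covers, so the file is encrypted at rest and unreadable over USB while the device is locked. It assumes an iOS target written in Swift; the file name and the sample message contents are constructed for illustration, and the function names are the example's own.

```swift
import Foundation

// Added example, not Mailbox's code. Assumes an iOS target (FileProtectionType
// is an iOS Data Protection API and is not enforced on macOS or the simulator).

enum CacheError: Error {
    case missingDocumentsDirectory
}

/// Writes `contents` into the app's Documents directory with
/// FileProtectionType.complete (NSFileProtectionComplete): the file's key is
/// discarded when the device locks, so a USB file browser cannot read it
/// from a locked device.
func writeProtectedCache(fileName: String, contents: Data) throws -> URL {
    guard let docs = FileManager.default.urls(for: .documentDirectory,
                                              in: .userDomainMask).first else {
        throw CacheError.missingDocumentsDirectory
    }
    let url = docs.appendingPathComponent(fileName)
    // .completeFileProtection is the Data.WritingOptions form of the same class.
    try contents.write(to: url, options: [.atomic, .completeFileProtection])
    return url
}

/// Reads back the protection class that was actually applied, so the app can
/// self-check instead of assuming the attribute took effect.
func protectionClass(of url: URL) throws -> FileProtectionType? {
    let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
    return attrs[.protectionKey] as? FileProtectionType
}

/// Upgrades a file that an earlier app version wrote without protection
/// (the situation described in the article) to the complete class in place.
func upgradeProtection(at url: URL) throws {
    try FileManager.default.setAttributes([.protectionKey: FileProtectionType.complete],
                                          ofItemAtPath: url.path)
}

// Constructed sample usage: a fake message body, not real user data.
let sample = "From: alice@example.invalid\nSubject: constructed sample\n"
    .data(using: .utf8)!
let cached = try writeProtectedCache(fileName: "message-cache.txt", contents: sample)
if try protectionClass(of: cached) != .complete {
    print("warning: cache file is not fully protected")
}
```

Two practical notes. First, `.complete` makes the file inaccessible whenever the device is locked, which breaks background fetch and similar work; an app that must touch the cache while locked would choose `.completeUnlessOpen` or `.completeUntilFirstUserAuthentication` deliberately rather than fall back to no protection at all. Second, all of these classes depend on the user having set a passcode, so the check in `protectionClass(of:)` confirms the attribute but not that a passcode exists; verify the behaviour on a physical device, since the attribute is stored but not enforced in the simulator.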