Update: Subhransu Behera has withdrawn his original hypothesis:

App developer Subhransu Behera has described the popular iOS Mailbox app as ‘a security fail’ after discovering that it allows anyone with access to the phone to extract email contacts, content and attachments …

The File Protection API won’t be enough to protect data on unlocked phones. For that, one might need to encrypt documents or files with a key, with the key stored in some secure location.

I am building some concept apps to try out a few things. Stay tuned …

Behera used iExplorer, a tool designed to allow users to transfer music, movies and playlists between iOS devices and computers.

Behera says that the iOS SDK gives developers tools they can use to protect the data, so he is surprised Mailbox doesn’t take advantage of them.
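As an added illustration (not code from Behera or from Mailbox), the Swift sketch below combines the two measures mentioned above: the file is written with the SDK's complete file protection option, and its contents are first encrypted with a key held in the Keychain rather than in the app's file container. It assumes iOS 13 or later for CryptoKit; the service and account names are hypothetical.

```swift
import Foundation
import CryptoKit
import Security

// Hypothetical identifiers for this example; not taken from Mailbox or any real app.
let keyService = "com.example.mailstore"
let keyAccount = "attachment-key"

enum StoreError: Error { case keychain(OSStatus), badBlob }

/// Load the AES key from the Keychain, creating it on first use.
/// Keychain items are stored outside the app's file container, so a copy of
/// the container's files does not include the key.
func loadOrCreateKey() throws -> SymmetricKey {
    var query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keyService,
        kSecAttrAccount as String: keyAccount,
    ]
    var lookup = query
    lookup[kSecReturnData as String] = true
    lookup[kSecMatchLimit as String] = kSecMatchLimitOne
    var item: CFTypeRef?
    let status = SecItemCopyMatching(lookup as CFDictionary, &item)
    if status == errSecSuccess, let data = item as? Data {
        return SymmetricKey(data: data)
    }
    guard status == errSecItemNotFound else { throw StoreError.keychain(status) }

    let key = SymmetricKey(size: .bits256)
    query[kSecValueData as String] = key.withUnsafeBytes { Data($0) }
    // ThisDeviceOnly: the key does not migrate to other devices via backup or sync.
    query[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    let addStatus = SecItemAdd(query as CFDictionary, nil)
    guard addStatus == errSecSuccess else { throw StoreError.keychain(addStatus) }
    return key
}

/// Encrypt with AES-GCM, then write with complete file protection as a second layer.
func saveEncrypted(_ plaintext: Data, to url: URL) throws {
    let sealed = try AES.GCM.seal(plaintext, using: loadOrCreateKey())
    guard let blob = sealed.combined else { throw StoreError.badBlob }
    try blob.write(to: url, options: [.atomic, .completeFileProtection])
}

/// Read the nonce + ciphertext + tag blob back and authenticate it while decrypting.
func loadDecrypted(from url: URL) throws -> Data {
    let box = try AES.GCM.SealedBox(combined: Data(contentsOf: url))
    return try AES.GCM.open(box, using: loadOrCreateKey())
}
```

With this layout, a file copied out of the app's container is only AES-GCM ciphertext; reading it requires the Keychain item as well.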

Mainstream users may not be overly concerned, as an attacker would still need physical access to the unlocked phone in order to extract the data. Although there have been lockscreen security issues, those were fixed and in any case offered very limited access to the phone. But those using their phones for sensitive emails might wish to take the cautious approach of not using the apps for those email accounts.