Apple downplays iOS Mail app security flaw, says ‘no evidence’ of exploits

Apple has found no evidence that recently discovered security flaws in the native iOS Mail app have been exploited by hackers, the company said in a statement. “We found no evidence that they were used against customers,” the company said. It also cast doubt on whether the issues, which it admitted were present on both the iPhone and iPad versions of its Mail app, were enough to circumvent the security protections of both devices.

Apple’s response directly contradicts claims by ZecOps security researchers, who said they found evidence the exploit was being used against at least six high-profile targets. The flaws allowed a hacker to infect a device simply by sending it a specially crafted email, which the victim then had to open. At the time, ZecOps said it had “high confidence” that the vulnerabilities had been exploited in the wild by “advanced threat operators”.

Apple said the vulnerabilities, which ZecOps says date back to iOS 6, pose no immediate risk to its users and will be addressed in an upcoming software update. When initially disclosing the vulnerabilities, ZecOps said Apple had already fixed the issues in the Apple Mail beta.

After the research firm’s initial report, some members of the security community — including a researcher from Google’s Project Zero — questioned its claims that the issues had been exploited in the wild. ZecOps said the unidentified targets included a mobile operator executive in Japan and people from Fortune 500 companies in North America.

Apple’s full statement can be found below:

“Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded that these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but on their own they are insufficient to circumvent iPhone and iPad security protections, and we found no evidence that they were used against customers. These potential issues will soon be resolved in a software update. We appreciate our collaboration with security researchers to help keep our users safe and we will thank the researcher for their assistance.”