Mail app

How to protect your data from Mail.app vulnerability in Apple devices

A recently discovered bug may allow your device to be compromised through Apple’s default Mail app. Until a patch is released, follow these steps to protect yourself.

Image: Carmen Murillo, Getty Images/iStockphoto

On Monday, a report released by the ZecOps research team shed light on a troubling finding their team found while scanning iOS for bugs. A vulnerability allows remote code execution via malformed email sent to a device and affects Apple’s default email client, Mail.app on iOS. Further analysis of the vulnerability revealed that all iOS versions ranging from 6 to 13.4.1 are affected.

More alarming is the fact that there are approximately 1.5 billion devices in use worldwide, according to Apple’s usage estimates. And even worse, an attack against Apple’s latest version of iOS 13.x can occur while the app is open in the background and doesn’t require user interaction to run the app. code and compromise your device. For users still using iOS 12.x, the attack requires the user to open the email before the malicious code runs in most cases.

SEE: Apple iPad Pro 2020: Cheat Sheet (Free PDF) (TechRepublic)

Although this issue should be considered a high-risk threat, Apple does not yet have a publicly available fix. Those using iOS 13.4.5 have reported that the flaw is indeed fixed in beta versions of the update, which Apple is preparing to release as soon as possible. In the meantime, below are tips on how to minimize your exposure to this attack, along with some steps you can take to mitigate this threat until a solution is made public.

Note: The vulnerability only affects Mail.app on iOS devices, including iPhone and iPad. Third-party email clients, such as Microsoft Outlook or Gmail, are not affected by this.

Minimize the threat to personal devices

Users who rely on Mail.app to manage email should stop using the app until Apple releases the official 13.4.5 update to fix the vulnerability. Since the attack can still occur without user intervention, users should remove the Mail app from their iOS devices by long-pressing the app icon until the context menu appears, then select Delete Application (Figure A).

Figure A

2020-08-figure-a.jpg

The iPad will ask you to confirm the deletion of the application, so press the Delete button to confirm its deletion. Note that deleting the app will remove all access to email from that app only. Your emails will still reside securely on the mail server for account setup (Figure B).

Figure B

2020-08-figure-b.jpg

Users can configure their email accounts from a third-party client to be able to access their emails until the finalized patch is available.

Minimize the threat to corporate devices

Although the steps listed above for personal devices also apply to company-owned devices, many companies use an MDM solution to manage their iOS devices remotely. If your organization does this, there are two solutions to remove Mail.app: one manual, the other without intervention.

Deleting the app

Allow users to manually remove Mail.app by deleting as shown above with personal devices. A caveat to this method is that users will only be able to reinstall the app if they have access to the App Store. Depending on how your organization is set up, access to the App Store may or may not be restricted, making it difficult to restore access later.

SEE: iPhone 11: a cheat sheet (free PDF) (TechRepublic)

Restrict app

A feature supported by many MDM platforms is application restriction. Although the steps to accomplish this task differ from provider to provider, the goal is to configure the restriction policy to deny access only to Mail.app, or its bundle ID com.apple.mobilemail, to effectively hide the app from the device and completely prevent it from being launched. This method is the most effective, easiest to undo and implement and remove without intervention.

Also see