IT Solutions - Apr 24, 2020

Federal Ministry for Information Security warns of security vulnerability in the iOS e-mail app - possible solutions.

Germany’s Federal Ministry for Information Security (BSI) is currently warning against using the iOS Mail app due to the discovery of two critical security vulnerabilities that enable attackers to compromise iOS and iPadOS devices. macOS is not affected.

Written by

Team leader Enterprise Mobility

E-Mail: dennis.trescher@bechtle.com

Note: Apple has apparently closed the vulnerability mentioned in this article with iOS 13.5. A patch is also available for older devices, which can be updated to iOS 12.4.7. This information comes from ZecOps, the security company that originally reported the vulnerabilities in iOS.

Security vulnerabilities in all iOS versions from iOS 6 onwards.

All an attacker needs to do to compromise a device is send an e-mail. A successful attack would potentially allow them to read, edit and delete e-mails, which is why the BSI has categorised this vulnerability as critical. It is not yet known whether devices can be compromised any further.

No patch available.

Apple has not yet made a patch available. The only options for protecting devices are to deactivate e-mail synchronisation or to delete the app. BSI president Arne Schönbohm made the following statement on the BSI website:

“BSI has categorised this vulnerability as critical as it gives attackers the possibility to manipulate e-mail communication on affected devices. As there is currently no patch available, thousands of iPhones and iPads belonging to private people, businesses and authorities are at risk. We have contacted Apple and asked them to work on a solution to secure their products as quickly as possible”.


The BSI’s official recommendations are:

  • Delete the Mail app or disable synchronisation
  • For the time being, e-mails should be accessed and read using other apps or web browsers
  • The latest Apple iOS update should be installed as soon as possible.

Solutions for customers with EMM/MDM systems.

Customers with an EMM/MDM device management system are advised to take the following steps: disable Mail app synchronisation centrally via the EMM system. On supervised devices, the Mail app can additionally be hidden using the advanced management interfaces.

To ensure continued access to e-mail, it is recommended to switch to the e-mail app of the respective UEM provider:

EMM/MDM Provider                       App Alternative
MobileIron (Core & Cloud)              MobileIron E-Mail+
VMware Workspace ONE UEM               VMware Boxer
Microsoft Intune / Endpoint Manager    Microsoft Outlook
Citrix Endpoint Manager                Citrix Secure Mail
BlackBerry                             BlackBerry Work

The app and its configurations can be automatically provisioned via the EMM system.


It’s possible to switch to an alternative even without a management system. The Microsoft Outlook App, for example, is available on iOS. HCL (formerly IBM) Notes customers can switch to HCL Verse.


iOS patch installation.

Update your devices as soon as Apple releases a patch. The EMM system can use compliance policies to enforce the update and to automatically disable synchronisation on every device that is still running a vulnerable version.
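As an added illustration of the EMM steps described in this section and in the EMM/MDM section above (example code, not Bechtle's or any EMM vendor's tooling): a small Python helper that classifies an inventory export against the iOS 13.5 / 12.4.7 fix versions named in the note at the top, and emits the restrictions profile that hides the built-in Mail app on supervised devices. The bundle ID com.apple.mobilemail and the blacklistedAppBundleIDs restriction key are assumed to be the standard Apple ones; the payload identifiers and inventory records are constructed placeholders.

```python
import plistlib
import uuid

# Fix versions named in the article: iOS 13.5, or 12.4.7 for older devices.
FIXED_13 = (13, 5)
FIXED_12 = (12, 4, 7)
MAIL_BUNDLE_ID = "com.apple.mobilemail"  # assumed bundle ID of the built-in Mail app

def parse_version(text):
    """'13.4.1' -> (13, 4, 1); tuples compare component-wise."""
    return tuple(int(p) for p in text.strip().split("."))

def is_vulnerable(version):
    """True if this iOS/iPadOS build still carries the unpatched Mail app."""
    v = parse_version(version)
    if v[0] < 6:           # article: affected from iOS 6 onwards
        return False
    if v[0] < 12:          # iOS 6-11: no fixed build exists for these lines
        return True
    if v[0] == 12:
        return v < FIXED_12
    return v < FIXED_13    # 13.x below 13.5; 14+ already carries the fix

def compliance_action(device):
    """What the EMM compliance policy should do with one inventory record."""
    if not is_vulnerable(device["os_version"]):
        return "compliant"
    if device.get("supervised"):
        return "hide_mail_app"      # supervised: the app can be blocked outright
    return "disable_mail_sync"      # unsupervised: only mail sync can be removed

def payload(ptype, ident, **extra):
    """Common keys of one configuration-profile payload dictionary."""
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadIdentifier": ident,
            "PayloadUUID": str(uuid.uuid4()), **extra}

def mail_block_profile():
    """Restrictions profile (plist XML) that hides Mail on supervised devices."""
    restrictions = payload("com.apple.applicationaccess", "example.restrictions.mail",
                           blacklistedAppBundleIDs=[MAIL_BUNDLE_ID])  # assumed key
    return plistlib.dumps(payload("Configuration", "example.profile.mail-block",
                                  PayloadContent=[restrictions])).decode()

# Constructed inventory records, not real devices; identifiers above are placeholders.
INVENTORY = [
    {"id": "ipad-01", "os_version": "13.4.1", "supervised": True},
    {"id": "iphone-02", "os_version": "12.4.7", "supervised": False},
    {"id": "iphone-03", "os_version": "11.4", "supervised": False},
]
```

Feed the output of compliance_action into the EMM's compliance policy as the tag that triggers the sync-removal or app-hiding action, and import the generated profile into the restrictions catalogue for supervised devices.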

The devil’s in the details.

A blanket and comprehensive solution is not currently available and each approach has its own challenges. The Bechtle Mobility Consultants are happy to answer any questions you may have.


This post was published on Apr 24, 2020 and updated on May 26, 2020.