While Apple’s default mobile email App for iPhones/iPads, simple called “Mail” is not praised by many, it’s still a fairly decent mobile App for users that are looking for a quick way of checking their emails, and certainly gets the job done. However, it might not be as safe as people would think, as a recent research conducted by two-year-old San Francisco based cybersecurity research company ZecOps suggests that a group of hackers has gained access to users’ iPhones and iPads through that very same email App. This ultimately suggests that Apple’s iPhone Mail App isn’t safe, or at least, as safe as it was thought to be.
One of ZecOps’ main cybersecurity services requires that its customers connect their iPhones to either a computer or kiosk and have them upload logs to the company’s server. After that upload is done, the data obtained from their clients’ phones is then thoroughly analyzed for any potential security breaches as well as any unusual activity.
During its latest cybersecurity research, ZecOps reported that it discovered several lines of code that appeared suspicious on one of its client’s iPhone. After taking a deeper look at that block of code, the cybersecurity company found numerous security loopholes in Apple’s mobile Mail App, which puts at risk both iPhone and iPad users.
This zero-click security vulnerability reported by the cybersecurity company has been found to leave hundreds of millions of iPhones and iPads vulnerable to remote code execution. That’s something that could consequently enable an attacker to remotely infect a device by sending emails that consume a significant amount of memory.
The official announcement was made at the company’s official blog and shared via a Tweet by ZecOps Co-Founder and current CEO (Chief Executive Office) Zuk Avraham, who then made a second Tweet where he shared his personal thoughts about his company’s cybersecurity investigation.
ZecOps’s official announcement reported that that same suspicious block of code found by the company’s researchers and I.T. engineers on one of its client’s iPhone was rather “unusual” as it was not found on any other of the company’s clients’ iPhones.
According to Avraham, these 0 click vulnerabilities “exist on iOS since iOS 6!”, for which ZecOps’ CEO also adds that this “is one of the deepest vulnerabilities ever discovered on mobile (including Android).”
Regardless of ZecOps opinion on the matter, Apple released its own short official announcement that directly denies any security vulnerabilities allegations made by ZecOps. Furthermore, Apple also stated that those security flaws could have not been used by hackers to gain access to Apple devices.
“Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance.”
After a few months of investigating the issue, ZecOps confidently concluded and reported that the suspicious block of code initially came up due to a security flaw within Apple’s iPhone/iPad Mail App.
While one of ZecOps’ announcements suggests that Apple still hasn’t fixed those same security loopholes that were recently found in its Mail App, the company’s CEO Zuk Avraham recently reported that Apple is already working on fixing the security loophole found in its Mail App.
On the other hand, just like Apple’s official announcement, Apple Director of Communications and Analyst Relations Todd Wilder also stated that the security loopholes “do not pose an immediate risk” to iPhone/iPad users, also adding that those code security flaws within the company’s mobile Mail App would simply not be enough for a hacker to be able to gain access to a user’s iPhone.
Both announcements made by Apple itself and Apple’s Director of Communications Todd Wilder are bold statements, as they directly contradict both of ZecOps’ original announcement and cybersecurity research about Apple’s Mail App vulnerability.
Lastly, Wilder also added that Apple would be fixing the new vulnerability issues with a software update in the immediate future.
Sadly, Wilder did not offer any details about a specific time schedule for that same software update, which, according to Apple’s latest statement, would reportedly patch the security loopholes found by ZecOps in Apple’s Mail App on both the iPhone/iPad.
While we wait for Apple’s Mail App update to fix the App’s previously mentioned security loopholes – which is said by the company to be coming in the nearby future – it’s suggested that iPhone/iPad users rely on other mobile email Apps like Spark, Outlook or Gmail.