Over the last two days, word has spread about an iPhone Mail security flaw in the Apple Mail app.
So the question is, is it true? ZecOps, a digital security firm in San Francisco, claims to have found a security flaw in the Apple Mail app on iPhones. They also claim that the flaw has existed for years and that it has been used to target some high-value people. The flaw is being called the “zero day” flaw or zero day exploit by some and the “0-click” exploit by others.
This isn’t your typical “phishing” scheme where the sender claims to have your password (which they usually do) or asks for money. This bug just slows down or locks up your phone. The rest is a little less clear.
In their response, Apple says: “The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers.”
So which is it?
If you read the ZecOps report carefully, and take a look at your phone, chances are you have been hit once or twice, and didn’t even know it.
Have you ever had a message that said “This message has no content” and then it disappeared? That is the part of the “bug” that Apple has admitted to and claims will be corrected in iOS 13.4.5, which is currently in testing with developers.
As of this morning, Monday, April 27th, 2020, the latest version you can update your phone to is 13.4.1.
What zero click does
ZecOps claims that the sender of a properly scripted email can cause the iPhone to slow down because the memory fills up. They also claim there is a potential that the sender could make the email self-delete. The only part that is proven and admitted by Apple is that a small message can fill up your phone’s memory by running a small script.
Finally, ZecOps claims that the emails may potentially auto-delete. Reviewing logs, I have found that our anti-virus servers caught the emails and deleted them. I could not find an instance where I did not delete the email. If the bug is so bad the sender could not only delete the email but delete the logs, that would be a bad thing.
How would I really know who deleted the emails? Simple human study. When I delete from any device I usually delete a lot of email at the same time. I get 30-40 messages an hour and twice a day very quickly delete 90% of them. I can see from the logs the offending emails are deleted in sequence at the proper time.
This doesn’t mean that ZecOps is wrong; it just means I haven’t seen it.
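The timing check described above can be scripted. This is an added example, not the author's own tooling: the log format, the message IDs, the 30-second gap and the three-message burst threshold are all assumptions, and the sample log is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample deletion log (not real data): "ISO-timestamp message-id".
SAMPLE_LOG = """\
2020-04-24T08:01:02 msg-101
2020-04-24T08:01:04 msg-102
2020-04-24T08:01:05 msg-103
2020-04-24T08:01:09 msg-104
2020-04-24T13:37:40 msg-105
2020-04-24T17:30:11 msg-106
2020-04-24T17:30:13 msg-107
2020-04-24T17:30:14 msg-108
"""
SUSPECT_IDS = {"msg-103", "msg-105"}  # constructed: the "no content" messages

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, msg_id = line.split()
        events.append((datetime.fromisoformat(ts), msg_id))
    return sorted(events)

def bursts(events, max_gap=timedelta(seconds=30)):
    """Group deletions separated by at most max_gap into one burst."""
    groups = []
    for ts, msg_id in events:
        if groups and ts - groups[-1][-1][0] <= max_gap:
            groups[-1].append((ts, msg_id))
        else:
            groups.append([(ts, msg_id)])
    return groups

def classify(log_text, suspects, min_burst=3):
    """Map each suspect id to 'bulk' (deleted inside a sweep) or 'isolated'."""
    verdict = {s: "not-deleted" for s in suspects}
    for group in bursts(parse(log_text)):
        label = "bulk" if len(group) >= min_burst else "isolated"
        for _, msg_id in group:
            if msg_id in verdict:
                verdict[msg_id] = label
    return verdict

if __name__ == "__main__":
    for msg_id, label in sorted(classify(SAMPLE_LOG, SUSPECT_IDS).items()):
        print(msg_id, label)
```

A suspect message labelled `isolated` was removed outside any bulk clean-up sweep and is the one worth comparing against the mail filter's own records.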
What we have seen and verified.
We did find a couple of old messages that we could reload. Yes, the script is very small, and yes, our Barracuda already filters them, making it difficult to find the messages to begin with.
The messages have no content, and they do cause the iPhone to become painfully slow. I have an 8 Plus, X and 11 Pro. They do auto open as well. ZecOps is right about that. We could not see any other effects; no emails were deleted, and none were sent out by the code.
That doesn’t mean that it can’t happen; I just haven’t seen it and could not find a version of the script that did it.
The temporary fix is this.
- Close the mail app when you are not using it. This is a good habit anyway as far as I am concerned. iOS 13 did not significantly improve memory management that I can see.
- If you see a “This Message Has No Content” message for an email, don’t open it, and forward it to an account that you do not access on your iPhone. I use a second Gmail account to capture these emails.
- If you get one of these messages, forward it first so you have a copy in case your phone goes really nuts and Apple needs evidence, then quit Mail. Close all apps and restart your phone to clear the memory and speed your phone back up.
Hopefully 13.4.5 will fix the bug and be available soon.