科技回声 (Tech Echo)

Mailbox iOS app is a security fail

98 points, posted by subhb about 12 years ago
The Mailbox iOS app is not even using the file protection API that the iOS SDK provides by default.

10 comments

Samuel_Michon, about 12 years ago
"if anyone else can get hold of your phone, he can access to files of those apps where data is not protected."

As always, if someone has physical access and unlimited time, no device or computer is safe.

Also, Mailbox.app only supports GMail. Security-minded people are obviously not the target market.
jder, about 12 years ago
The original article misses the whole point of the NSFileProtection API: the strongest level of protection, NSFileProtectionComplete, prevents access to files *while the device is locked*. The whole point of the API is to protect things until the user has authenticated. (It's quite possible Mailbox is already using this API, given the evidence presented.)

In other words, this is the expected behaviour when your phone is unlocked.

See: https://developer.apple.com/library/ios/documentation/Cocoa/Reference/Foundation/Classes/NSFileManager_Class/Reference/Reference.html#//apple_ref/doc/constant_group/File_Protection_Values
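As an added example (not code from this thread, from Mailbox, or from Apple's documentation), here is the NSFileManager file-protection API that jder refers to in use: creating a file under NSFileProtectionComplete, reading the recorded class back, and raising the class on a file that was written without one. The cache file name and its contents are constructed for illustration. The attribute only means anything on a real device with a passcode set; on the simulator and on macOS the key is ignored and reads back as nil.

```objective-c
#import <Foundation/Foundation.h>

// Create (or overwrite) a file at `path` with the NSFileProtectionComplete
// class. Once the device is locked, the per-file key is wrapped with a key
// derived from the passcode, so reads fail until the user unlocks again.
static BOOL WriteWithCompleteProtection(NSData *data, NSString *path, NSError **error)
{
    NSDictionary *attrs = @{ NSFileProtectionKey : NSFileProtectionComplete };
    // createFileAtPath:contents:attributes: applies the class at creation time.
    if (![[NSFileManager defaultManager] createFileAtPath:path
                                                 contents:data
                                               attributes:attrs]) {
        if (error) {
            *error = [NSError errorWithDomain:NSCocoaErrorDomain
                                         code:NSFileWriteUnknownError
                                     userInfo:@{ NSFilePathErrorKey : path }];
        }
        return NO;
    }
    return YES;
}

// Read back the protection class actually recorded on an existing file.
// Returns nil (and sets *error) when the attributes cannot be read, or when
// the platform does not expose the key at all (simulator, macOS).
static NSString *ProtectionClassOfFile(NSString *path, NSError **error)
{
    NSDictionary *attrs = [[NSFileManager defaultManager] attributesOfItemAtPath:path
                                                                           error:error];
    return attrs[NSFileProtectionKey];
}

// Raise the class on a file that was created without an explicit one, which
// is what the thread alleges Mailbox's local cache looks like. At the time of
// this thread (iOS 6) a file written with no attribute got
// NSFileProtectionNone; from iOS 7 on, apps default to
// NSFileProtectionCompleteUntilFirstUserAuthentication, i.e. readable any
// time after the first unlock since boot, which is still weaker than Complete.
static BOOL UpgradeToCompleteProtection(NSString *path, NSError **error)
{
    return [[NSFileManager defaultManager]
        setAttributes:@{ NSFileProtectionKey : NSFileProtectionComplete }
         ofItemAtPath:path
                error:error];
}

int main(int argc, const char *argv[])
{
    @autoreleasepool {
        // Assumed cache file name and constructed sample contents.
        NSString *docs = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory,
                                                             NSUserDomainMask, YES).firstObject;
        NSString *path = [docs stringByAppendingPathComponent:@"mailcache.db"];
        NSData *payload = [@"From: alice@example.com\nSubject: constructed sample\n"
                           dataUsingEncoding:NSUTF8StringEncoding];
        NSError *error = nil;

        if (!WriteWithCompleteProtection(payload, path, &error)) {
            NSLog(@"write failed: %@", error);
            return 1;
        }

        // On a passcode-locked device this logs NSFileProtectionComplete.
        NSString *cls = ProtectionClassOfFile(path, &error);
        NSLog(@"%@ -> %@", path.lastPathComponent, cls ?: error.localizedDescription);

        // A file dropped unprotected earlier can be fixed in place; the
        // filesystem re-wraps its per-file key under the new class.
        if (!UpgradeToCompleteProtection(path, &error)) {
            NSLog(@"upgrade failed: %@", error);
            return 1;
        }
        return 0;
    }
}
```

Two caveats a practitioner checking an app like Mailbox should keep in mind. First, NSFileProtectionComplete makes the file unreadable to the app itself while the device is locked, so a mail client that syncs in the background cannot use it for the files it writes then; it would use NSFileProtectionCompleteUnlessOpen for files it keeps open, or NSFileProtectionCompleteUntilFirstUserAuthentication, and an auditor should expect to see a mix rather than Complete everywhere. Second, none of the classes change what an unlocked, USB-paired device will hand over, which is exactly jder's point: browsing the app's container from a computer the phone trusts is expected behaviour, and the only observation that would show the API is missing is a successful read while the device is locked.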
uptown, about 12 years ago
I'm less concerned about physical access to the device, and more concerned about third-party services like Mailbox increasing the number of attack vectors on your inbox. Mailbox has total access to your email account. Now somebody can either attempt to hack Google's servers or Mailbox's servers. It's enough to convince me not to sign up for their service, since email provides the gateway to virtually everything else.
nezza-_-, about 12 years ago
An important fact is wrong: you actually need to unlock the device to access the data unless the iPhone and the computer were paired before.
danpalmer, about 12 years ago
I'd recommend "Hacking and Securing iOS Applications" by O'Reilly. It really explains well the security and permissions model on the phone.

The argument that 'once you've lost the phone you've lost the data anyway' isn't really fair. If a passcode is being used, data marked as being a security concern is protected with the passcode. A 4-digit code is trivial to brute force, yes, but the point is that it should be done anyway.

Using iExplorer to find files is a lot easier than loading a custom bootloader onto the phone, booting custom firmware, brute forcing the passcode and decrypting the files. If anything, the extra time will raise the chance that you can get to a computer and initiate a remote wipe.
uzyn, about 12 years ago
This is like telling someone you can access his ~/Documents/ and read the contents of the files within when he leaves his laptop unattended and logged in.
bengotow, about 12 years ago
Mailbox.app is a security concern because it copies all of your Gmail to its own cloud server, and delivers the email to the app from there. Sure, it's exposing your emails on the device. I'm more concerned about them exposing _everyone's_ emails when their cloud platform is exploited.
subhb, about 12 years ago
Can someone verify this with an iOS 5 device? On iOS 6.1.3 this doesn't work anymore, though. But someone just claimed this on the blog: "I ran a test using my iPhone 5 and a computer I've never synced with before. I didn't need to unlock the phone before getting access to it, I don't believe. I did manage to browse all my Mailbox files."
cheffe, about 12 years ago
There is a secure store solution available from a company located in Germany. They call it "Secure Incremental Store", an enhancement for Core Data.
mariusmg, about 12 years ago
If you lose your phone, it's already game over. Here's an idea... if you have important data that you want to be secure... DON'T KEEP IT ON YOUR PHONE.

How about that, huh?