iOS Mail App: Breaking Down the Bug


Person hand taking chalk drawn email sign

I am sure that many of you suffer from one of the same issues that I do.  I am the de-facto tech guy for all of my family.  When they have a strange message on their computer - I get a call.  When the printer will not print - I get a call.  When they get a suspicious phishing email - I get a call.  When they see a news article about something that might affect them - I get a call.  Well that last one is the subject of today’s blog post.  

On April 22, 2020, ZenOps released a blog post detailing a new bug that they found that affects the iOS Mail app.  This has now made it all over the news and there is a bit of misinformation and misunderstanding by folks.  First, let me link directly to their report rather than news articles that have some issues getting their facts straight.  You can find that at  It gets very technical in the middle, but the beginning of the article (Impact & Key Details) and the end (FAQ) are both simple and easy enough to understand.  
Next, let me try to explain the issue simply and then talk about things you can do to protect yourself.  The basic premise off this exploit is that a bad actor can send you an email that will cause unintended actions because the developer at Apple did not handle a certain error condition correctly.  That bad email will cause the stock iOS Mail app to behave unexpectedly which, in turn, would allow remote code execution within Mail.  By this I mean that the bad actor can run commands within the Mail application that are hidden in the email.  That would give the bad actor the ability to read, copy, leak, modify, or delete any of your emails in that account, including covering their tracks that you have been hacked.  However, if they are in possession of another bug that allows for code execution between apps (something not allowed but there could be another bug we do not know about and have to assume exists) then they could potentially do anything on your phone.  
This only affects iPhones.  It is known to be an issue in all iPhones since the iPhone 5 and iOS 6.0 because that is as far back as these guys tested.  And it only affects those who are using the stock Apple Mail app.  The one that has an icon that looks like: blob And it is important to note, you do not have to open the app and read your email for this to be able to exploit your phone.  It is not like a phishing email where someone is trying to get you to click on a link that says it resets your Apple password but it really goes to some site in Russia to steal your password.  With this particular exploit in iOS 13, the current version of iOS, your phone simply has to receive this email to exploit your phone.  You do not even have to click on the email.  In the previous version of iOS, iOS 12, you have to actually read the email message before it is triggered.  So just having email set up on your phone puts you at risk of this bug.  
What can you do about this?  
First, it is important to keep your software versions updated to cover security holes like this.  Apple was made aware of this issue on March 31st and they created a patch on April 15th.  That patch was included in the beta version of iOS 13.4.5 and it successfully fixes the issue.  Apple will be releasing either the 13.4.5 update to everyone soon or they will create an interim update (possibly 13.4.2) even sooner.  This will be an important update to install when you see the notification that there is an update available.
But if you are running an older version like iOS 12, Apple may not provide a patch for that version.  This is especially important if you have an older iPhone or iPad like some of my family.  If you still have an iPhone 5, 5c, or 5s, then you will NOT be able to upgrade to iOS 13 that has the patch.  Hopefully, there will be an update to iOS 12 that also fixes this.  But if you have an iPhone 5 or 5c or an older iPad, you cannot even upgrade to iOS 12 that might (or might not) get a patch released.  If you are stuck on iOS 11 or older, there may be NO available patch for you.  Personally, I have this issue with a couple older iPads that my grandkids use.  But, for me, Mail is disabled on most of those devices.  And sometime later today, I guess I will be disabling it on all of them!
Second, if your want to address this issue today, you can do so by disabling the Mail application and moving to another email solution like Outlook, Spark, Gmail, or Yahoo Mail.  All of these are free solutions that may meet your needs.  Outlook and Spark are especially good if you have multiple email accounts and those accounts are not Gmail or Yahoo Mail.  They do not have this particular vulnerability but are just as likely to eventually have a similar vulnerability as Apple Mail was.  But while we wait for a patch, these might be the way to go.  
I do want to cover that the reason that this security research firm has published the info is that Apple has already demonstrated that they can/have fixed the issue.  But until the fix is pushed out and everyone installs it, most are still vulnerable.  The article is to help explain what your vulnerability might be so that you can address it how you think you need to.  My clients in the Financial industry all need to take some actions based upon this information.  But if you are retired and only get emails about next week’s quilting gathering, you might can wait for the update from Apple.
In summary:
  • There is a new vulnerability that was discovered in the Apple Mail app on iOS.  
  • This vulnerability pretty much affects everyone running an iPhone or iPad that has email set up within the Mail app.  
  • Apple is aware and has put out a beta version that has the fix within it.
  • You can use the Outlook, Spark, Gmail, or Yahoo Mail apps and turn off accounts in the Mail app to reduce your risk today.
For my Credit Union clients, your Incident Response Policy likely says that you will address this as an Incident that requires immediate action.  A well written Incident Response Procedure will likely say that if there is a critical vulnerability that is discovered for which there is no currently available patch, the system will be disconnected immediately.  In this case, this vulnerability was discovered not by looking through the code, but by investigating actual incidents where this was happening in the wild.  The knowledge of this bug and the ability to use it IS being used in the wild right now. 
If you need some assistance in how to respond to this threat, feel free to reach out to our team here at Pure IT.  We would be happy to assist you in that process.
Let's Chat