updated 01:33 pm EDT, Sat May 3, 2014
Flaw is known by Apple, no timetable given for fix
Apple's "Data Protection" feature for email attachments in iOS 7 no longer appears to be functioning properly. Security researchers have tested the feature, as well as examined the data stored on the phone, and have discovered that while the feature is activated, it appears to be no longer properly encrypting data.
Researcher Andreas Kurtz discovered the issue. He claims that he "verified this issue by restoring an iPhone 4 (GSM) device to the most recent iOS versions (7.1 and 7.1.1) and setting up an IMAP email account, which provided me with some test emails and attachments."
Following initial test configuration, Kurtz "shut down the device and accessed the file system using well-known techniques (DFU mode, custom ramdisk, SSH over usbmux). Finally, I mounted the iOS data partition and navigated to the actual email folder." Files examined weren't encrypted at all.
To prove that the feature was enabled in the phone, Kurtz tried to access the "Protected Index" email message database, and was denied by the OS. The issue has since been reproduced on on an iPhone 5s, and an iPad 2, both running iOS 7.0.4. Further testing has been performed, and POP and ActiveSync email accounts also show the lack of attachment encryption.
Apple has been made aware of the issue, and responded to Kurtz that they were aware of the problem. No timetable has been made available as to when a fix will be completed for the issue, or if the lack of encryption is intentional.
The flaw doesn't allow for remote harvesting of data. Should a user's phone be lost, hackers could potentially circumvent Apple-provided security features and access the data by using methods similar to Kurtz's.