
An important fact is wrong: You actually need to unlock the device to access the data unless the iPhone and the computer were paired before.


You can retrieve data from the device with special equipment after opening the phone. This is beyond the typical "geek".

If you jailbreak the phone you can access all non-protected data.

The iOS Mail app uses the DAPI correctly. For push mail, when the phone is locked, it will use a public key to encrypt the data.

I am unsure if even the Gmail app uses it correctly, I only tested the stock mail app.

If you have an escrow key pair (i.e. synced to iTunes) you are screwed. You should do a DFU mode restore to wipe the keybag completely.


> You can retrieve data from the device with special equipment after opening the phone. This is beyond the typical "geek".

Citation needed.


Most people with passcodes set auto lock after a few minutes. An attacker can pair a device left briefly unattended by simply connecting it to their Mac, in just a few seconds.

Then, even if the device is later locked, they can bulk copy unencrypted files using tools like iExplorer, and browse at their leisure.

It's funny how some business class apps store usernames and passwords in clear text in their app sandboxes.


This is correct, @nezza. I should have verified this with my friend's iPhone first. But the original issue still remains the same, which is that the files are not protected!


They aren't protected if you go into the app and look at the files (probably turning data off first).

If you can unlock the phone, you've almost certainly already lost here.


There are so many things one can do if he/she has access to your entire mail folder or contacts (by copying it using iExplorer or similar forensic tools) vs. just browsing a few emails. Talking about attachments: in one case one can get access to all your local attachments; in the other case he/she probably needs to forward those emails to an email ID to access them.


Don't have any data on this, but I know a bunch of not-so-tech-savvy people that don't use lock codes. Their data's then as naked as a Greek nude.


If the device is not locked, how about just launching the Mailbox app and browsing the attachments via its fancy UI? :)


On any app that contains sensitive information, one should probably implement passcode security on the application itself. Now this might annoy some users, but if you know you are going to use it for something special, you won't mind it!


So therefore, your article could have been titled "{Mailbox|GMail|iMail|all_other_mail_clients_ever} is a Security Fail!"?

Because as far as I am aware, few mail clients either support or (if they do) actively encourage an extra password layer, and your users do not want it. Given an average un-password-protected phone, you will be able to read their email even if they were using the iOS encrypted files framework, just by opening the app.

I apologize, but it appears that your headline is deliberate sensationalism. If you want to have a discussion about how we need to secure email apps in general, I'm interested. If you want to just pick the latest 'big thing' and take pot shots at it, nah.


@tmpajk How does it make Mailbox more secure? Let's talk about the scenario where you have access to an iPhone for a few minutes. In one case, you can go through some contents; in another case you can copy all emails and contacts. My whole point is that files or attachments on every app that has sensitive information should be protected. There are various ways to do it on iOS! One can use the keychain to store some secret key and protect these files using that secret key.


The risk is that people assume their email is secure because the email storage on the iPhone is secure.


Where is the key kept then? One possibility: the user has to know it, at which point we're back to the fact that users don't seem to want a password for their email app (again, happy to see an interesting post on the generalities of email app security). The other approach is to store it somewhere on the phone, at which point connecting the phone to a computer as you describe is still an attack vector; you just need to find the key.

Of course, I am not highly versed in security, so if there's another option I'm interested to hear it.


One can keep a secret key anywhere other than the Documents or Library directory of such apps. One of the obvious places will be the device keychain.
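The two mechanisms the thread circles around (the Data Protection API classes mentioned upthread for Mail's push behaviour, and a per-app secret in the device keychain suggested just above) look like this in practice. This is an added illustration in Swift, not code from any commenter or from the Mailbox app; the service name `com.example.mailclient.filekey` and the function names are made up for the example.

```swift
import Foundation
import Security

// Added example: how an iOS mail client can keep cached attachments and a
// per-app secret key out of reach of a paired computer or iExplorer-style
// bulk copy. Nothing here is from the Mailbox app; names are illustrative.
enum ProtectedStore {

    /// Write an attachment into the app's Documents directory with
    /// NSFileProtectionComplete. The per-file key is wrapped with a class key
    /// that the OS discards when the device locks, so a copy pulled over USB
    /// from a locked device yields only ciphertext. Unprotected Documents
    /// files (the default before iOS 7 was NSFileProtectionNone) are what
    /// iExplorer can read straight off a paired, locked phone.
    static func writeAttachment(_ data: Data, named name: String) throws -> URL {
        let docs = try FileManager.default.url(for: .documentDirectory,
                                               in: .userDomainMask,
                                               appropriateFor: nil,
                                               create: true)
        let url = docs.appendingPathComponent(name)
        try data.write(to: url, options: [.atomic, .completeFileProtection])
        return url
    }

    /// Variant for data that arrives while the device is locked (the push-mail
    /// case): CompleteUnlessOpen uses an asymmetric class key, so the app can
    /// create and write the file while locked, but cannot reopen it until the
    /// user unlocks.
    static func writeIncomingMessage(_ data: Data, named name: String) throws -> URL {
        let docs = try FileManager.default.url(for: .documentDirectory,
                                               in: .userDomainMask,
                                               appropriateFor: nil,
                                               create: true)
        let url = docs.appendingPathComponent(name)
        try data.write(to: url, options: [.atomic, .completeFileProtectionUnlessOpen])
        return url
    }

    /// Raise the protection class of a file the app already created earlier
    /// with a weaker class (e.g. an existing cache of attachments).
    static func protectExisting(_ url: URL) throws {
        try FileManager.default.setAttributes(
            [.protectionKey: FileProtectionType.complete],
            ofItemAtPath: url.path)
    }

    /// Generate a random 256-bit secret for any app-level encryption on top
    /// of the file classes (e.g. for an app passcode feature).
    static func makeKey() throws -> Data {
        var bytes = [UInt8](repeating: 0, count: 32)
        let status = SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes)
        guard status == errSecSuccess else {
            throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
        }
        return Data(bytes)
    }

    /// Store the secret in the keychain rather than in Documents/Library.
    /// WhenUnlockedThisDeviceOnly makes it readable only while the device is
    /// unlocked and keeps it from being restored onto another device from a
    /// backup, which addresses the "find the key on the phone" objection above.
    static func storeKey(_ key: Data, account: String) throws {
        let item: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: "com.example.mailclient.filekey", // hypothetical
            kSecAttrAccount as String: account,
            kSecValueData as String: key,
            kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        ]
        SecItemDelete(item as CFDictionary) // replace any stale copy
        let status = SecItemAdd(item as CFDictionary, nil)
        guard status == errSecSuccess else {
            throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
        }
    }

    /// Read the secret back; fails with errSecInteractionNotAllowed while the
    /// device is locked, which is the intended behaviour.
    static func loadKey(account: String) throws -> Data {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: "com.example.mailclient.filekey", // hypothetical
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne
        ]
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        guard status == errSecSuccess, let data = result as? Data else {
            throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
        }
        return data
    }
}
```

The file classes cover the attack described in this thread (a paired computer copying files from a locked phone) without the user ever entering a second password; the keychain secret is only needed if the app wants its own lock screen on top. Neither helps once the device is unlocked and in the attacker's hands, which is the point several replies make.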


The very fact that so many apps (Facebook, Twitter, Mail etc) remain signed in while not in use prompted me to use a lock code (albeit with a 5 min grace period, a trade off for convenience). I can't see why anyone wouldn't want it enabled.

I think most devices paired with an ActiveSync (Exchange, GMail) account are required to use lock codes.


Having said the above, one can copy all the contacts and emails of someone in a few seconds. This is different from just browsing an email on the UI (one would need time for that). What if someone has got access to an iDevice just for a few seconds? Ohh sir, you dropped your phone. Here you go, but thanks to iExplorer, I have all your documents and contacts now! Is this an issue? Depends what you use your email for!


Ever tried doing it in "a few seconds"? It takes several minutes in fact.



