
Does that mean that basic security should not be in a company's mind, especially when it comes to the kind of data emails can contain? Mailbox is BIG. We are not talking of an average app here!


Email is not secure. Email has never been secure. Nothing you send over email is secure. There's little authentication and no signing.

All this stuff can be kludged onto email, but the attitude should be "unless I've taken measures to add security this thing is not secure".


Sure, but that's also like saying "car accidents are inevitable, so let's not put on our seat belts".

A basic bit of security, especially one that doesn't put any more load on the user (to have to maintain or set up) is a pretty big no-brainer. Raising the bar for a successful hack is also worth doing when the cost is a single line of code and no effort on the user's part.

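The "single line of code" the comment above refers to is, on iOS, the Data Protection file attribute. The following is an added example, not code from Mailbox.app or from anyone in this thread; it assumes an iOS app whose cache lives in its Documents directory and a device on which the user has set a passcode (without a passcode, Data Protection has nothing to derive a key from). It shows both the one-line mitigation and an audit helper a developer can run in a test to catch files that were left readable.

```swift
import Foundation

/// Write sensitive data (e.g. a cached message body) so the file is encrypted
/// with a key derived from the device passcode and is unreadable while the
/// device is locked. This is the "single line" that raises the bar against a
/// file-explorer tool on a lost phone.
func writeProtected(_ data: Data, to url: URL) throws {
    try data.write(to: url, options: [.atomic, .completeFileProtection])
}

/// Audit helper (assumed, not part of any app): returns every regular file
/// under `directory` whose protection class is weaker than `.complete`, i.e.
/// readable by a file-explorer tool whenever the device is powered on.
func filesLackingCompleteProtection(under directory: URL) throws -> [URL] {
    let fm = FileManager.default
    var weak: [URL] = []
    guard let walker = fm.enumerator(at: directory,
                                     includingPropertiesForKeys: [.isRegularFileKey]) else {
        return weak
    }
    for case let url as URL in walker {
        let values = try url.resourceValues(forKeys: [.isRegularFileKey])
        guard values.isRegularFile == true else { continue }
        let attrs = try fm.attributesOfItem(atPath: url.path)
        // On iOS the attribute is a FileProtectionType; anything but .complete
        // (including a missing attribute) is flagged.
        let protection = attrs[.protectionKey] as? FileProtectionType
        if protection != .complete { weak.append(url) }
    }
    return weak
}

// Constructed sample: cache one fake message, then verify nothing under
// Documents is left unprotected. Run inside an iOS app or XCTest target.
let docs = FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0]
let cache = docs.appendingPathComponent("inbox-cache.json")
try writeProtected(Data("{\"subject\":\"constructed sample\"}".utf8), to: cache)
assert(try filesLackingCompleteProtection(under: docs).isEmpty,
       "unprotected files found in Documents")
```

The audit catches the case the thread describes (data readable with physical access) but does not help against an attacker who already knows the passcode, which is the limit the other commenters point out.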

If we're using analogy it's more like telling bicycle riders to use anti-puncture tape. Sure, it'll reduce the chance of getting a puncture but does nothing when they go under a truck.

What's on offer here? 10 minutes extra tamper resistance? For a protocol which is inherently insecure?


What's on offer here is the ability to exclude a large class of attackers entirely - script kiddies with a commonly available file explorer tool.

Sure, if you're the CEO of some big company and a skilled attacker really wants at your email, this is only a stopgap - but this is also sufficient to stop less proficient attackers entirely. For most people this is all they need.

> "it's more like telling bicycle riders to use anti-puncture tape."

If anti-puncture tape has literally no downsides whatsoever to the bicycle rider's experience, and costs nothing, then yes. Why wouldn't you have it?


Actually a small class of attackers - script kiddies with a commonly available file explorer tool and physical access to your phone.


Email may not be generally secure but it is still easier to plug a phone into a computer than to access someone's email account without knowing their credentials. 10 minutes could be the difference between someone copying your emails from your lost iPhone and said person being unable to copy anything because you remote wiped your phone.


“Does that mean that basic security should not be in a company's mind”

I wasn’t suggesting it shouldn’t be. My point is that the article’s headline is overly dramatic: Mailbox.app is not a complete security failure because of one hack that requires physical access. Given that Mailbox only supports GMail, I’d be more worried to put my email in Google’s hands than worrying over someone grabbing my phone out of mine.

“Mailbox is BIG. We are not talking of an average app here!”

Mailbox.app is a free app that has been downloaded a couple of million times, I wouldn’t call it “BIG” yet. It’s very new, it’s still on version 1, so it’s not expected to be perfect.


> Mailbox.app is not a complete security failure because of one hack that requires physical access

The problem is that we take mobile devices with us every place we go. So physical access is not difficult to obtain.

This really is a big deal primarily because the developers of Mailbox.app did not take steps to even obfuscate the stored data...which would deter all but the most determined of attackers.
