iPhone IMAP Vulnerability; Does NOT Support IMAP IDLE

We speculated in an earlier bulletin that the iPhone would support push email by use of IMAP IDLE. This turns out not to be true. Also, the unusual way that the iPhone provides push email has a nasty security hole.

With IMAP servers other than Yahoo, the iPhone works by regular polling -- so you need to wait to see new messages and there's potentially an implication on battery life. Use of IMAP (Internet Mail Access Protocol) by the iPhone is a very good approach, and we hope that Apple will address this in a software update by supporting IMAP IDLE.

With Yahoo, the iPhone authenticates using a private protocol called XYMPKI, used in conjunction with IMAP. (Yahoo does not provide a general IMAP service -- it uses IMAP only for iPhone access.)

Of more concern, although the iPhone supports TLS (Transport Layer Security), Yahoo IMAP does not, which leads to a replay attack. Anyone able to eavesdrop on the authentication exchange, such as when using any open (public or private) Wi-Fi service, can easily gain full access to the user's email account until the user changes his or her password. We would advise against using the Yahoo service with an iPhone because of this security risk.

XYMPKI provides Yahoo IMAP with information on the phone, which enables an alert about new email to be sent by an out of band alert mechanism (which we speculate is SMS). Such a proprietary approach with a significant security vulnerability is bad: Apple and Yahoo should know better.

A side effect is that this type of push email will not work for Wi-Fi only use, as it relies on cell coverage.

We've reported the vulnerability to CERT, Yahoo, and Apple. It appears that the vulnerability is already being widely circulated in the public domain -- see for example https://blog.dave.cridland.net/?p=32 (beware if you are offended by four-letter words).

... Steve Kille, with Richi Jennings

Post a comment

You must be logged in to post a comment. To comment, first join our community.