Disclaimer: This news item was originally posted on Monday, Sep 24, 2018. Its content may no longer be timely or accurate.

Apple’s native iOS Mail app has a security risk. Here’s how to fix it.

Posted: 17:25:17, Monday, Sep 24, 2018   Expiration: 17:25:17, Monday, Oct 1, 2018

The UW-Madison Office 365 team identified a security issue with Apple’s native iOS Mail app that could expose NetID credentials on the network the device is connected to. Apple is aware of this security issue and has mitigated the risk in the newly released iOS 12 update. Here’s what you need to do:

If you use the iOS Mail app, follow these steps to fix it:

  1. Update to iOS 12 - https://support.apple.com/en-us/HT204204.
  2. Delete and recreate your Outlook/Office 365 account from your Apple device settings.

If you have an older device that is not on the list as being compatible for iOS 12, follow these steps to fix it:

  1. Delete Outlook/Office 365 from your iOS Mail profile on your device.
  2. Download and install the Microsoft Outlook app.

Learn more

If you have any questions or concerns, please contact the DoIT Help Desk.


Frequently Asked Questions (FAQ)

What applications on the Apple device are affected?

The native Mail app on iOS is affected. It is a flaw in Apple iOS Mail’s implementation of the AutoDiscover protocol for connecting to Exchange using ActiveSync.

What Apple devices are affected?

All iOS devices are potentially affected. iPhone, iPad, iPod Touch. We have observed instances of devices with the latest version of iOS 11 being affected.

Who can observe the unencrypted passwords?

Anyone on the same network is able to observe and record user passwords. It is possible for a malicious actor to monitor a network over a long period of time to obtain passwords from affected Apple devices. An active attacker could manipulate the user into misconfiguring their device. Faculty and researchers traveling overseas could be at risk for this scenario.

On which networks are users at risk?

The vast majority of networks pose a risk for users. Public WiFi, coffee shops, airports, hotels are particularly concerning. Sending unencrypted traffic over any network, even campus WiFi, is risky.

What applications on the device can people use instead?

The app “Outlook for iOS” (named “Outlook” in the App Store) is safe to use and it is the recommended client for iOS users. It has been recommended by Microsoft and the UW-Madison Office 365 support team for the most reliable user experience.

How does Apple iOS Mail get into a vulnerable state?

The problem can be simulated on devices running iOS 11 (or lower) by unchecking “Use SSL” in the Exchange/ActiveSync account advanced settings. It is possible that people are accidentally disabling SSL. Another theory is that devices are “downgraded” to an insecure configuration based on incidental (e.g. firewalls, captivators) or malicious (e.g. man-in-the-middle) failed HTTPS network responses during the Exchange/ActiveSync Autodiscover process.

Can people fix Apple iOS Mail on their device?

Yes. Ensure that “Use SSL” is enabled in the Exchange/ActiveSync account advanced settings. We recommend people with devices running the latest version of iOS 11 or iOS 12 delete the Exchange/ActiveSync account in Settings and configure the account to ensure it’s using Office 365 Modern Authentication. This also adds compatibility with the Duo multi-factor authentication service that is being deployed at UW-Madison. People with older devices should strongly consider switching to the Microsoft Outlook app, or purchase a newer device that is capable of running iOS 12.

Did Apple fix the problem in iOS 11?

No. Apple introduced the ability for Exchange/ActiveSync accounts to use Microsoft’s new “Modern Authentication” protocol (AutoDiscover V2). However, iOS 11 still allows SSL to be disabled during the configuration of legacy/manual setup of an Exchange/ActiveSync account (AutoDiscover V1).

Can all iOS devices be upgraded to iOS 12?

No. People are actively using older hardware than cannot upgrade to iOS 11 or iOS 12. Even if Apple completely fixes the problem in iOS 12 there will be devices that remain on the network transmitting passwords in the clear.

Is this a problem with Microsoft Exchange or Office 365?

No. The Exchange/ActiveSync server is redirecting the client to use HTTPS, but this occurs after the iOS device initiated the request over HTTP with the credential mistakenly included within the request. iOS 12 fixes this flaw by not sending the password before being redirected to HTTPS. In an ideal world, Microsoft should completely disable non-SSL connections to further protect users from misbehaving email clients, but there are legacy email clients that Microsoft needs to support. Similarly, Apple cannot completely remove the ability to disable SSL in iOS 12 due to legacy Exchange servers that Apple needs to support.

Can this problem happen with non-Microsoft email servers?

Potentially, yes. This problem could occur for non-Microsoft users any time a user configures their Apple device for an Exchange/ActiveSync account in their settings.

What can DoIT do about vulnerable devices?

In Spring 2018, all users who were not using ActiveSync have had the Activesync option disabled on their UW-Madison Office 365 account. New user mailboxes are created with ActiveSync disabled, as well. People may re-enable ActiveSync on their mailbox if they choose.

-- Office 365: Christina Gomez

Created: 12:41:02, Monday, Sep 24, 2018 (by Christina G.)
Updated: 17:53:22, Monday, Sep 24, 2018 (by Christina G.)