
July 19, 2007

iPhone: significant security vulnerability

Along with many others, we speculated that the iPhone would support push email by use of IMAP IDLE (see the Isode white paper "IMAP IDLE: The best approach for 'push' email" for more details).

We've been tracing an iPhone, and it turns out that this is not the case. With IMAP servers other than Yahoo!'s, the iPhone works by polling at a user-configured interval, so you have to wait to see new messages. Use of IMAP (Internet Message Access Protocol) by the iPhone is a very good approach, and we hope that Apple will add IMAP IDLE support in an iPhone software update.

With Yahoo!, the iPhone authenticates using a private protocol called XYMPKI, used in conjunction with IMAP. Yahoo! do not provide a general IMAP service: they use IMAP only for iPhone access, and although the iPhone supports TLS (Transport Layer Security), Yahoo! IMAP does not, which leaves the authentication exchange open to a replay attack.

Anyone able to eavesdrop on the authentication exchange, such as when using any open (public or private) wi-fi service, can easily gain full access to the user's email account until the user changes their password. We would advise against using the Yahoo! service with an iPhone, because of this security risk.
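To make the replay risk concrete, here is an added simulation (not code from Isode, Apple or Yahoo!, and not a description of how XYMPKI itself is built) that contrasts an authentication token which is identical on every connection with a nonce-based challenge-response; the secret value is a constructed placeholder.

```python
import hashlib
import hmac
import secrets

SECRET = b"example-password-placeholder"  # constructed placeholder credential
NONCE_LEN = 16

class StaticTokenServer:
    """Accepts a token that is identical on every connection, so the bytes
    seen in one login keep working until the secret is changed."""
    def __init__(self, expected):
        self.expected = expected
    def verify(self, token):
        return hmac.compare_digest(token, self.expected)

class ChallengeResponseServer:
    """Issues a fresh single-use nonce per connection; the client must MAC it,
    so a captured response is tied to a nonce that is never issued again."""
    def __init__(self, secret):
        self.secret = secret
        self.outstanding = set()
    def challenge(self):
        nonce = secrets.token_bytes(NONCE_LEN)
        self.outstanding.add(nonce)
        return nonce
    def verify(self, response):
        nonce, mac = response[:NONCE_LEN], response[NONCE_LEN:]
        if nonce not in self.outstanding:
            return False  # nonce already consumed (replay) or never issued
        self.outstanding.discard(nonce)  # single use
        expected = hmac.new(self.secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(mac, expected)

def client_response(secret, nonce):
    return nonce + hmac.new(secret, nonce, hashlib.sha256).digest()

def replay_static():
    """Return (legitimate login accepted, same captured bytes accepted again)."""
    server = StaticTokenServer(SECRET)
    captured = SECRET  # exactly what a passive observer sees on a cleartext link
    return server.verify(captured), server.verify(captured)

def replay_challenge_response():
    server = ChallengeResponseServer(SECRET)
    captured = client_response(SECRET, server.challenge())
    first = server.verify(captured)
    server.challenge()  # the observer's own connection is issued a new nonce
    return first, server.verify(captured)
```

A challenge-response only stops replay of the captured login; it does nothing for the mailbox contents on the same cleartext session, which is why TLS on the IMAP connection is the mitigation that covers both.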

XYMPKI provides Yahoo! IMAP with information about the phone, which enables an alert about new email to be sent by an out-of-band mechanism (which we speculate is SMS).

One of Isode's engineers, Dave Cridland, has posted a more detailed explanation of the vulnerability (which we have, of course, reported to Apple, Yahoo! and CERT) on his personal blog here and here.

This proprietary approach with a significant security vulnerability is bad.

Apple and Yahoo! should know better.



Comments

Thank you for the fantastic report! Unlike most of my friends who had the money to buy an iPhone "sight unseen" I decided to watch and wait because Apple is such a secret company. Turns out that Yahoo is just as secret. In fact, looks like a Silicon Valley incestuous cartel if you ask me (iPhone bundled with services from Yahoo and Google). Yahoo, Google, and Apple are all about within a 50 kilometer radius of one another. In the end, only open protocols can win the world over (despite the short term celebrations and mania caused by devices such as the iPhone).

You might be interested to know that iPhone 2.0 (MobileMe et al) uses XMPP... for notifications!
