[subhb]

On any app that consists of sensitive information, one should probably implement passcode security on the application itself. Now this might annoy some users, but if you know you are going to use it for something special, you won't mind it!

[tmpajk]

So therefore, your article could have been titled "{Mailbox|GMail|iMail|all_other_mail_clients_ever} is a Security Fail!"?

Because as far as I am aware, few mail clients either support or (if they do) actively encourage an extra password layer, and your users do not want it. Given an average un-password-protected phone, you will be able to read their email even if they were using the iOS encrypted files framework, just by opening the app.

I apologize, but it appears that your headline is deliberate sensationalism. If you want to have a discussion about how we need to secure email apps in general, I'm interested. If you want to just pick the latest 'big thing' and take pot shots at it, nah.

[subhb]

@tmpajk How does it make Mailbox more secure. Let's talk about the scenario where you have access to an iPhone for few minutes. In one case, you can go through some contents, in another case you can copy all emails and contacts. My whole point is files or attachments on information on every app that has sensitive information should be protected. There are various ways to do it on iOS! One can use keychain to store some secret key and protect these files using that secret key.

[DanBC]

The risk is that people assume their email is secure because the email storage on the iPhone is secure.

[tmpajk]

Where is the key kept then? One possibility, the user has to know it, at which point we're back to the fact that users dont seem to want a password for their email app (again, happy to see an interesting post on the generalities of email app security). The other approach is to store it somewhere on the phone, at which point connecting the phone to a computer as you describe is still an attack vector; you just need to find the key.

Of course, I am not highly versed in security, so if there's another option I'm interested to hear it.

[subhb]

One can keep a secret key anywhere other than Document or Library directory of such apps. One of the obvious place will be device keychain.