How to protect yourself against the iOS Mail attack


Right now, you shouldn’t be using the Mail app on your iPhone or iPad. Thanks to a serious exploit, a hacker can take control of your iOS Mail app just by sending you a malicious email.

You don’t need to open that mail for it to do its bad business. In fact, you don’t even have to have the Mail app open for the attack to work. Yesterday, we covered the news of this attack, and you can read all about the consequences. Today we’ll show you how to protect yourself by changing just one setting.

To sum up, the vulnerability, reported earlier this week by security blog ZecOps, allows an attacker to deliver and run malicious code on your iOS device, just by sending an email that uses too much memory. The exploit works on both iOS 12 and iOS 13, although it’s slightly less dangerous on iOS 12. The flaw enabling this attack may have been around since iOS 6.

You can read the full details in this ZecOps blog post.

Apple has already issued a fix in the latest iOS 13.4.5 beta, but if you’re stuck on an older device running iOS 12, or you don’t run betas on your iPhone and iPad, then what can you do? The answer is that you must disable your Mail accounts.

How to disable your Mail accounts on iOS

To be clear, this exploit affects only the Mail app on iOS. If you use a third-party mail app, like Outlook or Spark, then you’re safe. The problem is that even if you use Spark or another third-party app, you are probably still using the built-in Mail app.

You know how you can share a web page by tapping the share arrow in Safari, and then tapping the Mail icon to send an email? That uses the built-in Mail app. Maybe that’s safe, but maybe it also triggers a manual collection of your mail, in which case you’re vulnerable.

So, while it’s possible to switch off auto-downloading of new email, and to not open the Mail app, the only safe way is to disable your mail accounts altogether, so they can’t be used.

To do this, open up Settings > Passwords & Accounts. You’ll see a screen with all your internet accounts — mail, calendars, and so on. Find any that have “mail” in their description, and tap. You’ll see this screen, or something similar:

Switch off non-iCloud mail accounts here.
Photo: Cult of Mac

Just toggle off the switch next to Mail, and you’re done. Any email already in the Mail app should still be available. It’s just that now the iPhone is disconnected from your email account.

You should also disable your iCloud Mail account, if you are using it. This is done in the same place, only you’ll see this screen:

And switch off your iCloud mail here.
Photo: Cult of Mac

When can you switch your Mail back on?

This is a real pain, but it shouldn’t last long, at least for iOS 13 users. Whenever the next release of iOS 13 comes out, you’ll be protected. Or you can just install the current iOS 13.4.5 beta, as mentioned. In the meantime, you can safely access your email via the web, or by using another app.

Hopefully Apple will also issue a security update for iOS 12, otherwise users of older devices — like the iPhone 6 — are screwed.
