NOTE: I’ve updated this post in a few places below today, 6/13/2011, based on help from commenters. Also see the follow-up article Sending and Receiving S/MIME Encrypted Email on iOS 5 (Beta).

During the 2011 Apple Worldwide Developer Conference keynote address, Scott Forstall indicated that iOS 5 would have support for S/MIME encrypted email. (Skip to 63:10 in the presentation.) This morning I successfully upgraded to the iOS 5 Beta and was able to read my S/MIME encrypted email. Here is how I did it.

What you need:

– Xcode 4.2 and iOS SDK 5 beta (requires iOS Developer Program account)

– iOS 5 beta for your iOS device’s platform (requires iOS Developer Program account)

– iTunes 10.5 beta (requires iOS Developer Program account)

– iPhone Configuration Utility 3.3

– Your S/MIME encryption and signing certificates, each exported together with its private key in PKCS12 (.p12) format

(Note there is some discussion about not needing to pay for a developer program account to install iOS 5. I went the legitimate route.)


Installing iOS 5 Beta

To install the iOS 5 Beta, make sure you have a backup; this will wipe your device. I used Apple’s guide. First, install Xcode 4.2. Launch Xcode and plug in your iOS device. You should see a window similar to the following:

(Screenshot: New Device Detected)

Click “Use for Development”. If it doesn’t automatically bring you to the device organizer, click Window->Organizer. Your device should appear there in a Summary view. Under “Software Version”, click Other Version… and then choose the .ipsw file relevant to your device. Once you see the 5.0 (9A5220p) choice under Software Version, click “Restore”. This will erase the contents of your iOS device including all pictures, music, videos, and apps. Make sure you have a backup. Allow the restore to complete. Once it is complete, Xcode will again display the “New Device Detected” dialog, and you should click “Use for Development”. To complete the installation, launch iTunes 10.5 beta and set up the device.

Once you’ve set up the device, and either synced your Mail settings or manually configured them, go ahead and try and open up an encrypted email message. Here’s one that Joey sent me:

(Screenshot: Top Secret email I can't decrypt)

As you might guess, going to Settings > General > Profiles doesn’t do you much good. On my system, the only profile installed was the Provisioning Profile put there via my Developer account. So, we need to create one.

Create and Install Configuration Profile

Note: If you don’t wish to deal with a configuration profile, you can also email yourself the .p12 file containing your certificate. Thanks to Oleg for the tip. Bear in mind that the .p12 contains your private key, protected only by its password, so do not send the password in the same message and delete the message once the identity has been imported.

If you don’t already have it installed, install the iPhone Configuration Utility and launch it. Make sure your iOS device is plugged in.

On the left side of the iPhone Configuration Utility, click on “Configuration Profiles”. Then click the “New” button at the top.

(Screenshot: iPhone Configuration Utility)

In the general section, it would be good to give your configuration profile a name. You will definitely need to provide a unique identifier for your configuration profile: a device treats a profile with the same identifier as a replacement for the one already installed, so two different profiles must not share one. While you can set a number of other required configurations on the device using this tool, the important one for S/MIME is the “Credentials” configuration. On the left scroll down to “Credentials” and click it.

(Screenshot: Configuring Credentials)

Click “Configure” on the right-hand side to add your encryption certificate and its private key to the device. You will be prompted with a file selection dialog where you can choose the PKCS12 file containing your encryption certificate and private key; without the private key the device cannot decrypt anything.

Once your certificate appears in the window, you can scroll down and enter the password that protects the PKCS12 file, or leave it blank. If you enter it, you will not be prompted for it when the certificate is installed on the device, but a copy of your password is then stored in clear text inside the profile file, right next to the private key it protects. I chose not to enter my password at this time.

You should repeat this process for your signing certificate as well; click the + button toward the upper right to add a second certificate. In my experience, I could not read signed and encrypted emails unless I put both my signing and encryption certificates into the profile.
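What the utility writes is a property-list profile with one com.apple.security.pkcs12 payload per certificate. The following Python is an added example, not code from this post or from Apple's tool: it builds that structure with the standard library so the two choices above (a unique identifier, and whether to embed the PKCS12 password) are visible, and it audits a profile for embedded passwords and duplicate payload UUIDs. The payload keys are the documented ones; the .p12 bytes, the identifier and the password are constructed placeholders for the demo.

```python
"""Build and audit an iOS configuration profile (.mobileconfig) carrying
S/MIME identities as com.apple.security.pkcs12 payloads.

Added example (not the original post's code, not Apple's tool). Standard
library only; the .p12 bytes below are constructed placeholders.
"""
import plistlib
import uuid

# Constructed placeholders standing in for exported PKCS#12 files.
SIGNING_P12 = b"\x30\x82placeholder-signing-identity"
ENCRYPTION_P12 = b"\x30\x82placeholder-encryption-identity"


def new_uuid():
    # Profiles use upper-case UUID strings for PayloadUUID.
    return str(uuid.uuid4()).upper()


def pkcs12_payload(p12_bytes, file_name, display_name, identifier, password=None):
    """One credentials payload. If `password` is given it is written to the
    `Password` key in clear text, which is what the utility does when you type
    it into the profile; leave it None to be prompted on the device instead."""
    payload = {
        "PayloadType": "com.apple.security.pkcs12",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": new_uuid(),
        "PayloadDisplayName": display_name,
        "PayloadCertificateFileName": file_name,
        # plistlib serialises bytes as a base64 <data> element.
        "PayloadContent": p12_bytes,
    }
    if password is not None:
        payload["Password"] = password
    return payload


def build_profile(identities, profile_identifier, profile_name):
    """`identities`: list of (p12_bytes, file_name, display_name, password),
    one per certificate (e.g. signing and encryption). Each payload gets its
    own identifier derived from the profile's and a fresh UUID; a profile whose
    top-level identifier matches one already on a device replaces it."""
    payloads = [
        pkcs12_payload(p12, fname, name, f"{profile_identifier}.cred{i}", pw)
        for i, (p12, fname, name, pw) in enumerate(identities, start=1)
    ]
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": profile_identifier,
        "PayloadUUID": new_uuid(),
        "PayloadDisplayName": profile_name,
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)


def audit_profile(profile_bytes):
    """Summarise the PKCS#12 payloads in a profile and count those that embed
    the protecting password (readable by anyone who can read the file).
    Rejects duplicate PayloadUUIDs."""
    profile = plistlib.loads(profile_bytes)
    report = {"identifier": profile["PayloadIdentifier"], "pkcs12": [],
              "embedded_passwords": 0}
    seen = set()
    for payload in profile.get("PayloadContent", []):
        if payload["PayloadUUID"] in seen:
            raise ValueError("duplicate PayloadUUID " + payload["PayloadUUID"])
        seen.add(payload["PayloadUUID"])
        if payload["PayloadType"] != "com.apple.security.pkcs12":
            continue
        embedded = "Password" in payload
        report["pkcs12"].append({
            "file": payload["PayloadCertificateFileName"],
            "bytes": len(payload["PayloadContent"]),
            "password_embedded": embedded,
        })
        report["embedded_passwords"] += int(embedded)
    return report


def demo():
    """Signing identity without its password (the device prompts for it),
    encryption identity with it embedded, to show the difference."""
    profile = build_profile(
        [
            (SIGNING_P12, "signing.p12", "S/MIME signing", None),
            (ENCRYPTION_P12, "encryption.p12", "S/MIME encryption", "hunter2"),
        ],
        "com.example.smime.identities",  # assumed identifier
        "S/MIME identities",
    )
    return profile, audit_profile(profile)


if __name__ == "__main__":
    profile, report = demo()
    with open("smime.mobileconfig", "wb") as fh:
        fh.write(profile)
    print(report)
```

Running it writes smime.mobileconfig next to the script; opening that file in a text editor shows the embedded password as a plain `<string>` element beside the base64 `<data>` of the .p12, which is the reason to leave the password out unless the profile itself is going to be signed and encrypted before it leaves your machine.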

To install the configuration profile on your device, click your device on the left-hand side of the window, and go to the “Configuration Profiles” tab.

(Screenshot: Configuration Profiles)

You should see the profile you just created. Click “Install” and your iOS device will beep or click at you. Look at the screen and you will see:

(Screenshot: iOS Device Install Profile)

Click the “Install” button on your iOS device. You will get a warning that it will change settings on your device, click “Install Now”. You will then be prompted to enter the password used to protect your PKCS12 file if you didn’t save it as part of the configuration profile. Enter it, click “Return” and then “Done”.

Now when I re-launch Mail I can read Joey’s message:

(Screenshot: Encrypted Email)

Hooray! I’m reading encrypted email on an iOS device!

Hopeful Future Improvements

First, there is no indication on this encrypted email that it had been encrypted. Note: See follow-up post for how to fully enable and see these UI changes, thanks to Allan for pointing this out. So, I don’t know if the sender thought it was sensitive. I think this will be changed in a future release. In the below still image I took from the keynote address, you can see a lock and the word “Secure” in the title bar of the message. Obviously it’s important that Apple provides this visual cue.

Second is of course sending encrypted and signed email. Note: Again, see follow-up post for how to fully enable S/MIME. Despite my best efforts (installing my CA as a root on the device, installing certificates for my co-workers, installing certificates for other email addresses of mine) I could not get the little lock icon to appear next to anyone’s name in the “To” field of any emails, nor could I get it to send encrypted emails.

I look forward to a future beta from Apple which has these features enabled. Stay tuned here, because once I figure them out I’ll document them.

Let me know if it worked for you, and please provide any other comments below!

17 thoughts on “Using S/MIME on iOS 5 (Beta) UPDATED”

  1. Mike Myers says:

    So then, the private key is definitely stored on the device. Is there a way to make it so a password is required every time you want to use the private key to decrypt an email?

  2. Peter Hesse says:

    @Mike:
    The private key is stored within the iOS device’s keychain, which I’m pretty sure uses encrypted storage – although I’m drawing a blank on giving you a reference to that.

    You can use the iPhone Configuration Utility to require a passcode to unlock the device, make it a complex passcode, and set a maximum number of tries before the device (and private key) are all securely erased.

    To my knowledge, there is no setting to require you to enter a password every time you want to use the private key to decrypt. However if you require a password to unlock and auto-lock the device after one minute, I think you end up with a pretty safe setup.

  3. Mike Myers says:

    I read some more, and it looks like it’s rather complicated. From what I have read at Elcomsoft’s blog, the iOS4 device storage encryption involves keys derived from two sources: passcode and hardware unique ID. Most of the filesystem is encrypted with the latter, and they claim to be able to defeat this encryption.

    They also claim to be able to brute-force (in-device, and bypassing the retry limitation) an iOS4 passcode if it is the simple 4-digit mode. If you use a complex password, which is apparently configurable if you use the iPhone Configuration Utility from Apple, then brute-forcing is no longer feasible. In that scenario, the portions of the Keychain encrypted with the passcode cannot be retrieved (this includes iOS Mail.app data, and I would assume the private key for S/MIME in iOS5).

    In short: if you take the extra step to enable a complex passcode, your private S/MIME key is safe on the device.

  4. Oleg says:

    Or you can just email the p12 file to yourself and open the attachment in Mail. iPhone will import the cert and ask you for the password. Seems to work fine with E-mails as well as sites that use the same cert.

  5. Peter Hesse says:

    @Oleg thanks for that tip. That will simplify it for a lot of people.

    Mike correctly points out that a complex passcode is necessary to truly secure your device. The only way to set a complex passcode is through either the iPhone Configuration Utility or through your Exchange environment (if applicable)… So you might want to take that extra step anyway.

  6. Steve says:

    I can send encrypted and signed email from my iPhone and iPad.

  7. Peter Hesse says:

    @Steve, what PKI are you using?

  8. Parham says:

    @Steve, how did you get it to work for sending from your iOS device?

  9. Allan says:

    In order to see UI related to S/MIME and send encrypted messages, you need to turn on S/MIME in the Advanced settings for your email account. There, you can choose to sign and/or encrypt your outgoing messages and select the identity you’d like to use for those purposes.

    There are two ways to make it possible to send encrypted mail to a particular recipient. The easiest way is to use an Exchange account and have your recipients publish their certificates to GAL. The second way is to receive a signed message from someone, view the certificate, and use the Install button. That will map the certificate to the email address the sender used.

  10. Peter Hesse says:

    @Allan – You have got it right on! Thanks for spotting that in the detailed settings. We don’t use Exchange (and therefore have no GAL) but now I’m going to test that with a client of mine.

  11. Scott says:

    I installed the certificate 3 ways: the p12 cer with individual private and public, and a combined private and public with a p12 file. I am just testing this by sending it between two email accounts I have. I create a new email and it shows a lock at the top showing encrypted with no email addresses… once I add the email for an account for which I have both the public and private key, it shows a red name with an opened lock icon. That email will be signed, but not encrypted. Double clicking the red name goes to a screen saying the email will not be encrypted because the keychain does not have the public key. Sending mails the same way from the desktop encrypts and decrypts fine.

    But I think I may have found the trick…
    I sent emails to myself from the accounts that I also had certificates installed on the phone for. When they arrived the from icon showed a lock and a check star for signature. When you click the recipient name like you would to add it to or create a contact there is an option to view the certificate. From there you will see the cert and the install button. Weird because it is already installed elsewhere as I imported it, maybe this is a bug, or its stored elsewhere?

    From this point, if I send an email to any of those accounts I get the lock icon.

    Hope this helps

  12. Jim says:

    Is there anyway to read encrypted emails on iOS 4.0 ?

    thanks

  13. Peter Hesse says:

    @Jim-
    There are a few iOS apps that enable it. I think one is called IReadSmime or something. Since they are acting contrary to Apple’s developer agreement by enhancing or replacing core functionality (mail) they tend to disappear quickly. Once iOS 5 is released I suspect Apple will clamp down harder. Bottom line is it’s probably worth waiting till September if you can.

  14. Andy says:

    ” I went the legitimate route.”

    An interesting article, but isn’t the iOS5 beta issued to the developer program under a NDA?

  15. KRvW says:

    Anyone have success at installing a CACERT.org certificate on iOS 5? I’ve tried pretty exhaustively, but the OS always says it can’t find any valid certificates. (Yes, I’ve put the cacert.org root cert onto my devices — that works fine, and all SSL connections (https, smtps, imaps) properly verify the cert just fine.)

    I’ve gone through this list of tips (thanks Peter!) as well as the second posting on the topic, but still no luck.

    Cheers,

    KRvW
