Mandatory encryption at rest can be bypassed (UI) in Wire app
Description
Wire iOS versions prior to 3.70 fail to enable encryption at rest when no device passcode is set, silently bypassing the feature.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Wire iOS versions before 3.70 have a flaw in the encryption at rest feature. The app attempts to generate encryption keys using the Secure Enclave upon launch, but this step fails silently if the device has no passcode set. As a result, the mandatory encryption at rest is not activated, and users receive no indication that their data is not encrypted [1].
Exploitation
An attacker with physical or remote access to an unlocked device can exploit this issue by simply ensuring the device has no passcode enabled. No authentication bypass or additional privileges are needed beyond the user having disabled the device passcode. The vulnerability is automatically triggered when the app launches and fails to enable encryption at rest [1].
Impact
When successful, the attacker gains access to all Wire messages, media, and data stored on the device without encryption. This leads to full disclosure of confidential user communications and violates the intended security guarantee of mandatory encryption at rest. The integrity and availability of the data are unaffected, but confidentiality is completely lost [1].
Mitigation
Wire has fixed this vulnerability in version 3.70 of the iOS app [1]. Users should update to the latest version from the App Store. For those unable to upgrade, setting a device passcode is a necessary but only partial workaround because the app may still silently fail if the passcode is not enabled before launch. No KEV listing is currently available [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Silent failure when generating encryption keys via the Secure Enclave on a device without a passcode, leaving encryption at rest inactive without user notification."
Attack vector
An attacker with physical access to a device that has no passcode set can bypass the mandatory encryption-at-rest feature. The app attempts to generate encryption keys via the Secure Enclave on launch, but fails silently when no device passcode is configured, leaving user data unencrypted without any visible warning to the user [1].
Affected code
The commit modifies `AppRootRouter` to handle a new `biometricPasscodeNotAvailable` case, and adds a new alert string `account_deleted_missing_passcode_alert` in the localization files. The underlying issue is in the encryption-at-rest initialization path that silently fails when no device passcode is set.
What the fix does
The patch adds a new `biometricPasscodeNotAvailable` case to the `AppRootRouter` that displays an alert titled "No device passcode" with the message "In order to use Wire, please set a passcode in your device settings." [1]. This closes the vulnerability by informing the user that encryption at rest cannot be enabled, rather than silently failing and leaving data unprotected.
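The failure mode and its fail-closed counterpart, as an added sketch that is not Wire's code: the silent variant discards the key-generation error, while the hardened variant checks for a device passcode first and propagates every failure so the caller can block with an alert. The helper names, the key tag and the choice of `kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly` are assumptions, since the page does not show the app's key-generation code.

```swift
import Foundation
import LocalAuthentication
import Security

enum EARError: Error { case passcodeNotSet, keyGenerationFailed(Error?) }

// Hypothetical helper: create a Secure Enclave key usable only while a passcode is set.
// Assumption: this accessibility class; key creation fails on a device without a passcode.
func makeEnclaveKey(tag: String) throws -> SecKey {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .privateKeyUsage, &cfError)
    else { throw EARError.keyGenerationFailed(cfError?.takeRetainedValue()) }
    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: Data(tag.utf8),
            kSecAttrAccessControl as String: access
        ]
    ]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &cfError)
    else { throw EARError.keyGenerationFailed(cfError?.takeRetainedValue()) }
    return key
}

// Before: `try?` turns the failure into nil, so a caller that ignores the
// result continues with unencrypted storage and the user sees nothing.
func enableEncryptionAtRestSilently() -> SecKey? {
    return try? makeEnclaveKey(tag: "com.example.ear.key") // constructed tag
}

// After: detect the missing passcode explicitly and surface every error.
func enableEncryptionAtRestOrFail() throws -> SecKey {
    var laError: NSError?
    guard LAContext().canEvaluatePolicy(.deviceOwnerAuthentication, error: &laError) else {
        if laError?.code == LAError.passcodeNotSet.rawValue {
            throw EARError.passcodeNotSet // caller shows a blocking alert
        }
        throw EARError.keyGenerationFailed(laError)
    }
    return try makeEnclaveKey(tag: "com.example.ear.key") // constructed tag
}
```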
Preconditions
- config: The user's iOS device has no passcode set.
- network: The attacker must have physical access to the unlocked device.
Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
- github.com/wireapp/wire-ios/commit/5ba3eb180efc3fc795d095f9c84ae7f109b84746 (mitre, x_refsource_MISC)
- github.com/wireapp/wire-ios/security/advisories/GHSA-h4m7-pr8h-j7rf (mitre, x_refsource_CONFIRM)