Mail Privacy Protection Seemingly Undermined by Apple Watch [Updated]

by

The security provided by Apple's Mail Privacy Protection feature is seemingly undermined by a lack of Apple Watch support, security researchers have found.

ios15 mail privacy feature
Mail Privacy Protection is a new feature introduced with iOS 15, iPadOS 15, and macOS Monterey that hides your IP address so senders are not able to determine your location or link email habits to your other online activity. It also prevents senders from tracking whether you opened an email, how many times you viewed an email, and whether you forwarded the email.

The feature works by routing all content downloaded by the Mail app through multiple proxy servers to strip your IP address, and then it assigns a random IP address that corresponds to your general region, making email senders see generic information rather than specific information about you.

Apple's legal documentation on Mail Privacy Protection indicates that the feature is available for iPhone, iPad, and Mac only, but security researchers and developers Talal Haj Bakry and Tommy Mysk have discovered that since the Apple Watch does not hide a recipient's IP address, it can compromise the overall security provided by Mail Privacy Protection.

The Apple Watch downloads remote content, such as images, using the recipient's real IP address, both when receiving a Mail notification and when opening an email, meaning that even for users who have enabled Mail Privacy Protection on their ‌iPhone‌, their IP address is exposed.

While Mail Privacy Protection is a feature exclusive to iOS 15, iPadOS 15, and macOS Monterey, the fact that simply receiving a Mail notification on the Apple Watch can reveal a user's IP address and bypass Mail Privacy Protection on other devices seems to be an oversight and we have reached out to Apple for comment.

Update: The same security researchers have now highlighted that iCloud Private Relay is also unavailable on the Apple Watch, meaning that a user's IP address can be exposed when opening links in the Messages app.

‌iCloud‌ Private Relay is an Apple service that ensures Safari traffic leaving an ‌iPhone‌, ‌iPad‌, or Mac is encrypted. It uses two separate internet relays to ensure that companies cannot access personal information like IP address, location, and browsing information to create a detailed profile about you.

Users who have ‌iCloud‌ Private Relay enabled on their other devices should be aware that their IP address is still discoverable from Apple Watch activity.

Related Roundups: watchOS 10, watchOS 11
Related Forum: Apple Watch

Popular Stories

iPhone SE 4 Vertical Camera Feature

iPhone SE 4 Production Will Reportedly Begin Ramping Up in October

Tuesday July 23, 2024 2:00 pm PDT by
Following nearly two years of rumors about a fourth-generation iPhone SE, The Information today reported that Apple suppliers are finally planning to begin ramping up mass production of the device in October of this year. If accurate, that timeframe would mean that the next iPhone SE would not be announced alongside the iPhone 16 series in September, as expected. Instead, the report...
Read Full Article68 comments
iPhone 17 Plus Feature

iPhone 17 Lineup Specs Detail Display Upgrade and New High-End Model

Monday July 22, 2024 4:33 am PDT by
Key details about the overall specifications of the iPhone 17 lineup have been shared by the leaker known as "Ice Universe," clarifying several important aspects of next year's devices. Reports in recent months have converged in agreement that Apple will discontinue the "Plus" iPhone model in 2025 while introducing an all-new iPhone 17 "Slim" model as an even more high-end option sitting...
Read Full Article160 comments
Generic iPhone 17 Feature With Full Width Dynamic Island

Kuo: Ultra-Thin iPhone 17 to Feature A19 Chip, Single Rear Camera, Semi-Titanium Frame, and More

Wednesday July 24, 2024 9:06 am PDT by
Apple supply chain analyst Ming-Chi Kuo today shared alleged specifications for a new ultra-thin iPhone 17 model rumored to launch next year. Kuo expects the device to be equipped with a 6.6-inch display with a current-size Dynamic Island, a standard A19 chip rather than an A19 Pro chip, a single rear camera, and an Apple-designed 5G chip. He also expects the device to have a...
Read Full Article162 comments
iPhone 16 Pro Sizes Feature

iPhone 16 Series Is Less Than Two Months Away: Everything We Know

Thursday July 25, 2024 5:43 am PDT by
Apple typically releases its new iPhone series around mid-September, which means we are about two months out from the launch of the iPhone 16. Like the iPhone 15 series, this year's lineup is expected to stick with four models – iPhone 16, iPhone 16 Plus, iPhone 16 Pro, and iPhone 16 Pro Max – although there are plenty of design differences and new features to take into account. To bring ...
Read Full Article130 comments
icloud private relay outage

iCloud Private Relay Experiencing Outage

Thursday July 25, 2024 3:18 pm PDT by
Apple’s iCloud Private Relay service is down for some users, according to Apple’s System Status page. Apple says that the iCloud Private Relay service may be slow or unavailable. The outage started at 2:34 p.m. Eastern Time, but it does not appear to be affecting all iCloud users. Some impacted users are unable to browse the web without turning iCloud Private Relay off, while others are...
Read Full Article82 comments

Top Rated Comments

BootsWalking Avatar
BootsWalking
35 months ago
My Apple Watch notified me that my heart rate increased unexpectedly while I was reading this article.
Score: 20 Votes (Like | Disagree)
antiprotest Avatar
antiprotest
35 months ago
Slipping more and more on privacy and security while adding more and more "safety" and "child protection" features that could compromise privacy and security.
Score: 13 Votes (Like | Disagree)
nwcs Avatar
nwcs
35 months ago
I found mail on the watch is kinda useless. It doesn't stay in sync very well and often shows me old content. Easy enough to just disable the notification and turn off load remote images for the watch. Problem solved until a better fix comes along.
Score: 9 Votes (Like | Disagree)
GermanSuplex Avatar
GermanSuplex
35 months ago
Apple is great, but some of their oversights are mind-boggling. For instance - you still can't mass-delete messages from the watch. Does nobody in Apple wearing an Apple Watch get tired of having to do that? I surely can't be the only one?

And given that virtually everyone with an Apple Watch use an iPhone and other iOS/Mac OS devices, this comes close to making the mail privacy features useless.
Score: 7 Votes (Like | Disagree)
_Spinn_ Avatar
_Spinn_
35 months ago
This seems like a major oversight.
Score: 6 Votes (Like | Disagree)
mazz0 Avatar
mazz0
35 months ago
Apple have always been bad at this.

I have automatic downloading of images etc disabled so as not to inform spammers that they've hit an active address, which Mail allows you to do.

The problem is Mail doesn't show you the target of links in the email until you mouse-over (or long-touch) them, which also, by default, loads of a preview of the destination, thus giving the game away.

I hope Apple's servers are preloading/caching any of the proxied content, thus giving the game away before you've even opened the email. Anybody know for sure when they first download the content?

Edit: Oops! That should say I hope they aren’t pre-loading/caching!
Score: 6 Votes (Like | Disagree)
Read All Comments