A developer and security researcher has discovered that the default Apple Watch Mail app does not use the company’s own Mail Privacy Protection feature. The team also discovered that the Apple Watch doesn’t use iCloud Private Relay.
Heads-up: The mail privacy protection introduced in iOS 15 doesn't apply to the Mail app on the Apple Watch. Both the Mail app and the notification preview on the Apple Watch download remote content using your real IP address. #Cybersecurity #iOS pic.twitter.com/o0lh9rPQTd
— Mysk 🇨🇦🇩🇪 (@mysk_co) November 15, 2021
Heads-up Part II: iCloud Private Relay doesn't cover the Apple Watch. If you open links sent to you via iMessage on the Apple Watch, your real IP address will be exposed. #Cybersecurity #iOS pic.twitter.com/9dP3d4A0l4
— Mysk 🇨🇦🇩🇪 (@mysk_co) November 16, 2021
The official Apple Watch Mail app fails to use the company’s own Mail Privacy Protection feature. The feature was introduced as part of iOS 15.
About Mail Privacy Protection
Apple says the feature protects your location, prevents tracking, and stops marketers from seeing whether or not you’ve opened an email. The feature can be enabled in “Settings” -> “Mail” -> “Privacy Protection.”
Emails you receive may include hidden pixels that allow the email’s sender to learn information about you. As soon as you open an email, information about your Mail activity can be collected by the sender without transparency and an ability to control what information is shared. Email senders can learn when and how many times you opened their email, whether you forwarded the email, your Internet Protocol (IP) address and other data that can be used to build a profile of your behaviour and learn your location.
If you choose to turn it on, Mail Privacy Protection helps protect your privacy by preventing email senders, including Apple, from learning information about your Mail activity. When you receive an email in the Mail app, rather than downloading remote content when you open an email, Mail Privacy Protection downloads remote content in the background by default regardless of how you engage with the email. Apple does not learn any information about the content.
In addition, all remote content downloaded by Mail is routed through multiple proxy servers, preventing the sender from learning your IP address. Rather than share your IP address, which can allow the email sender to learn your location, Apple’s proxy network will randomly assign an IP address that corresponds only to the region your device is in. As a result, email senders will only receive generic information rather than information about your behaviour. Apple does not access your IP address.
When enabled, the feature works with the Apple Mail app on the iPhone. However, Mysk found that the feature does not work if you view email or email previews on your Apple Watch.