When it comes to encryption, Apple is a company that has been championing the security effort for years. But it turns out that encryption with the stock Mail app in macOS may not have been as good as the company was pushing.
The Verge has a report out today that details how Apple handles encrypted emails on macOS, specifically in the stock Apple Mail app. Apparently, under the right circumstances, it’s possible to read an encrypted email’s contents as if it weren’t encrypted at all. Worse, it sounds like Apple may have known about this for quite some time and is only now getting around to a fix.
But first, let’s get this out of the way:
Before we go any further, you should know this likely only affects a small number of people. You need to be using macOS, Apple Mail, be sending encrypted emails from Apple Mail, not be using FileVault to encrypt your entire system already, and know exactly where in Apple’s system files to be looking for this information. If you were a hacker, you’d need access to those system files, too.
The issue was first noted by Apple-focused IT specialist Bob Gendler on Medium earlier this week. Gendler discovered macOS database files that store information from apps like Mail and others, which Siri then uses to offer better suggestions to the end user. That’s how it’s supposed to work: Siri uses that information to learn about each user and make suggestions based on it.
However, Gendler found a database file called “snippets.db” that stores the unencrypted text of emails that were meant to be encrypted.
The big issue here is not only that macOS is storing unencrypted email text in a database file, but that Gendler tested the last four major version releases of Apple’s desktop operating system (Sierra, High Sierra, Mojave, and Catalina) and found the issue present in all of them.
Gendler says he reported the issue to Apple on July 29 of this year. 99 days later, on November 5, Apple finally responded. And while there have been several updates to the desktop operating system in the meantime, none of them has included a patch for this issue.
If you want to stop emails from being collected in snippets.db right now, Apple tells us you can do so by going to System Preferences > Siri > Siri Suggestions & Privacy > Mail and toggling off “Learn from this App.” Apple also provided this solution to Gendler — but he says this solution will only stop new emails from being added to snippets.db. If you want to make sure older emails that may be stored in snippets.db can no longer be scanned, you may need to delete that file, too.
If you want to avoid these unencrypted snippets potentially being read by other apps, you can avoid giving apps full disk access in macOS Catalina, according to Apple — and you probably have very few apps with full disk access. Apple also says that turning on FileVault will encrypt everything on your Mac, if you want to be extra safe.
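The steps above tell you how to stop new snippets from being collected, but they don't tell you whether a local cache already holds the plaintext of messages you sent encrypted. The script below is an added example written for this article; it is not code from The Verge, from Apple, or from Gendler's write-up, and it does not know the real schema of snippets.db. Instead it walks every table and every text column of whatever SQLite file it is given and reports cells containing phrases you know appeared only in encrypted messages, so it works on a cache whose layout you have not reverse-engineered. The database built in `build_sample_db()` is constructed test input with invented table and column names; to audit a real file, call `find_plaintext()` with that file's path (the article does not state where snippets.db lives).

```python
"""Audit a local SQLite cache for plaintext of messages that were sent encrypted.

Added example for this article, not code from The Verge, Apple, or Bob Gendler.
The schema in build_sample_db() is invented for the demo and is NOT the layout
of macOS snippets.db; find_plaintext() deliberately ignores schema and scans
every text column of every table.
"""
import os
import shutil
import sqlite3
import tempfile


def build_sample_db(path):
    """Create a constructed stand-in for a suggestions cache (invented schema)."""
    conn = sqlite3.connect(path)
    conn.executescript(
        """
        CREATE TABLE snippets (
            rowid INTEGER PRIMARY KEY,
            subject TEXT,
            body_preview TEXT,
            sender TEXT
        );
        CREATE TABLE contacts (name TEXT, email TEXT);
        """
    )
    conn.executemany(
        "INSERT INTO snippets (subject, body_preview, sender) VALUES (?, ?, ?)",
        [
            ("Lunch", "See you at noon", "alice@example.com"),
            # Constructed leak: the preview holds the body of a message that
            # the sender believed was protected by S/MIME encryption.
            ("Q3 numbers", "CONFIDENTIAL: revenue draft attached", "bob@example.com"),
        ],
    )
    conn.execute("INSERT INTO contacts VALUES (?, ?)", ("Alice", "alice@example.com"))
    conn.commit()
    conn.close()


def find_plaintext(db_path, markers):
    """Return [(table, column, rowid, value)] for every text cell that contains
    one of `markers` (case-insensitive substring match).

    `markers` should be phrases that occur only inside messages you sent
    encrypted; any hit means the cache holds their plaintext on disk.
    The file is opened read-only so the audit cannot alter the cache.
    """
    lowered = [m.lower() for m in markers]
    hits = []
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            # PRAGMA table_info rows are (cid, name, type, notnull, dflt, pk).
            cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
            for col in cols:
                rows = conn.execute(
                    f'SELECT rowid, "{col}" FROM "{table}" '
                    f'WHERE typeof("{col}") = \'text\'')
                for rowid, value in rows:
                    if any(m in value.lower() for m in lowered):
                        hits.append((table, col, rowid, value))
    finally:
        conn.close()
    return hits


def audit_sample():
    """Build the constructed cache in a temp dir, scan it, clean up, return hits."""
    tmpdir = tempfile.mkdtemp()
    try:
        path = os.path.join(tmpdir, "snippets-sample.db")
        build_sample_db(path)
        return find_plaintext(path, ["CONFIDENTIAL", "revenue draft"])
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)


if __name__ == "__main__":
    for table, col, rowid, value in audit_sample():
        print(f"plaintext found in {table}.{col} (rowid {rowid}): {value!r}")
```

A hit on a real cache is the signal that toggling “Learn from this App” is not enough on its own and the file itself needs to go, which is the point Gendler made to The Verge; an empty result only says the phrases you searched for are absent, not that the cache is clean.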
It is worth repeating the important bit at the top of this article as we close out: this issue won’t affect a lot of people. However, that doesn’t make it any less important, especially considering how long it’s been present in macOS.
Apple told The Verge that a fix for the security issue is incoming, but didn’t give an exact date as to when we should expect new software to patch the issue.