Update 2: The security researcher who discovered the privacy failure reports that Apple has now fixed it.
As of iOS 15.4 and watchOS 8.5 the Mail app on the watch no longer leaks the IP address when downloading remote content. Remote content is blocked on the watch even when Mail Privacy Protection is on …
Original story:
Update: The same team has now discovered that the Apple Watch doesn’t use iCloud Private Relay either.
A developer and security researcher has discovered that the official Apple Watch Mail app fails to use the company’s own Mail Privacy Protection feature …
If you open links sent to you via iMessage on the Apple Watch, your real IP address will be exposed.
The feature was introduced as part of iOS 15 and was touted by Apple as offering three forms of privacy protection.
About Mail Privacy Protection
Apple says the feature protects your location, prevents tracking, and stops marketeers seeing whether or not you’ve opened an email.
The feature is enabled in Settings > Mail > Privacy Protection.
Emails you receive may include hidden pixels that allow the email’s sender to learn information about you. As soon as you open an email, information about your Mail activity can be collected by the sender without transparency and an ability to control what information is shared. Email senders can learn when and how many times you opened their email, whether you forwarded the email, your Internet Protocol (IP) address and other data that can be used to build a profile of your behaviour and learn your location.
If you choose to turn it on, Mail Privacy Protection helps protect your privacy by preventing email senders, including Apple, from learning information about your Mail activity. When you receive an email in the Mail app, rather than downloading remote content when you open an email, Mail Privacy Protection downloads remote content in the background by default regardless of how you engage with the email. Apple does not learn any information about the content.
In addition, all remote content downloaded by Mail is routed through multiple proxy servers, preventing the sender from learning your IP address. Rather than share your IP address, which can allow the email sender to learn your location, Apple’s proxy network will randomly assign an IP address that corresponds only to the region your device is in. As a result, email senders will only receive generic information rather than information about your behaviour. Apple does not access your IP address.
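The passage above describes the mechanism (hidden remote images fetched when a message is rendered) and the two defences Apple offers: fetching through a proxy, or, as the update at the top notes for watchOS, not fetching remote content at all. The following script is an added example, not code from the article or from Apple: it audits an email for remote references a client would fetch on render, flags 1x1 images as likely tracking pixels, and rewrites the HTML so nothing is fetched unless the user opts in. The sample message, the `example.com` hostnames and the `data-blocked-*` attribute convention are all constructed for the demonstration.

```python
"""
Added example (not from the article or from Apple): find remote content in an
email that a mail client would fetch on render, and neutralise it. Sample
message and hostnames are constructed placeholders.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

REMOTE_SCHEMES = {"http", "https"}
_CSS_URL = re.compile(r'url\(\s*["\']?https?:', re.IGNORECASE)


class RemoteRefFinder(HTMLParser):
    """Collect attributes that point at http(s) resources. A 0- or 1-pixel
    <img> is flagged as a likely tracking pixel."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr in ("src", "background", "poster"):
            url = attrs.get(attr)
            if url and urlsplit(url).scheme in REMOTE_SCHEMES:
                tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
                self.refs.append({"tag": tag, "attr": attr, "url": url,
                                  "tracking_pixel": tag == "img" and tiny})
        style = attrs.get("style")
        if style and _CSS_URL.search(style):  # CSS background images also trigger a fetch
            self.refs.append({"tag": tag, "attr": "style", "url": style,
                              "tracking_pixel": False})


def find_remote_refs(html):
    finder = RemoteRefFinder()
    finder.feed(html)
    return finder.refs


def audit_message(raw_message):
    """Walk every text/html part of an RFC 5322 message and list remote refs."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    refs = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            refs.extend(find_remote_refs(part.get_content()))
    return refs


# Rewrite src="https://..." to data-blocked-src="https://..." (a hypothetical
# convention so a client could offer "load remote content" later) and blank
# out CSS url(https://...).
_REMOTE_ATTR = re.compile(r'\b(src|background|poster)(\s*=\s*)(["\'])(https?:[^"\']*)\3',
                          re.IGNORECASE)
_REMOTE_CSS = re.compile(r'url\(\s*(["\']?)https?:[^)"\']*\1\s*\)', re.IGNORECASE)


def sanitize_html(html):
    html = _REMOTE_ATTR.sub(
        lambda m: f"data-blocked-{m.group(1)}{m.group(2)}{m.group(3)}{m.group(4)}{m.group(3)}",
        html)
    return _REMOTE_CSS.sub("url(about:blank)", html)


# Constructed sample: a 1x1 tracking pixel, a real banner, an inline (cid:)
# logo that needs no network access, and a CSS background image.
SAMPLE_HTML = """<html><body>
<p>Hello!</p>
<img src="https://track.example.com/open?uid=abc123" width="1" height="1">
<img src="https://cdn.example.com/banner.png" width="600" height="200">
<img src="cid:logo@example.com">
<div style="background:url(https://track.example.com/bg.gif)">Offers</div>
</body></html>
"""
SAMPLE_EMAIL = (
    "From: newsletter@example.com\nTo: user@example.net\n"
    "Subject: Weekly offers\nContent-Type: text/html; charset=\"utf-8\"\n\n"
    + SAMPLE_HTML
)

if __name__ == "__main__":
    for ref in audit_message(SAMPLE_EMAIL):
        flag = "TRACKING PIXEL" if ref["tracking_pixel"] else "remote"
        print(f"{flag:15} <{ref['tag']} {ref['attr']}> {ref['url']}")
    print(sanitize_html(SAMPLE_HTML))
```

The inline `cid:` image is left alone because it is carried inside the message and costs no network request; only `http(s)` references reveal anything to the sender. Running the sanitised HTML back through `find_remote_refs` returning an empty list is the check that nothing will be fetched.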
The Apple Watch Mail app fails to use it
Once enabled, the feature works with the Apple Mail app on the iPhone. However, it does not apply if you view emails – or even previews of them – on your Watch. The omission was discovered by Mysk.
He was able to demonstrate this by hosting an image on his own server, embedding it into an email, and then sending it. He then checked the IP address that downloaded the image and found that it was the real IP address of the Watch, not the proxy one which ought to be used with the privacy feature enabled.
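The check described above comes down to reading the web server's access log for the hosted image and comparing the requesting address with the device's own public address. The script below is an added example, not the researcher's tooling: it replays that comparison offline over a constructed log excerpt in the common "combined" format. A fetch from the device's own address is reported as a leak; any other source is assumed to be the relay (a real audit would compare against the known proxy egress ranges, which this page does not list). All addresses are from the RFC 5737 documentation ranges and the log lines, user agents and pixel path are constructed.

```python
"""
Added example, not the researcher's own tooling: classify access-log entries
for a hosted test image by whether the fetch came from the device's real
public address. Addresses and log lines are constructed.
"""
import re
from ipaddress import ip_address

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed: the device's real public address (as seen from the same
# network by any "what is my IP" service) and the path of the test image
# embedded in the message.
DEVICE_PUBLIC_IP = "203.0.113.45"
PIXEL_PATH = "/pixel.gif"

# Constructed access-log excerpt: one unrelated request, one fetch straight
# from the device, one fetch arriving from a different address.
SAMPLE_LOG = """\
203.0.113.45 - - [15/Nov/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.45 - - [15/Nov/2021:10:01:02 +0000] "GET /pixel.gif?uid=abc123 HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Watch)"
198.51.100.7 - - [15/Nov/2021:10:01:05 +0000] "GET /pixel.gif?uid=abc123 HTTP/1.1" 200 43 "-" "Mozilla/5.0 (iPhone)"
"""


def parse_log(text):
    """Yield parsed combined-format entries; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def classify_pixel_fetches(log_text, pixel_path=PIXEL_PATH, device_ip=DEVICE_PUBLIC_IP):
    """One record per fetch of the test image, with a verdict:
    LEAK    - request came from the device's own public address
    PROXIED - request came from elsewhere (assumed to be the relay)
    """
    device = ip_address(device_ip)
    results = []
    for entry in parse_log(log_text):
        path = entry["path"].split("?", 1)[0]  # ignore the per-recipient token
        if path != pixel_path:
            continue
        src = ip_address(entry["ip"])
        results.append({
            "ip": str(src),
            "when": entry["ts"],
            "user_agent": entry["ua"],
            "verdict": "LEAK" if src == device else "PROXIED",
        })
    return results


def summarize(results):
    """Count verdicts so one number answers 'did anything leak?'."""
    summary = {"LEAK": 0, "PROXIED": 0}
    for r in results:
        summary[r["verdict"]] += 1
    return summary


if __name__ == "__main__":
    fetches = classify_pixel_fetches(SAMPLE_LOG)
    for f in fetches:
        print(f"{f['verdict']:8} {f['ip']:15} {f['when']}  {f['user_agent']}")
    print(summarize(fetches))
```

The user agent is kept in each record because, as the tweet below points out, the notification preview and the Mail app are separate code paths; seeing which client string accompanies a leaking fetch tells you which path to report.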
Heads-up: The mail privacy protection introduced in iOS 15 doesn’t apply to the Mail app on the Apple Watch. Both the Mail app and the notification preview on the Apple Watch download remote content using your real IP address. #Cybersecurity #iOS pic.twitter.com/o0lh9rPQTd
— Mysk 🇨🇦🇩🇪 (@mysk_co) November 15, 2021