The Apple Mail app on the most recent Macs appears to be storing copies of encrypted emails in plaintext, an Apple IT specialist found. There is a way to turn this off, temporarily.
Apple’s voice assistant Siri can look at information stored on the machine and things the user has done in the past to make tailored suggestions. The suggestions feature is possible because the operating system collects information from various Apple applications, such as Spotlight, Mail, and Messages, and stores them in special database files. The information is used for things like news personalization and Siri recommendations.
One such database file contains copies of emails sent by Apple Mail, including encrypted messages, Bob Gendler, an Apple IT specialist, wrote on Medium last week. He could read S/MIME encrypted emails sent using Apple Mail in the snippets.db database file without needing his private key to first decrypt the message.
"Secret or top-secret information, which was sent encrypted, would be exposed via this process and database, as would trade secrets and proprietary data," Gendler said.
An app storing copies of encrypted data as plaintext is problematic, but proper framing is still important. In this case, several things have to be true for the issue to be a problem: the Mac user has to be using Apple Mail to send encrypted emails, and also not using FileVault to encrypt the entire system.
This issue affects just a small segment of Mac users.
Add in the fact that someone interested in those plaintext copies will still need a way to access system files on the machine and the risk seems less immediate.
This may be why Apple hasn’t pushed out a fix yet, despite having known about the issue since July and having rolled out several operating system updates since then. Apple told The Verge the fix will be in a future software update—but did not provide any other details.
Even so, this feels like an unforced error by Apple, the company that has staked out a reputation for itself as the tech company that cares the most about user privacy. If nothing else, providing the temporary workaround sooner would have been helpful.
“It brings up the question of what else is tracked and potentially improperly stored without you realizing it,” Gendler said.
Another database file, entities.db, contained contacts information such as names, emails, and phone numbers that were collected from email messages—such as signature blocks and forward blocks.
The presence of an automatically built addressbook “could be touchy, as it may allow quick and easy access to some potentially sensitive information,” Gendler said.
It doesn’t matter if Siri is not enabled on the machine. The machine is still collecting the information so that if Siri ever gets enabled, the reference data is ready to go. This is counterintuitive—it is reasonable to expect that disabling Siri would disable data collection for Siri. Gendler said he observed this behavior on the four most recent Mac releases—Catalina, Mojave, High Sierra, and Sierra.
"This is a big deal for governments, corporations and regular people who use encrypted email and expect the contents to be protected," Gendler wrote.
Apple also told The Verge that only portions of emails are stored, but that itself isn’t very reassuring. The copying defeats the purpose of utilizing and sending an encrypted message in the first place.
Gendler was unable to confirm whether information from these database files is sent to iCloud if users have both iCloud and Siri enabled.
Apple provided Gendler with a workaround earlier this month, stating that it was possible to tell Siri to not learn from specific apps. That setting is under System Preferences > Siri > Siri Suggestions & Privacy > Mail. Toggling off Learn from this App will ensure that Siri will not be making copies of messages sent by Apple Mail.
Fixing it checkbox by checkbox is not scalable for administrators managing a fleet of Macs. A future update could also potentially re-enable the feature. Gendler created a configuration script to "permanently disable" the feature.
“For an operating system that you generally have to change controls to make it less secure, this is a setting that requires you to set to make it more secure and behave correctly,” Gendler said.
Disabling the learning setting just prevents new messages from being added to the database file. To remove older messages that have already been collected, users will need to delete the snippets.db file from
Gendler noted that there are some protections in place so that the information is not completely exposed, such as turning on FileVault to encrypt everything on the disk. System Integrity Protection is enabled by default, so scripts such as bash and python can't be used to access the contents of the database files.
"So there are protections in place and even a way to stop it, but it’s still an incorrect behavior because even with Siri enabled or disabled it should not be storing encrypted messages completely unencrypted," Gendler said.
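One way to verify the behaviour described above on your own machine, as an added example that is not Gendler's script or Apple's code: send yourself an S/MIME-encrypted message containing a unique canary string, then scan the Suggestions database for that string. The database path and its schema are assumptions, so the scan walks every table and column; the sample database the demo builds is constructed for offline use.

```python
"""Scan a macOS Suggestions database (e.g. snippets.db) for a plaintext
fragment of a message that was sent encrypted.

Added example, not Gendler's script. The schema of snippets.db is not
documented here, so every user table and every column is searched."""
import os
import sqlite3
import tempfile


def column_names(conn, table):
    # PRAGMA table_info rows are (cid, name, type, notnull, dflt_value, pk)
    return [row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')]


def find_canary(db_path, canary):
    """Return (table, column, rowid) tuples for every cell containing
    `canary`. The file is opened read-only so the scan cannot alter it."""
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    hits = []
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            for col in column_names(conn, table):
                # CAST covers BLOB columns; instr() is a substring match.
                query = (f'SELECT rowid FROM "{table}" '
                         f'WHERE instr(CAST("{col}" AS TEXT), ?) > 0')
                try:
                    rows = conn.execute(query, (canary,)).fetchall()
                except sqlite3.OperationalError:
                    continue  # e.g. WITHOUT ROWID tables; skip them
                hits.extend((table, col, rowid) for (rowid,) in rows)
    finally:
        conn.close()
    return hits


def demo(canary="CANARY-7f3a"):
    """Build a constructed stand-in for snippets.db (the real layout is
    unknown) with one leaked message fragment, then scan it."""
    path = os.path.join(tempfile.mkdtemp(), "snippets.db")
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE snippets (id INTEGER PRIMARY KEY, subject TEXT, body TEXT)")
    conn.execute("INSERT INTO snippets VALUES (1, 'Q3 plan', 'Confidential: ' || ?)", (canary,))
    conn.execute("INSERT INTO snippets VALUES (2, 'Lunch', 'Noon?')")
    conn.execute("CREATE TABLE entities (name TEXT, email TEXT)")
    conn.execute("INSERT INTO entities VALUES ('Bob', 'bob@example.test')")
    conn.commit()
    conn.close()
    return find_canary(path, canary)
```

Run the scan before and after deleting snippets.db (and after toggling off Learn from this App) to confirm that both the old copies and new ones are gone.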