Update 2: The security researcher who discovered the privacy failure reports that Apple has now fixed it.
Since iOS 15.4 and watchOS 8.5, the Mail app on the watch no longer discloses the IP address when downloading remote content. Remote content is blocked on the watch even when Mail Privacy Protection is enabled…
Update: The same team has now discovered that the Apple Watch also doesn’t use iCloud Private Relay.
If you open links sent to you via iMessage on the Apple Watch, your real IP address will be exposed.
A developer and security researcher has discovered that the official Apple Watch Mail app fails to use the company’s Mail Privacy Protection feature…
The feature was introduced as part of iOS 15 and was touted by Apple as offering three forms of privacy protection.
About Mail Privacy Protection
Apple says the feature protects your location, prevents tracking, and prevents marketers from seeing whether or not you’ve opened an email.
Emails you receive may include hidden pixels that allow the sender of the email to obtain information about you. As soon as you open an email, information about your Mail activity may be collected by the sender with no transparency and no ability to control what information is shared. Email senders can find out when and how many times you opened their email, whether you forwarded the email, your Internet Protocol (IP) address, and other data that can be used to create a profile of your behavior and know your location.
If you choose to turn it on, Email Privacy Protection helps protect your privacy by preventing email senders, including Apple, from obtaining information about your email activity. When you receive an email in the Mail app, rather than downloading remote content when you open an email, Mail Privacy Protection by default downloads remote content in the background, regardless of how you interact with email. Apple does not learn any information about the content.
Additionally, all remote content downloaded by Mail is routed through multiple proxy servers, preventing the sender from knowing your IP address. Rather than sharing your IP address, which may let the sender of the email know your location, Apple’s proxy network will randomly assign an IP address that only matches the region your device is located in. Therefore, email senders will only receive generic information rather than information about your behavior. Apple does not access your IP address.
The feature is enabled in Settings > Mail > Privacy Protection.
Apple Watch Mail app fails to use it
Once enabled, the feature works with the Apple Mail app on the iPhone. However, it does not apply if you view emails – or even previews of them – on your watch. The omission was discovered by Mysk.
He was able to demonstrate this by hosting an image on his own server, embedding it in an email, and then sending it. He then checked the IP address that requested the image and discovered that it was the watch’s real IP address, not the proxy one that should be used with the privacy feature enabled.
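The check described above can be repeated against your own devices by reading the web server's access log for the test image. The following is an added example, not the researcher's code: it assumes the server writes Combined Log Format, and the image path, log lines and IP ranges (reserved documentation ranges) are constructed for illustration.

```python
import ipaddress
import re

# Combined Log Format: client IP, identity, user, [timestamp], "request", status, size, "referer", "user agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<ua>[^"]*)")?'
)

# Constructed sample: one fetch from an unrelated address (as a proxy would appear),
# one from the tester's own network, one unrelated request, one unparseable line.
SAMPLE_LOG = [
    '198.51.100.23 - - [10/Mar/2022:09:14:02 +0000] "GET /px/canary-01.png HTTP/1.1" 200 68 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [10/Mar/2022:09:15:40 +0000] "GET /px/canary-01.png?m=1 HTTP/1.1" 200 68 "-" "Mail/1.0"',
    '203.0.113.77 - - [10/Mar/2022:09:16:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'malformed line',
]

def audit_canary_fetches(log_lines, canary_path, own_networks):
    """Return one finding per fetch of canary_path; 'leaked' is True when the
    request came from one of the tester's own networks instead of a proxy."""
    nets = [ipaddress.ip_network(n) for n in own_networks]
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if m["path"].split("?", 1)[0] != canary_path:
            continue  # ignore requests for anything other than the test image
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # client field was a hostname or garbage
        findings.append({
            "ip": str(ip),
            "time": m["ts"],
            "user_agent": m["ua"],
            "leaked": any(ip in net for net in nets),
        })
    return findings

if __name__ == "__main__":
    for f in audit_canary_fetches(SAMPLE_LOG, "/px/canary-01.png", ["203.0.113.0/24"]):
        verdict = "REAL IP EXPOSED" if f["leaked"] else "not from own network"
        print(f'{f["time"]}  {f["ip"]:<15}  {verdict}  ({f["user_agent"]})')
```

Use a unique image path per device and mail client so each fetch in the log can be attributed to the app that made it.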