Apple to Fix macOS Email Encryption

macOS stores unencrypted copies of encrypted mail in a local database. This could allow malicious users to view encrypted emails.

By Chand Bellur

November 12, 2019 at 4:04 p.m. PDT

Database Used By Siri Stores Unencrypted Email

Operating systems are extremely complicated these days. Loaded with features, they make it difficult for any one engineer to see the forest for the trees. Recently, IT expert Bob Gendler discovered a flaw in Apple Mail for macOS that could expose encrypted email.

The vulnerability centers on Siri’s database, which is used to offer suggestions and learn about the user. A temporary database file, snippets.db, contains unencrypted excerpts of emails. These excerpts come from messages that were originally encrypted, but they are copied to snippets.db without encryption.

Difficult Security Vulnerability to Exploit

Needless to say, this is an extremely difficult security flaw to exploit. Unless you have opted out of default macOS security, it’s unlikely that a remote attacker can read your emails. Someone with physical access to your machine could possibly read small portions of your emails, but this is unlikely.

How to Secure Your Encrypted Email

If you’re concerned about email encryption, there are a few measures you can take to tighten security. First, you can encrypt your entire system with FileVault. Many macOS users have already done this. This will ensure that only the operating system can read stored data.

You can also prevent Siri from reading your emails, which will stop them from being copied to snippets.db. Click on System Preferences > Siri > Siri Suggestions & Privacy > Mail and switch off “Learn from this App”. This will prevent anyone from reading your encrypted email, for the small cost of Siri being less familiar with your life.

Apple Will Fix Email Encryption in Future Update

Apple has known about this issue for several months, but has done nothing about it. Update after update neglects the issue, for good reason — it’s not severe. It’s extremely difficult for anyone to read encrypted emails on macOS. At best, they will only get bits and pieces.

Nonetheless, Apple has pledged to fix this issue in a future release. There’s no word as to when it will be fixed.

