Following the publication of an NPR article detailing the security of major email services, Apple has informed the network that it is working on an update to its iCloud Mail service that encrypts emails in transit from other providers. Right now, iCloud emails are encrypted in transit only when sent from one iCloud email account to another; an email sent from iCloud to Gmail or Yahoo, for example, or vice versa, is not currently encrypted. This is what will change:
Apple encrypts e-mail from its customers to iCloud. However, Apple is one of the few global email providers based in the U.S. that is not encrypting any of its customers’ email in transit between providers. After we published, the company told us this would soon change. This affects users of me.com and mac.com email addresses.
The enhancement will come into effect “soon,” but Apple is not more specific than that on the timeframe. While the quote above oddly does not specify icloud.com addresses, that newer Apple email domain likely falls into the same category as me.com and mac.com. The lack of in-transit encryption between iCloud Mail and Gmail, for example, is shown on Google’s data protection transparency website:
The chart indicates that only inbound emails are encrypted; outbound emails via iCloud are not. It is likely that Apple will need to work with Gmail and other email providers to provide complete in-transit email encryption. Apple currently provides end-to-end encryption for services such as iMessage and FaceTime, and the Electronic Frontier Foundation has even lauded Apple with 5 out of 5 stars for its customer online data protection.
Apple has published transparency reports indicating the security of its iOS and OS X operating systems and various cloud services. These reports have come in response to government surveillance allegations over the past year. Apple also details specifics about its strong iCloud encryption offerings on its support website:
NPR, however, also notes that Apple has some work to do on encrypting some of its other cloud-based services, but these lapses in security are not nearly as severe as the lack of in-transit iCloud email encryption between providers:
We found that many app installations and iOS updates are sent unencrypted to iPhones. The configuration files that let your telecom company control aspects of how your iPhone works are also unencrypted. Apple says these updates are authenticated and can’t be changed. All pre-login browsing/shopping traffic from the Apple Store is unencrypted, including all HTML content, images, etc. So if you are a huge Abba fan the NSA could find out.
Later this year, Apple will be rolling out OS X 10.10 Yosemite and iOS 8 with further security improvements for both consumers and enterprise users. iOS 8 will include Touch ID enhancements for developers while Yosemite will include a new Mail Drop feature for encrypting email attachments up to 5GB in size via iCloud. We have reached out to Apple for more clarity on the future iCloud email encryption improvements.