Siri Stores Encrypted E-mails in Plain Text
The snippets.db database is storing encrypted Apple Mail messages…completely, totally, fully — UNENCRYPTED — readable, even with Siri disabled, without requiring the private key. Most would assume that disabling Siri would stop macOS from collecting information on the user. This is a big deal. This is a big deal for governments, corporations and regular people who use encrypted email and expect the contents to be protected. Secret or top-secret information, which was sent encrypted, would be exposed via this process and database, as would trade secrets and proprietary data.
[…]
Another database, entities.db, stores records of people’s names, email, and phone numbers you’ve corresponded with. Although the phone number may not be in your contact list, data from emails such as signature blocks and forward information are stored. It’s like an address book built for you. This could be touchy, as it may allow quick and easy access to some potentially sensitive information.
[…]
For a company that prides itself on security and privacy, the lack of attention to detail on an issue like this completely and totally surprises me. […] I also have to wonder why it took 99 days for someone to know the answer on how to prevent this. All parties at Apple were alerted multiple times before writing this blog and giving an ample amount of time before I published this.
You can prevent it by going into the Siri settings and unchecking Mail. This does not remove e-mails that have already been stored in the database.
The Suggestions folder is protected from apps that haven’t been given permission, but the data is unencrypted on disk if you aren’t using FileVault.
Update (2019-11-08): Jay Peters:
Apple tells The Verge it’s aware of the issue and says it will address it in a future software update. The company also says that only portions of emails are stored. But the fact that Apple is still somehow leaving parts of encrypted emails out in the open, when they’re explicitly supposed to be encrypted, obviously isn’t good.
Update (2020-02-06): Juli Clover:
Apple in macOS 10.15.3 quietly addressed a bug that left some of the text of encrypted emails unencrypted, reports The Verge.
See also: macOS 10.15.3.
4 Comments
And on T2-equipped Macs the SSD is always encrypted, even if FileVault is off: https://support.apple.com/en-us/HT208344
This is obviously concerning. I assume this is not so much a case of oversight as it is of the solution being non-trivial: the entire point of these databases is presumably to fetch data faster than regular Spotlight can, and having decryption mechanisms hook into that first would run counter to this. So my guess is they knew internally they had a weakness, but weren’t willing to delay the entire Siri feature for that edge case (unfortunately, encrypted e-mail is still very rare, even in corporate environments, at least here in Germany). And then they weren’t willing to communicate that trade-off decision in their communication with Bob.
That’s no excuse at all, to be clear.
A few things I’m confused about.
iOS has had mechanisms where portions of the file system can be encrypted on an app level, no? Does macOS still lack this entirely?
Another really stupid question: the implication from the article seemed to be that this has all mails. But the entire Suggestions folder is just 115 MiB here, and snippets.db is just 1.2 MiB. My Mail folder contains gigabytes.
So, is this… particularly recent mails? Interesting mails? Frequently opened mails?
@Sören If it were a known issue, you’d think they would have Siri obey the preference to not search encrypted e-mails. If I don’t want the content in Spotlight, why would I want it in Siri?
Yes, I don’t think macOS can do per-app encryption.
That’s a good question. Maybe it is only pulling out certain content like names?
If it were a known issue, you’d think they would have Siri obey the preference to not search encrypted e-mails. If I don’t want the content in Spotlight, why would I want it in Siri?
Right. I’m saying they seem to be sweeping the issue under the rug.
Maybe it is only pulling out certain content like names?
Yeah, something like that.