watchOS 8.5 fixes a loophole in the Mail app that could reveal a user's IP address when downloading content remotely, security researchers have discovered.
Last year, it emerged that Apple's Mail Privacy Protection feature was undermined by its lack of Apple Watch support. Mail Privacy Protection was a new feature introduced with iOS 15, iPadOS 15, and macOS Monterey. It hides your IP address so senders are unable to determine your location or link your email habits to your other online activity. It also prevents senders from tracking whether you've opened an email, how many times you've viewed it, and whether you've forwarded it. The feature works by routing all content downloaded by the Mail app through multiple proxy servers to filter out your IP address. It then assigns a random IP address that matches your general region, so email senders see general rather than specific information about you.
More data protection for users
Apple's legal documentation on Mail Privacy Protection states that the feature is only available for iPhone, iPad, and Mac. However, security researchers and developers Talal Haj Bakry and Tommy Mysk found that the Apple Watch does not hide the recipient's IP address, and thus can compromise the overall security of Mail Privacy Protection. The Apple Watch downloads remote content, such as images, using the recipient's real IP address, both when receiving a Mail notification and when opening an email, meaning even users who had Mail Privacy Protection enabled on their iPhone can have their IP address exposed. Although Mail Privacy Protection is a feature unique to iOS 15, iPadOS 15, and macOS Monterey, it seemed to be an oversight that receiving a Mail notification on the Apple Watch could reveal a user's IP address and bypass Mail Privacy Protection on other devices.
watchOS 8.5: Apple did not communicate the adjustment
Now Bakry and Mysk have found outthat Apple has fixed the issue in watchOS 8.5. Starting with watchOS 8.5, Apple Watch will automatically block remote content loading and offer the option to "load content directly" instead. Users can also choose to "always load content directly" for all new emails or "load content" for each individual email. This improvement was not mentioned in the watchOS 8.5 release notes. watchOS 8.5 was released to all users yesterday. The update brings a number of other improvements, such as irregular heart rhythm notifications designed to improve atrial fibrillation detection, audio cues in Apple Fitness+ workouts, the ability to authorize Apple TV purchases and subscriptions, and the ability to restore an Apple Watch using an iPhone. (Photo by Brandon Romanchuk / Bigstockphoto)
