watchOS 8.5 fixes a security vulnerability in the Mail app that could leak a user's IP address when downloading remote content, security researchers have found.
Last year, it emerged that Apple's Mail Privacy Protection feature was undermined by a lack of Apple Watch support. Mail Privacy Protection was a new feature introduced with iOS 15, iPadOS 15, and macOS Monterey that hides your IP address so senders are not able to determine your location or link email habits to your other online activity. It also prevents senders from tracking whether you opened an email, how many times you viewed an email, and whether you forwarded the email.
The feature works by routing all content downloaded by the Mail app through multiple proxy servers to strip your IP address, and then it assigns a random IP address that corresponds to your general region, making email senders see generic information rather than specific information about you.
Apple's legal documentation on Mail Privacy Protection indicates that the feature is available for iPhone, iPad, and Mac only, but security researchers and developers Talal Haj Bakry and Tommy Mysk discovered that since the Apple Watch does not hide a recipient's IP address, it can compromise the overall security provided by Mail Privacy Protection.
The Apple Watch downloads remote content, such as images, using the recipient's real IP address, both when receiving a Mail notification and when opening an email, meaning that even for users who had enabled Mail Privacy Protection on their iPhone, their IP address can be exposed.
While Mail Privacy Protection is a feature exclusive to iOS 15, iPadOS 15, and macOS Monterey, the fact that simply receiving a Mail notification on the Apple Watch could reveal a user's IP address and bypass Mail Privacy Protection on other devices seemed to be an oversight. Now, Bakry and Mysk have found that Apple has fixed the issue in watchOS 8.5.
Good news: As of iOS 15.4 and watchOS 8.5 the Mail app on the watch no longer leaks the IP address when downloading remote content. Remote content is blocked on the watch even when Mail Privacy Protection is on. Now you get this prompt: https://t.co/Ocs0iXt4YM pic.twitter.com/Yea2fQxWlO— Mysk 🇨🇦🇩🇪 (@mysk_co) March 14, 2022
As of watchOS 8.5, loading remote content is automatically blocked on the Apple Watch, and instead provides an option to "Load Content Directly." Users can also select "Always Load Content Directly" for all new emails or "Ask to Load Content" on a per-email basis. The improvement was not included in watchOS 8.5's release notes.
watchOS 8.5 was released to the public yesterday and the update brings a number of other improvements, including updates to irregular heart rhythm notifications designed to improve atrial fibrillation identification, audio hints in Apple Fitness+ workouts, the ability to authorize Apple TV purchases and subscriptions, and the ability to restore an Apple Watch using an iPhone.