Apple Mail Encryption bug fixed.

Bob Gendler
Feb 4, 2020

10.15.3 update no longer stores encrypted emails, unencrypted!

The Apple Mail S/MIME encryption bug I blogged about back in November has been solved by the 10.15.3 update for Catalina that was released on January 28th!

I participate in the Appleseed Beta program and regularly test early releases of updates. I was very pleased to see in the release notes as betas were released for 10.15.3 that encrypted emails will no longer appear in Spotlight searches. I was also contacted by AppleCare Enterprise Support around the same time about the upcoming fix. In less than 90 days from my previous blog post, the public release of 10.15.3 solves the email encryption bug.

So now when suggestd comes across an S/MIME encrypted message it deletes it from the information it is ingesting.

log stream --predicate '(subsystem == "com.apple.suggestions")'

As shown in the above screenshot at the highlighted line, suggestd comes across an encrypted message, marking it for deletion. Then 2 lines later in the log stream, the message is deleted from the data it has ingested. It’s no longer saved in the snippets.db database file. I’ve done extensive testing with 10.15.3 to validate this; however, I cannot speak for the security updates released at the same time for previous macOS versions. To my knowledge, these updates for High Sierra and Mojave only dealt with the CVEs listed in their release notes.

If you’re very conscious and concerned about data collection, you may still want to disable Siri Suggestions. Or, if you’re on Sierra, High Sierra, or Mojave, disabling Siri Suggestions would be the way to stop encrypted messages from being ingested and stored in the snippets.db database file. However, features may suffer, so be warned your experience may differ. Below is a configuration profile that can be implemented to disable Siri Suggestions for Apple Mail which would stop all mail from being ingested by Siri Suggestions.

Configuration Profile to disable Siri Suggestions for Apple Mail.

You can edit the above profile to include other 3rd party non-Apple applications that suggestd can learn from. To see the full list of applications, open System Preferences → Siri → Siri Suggestions & Privacy. Some of mine are the Twitter and Microsoft Remote Desktop applications; you may have others. Once you block an application in the system preference, you can run the following command in the Terminal to see the preference domains to add to your profile to block suggestd from learning from them.

defaults read com.apple.suggestions SiriCanLearnFromAppBlacklist

Below is an example of blacklisting ALL Apple applications available.

<key>SiriCanLearnFromAppBlacklist</key>
<array>
<string>com.apple.mail</string>
<string>com.apple.AddressBook</string>
<string>com.apple.iCal</string>
<string>com.apple.FaceTime</string>
<string>com.apple.Maps</string>
<string>com.apple.iChat</string>
<string>com.apple.news</string>
<string>com.apple.Notes</string>
<string>com.apple.Photos</string>
<string>com.apple.podcasts</string>
<string>com.apple.reminders</string>
<string>com.apple.Safari</string>
</array>
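One way to generate such a profile from a list of bundle identifiers and to audit what a given profile blocks (an added example, not the author's profile or Apple's code). It assumes the standard custom-settings payload layout (`com.apple.ManagedClient.preferences` with `Forced` / `mcx_preference_settings`); the `com.example` identifier prefix and display name are hypothetical placeholders.

```python
import plistlib
import re
import uuid

DOMAIN = "com.apple.suggestions"       # preference domain from the page
KEY = "SiriCanLearnFromAppBlacklist"   # key from the page
ID_PREFIX = "com.example.siri-suggestions-blocklist"  # hypothetical identifier
BUNDLE_ID = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def _stable_uuid(name):
    # Deterministic, so rebuilding the same profile yields identical output.
    return str(uuid.uuid5(uuid.NAMESPACE_DNS, name)).upper()


def build_profile(bundle_ids):
    """Return .mobileconfig bytes forcing KEY in DOMAIN to the given apps."""
    ids = sorted({b.strip() for b in bundle_ids})
    bad = [b for b in ids if not BUNDLE_ID.fullmatch(b)]
    if bad or not ids:
        # Reject malformed entries (stray spaces, empty strings) up front.
        raise ValueError(f"invalid or empty bundle identifier list: {bad}")
    settings = {
        "PayloadType": "com.apple.ManagedClient.preferences",
        "PayloadVersion": 1,
        "PayloadIdentifier": ID_PREFIX + ".settings",
        "PayloadUUID": _stable_uuid(ID_PREFIX + ".settings"),
        "PayloadContent": {
            DOMAIN: {"Forced": [{"mcx_preference_settings": {KEY: ids}}]}
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadDisplayName": "Siri Suggestions learning blocklist",
        "PayloadIdentifier": ID_PREFIX,
        "PayloadUUID": _stable_uuid(ID_PREFIX),
        "PayloadContent": [settings],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def blocked_apps(profile_bytes):
    """Audit helper: list the apps a profile stops suggestd learning from."""
    found = []
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        forced = payload.get("PayloadContent", {}).get(DOMAIN, {}).get("Forced", [])
        for entry in forced:
            found.extend(entry.get("mcx_preference_settings", {}).get(KEY, []))
    return sorted(found)


if __name__ == "__main__":
    print(build_profile(["com.apple.mail"]).decode())
```

Running `blocked_apps` over a deployed profile confirms that `com.apple.mail` is actually present before relying on it on Sierra, High Sierra, or Mojave.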

On macOS Catalina 10.15.3, whether you are a government customer, enterprise customer, or personal home user, there is no longer any concern that your potentially sensitive and important encrypted mail is stored with less protection, even if Siri and Siri Suggestions are enabled.

I want to thank the Apple systems engineers, AppleCare team and all of those who made this a priority to fix. Although this bug likely affected a very small percentage of users, to see it resolved is very rewarding and pretty amazing. Thank you, Apple!

These views are my own and not the views of my employer. If you have any questions or want more information on this, feel free to contact me on the MacAdmins Slack (boberito), LinkedIn (linkedin.com/in/bob-gendler-8702014) or email (bobgendler@gmail.com).
