
davidg4781

Original poster
I'm doing some security training for work and they mention using Apple Mail (and others) for your work email can lead to security risks due to lack of enterprise-grade protection. They suggest using Outlook Mobile.

Any thoughts behind this? I had a coworker tell me the same a few weeks ago (guessing they took this training).
 
Apple Mail is just a basic email client. It doesn't support security policies and restrictions that companies can apply to your email account in Outlook if they're using Exchange.

As a few examples, they could:
  • Require Face ID / PIN when using Outlook
  • Prevent screenshots
  • Blur/block Outlook's screen in the App Switcher (so someone can't see the last email you were reading)
Another example is with contacts. If you use Apple Mail, you're also likely to sync your company's contact directory as well, which gets synced to the Contacts app. Other apps you've given access to Contacts will then be able to see them. So if you had a bad app installed that you've given access to Contacts, they could potentially get the contact details of your coworkers and socially hack them or the company. With the Outlook app, contacts stay local to that app and can't be seen by other apps.

Companies may also have access to wipe their data on your device in the event you get terminated or lose your phone. If you use Mail, the whole phone gets wiped. If you use Outlook, only the data in the Outlook app gets wiped. This is more BYOD-friendly in that regard.
 
> security risks due to lack of enterprise-grade protection. They suggest using Outlook Mobile.
This is just another classic example of false security perpetrated by Microsoft's B2B marketing. iOS itself already has encryption at rest. Not that it matters because your emails aren't E2E encrypted. Something-something "GPG is for nerds".

Your company will be exploited because they were too busy telling people that Outlook was secure (it's not, email itself is so incredibly insecure it's a joke anyone actually takes this seriously, they'll tell you to just implement a few more obscure protocols instead of just using GPG) instead of telling them not to click links from emails with poor English.
> Require Face ID / PIN when using Outlook
If my phone's already unlocked what's the purpose of an additional speedbump? If your response is "what if you leave your phone unlocked" my response is "what if I leave it unlocked with the mail app already opened?"
> Prevent screenshots
The nefarious person has the capability to take their own phone and take a photo of the screen. The non-nefarious person will do the same and suddenly you'll have confidential information on a personal device.
> Blur/block Outlook's screen in the App Switcher (so someone can't see the last email you were reading)
Again, see above. What's the point of this? To slow me down? Now I can't just reference what I was just looking at, I need to re-enter the app, now it wants Face ID, it fails a few times (because Face ID is infinitely worse than Touch ID) and now you've wasted my time. Meanwhile the CEO is letting a half dozen scammers remote into his PC... (the ironic part here is that the scammers claim they're from Microsoft)
 
From my own experience I can only say, if your business uses Exchange servers for mail, Outlook is light-years ahead of any other mail client I tested. Exchange support - especially in Apple Mail - is abysmal compared to Outlook. Try it, you can always uninstall/delete it if it's not your cup of tea.
 
> If my phone's already unlocked what's the purpose of an additional speedbump? If your response is "what if you leave your phone unlocked" my response is "what if I leave it unlocked with the mail app already opened?"
I'll equate this to Apple's similar "Require Face ID" / "Hide App" feature that was implemented in iOS 18. What if you hand over your phone to a family member or friend so they can look at something, or someone snatches your phone while it was already unlocked? That was supposedly Apple's reasoning for adding that feature.

With Apple's method, you have to set this up yourself; the employer can't enforce this with Mail. With Outlook, they can. Also, the PIN can (and should) be different from your passcode. With Apple's solution, if someone knows your passcode, they can still get into your locked/hidden apps. With Outlook, they cannot (assuming you set the PIN to be different from your passcode).

If you leave your device unlocked with the Mail/Outlook app already opened, then that's on you. If someone snatches your phone while you're reading an email, there's nothing that can be done to prevent that from happening in the first place.

> The nefarious person has the capability to take their own phone and take a photo of the screen. The non-nefarious person will do the same and suddenly you'll have confidential information on a personal device.
Absolutely. Nefarious people will capture the screen other ways. The non-nefarious person may not have another device or camera to capture the screen, but then why would they be doing that anyway if it wasn't for nefarious reasons?

This is more to help contain where company data lives. The non-nefarious person may think there's no harm in taking a screenshot because they want to reference it easier, but now that email/data is in their photo library. Now all other apps that have access to the photo library can see it as well. Maybe they'll share their phone with someone else to look at vacation pictures and forget that email is still in there. Or maybe they'll accidentally select it when uploading/sending/sharing photos somewhere.

> Again, see above. What's the point of this? To slow me down? Now I can't just reference what I was just looking at, I need to re-enter the app, now it wants Face ID, it fails a few times (because Face ID is infinitely worse than Touch ID) and now you've wasted my time. Meanwhile the CEO is letting a half dozen scammers remote into his PC... (the ironic part here is that the scammers claim they're from Microsoft)
Similar to the first example above. Someone else has your phone while it's unlocked for whatever reason. Don't necessarily want to leak confidential information via the last displayed screen in the App Switcher.


You definitely bring up valid points. There will always be a way around things and it will never be 100% foolproof, but that doesn't mean companies shouldn't try to slow or help contain their risks. They should be aware that some of these can impact productivity. It's up to them to find the right balance of policies they want to implement. In my case, I'm not asked for Face ID or my PIN every single time. If I'm working and switching between apps, no Face ID/PIN is needed. If I've been idle for a while, then it's needed again.
 
All email, unless using something like a private encryption key using PGP et al, is just like sending a postcard in the mail.

Everyone from the person taking that postcard and the person sorting it and delivering that to the sender can just flip it over and read it.

Never send anything personal (too), tax returns, medical files, duckpics etc via email.

Every node and service provider that email passes through can read it and potentially copy it. By law US intel can't technically do that anymore, UNLESS it goes via foreign services.

But in any case, treat all email like it's open for the world to see.

As such, Apple Mail is perhaps the best, most secure of all email clients and receives speedier updates than almost anyone else.
 
> I'm doing some security training for work and they mention using Apple Mail (and others) for your work email can lead to security risks due to lack of enterprise-grade protection. They suggest using Outlook Mobile.
>
> Any thoughts behind this? I had a coworker tell me the same a few weeks ago (guessing they took this training).
At least you have a choice. My company uses MS Exchange - they prevent you from using anything other than Outlook for all platforms and forced us to install MS Authenticator. You need to re-authenticate every 24 hours.
 