SecureMac, Inc.

Checklist 256: A Lack of Mail Privacy Protection

November 19, 2021

Mail Privacy Protection on Apple Watch, Apple rolls out PCM for advertisers, and a super-sneaky stolen iPhone scam

Checklist 256: A Lack of Mail Privacy Protection

On this week’s Checklist

Mail Privacy Protection on Apple Watch

If you use Mail on Apple Watch, beware: the new Mail Privacy Protection feature won’t protect your privacy there!

Mail Privacy Protection was introduced in iOS 15. It protects your privacy when you open your emails, because it conceals your real IP address from senders. It does this by assigning you a generic region-based IP address, so that when images and other assets in your emails load, the trackers can’t see exactly where you are.

But as a recent article in Cult of Mac explains, this doesn’t work in the Mail app on Apple Watch:

Apple Watch downloads all remote content, such as images, using your real IP address — even if you have Mail Privacy Protection enabled on iPhone. You don’t even need to open an email for this to happen.

In fairness to Apple, the company never promoted Mail Privacy Protection for Apple Watch. But since Apple Watch users will have a paired iPhone, and that device may have Mail Privacy Protection turned on, there is likely to be a fair number of users who incorrectly assume that they’re protected on Apple Watch as well.

Hopefully Apple will address this in a future watchOS update. But if you’re worried about your Apple Watch compromising your privacy, you can always disable Mail notifications on your device. To do this, open the Watch app on your iPhone and select Mail. Tap Custom and then tap Notifications Off.

Apple throws the advertisers a bone

App Tracking Transparency (ATT) is a new feature introduced by Apple this year. We covered it pretty extensively on Checklist 217: The State of Apple’s App Tracking Transparency. But for those who need a quick refresher, ATT requires apps to obtain a user’s permission before tracking them between apps or across the web.

It’s an obvious win for user privacy. But ATT made life much harder for digital advertisers, who had relied on all that tracking to serve targeted ads to users. It also makes it tough for companies to know if the ads they pay for are actually working!

Apple isn’t going to reverse course on ATT, but they do appreciate the challenges that advertisers are now facing. In an effort to help out a bit, they’re introducing something called Private Click Measurement (PCM) for in-app advertising. 

An article in The Mac Observer describes the feature:

PCM sends attribution reports in Private Browsing without including cookies, and it delays sending the report randomly between 24 and 48 hours. The net result is a report that says “Someone who clicked ad X on website A later converted with value Y on website B.”

In other words, PCM blurs you. Advertisers can get enough insight into user behavior to know that a certain ad resulted in a purchase. But the information provided to advertisers isn’t enough for them to identify which specific user this was, let alone create a marketing profile for them. 

PCM has been part of iOS since the release of iOS 14.5 early in 2021, but up until now it has only worked in the Safari app on iOS. In iOS 15.2, PCM will be extended to apps that use Apple’s in-app Safari browser.

If you want to take a deeper dive into how PCM works, check out Apple’s documentation for developers on the WebKit website. 

Giving the devil his due

We all hate digital scams. But sometimes, you just have to take your hat off to the bad guys and admit that they’ve come up with a really effective one! An iMore piece earlier this week explains that iPhone thieves have found a devious way to get owners of stolen phones to unlock their devices for them.

According to iMore, a user in India was using Find My to locate his stolen iPhone. He discovered that his missing device was offline, and that Find My couldn’t pin down its exact location. So he put his iPhone into Lost Mode, called the police, and blocked his SIM card.

So far, so good. All of the above is exactly what you should do if your iPhone is stolen. Lost Mode is key, since it locks your device and prevents thieves from accessing your data if they turn the device on again.

But here’s where the scam comes in. After a few days, the victim received an SMS text message saying that someone had found his stolen device. The message contained a link that appeared legitimate — it included the words “iCloud” and “Find My”, after all — and that promised to show him the exact location of his missing iPhone. Upon tapping the link, the user was taken to what looked like an Apple login page.

As you can probably guess, neither the link nor the login page were actually from Apple — they were sent by the scammers. When the unfortunate user tried to log in, he handed the thieves his Apple ID and password. A few minutes later, he received an email notification (this one really was from Apple) telling him that his Apple ID had been accessed from a Windows computer. He tried to change his password and remove the Windows computer from his list of trusted devices, but it was too late. His iPhone had already been removed from his Apple ID, and Find My had been turned off.

iMore breaks down how the scam worked on the attackers’ end:

The link was from the person that had the iPhone in their possession and they were able to use the Apple ID credentials to disable Find My on the iPhone. They got [the victim’s] phone number by putting the SIM into a new device and calling themselves. 

There are different bits of advice that we could offer to help you protect yourself from a scam like this. But we’re just going to focus on one. It’s the same one we give when talking about delivery and order scams around the holidays: Always go directly to the source! If you’re attempting to track an iPhone in Lost Mode, don’t bother trying to figure out if that SMS link is really from Apple or not. Instead, just hop on your computer, fire up your favorite web browser, and type in “iCloud.com”. If the text message was legit, then you’ll see what you’re looking for in your account area. If it wasn’t legit, well, you still don’t have your iPhone … but at least the bad guys can’t unlock it!

To keep learning about cybersecurity while you’re waiting for our next podcast, check out The Checklist archives. To suggest a topic for a future show, or ask a question about digital security and privacy, send us an email.

Join our mailing list for the latest security news and deals