The Apple Mail app on macOS stores encrypted emails in plaintext inside a database called snippets.db.
The issue was discovered earlier this year by an Apple IT specialist named Bob Gendler.
The issue is not fixed at the time of writing, although Gendler told the company about it back in July. A fix is coming, according to tech news site The Verge; however, Apple did not provide a timeline.
Apple Mail + Siri = bad
The bug occurs because of a Siri feature that allows Apple’s voice assistant to provide information for contacts, following an owner’s request.
According to Gendler, Siri uses a process called “suggestd” to scrape various apps for contact information. Whatever it finds, it stores inside the snippets.db file, where it keeps the data on hand, in case the user ever wants a contact suggestion.
Over the summer, Gendler discovered that if users had configured Apple Mail to send and receive encrypted email, Siri would collect a plaintext version of the user’s emails, and store them inside this database.
“This is a big deal. This is a big deal for governments, corporations and regular people who use encrypted email and expect the contents to be protected,” Gendler said in a blog post published this week.
“Secret or top-secret information, which was sent encrypted, would be exposed via this process and database, as would trade secrets and proprietary data,” he said.
How to prevent Siri from scraping your emails
Gendler says the issue was present on all macOS versions from Sierra to the latest Catalina.
The Mac IT expert says that disabling Siri doesn’t do anything, as the “suggestd” process keeps scraping emails to have them ready the next time Siri was enabled.
The only way to prevent Siri from scraping encrypted emails is to specifically tell it not to read content from Apple Mail.
“There are 3 ways to disable these processes from learning from Apple Mail,” Gendler said. They are:
1) Go to System Preferences → Siri → Siri Suggestions & Privacy, and then uncheck the box for Apple Mail.
2) Run from the Mac Terminal the following command (as a normal user, no admin access needed):
defaults write com.apple.suggestions SiriCanLearnFromAppBlacklist -array com.apple.mail
3) Deploy a System-Level (for all users) configuration profile to turn off Siri from learning from Apple Mail.
Gendler said the third option is permanent, as a future OS update won’t accidentally re-enable Siri’s email scraping.
A final step, Gendler said, is to remove the snippets.db file. Telling Siri to stop scraping Apple Mail content doesn’t automatically delete this file, so users will need to do it themselves. The file is located in “/Users/(username)/Library/Suggestions/”.