Gmail is finally bringing end-to-end encryption to mobile devices, allowing eligible Google Workspace users to send and read encrypted emails directly on their devices.
Previously, the feature was available only on the web. But it is now available in the Gmail app on Android and iOS.
The update removes much of the friction that has long made encrypted email stressful to use. According to an update from Google Workspace, messages are now encrypted on the sender’s device and handled entirely within the Gmail mobile app. This eliminates the need for third-party tools or separate secure portals, which would complicate the entire process.
How this specific feature works
By default, every email sent from Gmail is encrypted using the Transport Layer Security (TLS) protocol, a standard requirement to prevent unauthorized access in transit.
Another form of email privacy — confidential mode — allows Gmail users to control how their emails are viewed and shared, and to set an expiry date for the email. It simply controls what the email recipient is allowed to do with the email they receive.
However, end-to-end (E2E) encryption, now made available to eligible Gmail mobile users, raises the bar on privacy even further. While standard TLS encryption prevents unauthorized access in transit, Gmail, which holds the decryption key, can view email contents when it reaches its servers to filter spam, among other things.
E2E, as the name implies, adds a stronger boost to available privacy. With this form of encryption, the email is encrypted before it leaves the sender’s device and decrypted only on the receiver’s device, preventing even Google from reading the email in plaintext when it reaches its servers.
Another interesting part of this new feature update is that it allows users to send encrypted messages to anyone, regardless of the recipient’s email address or provider. As a result, Outlook, Yahoo, iCloud, and even Gmail users outside the sender’s workspace environment can receive encrypted emails.
Why end-to-end on Gmail
Organizations across healthcare, finance, and even the military contracting sector handle highly sensitive data daily. Because these industries are highly regulated and must comply with data-use and processing requirements, the need for a highly secure means of communication is high.
While Gmail has supported end-to-end encryption on the web since 2023, the feature has been limited to desktop users until now. That limitation led many organizations to either restrict sensitive email conversations to desktop or, as Google notes, to use third-party apps to provide the same functionality on mobile devices.
In its own words, Google said:
“For the first time, users can compose and read these E2EE messages natively within the Gmail app on Android and iOS. No need to download extra apps or use mail portals.”
By locking users in on both desktop web and mobile, Google is reducing the surface area for security issues introduced by third-party vendors, while making things easier for Workspace users.
Set up and availability for Gmail users
The feature is available only to organizations using Google Workspace Enterprise Plus with the Assured Controls Plus add-on. For users subscribed to other Workspace plans and for personal Gmail users, though they can receive encrypted emails sent from an E2E-enabled address, the feature is not available to them at the moment.
The feature must be enabled by the Workspace admin in the Client Side Encryption (CSE) Admin Interface. Only then can the lock icon be visible to member users, allowing them to use this feature when sending emails from their Android or iOS devices.
Even with the Workspace admin turning on the feature, each member user must enable it on their end. To do that, Google says they need to “click the lock icon and select additional encryption.”
Security and privacy, plus the future potential of Gmail’s end-to-end
Emails have been one of the primary ways for scams and other attacks targeting enterprise users. To that end, Google has taken steps to prevent these incidents and protect its email users from privacy breaches, even if it means losing the ability to decrypt emails on its servers.
One notable update was the introduction of domain verification, which enables enterprise users to verify their domain and instantly distinguish legitimate senders from scammers. While the current rollout of E2E on mobile is for eligible Workspace users, we expect more Workspace plans to adopt it, and potentially personal users as well, in the near future.
Also read: Gmail users in the US can now change their email address without losing old messages, account data, or access to Google services.