Gmail adds E2EE to mobile apps

Most email encryption works like sealing a letter inside the postal system: the message is protected while it travels, but the mail company can still handle parts of it. Gmail’s new mobile change moves the lock onto the sender’s device and keeps the key under the customer’s control. (support.google.com) Google said on April 9, 2026 that people using Gmail on Android and iPhone can now compose and read these locked messages inside the Gmail app itself. Before this update, Gmail’s client-side encryption was mainly a desktop feature. (workspaceupdates.googleblog.com) Google calls the underlying system client-side encryption, which means the email body is encrypted before it is sent to Google’s servers. Google’s help page says the message body, inline images, and attachments get the extra encryption, while the subject line, recipients, and timestamps do not. (support.google.com) That detail matters because this is not “every part of every email is invisible to everyone except two people.” Google still leaves the outer envelope readable so the message can be routed, even while the contents stay locked. (support.google.com) The mobile shift fixes a practical problem, not a theoretical one. Google says users no longer need a separate app or a web portal on their phones, which means an employee can send an encrypted contract or open a protected attachment from the same Gmail app they already use on the train or in an airport. (workspaceupdates.googleblog.com) This is also narrower than it sounds. Google says the rollout is for Google Workspace Enterprise Plus customers with the Assured Controls or Assured Controls Plus add-on, so regular free Gmail accounts are not getting this as a standard feature. (workspaceupdates.googleblog.com) Google has been building toward this in stages. In October 2025, it made it possible for these customers to send end-to-end encrypted Gmail messages to any recipient, even if that person used a different email provider. (workspaceupdates.googleblog.com) If the recipient uses the Gmail app, Google says the encrypted message appears as a normal thread in the inbox. If the recipient does not use the Gmail app, Google says they can open and reply to the message in a browser through a guest flow instead of dealing with certificate exchange or custom software. (workspaceupdates.googleblog.com) The old enterprise way to do secure email often relied on Secure Multipurpose Internet Mail Extensions, which is the certificate-based system known as S/MIME. Google’s help page says customers without Assured Controls may still need that certificate exchange for outside domains, while customers with Assured Controls can skip that setup for this newer flow. (support.google.com) That makes this less a privacy revolution for 2 billion inboxes than a workflow upgrade for companies that already pay for strict compliance tools. The people who benefit first are the ones sending board documents, legal files, health records, or government paperwork from phones that used to be the weak link in the chain. (workspaceupdates.googleblog.com)