Google has made a big step forward by extending end-to-end encryption to Android and iOS devices for Gmail client-side encryption (CSE) users, says an expert.
“All in all, this is a welcome update, especially in light of recent concerns surrounding WhatsApp’s encryption methods,” said Gartner analyst Avivah Litan. “Google’s approach offers verifiable customer-managed keys and ensures the provider does not have access to encrypted content.”
This, she said, addresses allegations raised in the January 2026 lawsuit against Meta regarding their internal access to customer encrypted message data.
Meta has reportedly said the claims are false, and that WhatsApp messages remain protected by default. The suit’s allegations have not been proven in court.
Litan noted that Google’s encryption update is only for organizations subscribing to its Enterprise Plus with Assured Controls edition. Messages and attachments are encrypted directly on-device, with encryption keys managed externally by the customer.
“For CSOs in regulated industries, this development is significant, as it supports secure mobile communication, compliance with regulations such as HIPAA [the U.S. Health Insurance Portability and Accountability Act] and GDPR [the European General Data Protection Regulation], and reduces the risk of plaintext data exposure on mobile devices,” she said. “External recipients retain the ability to reply via a web portal.”
However, Litan added, the capability remains opt-in, requires premium licensing and administrative configuration, and disables several Gmail functions, including AI features and comprehensive search, on encrypted content. But, she pointed out, the limitations are consistent with those in Gmail web and desktop implementations.
It’s also a capability that Microsoft doesn’t provide. A Microsoft spokesperson said in an email that the company doesn’t currently offer end-to-end Outlook encryption on mobile, although messages can be digitally signed and encrypted.
In its April 9 announcement, Google said Workspace users can compose and read end-to-end encrypted messages natively within the Gmail app on Android and iOS without the need to download extra apps or use mail portals. Users with a Gmail E2EE license can send an encrypted message to any recipient, regardless of their email address. If the recipient uses the Gmail app, the encrypted message will be delivered as a normal message thread to their inbox, but if not, they can seamlessly and securely read and reply in their own native browser. This, Google said, ensures that all users have a simple and secure interface, regardless of their email service or device.
Google Workspace admins will need to enable the Android and iOS clients in the CSE admin interface to give users access to the new capability. This can be done in the Admin Console.
End users also need to be taught the new process: To add client-side encryption to any message, they must click the lock icon and select ‘additional encryption’. Then they can compose a message and add attachments as they normally do.
Forrester Research Senior Analyst Andrew Cornwall noted the biggest benefit for enterprises is that Workspace admins or Google can disable the ability to take screenshots and screen recordings when users read an encrypted message in the Gmail app. That will prevent Android and iOS recipients from forwarding a message as an image, he said, noting that Google can also disable screenshots in Android Chrome for business users and presumably will do this when Android users with email programs other than Gmail open a message in a browser.
From a user’s perspective, he added, this encryption gives Gmail an advantage over third-party email programs like Outlook and Thunderbird, which won’t automatically decrypt messages that have been encrypted using Google’s encryption mechanism. Unlike some encryption methods, Gmail doesn’t require the exchange of a key in advance, so users will be more likely to use it.
However, he pointed out, Google’s client-side encryption doesn’t encrypt headers or message senders, so an attacker with access to the device can still get some potentially sensitive information even with encryption enabled.
“If you’re planning to use Gmail to commit financial crimes or plan a revolution,” he added, “you should know that Google controls the display and often the keyboard on devices they build. Even if emails are encrypted on device, your messages may still be available while being read or composed.”
And while end-to-end encryption (E2EE) is considered by experts to be an excellent protection against the hijacking of data in transit, it won’t protect data on compromised devices, stolen and hacked devices, or in unencrypted backups.
David Shipley, CEO of security awareness provider Beauceron Security, noted the extension of Gmail end to end encryption to mobile platforms will help organizations ensure compliance with privacy concerns. “On the downside,” he added, “this is going to be a powerful tool for criminals. If they spin up a Google Workspace tenant and send encrypted messages to end users who aren’t on Gmail, in those cases, users will get a link to a new portal to read the sent message which will not be intercepted by a lot of security tools like email filters.”