Summary: Google has introduced end-to-end encryption for Gmail on Android and iOS, bridging the mobile gap that existed since the feature’s web launch in April 2025. Now, enterprise users on Google Workspace Enterprise Plus with the Assured Controls add-on can send and receive encrypted messages directly through the Gmail app, without needing additional software. Those not using the Gmail app can still access encrypted emails via a secure web portal in any browser. The update is available for both Rapid Release and Scheduled Release domains.
Closing the mobile gap in enterprise email encryption
Since the launch of Gmail’s end-to-end encryption on April 1, 2025, it was only available on desktop web, leaving out decision-makers who often use mobile. This service enabled Enterprise Plus users to send encrypted emails without Google being able to access the message content, as the process occurs on users’ devices. In October 2025, Google allowed external recipients to receive encrypted messages via a secure web portal, but the Gmail app for Android and iOS didn’t support these capabilities. As of April 2026, the app now lets users compose and read encrypted messages on mobile, offering them full participation in secure communication. Recent developments, such as Anthropic’s disclosure about an AI model exploiting vulnerabilities and emailing researchers independently, highlight the need for secure mobile communication.
Client-side encryption mechanics
Client-side encryption in Google Workspace is already implemented in Drive, Docs, Sheets, Meet, and now Gmail. This method involves key custody: organisations use their own encryption keys managed by a third-party service. When a user sends an encrypted message, the encryption happens on their device, meaning Google only sees encrypted data. If recipients use the Gmail app with encryption, messages appear normally as decrypted. Non-Gmail clients receive a link to a secure web-based Gmail version. The client-side encryption lowers attachment size limits to 5MB. Mobile access requires administrators to enable the feature in their Workspace admin console.
Targeting regulated industries
This feature is specific to Google Workspace Enterprise Plus with Assured Controls or Assured Controls Plus. It caters to organisations with regulatory obligations like data localisation, export controls, or data access restrictions. For companies such as US federal contractors and financial services, mobile encrypted communication is necessary for compliance. This update closes a security gap previously used by Microsoft to its advantage in sectors evaluating mobile device management and encrypted communication capabilities.
Incremental rollout and future prospects
Google’s encryption rollout strategy involves phased deployment by capability tier. The initial web launch allowed IT administrators to assess it in controlled settings, while the October 2025 external-recipient feature extended its practical application. The April 2026 mobile release incorporates regulated-industry workflows. Google’s readiness to integrate AI further into productivity tools shows in collaborations like Anthropic’s Claude Partner Network. However, there’s no indication if encryption will extend beyond Enterprise Plus, leaving personal and small-business users without access. This restriction maintains Gmail’s positioning as a premium enterprise feature rather than a universal privacy offering. As Google intensifies its competitive efforts, Gmail’s encryption update marks a significant step in enhancing security in vital sectors where the tech battles intensify.