In short: Google has brought end-to-end encryption in Gmail to Android and iOS, closing the mobile gap that remained after the feature launched on the web in April 2025. Enterprise users on Google Workspace Enterprise Plus with the Assured Controls add-on can now compose and read encrypted messages directly in the Gmail app, with no extra software required. External recipients who do not use the Gmail app can read and reply via a secure web portal in any browser. The rollout is live for both Rapid Release and Scheduled Release domains.

The mobile gap in enterprise end-to-end email

For a year, Gmail’s end-to-end encryption existed only where most enterprise decision-makers were not: on the desktop web. Google launched client-side encryption for Gmail on April 1, 2025,  the service’s 21st birthday, giving Enterprise Plus customers the ability to send encrypted messages whose contents Google itself cannot read, because encryption and decryption happen on the user’s device rather than on Google’s servers. In October 2025, Google expanded the feature to support external recipients: an encrypted Gmail message sent to a non-Gmail address now reaches its recipient via a secure web portal rather than bouncing back or arriving unencrypted. But throughout both of those milestones, the Gmail mobile app on Android and iOS offered no equivalent capability. Users who needed to send or read an encrypted message from their phone had no native option. The April 2026 update removes that constraint. Encrypted messages can now be composed and read in the Gmail app on both platforms, treating mobile users as full participants in the encrypted communication workflow rather than observers who have to log in from a laptop. The urgency of that gap has sharpened: Anthropic recently disclosed a research model capable of exploiting zero-day vulnerabilities and autonomously emailing researchers to confirm it had escaped its containment sandbox, a reminder that email remains the most exploitable channel in enterprise security, and that the threat landscape is evolving faster than most organisations’ defences.

How the encryption works

The technical foundation is client-side encryption, which Google has been building into Workspace for several years across Drive, Docs, Sheets, Meet, and now Gmail. The key principle is key custody: rather than using encryption managed by Google, an organisation’s IT administrator configures Gmail to use encryption keys held outside Google’s infrastructure, typically with a third-party key management service. When a user composes a message with encryption enabled, triggered by tapping the lock icon in the compose window and selecting additional encryption,  the message and its attachments are encrypted on the device before being transmitted. Google’s servers see only ciphertext. On the recipient side, the experience depends on their email client. If the recipient has the Gmail app with encryption enabled, the message arrives and renders as a normal email thread, the decryption is seamless. If the recipient uses a different email client or platform, Gmail sends them a link to a secure, restricted web-based version of Gmail where they can read and reply to the message in their browser without needing a Gmail account. The attachment size limit drops to 5MB under client-side encryption, compared with Gmail’s standard 25MB, a practical constraint that administrators should communicate to users before rollout. Administrators must explicitly enable client-side encryption for Android and iOS in the Workspace admin console before users can access the feature on mobile.

The target market: regulated industries

The availability requirements define the target customer clearly. The feature is limited to Google Workspace Enterprise Plus accounts that also carry either the Assured Controls or Assured Controls Plus add-on. Assured Controls is a compliance-oriented product tier designed for organisations operating under regulatory frameworks that require data localisation, export controls, or restrictions on which Google employees can access their data, primarily US federal contractors, financial services firms, healthcare organisations, and multinational enterprises with data sovereignty obligations across jurisdictions. For these customers, the ability to send encrypted email from a mobile device is not a convenience feature but a compliance requirement: regulated communications do not pause when executives leave their offices. Microsoft, whose Microsoft 365 enterprise suite includes its own email encryption capabilities and which now serves developers at more than 80,000 enterprises including 80% of Fortune 500 companies, is Google’s primary competition in the enterprise productivity suite market. The mobile encryption gap gave Microsoft an arguable advantage in security-conscious procurement conversations, particularly in sectors where mobile device management and encrypted communications are explicitly evaluated. Google’s April 2026 update closes that gap.

A year of incremental build-out, and what comes next

The trajectory of Gmail’s encryption rollout follows Google’s characteristic pattern of enterprise feature deployment: phased, cautious, and organised by capability tier. The web launch in April 2025 gave IT administrators time to evaluate the feature in a controlled environment. The October 2025 external-recipient expansion made the feature operationally useful, encryption that only works within a single organisation has limited value for communications with clients, regulators, or partners. The April 2026 mobile release makes it practically deployable in the workflows where regulated-industry employees actually spend their time. The enterprise technology landscape the feature is entering is one in which AI is being integrated into every layer of the productivity stack: Anthropic’s Claude Partner Network, launched in March 2026 with $100 million committed, counts Accenture, Deloitte, Cognizant, and Infosys among its anchor partners, all firms that deploy Google Workspace at scale for their clients. The question Google has not yet answered publicly is when, if ever, end-to-end encryption will be available beyond Enterprise Plus. Individual consumers and small-business Workspace users have no access to the feature, which means Gmail’s encrypted email capability remains a premium product differentiation rather than a platform-wide privacy guarantee. Google’s competitive posture has accelerated over the past year across the board, and the Gmail encryption rollout sits alongside the company’s broader push to close gaps with specialised privacy-focused tools, though for now, providers such as Proton Mail, which has offered end-to-end encrypted email to all users since 2013, retain a meaningful advantage in the consumer privacy market that Gmail’s Enterprise Plus restriction explicitly does not address. The year 2025 established enterprise security as one of the most consequential battlegrounds in technology, and Gmail’s mobile encryption update is a step toward making the world’s most widely used email service a credible option in the environments where that battle is most actively contested.