> Lockdown Mode is available in iOS 16 and coming soon in iPadOS 16 and macOS Ventura.
> Web browsing - Certain complex web technologies are blocked, which might cause some websites to load more slowly or not operate correctly. In addition, web fonts might not be displayed, and images might be replaced with a missing image icon.
The first sentence I believe is referring to disabling JIT (just-in-time compilation of JavaScript), which is dangerous as it allocates W+X pages which are often used by the final stage of an exploit. Apple did an amazing job already of hardening iOS by severely restricting which applications can use JIT (and this is their justification for why non-Safari browser engines are not allowed on iOS) and even enabling per-thread memory page permissions. Many more details are in this fantastic post from Google's Project Zero: https://googleprojectzero.blogspot.com/2020/09/jitsploitatio...
Overall it's very interesting to see Apple invest so significantly in something that will benefit relatively few users -- not that I'm complaining!
> Overall it's very interesting to see Apple invest so significantly in something that will benefit relatively few users -- not that I'm complaining!
My theory on this is that Apple is one of the few companies where everything they build seems to be well integrated into their ecosystem. This is part of their appeal.
Another part of Apple's appeal is that they've positioned themselves to appear as the company that cares the most about consumer privacy and security. Lockdown mode seems to be one of those features that's great for marketing and PR in certain circles, while being extremely useful in situations where it's needed.
I imagine someone writing an article claiming how lockdown mode saved them, and that's practically free viral marketing in the security circles.
> Lockdown mode seems to be one of those features that's great for marketing and PR in certain circles, while being extremely useful in situations where it's needed.
Also, it gives them additional room to play with security research and engineering at large. They already have an incentive to improve security on device (drive by attacks, jail breaking), and this just enables them to play with things that are safer but break too much. They’re basically training their other tech teams to be more secure, and find where security and UX clash, identify and build the fix, even if off by default.
You gotta admit, they do invest a ton of money into security. Mainly to keep consumers from running their own custom software on their devices. I guess that keeps out attackers too. But do keep in mind the user themself is probably part of Apple's threat model.
Is there some angle for corporate phones too? If you’re a company and you’re going to buy a load of phones and you ask your cybersecurity department, I think they’d probably already tell you that iPhones are more secure. This just adds to it. Perhaps Apple are worried about e.g. Pixel phones reliably getting security updates.
"Bioweapon defense mode" is a marketing ploy for "there's a HEPA cabin filter and a recirculation function", both of which a massive number of other cars on the market have as well.
You mean false advertising? Because unless it is an actual overpressure system, using compressed and probably stored air, that VX gas is getting in.
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7158270/
"In principle, homes could be outfitted with High-Efficiency Particle (HEPA) filters, although this would require substantial modifications to most home heating, ventilation, and air conditioning (HVAC) systems and would require positive overpressure systems to prevent infiltration through cracks. However, hermetically sealed office buildings frequently have HEPA filters and positive overpressure HVAC systems, making it easier to ‘harden’ such buildings if they are likely targets of attack or if they perform critical functions in the midst of an emergency."
Different take… Apple is going to push the idea wider and this is their test audience.
It wouldn’t surprise me if they anti-Googled it, that is, instead of enforcing adoption of a web technology because they own the browser market, stopping all the misused technologies they don’t want to have to explicitly protect against.
Technically pages alternate between W and X as you say, but this will disable even that (which is already true AFAIK for non-Apple iOS apps, they can't have JITs).
They can’t have their own JIT. If you use SFSafariViewController or WKWebView you’re using Safari and its standard JIT. But you have no access to it outside normal JS so it’s no more exploitable than the Safari app would be.
There are still RWX pages in Chrome, something to do with WASM I think. I don’t know about Safari. Old MS Edge used to solve the remapping of the W JIT page to X by moving JITting to another process and then having it RW in there, but only ever be RX in the primary process.
It doesn't have RWX pages on macOS; macOS on Apple Silicon (and under the Hardened Runtime on Intel, although I'm not sure whether or not Chrome's adopted that) strictly enforces W^X.
I just looked it up in the Armv8 manual and there is a control setting that makes the processor ignore the executable permissions for any writable pages. It states these controls ‘are intended to be used in systems with very high security requirements.’ which suggests there are drawbacks.
My understanding is that trying to execute a page that's been written to is already insanely slow on essentially all modern processors, whether or not they care about security.
It depends on the kind of vulnerability. Say you have a vulnerability that allows writing to arbitrary pages, then an attacker on RWX system can write malicious code into pages that would get executed. In W^X environment, the attacker needs to find a W page and write to it before it becomes the X page.
This isn't a 100% mitigation, but it does make it harder to exploit.
JavaScript JIT has been the source of so many RCE vulnerabilities.
It means an attacker with an arbitrary-write vuln needs to be able to target a page as the JITted code is being written to it, rather than being able to target any existing page with code in it.
And since JavaScript is so focused on a single thread, it's easy to make sure it's not even running at the same time your JIT code is doing those writes.
I was mucking about on my Mac the other day playing with the accessibility settings and came across this: https://support.apple.com/en-gb/guide/mac-help/mchlb2d4782b/... - a system that lets you move the mouse with movements of your head as picked up by the web cam. Works very well. Scrunch nose to click etc.
It's designed to make a computer secure against even physical access to the hardware. Because ChromeOS systems are often used as work or school machines, and need to be 100% completely owned by the institution and immune to the actual user.
I mean, to be fair, Google grew up just trying to get us to click on things. Apple had to convince people to part with sums of money for lumps of metal and plastic with lightning in them.
Apple probably had a bigger budget for that sort of thing from the beginning, thus creating a proper culture. Google, probably not so much.
I don't think human rights activists and journalists are the most at risk here. They are more at risk than you and me but at least they can keep a low profile.
CEOs and celebrities and politicians are not only at risk because of their influence and insider knowledge, but they also have a huge target painted on them at all times. They simply can't keep a low profile due to their occupation. They also have money, much more than journalists and activists, so they attract "regular" criminals too.
Human rights activists and journalists probably won't be their main user base but it will be the most prominent for public relations reasons, because who doesn't like human rights and investigative journalism? VIPs are less marketable and let's not talk about criminals. To keep things clear, I think it is a good feature, even if it can help criminals. After all, human rights activists are often technically criminals where they act.
Many journalists' whole job is to not keep a low profile and to pull attention from the public. I'm not sure politicians get killed that much more in comparison [0]. Money is usually enough to solve political problems.
I have yet to hear about NSO tools being used to target celebrities who are not activists. Activists are targeted all the time. For example, Mexico used its NSO install to target a person that was working to get a tax on sugar sweetened beverages passed. And their children!
Considering NSO Group is specifically mentioned by name multiple times in Apple’s press release announcing Lockdown Mode, I’d say you’re right…
> Lockdown Mode offers an extreme, optional level of security for the very few users who, because of who they are or what they do, may be personally targeted by some of the most sophisticated digital threats, such as those from NSO Group and other private companies developing state-sponsored mercenary spyware.
> Apple did an amazing job already of hardening iOS by severely restricting which applications can use JIT (and this is their justification for why non-Safari browser engines are not allowed on iOS)
I think it's probably inaccurate to conflate these two things: the JIT was not even allowed in third party browsers when using Safari for a long time, and they still didn't allow other browser engines. If this was the only reason, surely other browser engines without JIT would be fine?
Any Turing-complete interpreter written in a non-memory-safe language is a potential exploit vector; and browsers are full of them. The major browser engines all do their own font rendering, for just one example.
This is why the iOS App Store allows Swift Playgrounds (app with a memory-safe interpreter), and allows iSH Shell (virtualized POSIX environment, where you can write and run e.g. bash scripts), but doesn't allow iSH Shell to ship with gcc.
That's just a business requirement on the App Store rather than a technical requirement. Nothing prevents you from installing iSH shell and then installing gcc yourself afterwards. In fact I have done so.
To summarize, Apple made a speed bump, not a wall.
iSH doesn’t ship with GCC because it is massive, not because Apple blocks it. In fact it would probably be easier for us to include it rather than deal with making the package available to be reviewed.
Chrome and Chromium have flags to disable JIT as well, but there is definitely a significant performance penalty.
One area of greatest concern for me is client hints and the various JS APIs that leak way too much, from OS to memory and more. You would think that an extension as popular as uBlock Origin would exist that would make this information as generic as possible to mimic the most common browser profile. Without it, it is still incredibly easy to identify a user with JS enabled and unfortunately disabling JS also makes you unique.
This doesn't even address the Canvas API issue that needs to be virtualized to protect privacy. The web standard as a whole hasn't really put a lot of thought into privacy.
> Overall it's very interesting to see Apple invest so significantly in something that will benefit relatively few users
Maybe Apple wants to encourage more (non-classified) government use of iPhones? Maybe they have a big juicy contract they could take if they just get their OS into the right shape for it?
Government purchase-orders used to be the main thing that kept RIM/Blackberry afloat: they were a Canadian manufacturer, and so were (or could be validated + closely scrutinized to be) trustworthy as a supplier for American government communications systems. This is 90% of why the Blackberry ecosystem was... the way that it was.
Apple is now in (nearly) the same position. And their ecosystem has also been strange for the last 6-or-so years, in that particular "there's no clear reason for this, unless the government asked you to do it for supply-chain-integrity purposes" way (e.g. a self-serve repair program that requires you to pre-register a device for repair before ordering parts, and then report the part IDs to initiate online pairing.)
>Overall it's very interesting to see Apple invest so significantly in something that will benefit relatively few users -- not that I'm complaining!
I would say that this is at the very least a strong marketing point. "We are secure by default, and the most secure phone out-of-the-box on the planet if needed".
The hardware itself must be trusted to an extent, too. Is there an Android-compatible device/ROM combination that can advertise the same level of security as this lockdown mode, without spending two days configuring it?
TBH, if you have a target on your back, spending two days configuring your phone is a pretty small inconvenience.
On the other hand, if you're applying this without looking deeper into what it covers, what it doesn't, and the limits, you'll probably be in trouble sooner than later.
Part of the problem is difficulty, no? If it takes you two days to configure the phone to be safe, how sure are you that you’ve got every single option you had to change completely correct? That seems like a lot of possible mistakes.
“Slide this and cover practically everything built in” is a lot more reliable. You can still have problems (as always) with anything extra you install, like any system would.
I hear you, and think Apple’s defaults are useful, but under a set of conditions:
- you spent the time to know what they do, and how they work
- you set yourself at the right level of security
So you still need to be sure that Apple got every single option completely right for your use case in the configuration you chose.
That’s probably a one time task, and once you understand what it does and where it protects you, you can just move the slider. But it can’t be a “no-brainer” just slide the thing.
I’d compare this to buying insurance: some will have 3 plans and you just choose one level, some have 250 options and you take hours or days going through each of them.
But whichever you choose you’ll still spend a significant amount of time going through all the papers to even understand what the terms are and what you’re actually paying for. You wouldn’t want to be paying years of insurance only to realize at the worst time that the “just sign this” plan was partly incompatible with your health situation.
I appreciate your concern is genuine, but I think most of the people who benefit from this lockdown mode are people who are mostly technically illiterate, and at the same time they are also cash-strapped, unless they are journalists from a well-funded media company.
What these people need from the tech community is a foolproof, fail-safe way to turn the security level to the max.
What Apple just did is going in this direction. I hope Google can do the same.
Just wanted to say thank you for making this point. Far too many people on this site (and in tech in general) fall into this category: https://xkcd.com/2501/
People being targeted by the NSO Group are generally very smart very educated people, but they're journalists, not digital security specialists. They may even know how to beat a tail, but they have no idea about MAC addresses. As someone who has been on both sides of the divide just "flipping a switch" is a massive upgrade to the ability for reporters and activists to keep themselves and their contacts safe.
During Apple’s annual meeting an activist asked Tim Cook to commit to doing only those things that are profitable. To which he responded: “When we work on making our devices accessible by the blind, I don’t consider the bloody ROI.”
> Apple did an amazing job already of hardening iOS by severely restricting which applications can use JIT
Well, they did that not because they care about users but because they want all software to pass through the App Store (and thus the review and policies of Apple). If you allowed code from other sources to run efficiently (for example downloaded at runtime, put in a W+X memory page and executed), that code wouldn't pass through Apple's review process, thus one could publish an app that does something and then modify its code to make it do another thing (even load an entirely different thing).
In the end I don't think this is a good thing for users.
I really hope the EU will succeed in forcing Apple to allow third party app stores. That would be a game changer. People that are happy to stay in the walled garden can simply not use any other app stores but for someone like me it will open up iOS as an actual option I can choose. Right now there's too many things I can't do on iOS.
Though honestly, I'd be even happier with a real third option instead.
I’d like to write an app for myself, side load it, and Apple not have to give me special permission to do what I want. Right now, I have to have a “shortcut” start my own app (for simming) to change some device settings, then remember to change them back after the session. But if Apple would allow you to do whatever you want without their permission (on your own device), my life would be a bit simpler.
Results of enabling it and using my phone as I normally would:
- Some websites don't display images. I've no idea what they encode to, but they won't display. Fine, don't care.
- Animated GIFs don't play in Messages when coming in via SMS (perhaps iMessage too, haven't tried). Annoying when people communicate in animated GIFs, but... people just expect my tech to be weirdly broken, so this doesn't actually impact things significantly.
And that's it. I couldn't tell you the performance delta in casual internet use, though I don't use my phone very heavily either.
Sorry, I'm not sure that I follow. Why would it be a bad idea if some IT departments enabled Lockdown Mode (LM) via MDM..?
The article says that in LM, you can't enrol the device in MDM -- I suppose that if you want LM functionalities, it makes some sense that you wouldn't want parts of your device to be remotely controllable by an enterprise (or your MDM profile overriding some of the Lockdown options..?)
But... I don't understand what you mean by it being a bad thing that IT admins would want Lockdown Mode for everyone. Thanks
There are a lot of cases where you have to be available on chat. Either sit at your desk and do nothing for 12 hours straight, or do anything you want and just have your phone on you. This could either be a slow day at work, or an actual off day like being on call on a Saturday. A lot of companies aren't going to buy you a separate work phone.
If there's a lazy security option that can be enabled, a lot of companies are just going to inappropriately turn it on because it doesn't bother them that your phone can't do anything fun. That doesn't cost them money. Even if you're a web designer for a small shoe store where obviously nuclear power plant level of security doesn't really make sense.
I remember android phones like 10 years ago or so had some corporate policy option so any time the screen is locked, you need to enter a 20 character password that has uppers, lowers, capitals, symbols, and numbers.
Any patterns / words it decided were too easy to guess were rejected for a password. This wasn't a "Lock after an hour of inactivity." It was "Lock immediately, and set screen timeout to 30 seconds."
I feel very sad to hear people install their employer’s MDM on their personal phones.
It’s kind of like your employer wanting a key to your car when it’s in the company lot, or to check your coat pockets when you leave work, or requiring a vial of your blood.
Some would say that I am privileged to say “nope!” to all of the above, but tacitly requiring employees to bring their own devices and then controlling them with MDM is such an inappropriate use of power that we should be protected from it, by right.
Apple and Microsoft have done it where the MDM need not actually be the device so much as the data container for all things Office. Instead of Mobile Device Mgmt, it’s more Mobile Data Mgmt.
This allows the company to wipe data that actually belongs to them, but a policy doesn’t have to let them see your activity, mails, photos, or even what other apps you have.
If your employer is running policies for accessing your private stuff, send the right people some docs on how to protect company data w/o invading your privacy.
Just to add to this: Many IT Security departments reflexively enable the "most secure sounding" option, even if it makes no sense, stops people working, or conflicts with other requirements. Generally there can be no meaningful debate about these settings, because nobody wants to personally wear the risk of disabling a security setting that is already enabled.
In my career I've always tried to enforce only the seamless security that users don't even notice, the ones that "work in the background". Most SecOps people have the opposite notion of this, thinking that systems aren't really secure unless they're in-your-face to the point of being obnoxious and interfering with regular business activities.
It's not secure if it's not theatre.
A random example is the "usage terms" that large orgs make everyone click through when they log in. These do nothing. Some text has never in the history of the world stopped a hacker hacking into a system. Illegal access is illegal whether you tell users about it or not. Crimes are crimes even if you don't have the legal code printed out and visible wherever that crime may be committed. The only users who will actually see the text are staff with contracts, staff that have their details registered with HR, staff that can be conveniently arrested by the police if they break the law. You know who doesn't see that disclaimer? Hackers.
Why does this matter anyway, you ask? Why not just "click accept" and move on with your life? Well... because when you log onto a shit-slow corporate terminal services desktop, that's a process that takes 2-5 minutes on a good day. Roughly half-way-through the process will stop and wait for 30 seconds for that acceptance click. No click, and the whole thing is aborted. It's a test to see if you have the patience to sit there, wasting minutes of your precious life on Earth watching a screen change colours while the system loads, click, and only then have a brief moment of freedom to do other things while the loading continues.
I put up with this every day, because some dingbat in legal thought that crimes will occur if they don't force 15,000 employees to click 'Accept' on text none of them have ever read. Every day.
It's a thousand cuts like that add up to corporate misery, to the point where big vendors are being irresponsible to the public by adding anti-human features like this.
I refuse to sign in to my work Gmail on my Android exactly for this reason. It basically wants to lock down my phone. It doesn’t do that for my iPhone though, but I’m not logged in there either, FWIW.
I refuse to use my personal devices for work, as a matter of principle. Need me to be on call? Flip phones are pretty darn cheap.
My work allows us to sign into Teams, Outlook, and Slack without installing MDM profiles which is very nice. I keep notifications off of course, but can access them if needed.
That's literally just a really shitty IT department poorly managing their MDM. And on Android at least the "work profile" is generally completely separate from your usual stuff and (if enrolled properly) the company cannot control major aspects of your phone (just the work profile). The company can remote wipe the work-related sections, for example, but not your entire device.
There are settings though for passcode enforcement and whatnot
> The article says that in LM, you can't enrol the device in MDM
My understanding is that you can't change the MDM settings/enrollment while in Lockdown, but you can enroll in it, and then enable Lockdown, and be fine.
Yes, because they require it for internal apps. But as "user enrollment" so they are very limited in what they can do. See the table at the bottom of this page[1].
For context this is relatively new and is different from the older way of doing things (device enrollment).
Does your employer provide a cell phone subsidy? That is how most places do it, they give you some amount of money every month and you sign something that they can enforce policy and seize your device as required.
Still waiting for Apple to allow restricting network access (both cellular and WiFi) for specific apps on all devices, not just those sold in China: https://apple.stackexchange.com/a/312430/51806 .
> Still waiting for Apple to allow restricting network access (both cellular and WiFi) for specific apps on all devices
I think you will find you are partially mistaken here.
Apple have provided the ability to disable cellular access from day one. It's right there for you as an option and has always been there (look under Settings->Mobile Data; you can toggle on/off for each specific app).
Additionally, Apple have always provided the ability to disable background data refresh for apps. In other words, this takes you 3/4 of the way to providing the ability to restrict WiFi access.
I know it's cool to Apple bash, but at least get your facts right before you jump on the bandwagon.
No, you’re just refusing to understand what he meant, just to be “right”.
You cannot fully block an app’s internet access.
You can disable its cellular data permission, and you can disable background refresh, but as long as you’re connected to Wi-Fi the app can use the internet.
You would have to manually disconnect from Wi-Fi every time you wanted to use the app.
That's still not good enough, and not what they meant at all.
Disabling network access entirely is a great safety switch for apps that claim to be offline-only, or to ensure apps literally can't send your data away. I know I'd trust a lot more apps this way.
This further cements my opinion that Apple is just leaps ahead of anyone else wrt security and privacy these days. They should be applauded for this.
I look forward to when this comes to iPad. An iPad with a Bluetooth keyboard is an excellent option over a traditional laptop for a high-risk target, and this’ll make it even better.
Really, a marketing piece on their own website where they make an extraordinary claim that they can protect against the “most sophisticated digital threats” without any evidence supporting their claim at all, let alone the extraordinary evidence required to actually support such a claim that is generally viewed as impossible by most technically competent individuals, cements their leadership in the security space?
It would make much more sense to look at their actual, independently validated security certifications that they advertise:
Where they have only managed to achieve the absolute lowest levels of security.
Like, look at that last one, their security validation functionally consists of typing “public unpatched ios vulnerabilities” into Google and certifying that nothing comes up. It is utterly preposterous to claim they have any security expertise against highly skilled attackers at all when that is the limit of their advertised certifications. If they actually want to demonstrate security leadership, they should certify against the highest level, AVA_VAN.5, which actually verifies protection against HIGH attack potential threats instead of the lowest level, AVA_VAN.1, which only verifies protection against BASIC attack potential threats.
My favorite part of Hacker News is when commenters just lazily make the same comments again a couple months later, without taking into account people’s replies to them, and hope nobody will notice: https://news.ycombinator.com/item?id=32007917. Seriously though, this is pretty much the textbook definition of bad faith, so don’t do it.
Their lack of any independent audits of their claims continues to be relevant.
Please point to a single third party who is competent to evaluate if they can actually protect against the “most sophisticated digital threats” that has actually supported Apple’s claims.
Valid third parties include, but are not limited to, any national security agency or premier hacking organization with hundreds of members (i.e. actual “most sophisticated digital threats”) declaring it can protect against them, any individual or organization who has designed and implemented such a system in the past agreeing Apple has created such a system, or any certification body who has reliably certified such systems with low rates of false positives such as the Common Criteria.
Invalid support includes, but is not limited to, certification bodies that give Windows their highest security rating, marketing articles, individual hackers of no particular renown, and claims of it being “better” or “harder” without even being able to quantify where in a multiple order of magnitude range it lies.
My problem is that I can pretty much paste my response word-for-word and it still applies just as well here, which really means you haven't updated your take to account for it at all. That's just not interesting.
That said, it's still a new feature. I'm sorry I don't have the NSA spokesperson here to say that they are going to pack it up and go home now because iPhones are unhackable, since that's the only thing you are willing to accept. To be entirely honest I am not even willing to hide my disdain for the certification you've repeatedly brought up at this point beyond it being a set of good practices. Like, the Titan M2 chip was assessed at AVA_VAN.5, and it got exploited last month because it was written in a bunch of C and deployed without layout randomization or attempts at CFI. I trust the words of hackers (of particular renown, mind you!) and their analysis of how strong the mitigations actually are over some certification person just looking at the system and trying to take a guess as to how it'd hold out.
I do not require an NSA spokesperson, I just need any organization with technical merit comparable to the "most sophisticated digital threats", or who has actual practical knowledge of how to defeat such threats, to actually weigh in on the claims; otherwise I do not see how their claims have any support, as they are supported by neither the stated adversary nor anybody who has demonstrated such defensive abilities previously.
I did not previously know that the Titan M2 chip was assessed at AVA_VAN.5, but I do not see how the chip itself being certified against physical attacks is relevant to the security properties of the Security IC Embedded Software which is explicitly out of scope and is uncertified at any level. To support my claim that it is a certification of the hardware, not the software:
On Page 7, Section 1.2.2, Statement 9, we see that Security IC Embedded Software is all software running on the chip (i.e. non-firmware). Security IC Embedded Software, which is what we would consider to be the Titan codebase that was attacked, is explicitly called out as not part of the Target of Evaluation (TOE).
On Page 22, Section 3.2, Statement 70, we see that the threats specified are physical, electrical, and hardware attacks. On Page 25, Section 3.2, Standard Threats, Statement 82-87, we further confirm that the enumerated threats are physical and related to the hardware itself, not the software.
On Page 30, Section 3.4, Assumptions, Statement 99, we see an assumption required for correct operation of the composite TOE (hardware + software) is that the Security IC Embedded Software correctly protects user data. As this is an assumption, this is not an evaluated claim and is assumed to be true for the purposes of evaluation and is thus out of scope.
So, to reiterate, I do not see how a software attack on uncertified code in the Titan M2 chip proves the certification evaluates software incorrectly given that the software was out of scope of the certification in the first place and thus no claims of its quality are asserted as part of the certification that the Titan M2 chip received. That is like complaining that waterproofing standards for phones are garbage because they do not tell you how fire resistant a phone is. If anything, it supports my statement since the uncertified code was defeated.
Trust in this context is obviously not 1 or 0 but a sliding scale and some organizations are higher on that scale than others based on past conduct, as the previous poster pointed out at length.
If you don't trust anyone but yourself, you'll have to do the audit yourself. How do you suggest to do that? An auditor with a good track record seems like the most trustworthy practically feasible alternative to me.
I don’t think your feasible alternative is assessing the massively skewed information asymmetry at play.
Given you are the most successful computer company on the planet, and the entire planet is connected by your products within two degrees of separation in a network; then the only thing you gain is a loss as any auditor is in a position of being unmatched in every category at best and at worst is an active agent who will dissipate information increasing vulnerability and attack surface.
Bug bounties work well to solve this, and that’s how it’s done.
Is my browser broken and not displaying some comments I should see? The only response I see there is basically "let's wait and see for Apple to provide more details and/or involve third party researchers", which Apple seems to have not done at all in the last 70 days?
To be fair, this mode is a direct counter to the zero-click attacks that Zerodium is offering the high payouts for. It specifically blocks all the (currently) known attack vectors.
Maybe Zerodium will offer a new tier for a zero-click attack on an iPhone on Lockdown mode in the future.
I wouldn't say that is fair in that very few people can use that mode, so the net security win is minor and there exist hyperlocked down Android versions for years on the open market. A friend of mine even worked on one.
This space is murky at the top end.
The Zerodium payout offering is a rough proxy, but for 99.99% of consumers the security win for an iPhone is mostly about how they don't have to think about the manufacturer (telling your tech-illiterate friend to buy an iPhone is easier than saying "Android but only Google or XYZ manufacturer") and how the privacy differential helps out a bit.
Also, plenty of people can't enable crazy hyper secure mode without bleeding information that they've enabled it. So this isn't as helpful as it may seem.
> I wouldn't say that is fair in that very few people can use that mode
Very few people are being targeted by nation-states. But more importantly, these are not a random set of people. These are head of states and companies, free speech activists and journalists, and people with access to top secret information. I suspect that a large set of them are aware that they are potential targets.
They are always one upping each other. On the positive side both OS are very, very good generally for security (comparatively to what we used to have)
Privacy I am not even so sure - you can turn a ton of Google stuff off fairly easily and on top of that while Apple may not directly sell your aggregated data to third parties they sure as hell are using it themselves
My understanding was that the median iPhone is much more secure than the median Android phone due to things like regular updates being widely installed. Lots of the things that used to be worse for Android (e.g. bad app permission model) have been fixed.
Enhanced Safe Browsing stops you from clicking on links to malicious domains, and lockdown mode just requires you to enter your PIN (equivalent to holding down volume up and power on a recent iPhone). Both are completely different from iOS's Lockdown Mode.
Enhanced Safe Browsing is not directly comparable with Lockdown Mode. It's only enhanced against phishing attacks. It doesn't do things like turning off unpopular image formats or WebGL or JIT.
Anyone else being ... just Google. It's not like we have many options for mainstream mobile phones.
It's easy to be ahead of the competition when the competition's business model is selling your data. One can dream of a day when Apple gets real competition.
Do you read apple's privacy policy? They go to extreme lengths to ensure none of the diagnostic data they collect is personally identifiable without user permission. They invest millions into certain programs [1] to ensure they can collect data in a way that doesn't even point back to any specific identifier.
I just don't see how you could equate Apple to every other company and accuse them of spying on their users when it is clearly not the case. You have options when it comes to phones and computers, and only one Fortune 500 company seems seriously committed to keeping their users' personal info private.
There’s tons of research on the weakness and reversibility of differential privacy. Privacy doesn’t mean being or making representations that you’re being a good steward of the information you’ve spied on me to collect, it means not collecting it.
I'd guess the following: if Apple is a company that is mostly trying to sell UX and seamless integration as a part of that, but has to break quite a lot of that every time an 'extreme' protection measure is used, then it stands to reason that they'd make the 'mess up the UX' thing all contained in one option.
It makes for a very clear demarcation as to why the product doesn't work as it normally should, and an abundance of differentiation would remove all of the guessing as to "why is feature X not doing what I expect" for the user of the device.
I imagine that it's more than that - by grouping them into one feature, Apple can continue and improve upon lockdown mode without needing to opt-in the user in every update.
I agree it would be nice to have the ability to toggle some of these on without the others.
Regarding USB devices, Apple has offered a setting for years in "Face ID & Passcode", under "Allow Access When Locked" called "USB Accessories". If you turn that off, then your iPhone won't allow USB accessories to connect if the phone has been locked for more than an hour. Not quite the same as the Lockdown setting, but better than nothing?
And, importantly, you can trigger it immediately instead of waiting an hour.
Since around iOS 11 this USB lockout and “require pin, not FaceID/TouchID” used to be 5 clicks of the power button, and triggered it immediately. Also brings up an emergency button no matter what you were doing.
After this screen, pin is required.
Prior to this Lockdown mode, for best results you also may want to use Apple Configurator or JAMF Free or similar to block other ways of “recovering” access.
Before iOS 11’s USB lockout, this “pair locking” was the best way of helping block forensics tools:
Hm, it would be interesting if they had toggles for each feature with some kind of UI element/hint/incentive to have it all on.
Think of how Apple maintains their image, and who they claim this is for. They don't want a journalist killed because they thought they had Lockdown Mode on, but they had link previews in SMS and got hit by a zero-day tracker.
I find it interesting that Lockdown Mode doesn't (yet) enable multiple lock screen authentication methods. Requiring Face ID AND a pass code could be useful. (There are rumors that Apple will add Touch ID back to their phones in the future. I'm not sure they'd keep Face ID on a phone with Touch ID but combining those two methods AND requiring a pass code would seem to be the most secure.)
I'd also like to see some method for quickly wiping the phone or severely disabling it. A friend mentioned that a new scheme for thieves is to ask you for your unlocked phone at gunpoint and then use a cash app to transfer money to one of their accounts. Some way to very quickly (and covertly) wipe your phone would help defend against that attack. (Related: https://www.startribune.com/warrant-grifters-targeting-cash-...)
A more practical defence is keeping a low balance on any account that can be easily accessed from the phone. Not seeing any real use for this functionality when faced with an adversary physically.
In the theft as described from the article, it would’ve helped since the scam was based on escalating a phone borrowing to theft while acting like a crime wasn’t happening.
Sure. A few years ago all that stuff was in Find My and they split it out for some reason. Honestly I just assumed it would be there, checked, and sure enough it was.
My only worry with this is that Lockdown Mode will be a reason to let the “default” mode be less secure. I understand some security features can cause major inconveniences, and so Apple needs to weigh security against convenience as part of their design process. I just hope they keep striking a good balance there, and won’t use Lockdown Mode as an easy way out of those design questions.
Considering that it seems like Lockdown Mode pretty much breaks the internet, I wouldn't be overly concerned. Average user use cases will still need to be accounted for. My guess is that these are security features that they would ideally like to add to all phones but found that they were too much of a hassle for the end user.
> FaceTime - Incoming FaceTime calls are blocked unless you have previously called that person or contact.
> Apple Services - Incoming invitations for Apple Services, such as invitations to manage a home in the Home app, are blocked unless you have previously invited that person.
Well, I would like to have these two enabled in regular situations.
Sounds like a reasonable config for me too. Operations that will definitely leak your identity everywhere (camera, GPS) should never be actively prompted by random people (who the heck would want to allow that?) unless you click the option yourself first.
> Perfect, I don't use it, it is always some scammer.
You get spam/scam FaceTime calls? (Not attacking, just generally curious... I've never in my life ever gotten or know anybody who has been spammed via FaceTime).
Then why does the documentation for lockdown mode specifically mention unlock-for-USB as a feature?
What baffles me is that damn near all of this stuff could also be a separate preference item, mostly because I don't want 90% of what they mention enabled anyway.
> Lockdown Mode is an optional, extreme protection that’s designed for the very few individuals who, because of who they are or what they do, might be personally targeted by some of the most sophisticated digital threats. Most people are never targeted by attacks of this nature.
The list of restrictions doesn't seem too inhibiting - for those who have used it, what are the points that stand out? Is this something designed for habitual use or under specific situations?
Been using since it came out over a month ago. The biggest annoyances are:
1. You cannot tap on any links in iMessage. You have to hold your thumb down on the link, copy it to clipboard, switch to Safari, paste
2. If someone posts a gif in an iMessage thread, it doesn't show up
3. All inbound requests for FaceTime calls seem to be automatically blocked, even when they are coming from people who are favorites in my contacts. I haven't looked into why yet. Maybe it's because I don't have their phone number saved with a `+1` prefix in my contacts?
Other than that it's hardly noticeable, and I think it's fantastic that we now have this option.
This is a strange one. Presumably a few people in the target group for this would know a few people also in the target group - how do they intend to bootstrap trust? Or is it just a calls b, b's device reject call - b can now call a? Then after b call a, a can also call b?
If so, it sounds like a very complicated way of marking contacts as "super favorites"?
You can receive incoming calls from accounts you have called. Presumably, the bootstrap looks like two people try to call each other, one is rejected, one goes through. Then either can call the other in the future.
Is this really a feature people want? I can’t imagine any situation where I’d want to allow unsolicited FaceTime calls (99% of the time it’s some kind of spammer)
#1 sounds great. I hate how I can't open a link from iMessage directly in Firefox Focus, which is my normal practice. In the process of copying the link, I have to long press, which causes Messages to pre-load a preview of the page in a standard webview. I don't know what this does for privacy, but I wish there was a way to disable just this behavior.
I've been using it for the past few days. I mainly use my phone as a text-based communication device, with occasional feed-scrolling (such as reading HN or twitter).
So far, the only annoyance is that sites relying on custom fonts for icons can end up with indecipherable UI elements (e.g. a button with a "refresh" icon is now just a button with an empty square).
I think lockdown mode prevented me from copying text on my iPad and pasting it on the iPhone in WhatsApp, but let me paste it in Apple Notes.
I'm not sure though, it might have been a bug, it might have been a user error, but I wonder if inter-device copy and paste is limited, too. I haven't read anything about it, though.
Otherwise I've noticed nothing, except a popup when starting apps for the first time after activating lockdown mode, that lockdown mode is active for the app.
To me, lockdown mode is a no-brainer. But I don't use very JS-intensive web sites, and never use Apple messages.
Are you sure this is the lockdown mode? If your phone is enrolled in an MDM the admin can control which apps you can copy/paste between and normally this includes just the corporate-sanctioned apps.
I have been running Lockdown Mode for several weeks. It is very rare that my iPhone can not access a web page correctly, etc. iMessage behaves a little differently but I am used to it.
I try it and the experience is good. Barely noticeable. Maybe the sites load a bit slower, and occasionally fonts on some websites don’t render correctly. Otherwise it’s something that many people could just keep turned on.
Private relay and locked down mode are two of the recent good features in iPhone.
I am wondering how effective it is against NSO-style spyware. Like, are they going to still come up with exploits and zero days hacking locked-down iPhones, maybe adding 25% to their fees?
Any startup employees working directly on technology trade secrets or otherwise non-public intellectual property should enable iOS16 lockdown mode.
Thanks to years of invasive online targeting, bulk data breaches and mobile phone network structural insecurity, it has never been cheaper to screen for higher-than-average-value targets with digital assets that can be exfiltrated.
Since targeting costs have fallen, it is profitable to target employees below the C-suite, e.g. those in strategic or development roles who routinely need to access sensitive information and digital assets. This applies to enterprise, mobile and WFH environments, e.g. leveraging mobile phone foothold to reach other devices like a home router.
I was very happy to see this feature announced! I turned it on immediately and so far it has had little negative impact on my life.
Some apps like Gmail will warn you that Lockdown mode is activated and that it will impact your experience but I have not encountered any drawbacks beyond iMessage links not opening the browser. This is easily worked around by copying them.
I hope this also blocks incoming calendar invites. Apple has as a feature the automatic addition of calendar invites... spammers soon noticed this and send out calendar invites with their favorite links that can clutter it up.
Er, are you both under threat by nation-state attackers and also posting about your device security decisions on a public web forum? If so, you may wish to reconsider!
Fairly certain it's just another person wanting to go the extra mile of security. Sure, it may not do anything useful if you're just some guy Pegasus won't ever encounter. But if lockdown mode doesn't restrict OP in any way, what's the drawback of just enabling it to sleep that little bit better at night?
Seems most likely, but there’s nothing I need to say in that scenario. May as well cover the long-odds case in the off chance that I save someone’s life.
I'm not making an analogy. I'm saying right now, there's a similar long-odds off chance a reader is near someone having a stroke. And elaborating on stroke symptoms would be about as useful as the advice you gave earlier.
It’s valid, helpful, and statistically unlikely to reach anyone who needs to read it.
Statistically unlikely to be seen is the case for almost every comment I make, because that’s how I enjoy participating here at HN. The rest of the commenters have “statistically likely” covered! No need for me to pile on.
So I look for the odd weird corners and note them and earn a mix of “Whoah”, “No you’re wrong”, and “Sure but so what”. I’m cool with that :)
The exact wording in the guidelines that I’m adhering to is:
> Have curious conversation
There is no guideline directing me to make my comments relevant to the majority of HN readers. This is probably the most narrowly-focused HN comment I’ve ever made in a decade, though!
It’s neither offtopic nor generic, as it’s focused on the exact post topic at hand, and it says something odd but useful that no one else is saying. That’s the essence of what every HN comment should be.
We already established that the opsec scenario was so unlikely as to not matter for that particular poster. And for everyone else "you, specific person, under an extremely unlikely guess, should not be posting on HN" is not a useful post.
The audience for this is broader than journalists and human rights activists.
Executives, politicians, government figures, engineers and scientists with access to intellectual property, lawyers, … will all benefit from this mode.
Think of nations stealing trade secrets and technological know-how from each other. Or how much money you could make hacking iPhone of an employee or CEO of a company that might provide inside information.
I don't really see why this matters when Apple also installs backdoors into their phones and grants nation states the exploits to attack dissidents for any person or group that would need a feature like this, apple is the last company I'd trust to protect me from an authoritarian regime.
Obviously these types of features are welcome, even though they apply to an incredibly small group of people. I can't help but feel the 'personal security' push from Apple and its marketing is rather self-serving.
Apple is under more legal pressure than ever for its apparent 'anti-competitive' practices. They have on many occasions pushed the line of user privacy and security to defend their business. Features like this benefit a small group of people, but help Apple enormously in defending itself from litigation.
Edit: Downvote? Why are companies given the benefit of the doubt as if they were human and caring when they are clearly not! Large listed tech companies like Apple will ALWAYS act in their own interest first. User privacy is the advantage Apple has over its competitors who rely on free services and advertising. It is in their OWN INTEREST to pursue this path which in turn impacts others ability to compete. Must we continue to be so grossly naive?
I buy Apple devices specifically because the value proposition is simple. I give Apple money and they give me goods and services. Their interest are aligned with mine.
If competitors that depend on tracking and advertising die, nothing of value is lost.
The issue isn't about personal preference. It's about the anti-competitive practices of large tech companies that remove competition, stifle innovation and allow monopolies to set the value of their own product rather than the market.
'Privacy and security' allows them to justify taking a cut of 30% from developers for simply allowing their apps to be installed on an Apple device, which is then passed onto you.
'Privacy and security' is why you need to update your perfectly capable phone after X amount of years because Apple stopped releasing updates for it.
'Privacy and security' is why they removed ad tracking on devices used by competitors, forcing developers into Apple's payment streams where.. you guessed it, they take a cut. They then created their own App Store advertising model in the process. No alternative payment methods are available on Apple devices because 'privacy and security'.
The 30% cut talking point is way overblown. It came out in the Epic trial that 80% of in-app revenue comes from games. Most of Apple's "competitors" don't even allow you to pay for services within the App Store. For instance, Netflix and Spotify have been forcing you to pay outside the App Store for years.
Way overblown... tell that to a game developer. The privacy and security argument was used time and again by Apple in court as a reason for booting Epic's Fortnite off the App Store for not using their payment system.
Let’s not make this about the poor indy game developer either. Most of the game revenue comes from in app purchases from pay to win games and loot boxes where the “whales” are making the money. They are just as sleazy as the ad supported industry.
Epic in fact tried to convince Android users to side load. It was not only a horrible failure, it introduced a security vulnerability.
Apple isn't deserving of a slice of revenue from game developers because of questionable gaming practices. If anything it makes them complicit. Like a mafia syndicate, they will allow these types of gaming practices if they are given their share.
The whole point of Epic side loading apps was to avoid the gatekeeping of the primary stores and their ‘review’ process. Was it a terrible failure because Epic is incapable of creating functioning software? Or was it a failure because it's near impossible to circumvent the limited developer 'sandbox' with APIs that all run through Google services? Are apps listed on Google Play free of security vulnerabilities? Who’s to say this information wasn’t disseminated throughout the public and media by Google or Apple themselves attempting to sway opinions against the so called evils of installing your own software.
As far as Epic vs Apple, whether the judge ruled Apple a monopoly or not isn't of great concern. What's more important is that she ruled Apple must provide other payment options to developers. It's in the user's interest that alternative payment methods are made available as it (in theory) will decrease the cost of app purchases. Apple's not in any hurry to implement it, though.
Lockdown Mode is optional; it is an extreme protection that's designed for the very few individuals who, because of who they are or what they do, might be personally targeted by some of the most sophisticated digital threats.
Lockdown Mode should be the default, and people should actively enable it. There's nothing anyone would want, except maybe shared albums. Those are from people you trust not to upload any images that exploit something.
Outside of something like turning off some kinds of decoding in the system libraries to all apps, what could lockdown mode realistically do to a 3rd party app to make it more secure?
Yup. My naive impression of it is "we don't trust our code to not back door your device, so we let you turn the highest risk portions of it off now. Mostly, gifs, because we don't know how to safely parse a 35 year old standard."
Wow, with this and the iPhone 14's camera, they are massively ahead of all other companies. It makes me happy that I bought their products and helped create this.
Does anyone think that Lockdown Mode was allowed to roll out without the American security state feeling comfortable that they're able to defeat it by pressing a button?
> Lockdown Mode was allowed to roll out without the American security state feeling comfortable that they're able to defeat it by pressing a button?
There is growing political consensus that given the lawless conduct of our adversaries, and the semi-lawful conduct of American intelligence, a smaller overall security cross section is to our advantage.
The ability to exclude apps or websites from the lockdown seems at the face of it to reintroduce attack surface that lockdown mode is meant to prevent.
Countdown to some 0day no-click exploit that adds an app or service or site to the exclusion list and then proceeds with a further attack?
> Countdown to some 0day no-click exploit that adds an app or service or site to the exclusion list and then proceeds with a further attack?
What type of exploit would be able to add something to the exclusion list but not already perform arbitrary code execution and just attack the system directly? This seems incredibly unlikely -- and roundabout, because you'd still have to get the browser to load the page.
Important to understand is that "provisioned access" as given to the US government is not considered to be a cyber attack, and lockdown mode will not help you there.
Also, it appears you cannot use configuration profiles in lockdown mode, meaning you may not be able to use DNS over TLS or HTTPS.
You're never 'safe' by toggling any switch. Opsec needs to be approached holistically and goes far beyond technology. This setting could be part of that but not the core. I would expect the people really at risk to be fully aware of this (or have people in their entourage that are). The best thing to do if you have state-sponsored adversaries is to assume your phone is being hacked.
I have seen some people in such positions and sometimes they don't even use a smartphone at all. I don't think they would be tricked into feeling 'safe' with something like this. I wonder if it will actually prevent the attack vectors used by something like Pegasus.
I think it will make a lot of people feel badass though :) Like most people that bought Phil Zimmermann's Blackphone.