> Lockdown Mode is available in iOS 16 and coming soon in iPadOS 16 and macOS Ventura.
> Web browsing - Certain complex web technologies are blocked, which might cause some websites to load more slowly or not operate correctly. In addition, web fonts might not be displayed, and images might be replaced with a missing image icon.
The first sentence I believe is referring to disabling JIT (just-in-time compilation of JavaScript), which is dangerous as it allocates W+X pages which are often used by the final stage of an exploit. Apple did an amazing job already of hardening iOS by severely restricting which applications can use JIT (and this is their justification for why non-Safari browser engines are not allowed on iOS) and even enabling per-thread memory page permissions. Many more details are in this fantastic post from Google's Project Zero: https://googleprojectzero.blogspot.com/2020/09/jitsploitatio...
Overall it's very interesting to see Apple invest so significantly in something that will benefit relatively few users -- not that I'm complaining!
My theory on this is that Apple is one of the few companies where everything they build seems to be well integrated into their ecosystem. This is part of their appeal.
Another part of Apple's appeal is that they've positioned themselves to appear as the company that cares the most about consumer privacy and security. Lockdown mode seems to be one of those features that's great for marketing and PR in certain circles, while being extremely useful in situations where it's needed.
I imagine someone writing an article claiming how lockdown mode saved them, and that's practically free viral marketing in the security circles.
Also, it gives them additional room to play with security research and engineering at large. They already have an incentive to improve security on device (drive-by attacks, jailbreaking), and this just enables them to play with things that are safer but break too much. They’re basically training their other tech teams to be more secure, and find where security and UX clash, identify and build the fix, even if off by default.
Are you sure? There's no need to ever have a page that is W and X at the same time, and I would not expect any current professional JIT to make one.
W^X is more difficult to exploit for sure, but as other commenters point out, unfortunately still possible.
https://armv8-ref.codingbelief.com/en/chapter_d4/d44_1_memor...
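Added example, not part of any comment in this thread: the W+X versus W^X distinction discussed above can be checked from the defender's side by auditing a process's memory map for pages that are writable and executable at the same time. The sketch below assumes the Linux `/proc/<pid>/maps` text format (iOS exposes no such file); the sample map is constructed, and `parse_maps` and `audit` are hypothetical helper names.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample in Linux /proc/<pid>/maps format (not from a real process).
SAMPLE_MAPS = """\
55d0c8a00000-55d0c8a25000 r-xp 00000000 08:01 131090 /usr/bin/app
55d0c8c24000-55d0c8c26000 rw-p 00024000 08:01 131090 /usr/bin/app
7f3c18000000-7f3c18010000 rwxp 00000000 00:00 0
7f3c1a000000-7f3c1a021000 r-xp 00000000 00:00 0
7f3c1c000000-7f3c1c004000 rwxp 00000000 08:01 131200 /usr/lib/libold.so
7ffd5e1f0000-7ffd5e211000 rw-p 00000000 00:00 0 [stack]
"""

# start-end perms offset dev inode [path]
_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([r-][w-][x-][ps])\s+\S+\s+\S+\s+\d+\s*(.*)$"
)


class Mapping(NamedTuple):
    start: int
    end: int
    perms: str
    path: str  # empty string for anonymous memory

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_maps(text: str) -> List[Mapping]:
    """Parse maps-format text; raise ValueError on a line that does not fit."""
    mappings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = _LINE.match(line.strip())
        if m is None:
            raise ValueError(f"line {lineno}: not a maps entry: {line!r}")
        start, end, perms, path = m.groups()
        mappings.append(Mapping(int(start, 16), int(end, 16), perms, path.strip()))
    return mappings


def audit(mappings: List[Mapping]) -> Dict[str, List[Mapping]]:
    """Split executable mappings into W+X violations and anonymous
    executable regions that are not writable (what a W^X JIT leaves behind)."""
    report: Dict[str, List[Mapping]] = {"w+x": [], "anon_exec": []}
    for m in mappings:
        writable, executable = m.perms[1] == "w", m.perms[2] == "x"
        if writable and executable:
            report["w+x"].append(m)
        elif executable and not m.path:
            report["anon_exec"].append(m)
    return report


if __name__ == "__main__":
    result = audit(parse_maps(SAMPLE_MAPS))
    for m in result["w+x"]:
        print(f"W+X  {m.start:#x} {m.size:>7} bytes {m.path or '[anonymous]'}")
    for m in result["anon_exec"]:
        print(f"W^X  {m.start:#x} {m.size:>7} bytes [anonymous, not writable]")
```

A mapping in the `anon_exec` bucket only shows its permissions at the moment of the snapshot; a JIT that flips pages between writable and executable would need repeated sampling to observe.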
Apple has been doing this for decades with heavy investment into assistive technology, far better than other platforms.
Getting world leaders, celebrities and CEOs to use their devices might make this part of their marketing budget.
> Lockdown Mode offers an extreme, optional level of security for the very few users who, because of who they are or what they do, may be personally targeted by some of the most sophisticated digital threats, such as those from NSO Group and other private companies developing state-sponsored mercenary spyware.
Outside of that it’s kind of left-field and out of character for them to give users a way to make things work worse.
I think it's probably inaccurate to conflate these two things: the JIT was not even allowed in third party browsers when using Safari for a long time, and they still didn't allow other browser engines. If this was the only reason, surely other browser engines without JIT would be fine?
This is why the iOS App Store allows Swift Playgrounds (app with a memory-safe interpreter), and allows iSH Shell (virtualized POSIX environment, where you can write and run e.g. bash scripts), but doesn't allow iSH Shell to ship with gcc.
One area of greatest concern for me is client hints and the various JS APIs that leak way too much, from OS to memory and more. You would think that an extension as popular as uBlock Origin would exist that would make this information as generic as possible to mimic the most common browser profile. Without it, it is still incredibly easy to identify a user with JS enabled and unfortunately disabling JS also makes you unique.
This doesn't even address the Canvas API issue that needs to be virtualized to protect privacy. The web standard as a whole hasn't really put a lot of thought into privacy.
Maybe Apple wants to encourage more (non-classified) government use of iPhones? Maybe they have a big juicy contract they could take if they just get their OS into the right shape for it?
Government purchase-orders used to be the main thing that kept RIM/Blackberry afloat: they were a Canadian manufacturer, and so were (or could be validated + closely scrutinized to be) trustworthy as a supplier for American government communications systems. This is 90% of why the Blackberry ecosystem was... the way that it was.
Apple is now in (nearly) the same position. And their ecosystem has also been strange for the last 6-or-so years, in that particular "there's no clear reason for this, unless the government asked you to do it for supply-chain-integrity purposes" way (e.g. a self-serve repair program that requires you to pre-register a device for repair before ordering parts, and then report the part IDs to initiate online pairing.)
The niche they don’t play in is some police, inspector, and other outdoor jobs. The iPhone environmental operating range is too narrow.
I would say that this is at the very least a strong marketing point. "We are secure by default, and the most secure phone out-of-the-box on the planet if needed".
The hardware itself must be trusted to an extent, too. Is there an android-compatible device/ROM combination that can advertise the same level of security as this lockdown mode, without spending two days configuring it?
In no way is this 'revolutionary' by Apple.
[1] https://landing.google.com/advancedprotection/
[2] https://support.google.com/accounts/answer/9764949?hl=en
TBH, if you have a target on your back, spending two days configuring your phone is a pretty small inconvenience.
On the other hand, if you're applying this without looking deeper into what it covers, what it doesn't, and the limits, you'll probably be in trouble sooner than later.
A phone fully designed, developed, and assembled in the States with capacity to further lock down is a huge + for three letter agencies.
Lockdown mode is quite similar in that thinking.
https://www.macobserver.com/tmo/article/tim-cook-soundly-rej...
Perhaps requested by Biden's Director of InfoSec?
Well, they did that not because they care about users but because they want all software to pass through the App Store (and thus the review and policies of Apple). If you allowed code from other sources to run efficiently (for example downloaded at runtime, put in a W+X memory page and executed), that code wouldn't pass through the review process of Apple, thus one can publish an app that does something and then modify its code to make it do another thing (even load an entirely different thing).
In the end I don't think this is a good thing for users.
I really hope the EU will succeed in forcing Apple to allow third party app stores. That would be a game changer. People that are happy to stay in the walled garden can simply not use any other app stores but for someone like me it will open up iOS as an actual option I can choose. Right now there's too many things I can't do on iOS.
Though honestly, I'd be even happier with a real third option instead.
This is the best news. Otherwise, you can bet your IT department would be throwing that switch on for everyone.
The article says that in LM, you can't enrol the device in MDM -- I suppose that if you want LM functionalities, it makes some sense that you wouldn't want parts of your device to be remotely controllable by an enterprise (or your MDM profile overriding some of the Lockdown options..?)
But... I don't understand what you mean by it being a bad thing that IT admins would want Lockdown Mode for everyone. Thanks
If there's a lazy security option that can be enabled, a lot of companies are just going to inappropriately turn it on because it doesn't bother them that your phone can't do anything fun. That doesn't cost them money. Even if you're a web designer for a small shoe store where obviously nuclear power plant level of security doesn't really make sense.
I remember android phones like 10 years ago or so had some corporate policy option so any time the screen is locked, you need to enter a 20 character password that has uppers, lowers, capitals, symbols, and numbers.
Any patterns / words it decided were too easy to guess were rejected for a password. This wasn't a "Lock after an hour of inactivity." It was "Lock immediately, and set screen timeout to 30 seconds."
My understanding is that you can't change the MDM settings/enrollment while in Lockdown, but you can enroll in it, and then enable Lockdown, and be fine.
If you want me to use lockdown mode, give me a separate phone.
I think you will find you are partially mistaken here.
Apple have provided the ability to disable cellular access from day one. It's right there for you as an option and has always been there (look under Settings->Mobile Data, you can toggle on/off for each specific app).
Additionally, Apple have always provided the ability to disable background data refresh for apps. In other words, this takes you 3/4 of the way to providing the ability to restrict WiFi access.
I know it's cool to Apple bash, but at least get your facts right before you jump on the bandwagon.
That's not what he's talking about. I can't block a specific app I don't trust without blocking the internet for the entire phone.
On Android, you can download firewalls that allow you to turn on or off internet access for each app individually.
Disabling network access entirely is a great safety switch for apps that claim to be offline-only, or to ensure apps literally can't send your data away. I knew I'd trust a lot more apps this way.
I look forward to when this comes to iPad. An iPad with a Bluetooth keyboard is an excellent option over a traditional laptop for a high-risk target, and this’ll make it even better.
It would make much more sense to look at their actual, independently validated security certifications that they advertise:
https://support.apple.com/guide/sccc/security-certifications...
https://support.apple.com/library/APPLE/APPLECARE_ALLGEOS/CE...
https://support.apple.com/library/APPLE/APPLECARE_ALLGEOS/CE...
Where they have only managed to achieve the absolute lowest levels of security.
Like, look at that last one, their security validation functionally consists of typing “public unpatched ios vulnerabilities” into Google and certifying that nothing comes up. It is utterly preposterous to claim they have any security expertise against highly skilled attackers at all when that is the limit of their advertised certifications. If they actually want to demonstrate security leadership, they should certify against the highest level, AVA_VAN.5, which actually verifies protection against HIGH attack potential threats instead of the lowest level, AVA_VAN.1, which only verifies protection against BASIC attack potential threats.
Security qua security (ie, not counting security loss due to privacy loss) it's pretty tight between Android and iOS:
Maybe Zerodium will offer a new tier for a zero-click attack on an iPhone on Lockdown mode in the future.
Privacy I am not even so sure - you can turn a ton of Google stuff off fairly easily and on top of that while Apple may not directly sell your aggregated data to third parties they sure as hell are using it themselves
[1] https://support.google.com/accounts/answer/11577602?hl=en
https://microsoftedge.github.io/edgevr/posts/Super-Duper-Sec...
Anyone else being ... just Google. It's not like we have many options for mainstream mobile phones.
It's easy to be ahead of the competition when the competition's business model is selling your data. One can dream of a day when Apple gets real competition.
Apple’s privacy reputation is mostly marketing and boils down to “if anyone’s going to spy on you it’s going to be us!”
I just don't see how you could equate Apple to every other company and accuse them of spying on their users when it is clearly not the case. You have options when it comes to phones and computers and only one Fortune 500 company seems seriously committed to keeping their users' personal info private.
[1] https://www.apple.com/privacy/docs/Differential_Privacy_Over...
What if I want to block USB devices, but I want to be able to use shared photo albums?
It makes for a very clear demarcation as to why the product doesn't work as it normally should, and an abundance of differentiation would remove all of the guessing as to "why is feature X not doing what I expect" for the user of the device.
Regarding USB devices, Apple has offered a setting for years in "Face ID & Passcode", under "Allow Access When Locked" called "USB Accessories". If you turn that off, then your iPhone won't allow USB accessories to connect if the phone has been locked for more than an hour. Not quite the same as the Lockdown setting, but better than nothing?
Since around iOS 11 this USB lockout and “require pin, not FaceID/TouchID” used to be 5 clicks of the power button, and triggered it immediately. Also brings up an emergency button no matter what you were doing.
After this screen, pin is required.
Prior to this Lockdown mode, for best results you also may want to use Apple Configurator or JAMF Free or similar to block other ways of “recovering” access.
Before iOS 11’s USB lockout, this “pair locking” was the best way of helping block forensics tools:
Think of how Apple maintains their image, and who they claim this is for. They don't want a journalist killed because they thought they had Lockdown Mode on, but they had link previews in SMS and got hit by a zero-day tracker.
The value of grouping this into a mode is ensuring end operators don't miss important details.
I'd also like to see some method for quickly wiping the phone or severely disabling it. A friend mentioned that a new scheme for thieves is to ask you for your unlocked phone at gunpoint and then use a cash app to transfer money to one of their accounts. Some way to very quickly (and covertly) wipe your phone would help defend against that attack. (Related: https://www.startribune.com/warrant-grifters-targeting-cash-...)
A more practical defence is keeping a low balance on any account that can be easily accessed from the phone. Not seeing any real use for this functionality when faced with an adversary physically.
But when locked it throws away the keys to the storage in memory so they need to be retrieved from the Secure Enclave again through device password.
So without an absolutely amazing exploit all your data on device is totally inaccessible.
Well, I would like to have these two enabled in regular situations.
> web fonts might not be displayed
Great, I almost always prefer system default fonts.
> Incoming FaceTime calls are blocked
Perfect, I don't use it, it is always some scammer.
> Incoming invitations for Apple Services
Perfect, I don't care.
> Shared albums are removed from the Photos app
I don't use this stuff, I don't care.
> To connect your device to a USB accessory or another computer, the device needs to be unlocked.
This seems like it should have always been the default.
> Configuration profiles can’t be installed
Perfect, nobody should be trying to manage my phone.
> Perfect, I don't use it, it is always some scammer.
You get spam/scam FaceTime calls? (Not attacking, just generally curious... I've never in my life ever gotten or know anybody who has been spammed via FaceTime).
In fairness, there is a setting to turn FaceTime off entirely, that didn't have to wait for this feature.
Isn’t it on by default too?
What baffles me is that damn near all of this stuff could also be a separate preference item, mostly because I don't want 90% of what they mention enabled anyway.
The list of restrictions doesn't seem too inhibiting - for those who have used it, what are the points that stand out? Is this something designed for habitual use or under specific situations?
1. You cannot tap on any links in iMessage. You have to hold your thumb down on the link, copy it to clipboard, switch to Safari, paste
2. If someone posts a gif in an iMessage thread, it doesn't show up
3. All inbound requests for FaceTime calls seem to be automatically blocked, even when they are coming from people who are favorites in my contacts. I haven't looked into why yet. Maybe it's because I don't have their phone number saved with a `+1` prefix in my contacts?
Other than that it's hardly noticeable, and I think it's fantastic that we now have this option.
> Incoming FaceTime calls are blocked unless you have previously called that person or contact.
So you may have to call them first, even if they are a favorited contact.
This sounds like a positive for me. I disable animations in chat whenever it’s an option.
So far, the only annoyance is that sites relying on custom fonts for icons can end up with indecipherable UI elements (e.g. a button with a "refresh" icon is now just a button with an empty square)
I'm not sure though, it might have been a bug, it might have been a user error, but I wonder if inter-device copy and paste is limited, too. I haven't read anything about it, though.
Otherwise I've noticed nothing, except a popup when starting apps for the first time after activating lockdown mode, that lockdown mode is active for the app.
To me, lockdown mode is a no-brainer. But I don't use very JS-intensive web sites, and never use Apple messages.
Private relay and locked down mode are two of the recent good features in iPhone.
I am wondering how effective it is against NSO-style spyware? Like, are they going to still come up with exploits and zero days hacking locked down iPhones, maybe adding 25% to their fees?
Is there a similar mode in desk and server Linux?
Thanks to years of invasive online targeting, bulk data breaches and mobile phone network structural insecurity, it has never been cheaper to screen for higher-than-average-value targets with digital assets that can be exfiltrated.
Since targeting costs have fallen, it is profitable to target employees below the C-suite, e.g. those in strategic or development roles who routinely need to access sensitive information and digital assets. This applies to enterprise, mobile and WFH environments, e.g. leveraging a mobile phone foothold to reach other devices like a home router.
Some apps like Gmail will warn you that Lockdown mode is activated and that it will impact your experience but I have not encountered any drawbacks beyond iMessage links not opening the browser. This is easily worked around by copying them.
I hope this also blocks incoming calendar invites. Apple has as a feature the automatic addition of calendar invites... spammers soon noticed this and send out calendar invites with their favorite links that can clutter it up.
Executives, politicians, government figures, engineers and scientists with access to intellectual property, lawyers, … will all benefit from this mode.
Think of nations stealing trade secrets and technological know-how from each other. Or how much money you could make hacking the iPhone of an employee or CEO of a company that might provide inside information.
https://www.vice.com/en/article/epzpb4/websites-can-identify...
Apple is under more legal pressure than ever for its apparent 'anti-competitive' practices. They have on many occasions pushed the line of user privacy and security to defend their business. Features like this benefit a small group of people, but help Apple enormously in defending itself from litigation.
Edit: Downvote? Why are companies given the benefit of the doubt as if they were human and caring when they are clearly not! Large listed tech companies like Apple will ALWAYS act in their own interest first. User privacy is the advantage Apple has over its competitors who rely on free services and advertising. It is in their OWN INTEREST to pursue this path which in turn impacts others' ability to compete. Must we continue to be so grossly naive?
If competitors that depend on tracking and advertising die, nothing of value is lost.
'Privacy and security' allows them to justify taking a cut of 30% from developers for simply allowing their apps to be installed on an Apple device, which is then passed onto you.
'Privacy and security' is why you need to update your perfectly capable phone after X amount of years because Apple stopped releasing updates for it.
'Privacy and security' is why they removed ad tracking on devices used by competitors, forcing developers into Apple's payment streams where.. you guessed it, they take a cut. They then created their own App Store advertising model in the process. No alternative payment methods are available on Apple devices because 'privacy and security'.
Question: If I turn off cell, like with airplane mode, is it truly, completely off, with no cell tower pings and such?
Many hacks these days exploit WhatsApp incoming message processing, etc.
Every app with push notification support increases your attack surface.
Or perhaps disable their processing altogether and just have notifications be a dumb pipe.
https://www.apple.com/child-safety/pdf/CSAM_Detection_Techni...
There is growing political consensus that given the lawless conduct of our adversaries, and the semi-lawful conduct of American intelligence, a smaller overall security cross section is to our advantage.
> 4. Tap Turn On Lockdown Mode.
Tap twice? ;)
Countdown to some 0day no-click exploit that adds an app or service or site to the exclusion list and then proceeds with a further attack?
What type of exploit would be able to add something to the exclusion list but not already perform arbitrary code execution and just attack the system directly? This seems incredibly unlikely -- and roundabout, because you'd still have to get the browser to load the page.
> Tap Aa > Disable Lockdown Mode to view News Org secure content
Similarly to how malicious Word docs get users to enable macros.
Also, it appears you cannot use configuration profiles in lockdown mode, meaning you may not be able to use DNS over TLS or HTTPS.
—-
It says you can’t install new configuration profiles while lockdown mode is enabled, not that you can’t run lockdown mode with a profile enabled.
It is nice to make the effort, and it might do some good, and allow a lot of people to feel l33t.
It is bad if people at proper risk think they are safe once it is enabled. (and those, to me, appear to be the people this is marketed for)
I have seen some people in such positions and sometimes they don't even use a smartphone at all. I don't think they would be tricked into feeling 'safe' with something like this. I wonder if it will actually prevent the attack vectors used by something like Pegasus.
I think it will make a lot of people feel badass though :) Like most people that bought Phil Zimmermann's Blackphone.