科技回声: a tech news platform built on Next.js, offering global tech news and discussion.
© 2025 科技回声. All rights reserved.

Analyzing iOS 16 Lockdown Mode: Browser Features and Performance

234 points, by mjs, almost 3 years ago

34 comments

newscracker, almost 3 years ago
Since several web features are disabled with Lockdown mode enabled, I wonder what measures Apple is planning to implement to defeat (at least to some extent) fingerprinting attempts to detect the people/devices using Lockdown mode while browsing.

> If you can’t stand the impact on performance or image rendering, well, maybe Lockdown isn’t for you. Apple claims only a tiny fraction of users will need it, though I’d argue an awful lot of users will *want* it.

Of course, I want it! (I already go through many other inconveniences for privacy and security.)

> Should You Turn it On?

> Yes. Seriously. Turn it on when you have a supported OS and don’t look back.

Amen! I’ll be telling some laypeople to turn it on and try it out (along with instructions on how to turn it off selectively or completely).
Sporktacular, almost 3 years ago
"But it’s an admission that the complexity of a modern phone operating system (or tablet, or desktop OS) have just gotten too much to handle, so the best path forward is to offer the option to not do those things."

Looking at non-consumer security mobile phones (like the one from Boeing) or those that are modified to be secure (like the Blackberry used by Obama), they all seem to employ this less-is-more approach to security.

In other words, what's the minimum tolerable feature set we can offer without further compromising security? It follows from the question 'why use a phone at all? If there is a functionality the client can't do without, then how do we provide just that without any security downside?'

It's a sensible approach which means Apple has just entered this market. Not in a big way yet - phones are made in China, modem chip firmware security has a long way to go. But lockdown is just beginning too and it shows Apple understands this is serious.

But all this is just defense. Next step is the entire industry. Finfisher is done - next up: NSO, Candiru and Darkmatter, their investors, suppliers and scumbag employees before they dissolve/rebrand and scurry back out of the light.
WhyNotHugo, almost 3 years ago
So lockdown mode disables any attachment except images on their messaging app, because parsing these has often been introducing exploits.

The fascinating thing is that this parsing would happen on a process which even _has_ privileges to trigger any exploits. Parsing a message should be done far far away from the core OS operations, high in userspace, by a sandboxed process that can't break anything.

Based on previously seen exploits, it seems messages are handled by rather privileged processes. I wonder if there's a reason for that (e.g.: special messages can trigger privileged operations?)
castillar76, almost 3 years ago
This is a good writeup! A couple random thoughts that occurred to me while reading through it:

- It would be really nice to be able to disable Lockdown Mode for specific people in iMessage the way you can for specific websites in Safari. I'm guessing you can't because the sandboxing isn't implemented the same way it is in Safari...but maybe that should be fixed!

- Disabling WebRTC in Lockdown Mode is probably an overall win, but it may result in certain web-video-conferencing tools not working. In most cases, the correct answer will be "then install the app for that instead", but it may result in a few issues. On the other hand, users can also disable LM for those sites (and I like that you can do it easily, so I could do it temporarily and then flip it back off afterwards).

- It will be interesting to see if the ability to turn this on is a feature available in MDM. I can imagine companies mandating that users traveling to certain areas of the world must have LM MDM-force-enabled on their phones at all times instead of taking a burner phone.

- I wonder how the prohibition on wired accessories will work if the phone is unlocked when the accessory is plugged in. As an example, with LM enabled I could plug my phone into my car and use CarPlay, but does it then turn off when the phone locks? I'm assuming not, but if you're going full-bore-privacy-protections, there's an argument there that it should actually just disable the port fully when the phone locks (and that's certainly the easier option to code).
0x0, almost 3 years ago
The missing icons are probably web fonts being disabled?
jeshin, almost 3 years ago
If there's one thing I hate, it's websites "supporting" Tor by redirecting from a specific article to the main page of their (in this case non-functional) onion URL.

Twitter did this too a while back; they made a big show of how they're supporting Tor now, and now whenever I click a link to a tweet via Tor, it redirects me to their frontpage.

Thanks, can you stop supporting Tor now please, so I can use the site with Tor again?
Ansil849, almost 3 years ago
It's not clear to me if Lockdown Mode would have prevented Hermit, the latest mobile APT which targeted iOS via sideloading by enrolling in the Apple Developer Enterprise Program.

The list of lockdown features doesn't seem to explicitly list that in-house app sideloading is disabled - is it? If not, then this mode seems like security theater from Apple, in that it doesn't actually lock down the parts of the attack surface that are actively being leveraged. How about instead, or better yet alongside this, Apple explains how they granted entry in the Enterprise program to the spyware company, and what measures they're taking to prevent it from happening again.
saagarjha, almost 3 years ago
Fun fact: the browser limitations used for lockdown mode are very similar to the existing restrictions that Apple already had in place for rendering captive portal screens :)
londons_explore, almost 3 years ago
If I wanted my computing device to be as secure as possible against state actors, I would compile all the software myself, and tweak a few compiler settings for my builds.

It's super hard to make an exploit work when you don't know what options your target was compiled with.

Also, simple things like swapping malloc implementations or changing some parameters of malloc will pretty much make your device immune to state sponsored attacks.

Also, anytime you see an application crash, record all crashdumps - since they will contain evidence of a failed exploitation attempt.
frankjr, almost 3 years ago
> Apple is previewing a groundbreaking security capability that offers specialized additional protection to users...

That's an amazing marketing spin. It's not their admittance of failure of engineering to make the features secure, no, it's a *groundbreaking* security capability! To be fair, I do appreciate that they acknowledge the problem in the first place and are trying to do something about it.
bni, almost 3 years ago
Disabling old archaic image formats, link previews, and ill-advised web APIs sounds like a great feature. I will definitely try this out.
traceroute66, almost 3 years ago
It will be interesting to see how this fits in with Supervised Mode.

For example, I'm assuming "configuration profiles cannot be installed" will only apply to unsupervised devices. Otherwise it could make Supervised Mode rather, erm, tricky!

Also the "Allow access to USB accessories when device is locked" option has already been available in Supervised Mode for years.

So I wonder if Lockdown Mode is more removing some of the "supervised only" restrictions from certain options (e.g. the "USB when locked" is currently a "supervised only" option, but it looks like Lockdown Mode will bring this option to all users).

Overall, I think this is a good move by Apple though, even if some of the details remain to be seen.
AshleysBrain, almost 3 years ago
Disabling WebGL will block a lot of HTML5 games. I think there will be a lot of "WebGL not supported" or "browser out of date" messages that will need updating to include "please turn off lockdown mode"...
madmod, almost 3 years ago
I wonder how lockdown mode affects apps that use WKWebView? (Not SFWebView, which afaik is supposed to be more like the Safari app with things like password manager support.) E.g. would this break a WebRTC meeting in a native app?
bugmen0t, almost 3 years ago
I'd love to know if you can still use a third-party browser (e.g., Firefox) and if it would inherit lockdown settings per web page (given that all iOS browsers have to use the WebKit webview).
olliej, almost 3 years ago
This post repeats the false claim that link previews in messages provide attacker-controlled network loads.

They do not.

The page preview included in Messages is created on the sender side. On those occasions the sender can't create a preview you get a "click to load preview" message instead of a preview with the URL. In other words, nothing more than just sending the URL in the first place. I'm curious what "disabling link previews" actually means in lockdown.
mark_l_watson, almost 3 years ago
I am running Lockdown Mode on iOS and iPadOS right now. Generally I like it, but some web sites don't seem as responsive and the Mastodon web app uses a few web fonts that don't show up.

Here is some irony: the linked article caused Safari on my iPhone with beta iOS 16 and Lockdown Mode to immediately crash every time I visit the page (about 5 tests trying to load the page). I have not seen that problem on any other web site.
birdman3131, almost 3 years ago
Question on part of this. He skips over it in the article.

How do 2 locked-down phones that have not done so before do a FaceTime call? As neither one will accept the other's call.
coldcode, almost 3 years ago
Would such a thing be possible in the Android world? I wonder, since there are so many phone manufacturer and ISP mods that might not be under Google's control.
mmis1000, almost 3 years ago
> But with Lockdown enabled, the list grows. Now, the browser no longer will render TIFF, BMP (24-bit), JPEG 2000, or PDF images.

I am not sure why BMP is excluded specifically in lockdown mode. Isn't BMP 24-bit simply a big chunk of bytes filled with uncompressed RGB pixels? It doesn't even have any specific logic required to render. All you need is to fill the render buffer with pixels.
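The comment above treats 24-bit BMP as a format with nothing to parse. As an added example (not from the thread, and not Apple's or WebKit's code), here is the header validation that even a "just copy the pixels" decoder still needs before it touches the pixel array: consistency between declared geometry and bytes actually present, plus 64-bit arithmetic so width times height cannot wrap into an undersized allocation. The sample inputs are constructed in `bmp24_check_sample`.

```c
/* Added example (not from the thread): the header checks a "just copy the
   pixels" 24-bit BMP decoder still needs before it touches pixel data. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define BMP_HDR 54u   /* 14-byte file header + 40-byte BITMAPINFOHEADER */

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Returns 1 only if buf holds an uncompressed 24-bit BMP whose declared
   geometry fits inside the bytes actually present (negative height = top-down). */
int bmp24_validate(const uint8_t *buf, size_t len) {
    if (len < BMP_HDR || buf[0] != 'B' || buf[1] != 'M') return 0;
    uint32_t pixel_off = rd32(buf + 10);
    int32_t  width     = (int32_t)rd32(buf + 18);
    int32_t  height    = (int32_t)rd32(buf + 22);
    uint16_t planes    = (uint16_t)(buf[26] | buf[27] << 8);
    uint16_t bpp       = (uint16_t)(buf[28] | buf[29] << 8);
    uint32_t compress  = rd32(buf + 30);
    if (rd32(buf + 14) < 40 || planes != 1 || bpp != 24 || compress != 0) return 0;
    if (width <= 0 || height == 0 || height == INT32_MIN) return 0;
    uint64_t w = (uint64_t)width, h = (uint64_t)(height < 0 ? -height : height);
    /* Rows are 3*w bytes padded to a 4-byte boundary; 64-bit math keeps a
       huge width*height from wrapping into a too-small allocation size. */
    uint64_t need = (((w * 3) + 3) & ~(uint64_t)3) * h;
    if (pixel_off < BMP_HDR || pixel_off > len) return 0;
    if (need > (uint64_t)(len - pixel_off)) return 0;  /* pixels exceed file */
    return 1;
}

/* Constructed sample builder: 54-byte header claiming w x h pixels with the
   pixel array starting right after the header; out must hold BMP_HDR bytes. */
void bmp24_make_header(uint8_t *out, int32_t w, int32_t h, uint32_t file_len) {
    memset(out, 0, BMP_HDR);
    out[0] = 'B'; out[1] = 'M';
    wr32(out + 2, file_len); wr32(out + 10, BMP_HDR); wr32(out + 14, 40);
    wr32(out + 18, (uint32_t)w); wr32(out + 22, (uint32_t)h);
    out[26] = 1; out[28] = 24;   /* planes = 1, bpp = 24, compression = BI_RGB */
}
/* Constructed test input: header for w x h followed by pixel_bytes (<= 64)
   zero bytes, so truncated and oversized geometries can be exercised. */
int bmp24_check_sample(int32_t w, int32_t h, size_t pixel_bytes) {
    uint8_t buf[BMP_HDR + 64] = {0};
    if (pixel_bytes > 64) pixel_bytes = 64;
    bmp24_make_header(buf, w, h, (uint32_t)(BMP_HDR + pixel_bytes));
    return bmp24_validate(buf, BMP_HDR + pixel_bytes);
}
```

A 2x2 image needs two 8-byte rows, so 16 pixel bytes pass and 15 fail; a header claiming 2^31-1 by 2^31-1 pixels is rejected on size rather than driving the allocation.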
londons_explore, almost 3 years ago
I wonder if turning off the JIT is worth it? A lot of bugs exist *around* JavaScript engines, sure, but they tend to be in the interfaces with the bindings for all the HTML5 features (and corresponding opportunities for memory corruption).

It's been a while since the last bug in the JIT itself - fuzzing tends to uncover those pretty quick.
amq, almost 3 years ago
Firefox on Android could easily offer something similar for the web part. Sounds like a quick win to get some attention.
infinityplus1, almost 3 years ago
How about some kind of firewall which sends requests only to trusted domains and blocks everything else?
mark_l_watson, almost 3 years ago
I am late to this conversation, but I have a question: both my iPad Pro and my iPhone 11 Pro seem to get slightly shorter battery life between charges. Has anyone else noticed this? Perhaps it is because JavaScript runs slower?
execveat, almost 3 years ago
Aren't configuration profiles necessary for configuring VPN though? For the best security you'd want all your traffic to go through your own server for retrospective analysis.
trixie_, almost 3 years ago
I already use an extra iPhone as a secure platform crypto wallet; this feature sounds like it'll make it even better.
samwestdev, almost 3 years ago
I had no idea you could use a Photoshop document (PSD) as an image on a webpage!
mixmastamyk, almost 3 years ago
Finally a feature I’m interested in, and they drop support for the 6s.
epolanski, almost 3 years ago
What about store apps' privacy?
A7med, almost 3 years ago
Probably they shared how to pass by this mode with the Pegasus team pebblydy
dellIsBetter, almost 3 years ago
Does Lockdown Mode modify Apple telemetry?
rootusrootus, almost 3 years ago
Will this become entirely moot in the EU after they force Apple to throw open the gates to iOS?
yessirwhatever, almost 3 years ago
So lockdown mode is IE6 on iOS?
naillo, almost 3 years ago
It's not clear to me why you wouldn't just turn off your phone if you think you're being targeted by such an extreme attack.