Apple’s Lockdown Mode

I haven’t written about Apple’s Lockdown Mode yet, mostly because I haven’t delved into the details. This is how Apple describes it:

Lockdown Mode offers an extreme, optional level of security for the very few users who, because of who they are or what they do, may be personally targeted by some of the most sophisticated digital threats, such as those from NSO Group and other private companies developing state-sponsored mercenary spyware. Turning on Lockdown Mode in iOS 16, iPadOS 16, and macOS Ventura further hardens device defenses and strictly limits certain functionalities, sharply reducing the attack surface that potentially could be exploited by highly targeted mercenary spyware.

At launch, Lockdown Mode includes the following protections:

  • Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled.
  • Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
  • Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
  • Wired connections with a computer or accessory are blocked when iPhone is locked.
  • Configuration profiles cannot be installed, and the device cannot enroll into mobile device management (MDM), while Lockdown Mode is turned on.

What Apple has done here is really interesting. It’s common to trade security off for usability, and the results of that are all over Apple’s operating systems—and everywhere else on the Internet. What they’re doing with Lockdown Mode is the reverse: they’re trading usability for security. The result is a user experience with fewer features, but a much smaller attack surface. And they aren’t just removing random features; they’re removing features that are common attack vectors.

There aren’t a lot of people who need Lockdown Mode, but it’s an excellent option for those who do.

News article.

EDITED TO ADD (7/31): An analysis of the effect of Lockdown Mode on Safari.

Posted on July 26, 2022 at 7:57 AM

Comments

Steve Bolton July 26, 2022 8:28 AM

I would use it going through customs in any country, but especially the US! 🙂

Regis July 26, 2022 8:49 AM

That seems a remarkably practical set of options for the small segment of the user base that needs it.

bw July 26, 2022 9:43 AM

This might make me buy an Apple product or two. I don’t see any features lost that I care about.

Do I ‘need’ this? Maybe not. However IMO this should default on.

Beatrix Willius July 26, 2022 9:59 AM

Stupid questions:

Why can’t Apple fix the problems in Messages with link previews and non-image attachments if these are a security risk?
What exactly is the difference between using the JIT compiler and the non-JIT one for JavaScript?

The other 3 features make sense but the first 2 look flaky to me. Or not very well explained.

Denton Scratch July 26, 2022 10:52 AM

There aren’t a lot of people who need Lockdown Mode

I disagree!

I guess a lot of people only need a few of these protections; many of the others are easily worked around. For example, banning a locked device from wired connections is straightforward; if you’re making a wired connection, you have your hands on the device, and can simply unlock it. That’s standard on Android.

Banning JIT is a browser feature, not a device feature.

Controlling message attachments is a no-brainer. Executable attachments should simply be banned.

It doesn’t sound to me as if lockdown-mode is a serious impediment to usability; I think it should be standard.

/me Not an Apple owner.

Daniel Armyr July 26, 2022 10:53 AM

So am I missing something or are the features listed really not that important? Everyone keeps stressing how few people need this. I think: Why not? I simply do not really see the downside. But then, in a room of 10 colleagues, almost everyone said that their phone was their favorite possession. I said the opposite… so maybe I am the odd man out here.

Ted July 26, 2022 1:42 PM

Is anyone going to play with the iOS 16 public beta release?

Still, I think that technical solutions are a very narrow mitigation of this problem.

Without addressing invasive spyware through larger policy and enforcement mechanisms, there is nothing to stop spyware makers from creatively finding other avenues to exploit.

I hope we get continued updates from Citizen Lab, Amnesty International’s Security Lab, and Apple on this space.

David Leppik July 26, 2022 4:16 PM

@beatrix:

Without the JIT compiler, JavaScript is almost entirely interpreted. That is to say, JavaScript commands are performed line-by-line. Sort of. Expect JavaScript to run 10x slower.

Safari (and other browsers) have several levels of optimization. The lowest level just maps each JavaScript function to a default machine language implementation. It then stitches these implementations together and runs them. It’s 10x slower than pure machine language.* However, since no new code is generated, there is a strict separation between JavaScript and non-JavaScript code, so it’s easy to keep the JavaScript runtime from doing anything it shouldn’t. I assume this is what they are allowing.

After that are multiple levels of more optimized code. In this, a JIT analyzes the code and generates an efficient machine language version. New code is written as bytes into a page of memory, and then the program jumps to that page. There’s a lot more room for something to go wrong when you mix data and instructions—but it lets JavaScript run as fast as native code.

Processors have a security feature where a page of memory is labelled as data-only, instruction-only, or mixed data and instructions. Instruction-only memory is read-only, so it can’t be overwritten with malicious code. The processor refuses to jump to data-only memory. This memory separation shuts out whole categories of attacks.

On iOS, the JavaScript JIT is the ONLY thing that’s allowed to use mixed-use memory. Third-party web browsers are required to use Apple’s JavaScript JIT or have no JIT at all. Presumably, Apple’s new lockdown mode eliminates mixed-use memory entirely.

*It used to be 100x slower, until a dozen years ago Apple added a few extra features to their C compiler to allow things to be stitched together with function pointers. It’s a rare case of a language feature added mainly for a single use case in a single program.
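The page-permission model David Leppik describes above (data-only pages the processor refuses to execute, instruction-only pages that cannot be overwritten, and the write-then-execute discipline a JIT follows), carried through as an added C example that is not part of the blog post or of any comment. It assumes a POSIX system with mmap/mprotect and an x86-64 or arm64 CPU with NX enforcement; the hand-assembled instruction bytes, the function names and the return-code conventions are this example's own, not anything from Apple or WebKit, and it does not model iOS's extra restrictions (where third-party apps cannot create executable memory at all).

```c
/* Added example, not code from the post or any commenter. It demonstrates the
 * page-permission separation David Leppik describes: a data-only page cannot be
 * executed, an instruction-only page cannot be written, and a JIT must write its
 * code while the page is writable and only afterwards make it executable. Assumes
 * POSIX mmap/mprotect on an NX-capable x86-64 or arm64 CPU (other ISAs skip the
 * execution step). The instruction bytes are hand-assembled constants. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef int (*ret42_fn)(void);

/* "return 42" as raw instructions for the ISAs this example knows. */
#if defined(__x86_64__)
static const uint8_t ret42_code[] = {0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3};             /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const uint8_t ret42_code[] = {0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6}; /* mov w0,#42 ; ret */
#else
static const uint8_t ret42_code[] = {0x00};
#define NO_KNOWN_ISA 1
#endif

static sigjmp_buf fault_env;

/* A permission violation arrives as SIGSEGV (SIGBUS on some systems); jump back to the probe. */
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

static void install_fault_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sigemptyset(&sa.sa_mask);
    sa.sa_handler = on_fault;
    sa.sa_flags = SA_NODEFER; /* keep the signal deliverable for the next probe */
    sigaction(SIGSEGV, &sa, NULL);
    sigaction(SIGBUS, &sa, NULL);
}

/* A fresh read/write page holding the code bytes, or NULL if mmap fails. */
static uint8_t *map_code_page(size_t *pg) {
    *pg = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *p = mmap(NULL, *pg, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    memcpy(p, ret42_code, sizeof ret42_code);
    return p;
}

/* Object-to-function pointer conversion without the pedantic-cast warning. */
static ret42_fn as_function(uint8_t *p) { ret42_fn fn; memcpy(&fn, &p, sizeof fn); return fn; }

/* 1 if jumping into a data-only page faults, 0 if the CPU ran it anyway, -1 on mmap error. */
int exec_of_data_page_faults(void) {
    size_t pg;
    uint8_t *page = map_code_page(&pg);
    if (!page) return -1;
    install_fault_handler();
    if (sigsetjmp(fault_env, 1) != 0) { munmap(page, pg); return 1; } /* landed here: CPU faulted */
    as_function(page)(); /* valid code, but the page is marked data: NX refuses the fetch */
    munmap(page, pg);
    return 0;
}

/* 1 if storing into an instruction-only page faults, 0 if the store went through, -1 on error. */
int write_to_code_page_faults(void) {
    size_t pg;
    uint8_t *page = map_code_page(&pg);
    if (!page) return -1;
    if (mprotect(page, pg, PROT_READ | PROT_EXEC) != 0) { munmap(page, pg); return -1; }
    install_fault_handler();
    if (sigsetjmp(fault_env, 1) != 0) { munmap(page, pg); return 1; } /* landed here: CPU faulted */
    page[0] = 0xc3; /* overwriting live code is exactly what read-only text prevents */
    munmap(page, pg);
    return 0;
}

/* JIT discipline: write while writable, then flip to executable and call.
 * Returns the code's result (42), -1 on a mapping error, -2 on an unknown ISA. */
int jit_style_call(void) {
#ifdef NO_KNOWN_ISA
    return -2;
#else
    size_t pg;
    uint8_t *page = map_code_page(&pg);
    if (!page) return -1;
    if (mprotect(page, pg, PROT_READ | PROT_EXEC) != 0) { munmap(page, pg); return -1; }
    __builtin___clear_cache((char *)page, (char *)page + sizeof ret42_code); /* arm64 needs this */
    int result = as_function(page)();
    munmap(page, pg);
    return result;
#endif
}

int main(void) {
    printf("execute data-only page   -> fault=%d (expect 1)\n", exec_of_data_page_faults());
    printf("write instruction page   -> fault=%d (expect 1)\n", write_to_code_page_faults());
    printf("write, then flip to exec -> returns %d (expect 42)\n", jit_style_call());
    return 0;
}
```

Build with `cc wx_demo.c -o wx_demo` and run it. The first two probes are the hardware separation Leppik describes: the processor faults rather than fetch instructions from a page marked data, and faults rather than store into a page marked instructions. The third probe is the only path a JIT is allowed to take, and the reason a JIT widens the attack surface: the same bytes that were just written as data are, one `mprotect` later, executed as code, so any bug in what the JIT emits becomes native code running with the browser's privileges. Disabling the JIT, as Lockdown Mode does, means no page in the process ever makes that transition.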

Frankly July 26, 2022 4:22 PM

Does Lockdown Mode send a signal to Apple servers, letting the company know which users are choosing that feature? I bet it does. Corporations do not protect users from the risks of information by that corporation.

Q July 26, 2022 4:42 PM

Doesn’t anyone want to mention the real problem here?

It isn’t about whether JIT is allowed, or if attachments are blocked, or any of that. While those things are good, and probably necessary, they aren’t where we should be.

We need to stop allowing the companies to control all the things. We need to allow the users to decide what they want, and disallow companies to override it “for security”.

Clive Robinson July 26, 2022 5:10 PM

@ Bruce, ALL,

I read this and I shudder,

“Most message attachment types other than images are blocked.”

Anyone else remember when “images” were a major attack vector?

For various reasons some image formats need a “Turing Complete Engine” that interprets the image file…

If you do not want JIT JavaScript and its pesky time based side channels, you almost certainly do not want similar in image files…

All in all I’d say that what Apple is offering is the very minimum of a list of “fixes” that have been asked for over and over for years and highlighted on this blog repeatedly.

They should have options to fully turn off JavaScript and all forms of cookies as standard.

There are better ways to “implement state” and from a security aspect, running code on a client set from a server is a security risk to both the client and the server.

Anyone who thinks that distributing not just executable code but business logic this way really needs their understanding of security examined by kinetic phrenology…

n1 July 26, 2022 8:15 PM

Maybe for those personally targeted by some of the most sophisticated digital threats a dumb phone would be a better solution.

Peter Galbavy July 27, 2022 3:02 AM

I may be missing something, but something that can be switched on can just as easily be switched off.

That, and also who knows if this is just security-theatre, to borrow one of Bruce’s phrases, and how much is just a visible option with some dancing around behind the scenes – a bit like those cookie consent banners that pretend to be doing something for 30 seconds when you click “reject all” but not “accept all” ?

David Rudling July 27, 2022 3:50 AM

@Clive Robinson

“… kinetic phrenology…”

Now there’s a technique whose applicability seems almost boundless to so many working in this field.

Denton Scratch July 27, 2022 5:09 AM

@David Leppik

You speak of a factor of 10x speedup from JIT. That surprises me.

I’m not surprised that pure Javascript logic can be speeded up that much by compilation; but most Javascript isn’t pure logic. Most of it is library calls. Those don’t get speeded up by compilation.

Does Javascript JIT really generate machine-code as its object? That seems extreme; it means your JIT compiler needs backends to output object suited to each targeted CPU. It would make a lot more sense for the JIT to output intermediate code (p-code), and run that on a VM. The difference in performance between p-code and machine code surely isn’t as much as a factor of 10?

Just asking – I don’t know.

This whole issue of Javascript performance and JIT compilers ought to be moot, because we’re speaking here of a browser scripting language; you don’t need 80Kb of script to display a webpage, and it seems crazy to make a webpage that runs so slowly under an interpreter that you need JIT.

Clive Robinson July 27, 2022 6:34 AM

@ Denton Scratch, David Leppik, ALL,

you don’t need 80Kb of script to display a webpage, and it seems crazy to make a webpage that runs so slowly under an interpreter that you need JIT.

It’s worse than that…

If you have a moderately slow Internet connection, like mobile broadband in contested/congested areas, there is something you fairly quickly note.

With JavaScript turned on, page downloads until the “we need you to say yes to XXX” box can take up to ten or twenty seconds or so…

By which time you can have read enough of the page to reverse out if dull/pointless.

But if you turn JavaScript off and download the page, it takes only a second or two to load the page… And in a lot of cases you do not get that popup box demanding your first born be sold into slavery or whatever…

It’s why for quite a few years now I’ve had not just cookies but Javascript disabled.

As for disabling this nonsense, you might have noticed with just about every update of a browser it gets harder and harder…

If you want to know why have a look at the corporate funders, not just of those that produce the browsers, but also the organisations that produce the standards…

More than 75% of HTML5 is not just totally unnecessary, a big chunk of that is positively dangerous when it comes to your privacy. Which is hardly surprising when you consider how some of those corporates make their income directly or indirectly.

The fact is the “extra services” it might provide, are mostly unwanted or of no interest to probably more than 9 out of 10 web browser users.

The simple fact is for nearly all the sites I might want to browse, it’s to read information, not stare at animations etc. Whilst an occasional static picture of a graph, chart, map etc can be useful I generally do not need them, though on some “How-To” technical sites, for things like antenna construction or certain cooking techniques etc[1], I can understand others needing the pictures. As they may be first timers or they may not have experience going back to the 1970s. Those with experience need just a parts/ingredients list, and a minimal set of instructions and often not even the minimal instructions (see the various recipe compendiums).

For just about everything I’ve had to do with developing an HTML based information source Flash, Java, JavaScript has been entirely unnecessary and in most cases undesirable from the source security aspect. Even designing out “state” so cookies are mostly unneeded is something that can with experience be done.

The fact developers still push for quite privacy invading and security failing features somewhat baffles me (till I follow the money 😉

[1] In fact cooking is an excellent example, with terms like make a “brun roux”, or “onion marmalade” whilst simple after a bit of practice can be almost heart stopping to contemplate and have the fear of over caramelisation where things are not as you’d like. Even the difference between a simmer, boil, and rolling boil, is easier seen than described. But once you’ve seen once or twice… The problem is that often web page authors do not know how to write thus just copy and paste in stuff that would best be served by having a more extensive page to itself that gets linked to.

Nameless Cow July 27, 2022 9:04 AM

@Denton Scratch

Banning JIT is a browser feature, not a device feature.

You might as well consider it a device feature, given that on iOS there’s really only one browser available. (Other browsers on iOS use Safari under the hood.)

Quantry July 27, 2022 11:43 AM

@n1

“a dumb phone would be a better solution”

Where do I get one? (Does it have a headphone jack and a removable battery ? ‘I’m in : I’m out’).

lurker July 27, 2022 7:20 PM

@quantry, n1

4 years ago I bought a 2/3G dumb phone from my telco. Today the dumbest burner they offer is a 4G feature phone with FB & WA pre-installed. Our local version of Walmart lists the same model and a similar for another carrier, also 4G+FB+WA.

They call this progress.

Q July 27, 2022 9:02 PM

“The difference in performance between p-code and machine code surely isn’t as much as a factor of 10?”

It is. And maybe even more than 10x. Interpreted stuff needs to be parsed every time you encounter it. So loops will get the parsing penalty every time they repeat.

“you don’t need 80Kb of script to display a webpage”

You are correct, of course. But too many websites demand that it be so. And people like me, who refuse to run JS, often get labelled as Luddites, or paranoid, or some other derogatory term. Probably in an attempt to shame me into conforming to the norm of simply unquestioningly trusting all websites.

Websites seem to be treated as gods, and mere ordinary people shouldn’t question their wisdom. Or something like that. I don’t actually understand the mindset of blindly following “trends”.
