
If you use iOS: Turn on Lockdown mode. All your devices. Don't look back. Grant exemptions for individual, known/trusted websites/apps if needed to regain functionality that's critical. Even if you have to whitelist a few websites or apps, it's better than having all the interfaces exposed to all the things.

You eliminate a ton of "complicated, probably exploitable things" in spaces known to be commonly exploited. Oddball image formats, the JavaScript JIT engine, "complex" messaging (FaceTime, Memojis, that... entire ecosystem of weird-not-text-not-image stuff that Apple does), WebGL, WebRTC, link preview processing (I expect a common 0-click exploit chain is through that system), and probably some other stuff.

The phone/tablet is entirely usable without this stuff. Some websites don't render images properly, "that one guy's website" doesn't do the animations, but you can individually bypass Lockdown mode for sites, apps, etc - and you still get the protections for everything else.

And if you're a web developer or app developer, please. Test your website on an iOS device with Lockdown mode enabled. Pick image formats that render properly, it's not hard. And if your app requires something that isn't supported in Lockdown mode, that's fine - but please show some sort of useful error message that indicates that, perhaps, this crash/glitch/whatever is the result of Lockdown mode, and you can disable it by following these steps. Then, also, don't sell to some random purchaser of apps.

But Lockdown mode really, really helps reduce the attack surface. Try it. You'll like it! And it might just help prevent getting you popped by this sort of crap.

... then install QubesOS on your full computers and don't look back. ;)
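As an added example (not code from the thread, from Apple, or from any site mentioned here), this is what "test with Lockdown Mode and fail gracefully" can look like on the client side: probe the features the comment above lists as restricted (less common image formats such as AVIF, WebGL, WebRTC), swap in a baseline image when a format does not decode, and show a message that points the user at Lockdown Mode rather than leaving a broken page. The probe image paths `/probe/1x1.avif` and `/probe/1x1.webp`, the `data-candidates` attribute and the `lockdown-hint` element are assumptions made for this example; the pure helpers run outside a browser, the probes only inside one.

```javascript
// Added example: graceful degradation for browsers with restricted features
// (e.g. iOS Lockdown Mode). Assumptions: the site serves tiny probe images at
// /probe/1x1.avif and /probe/1x1.webp (hypothetical), <img> tags carry a
// data-candidates JSON list ordered best-first, and a #lockdown-hint element
// exists for the message. None of this is Apple's API; it is plain DOM code.

// ---- pure helpers (no DOM needed, so they are testable in Node) ----

// Pick the first candidate whose MIME type decoded successfully. The last
// candidate is the baseline (JPEG/PNG) and is used when nothing else works.
function chooseSource(candidates, support) {
  for (const c of candidates) {
    if (support[c.type] === true) return c.src;
  }
  return candidates[candidates.length - 1].src;
}

// Build a human-readable hint from probe results ({name: true|false|null}).
// Returns null when nothing is missing so the common case shows nothing.
function lockdownHint(results) {
  const missing = Object.entries(results)
    .filter(([, ok]) => ok === false)
    .map(([name]) => name);
  if (missing.length === 0) return null;
  return (
    `Some features are unavailable here: ${missing.join(', ')}. ` +
    'On iOS this can be caused by Lockdown Mode; if you trust this site you ' +
    'can exempt it in Safari\'s site settings.'
  );
}

// ---- browser-only probes: resolve true/false, never throw, null outside a browser ----

function probeImage(url) {
  if (typeof Image === 'undefined') return Promise.resolve(null);
  return new Promise((resolve) => {
    const img = new Image();
    // decode() rejects if the bytes arrive but the format cannot be decoded.
    img.onload = () =>
      img.decode().then(() => resolve(img.naturalWidth > 0), () => resolve(false));
    img.onerror = () => resolve(false);
    img.src = url;
  });
}

function probeWebGL() {
  if (typeof document === 'undefined') return null;
  const canvas = document.createElement('canvas');
  return !!(canvas.getContext('webgl') || canvas.getContext('experimental-webgl'));
}

function probeWebRTC() {
  if (typeof window === 'undefined') return null;
  return typeof window.RTCPeerConnection === 'function';
}

async function runProbes() {
  const [avif, webp] = await Promise.all([
    probeImage('/probe/1x1.avif'),
    probeImage('/probe/1x1.webp'),
  ]);
  return { avif, webp, webgl: probeWebGL(), webrtc: probeWebRTC() };
}

// Wire-up: rewrite <img data-candidates> sources and fill in the hint.
async function applyLockdownFallbacks() {
  if (typeof document === 'undefined') return;
  const results = await runProbes();
  const support = { 'image/avif': results.avif, 'image/webp': results.webp, 'image/jpeg': true };
  for (const img of document.querySelectorAll('img[data-candidates]')) {
    img.src = chooseSource(JSON.parse(img.dataset.candidates), support);
  }
  const el = document.getElementById('lockdown-hint');
  if (el) el.textContent = lockdownHint(results) ?? '';
}
```

Note that a plain `<picture>` element with a JPEG `<img>` fallback covers the image case without any script; the probe approach above is for pages that also need to explain a missing WebGL or WebRTC feature instead of crashing, which is the part the comment asks developers for.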



I don't use iOS often but I find lockdown mode to interfere very little with apps when I've tried it. Seems like a "don't get hacked" toggle that companies and people doing any kind of public research should just turn on for their phones.

However, I don't have access to Safari on a dev machine and until Apple fixes that, I'm not testing websites on iOS. Sorry not sorry, but even Microsoft Edge is cross platform these days, if Apple wants independent websites to support their browser (especially their own restricted browser profiles) they need to stop making it exclusive to their hardware.

Seems like a good idea to test against if you're already doing Safari testing but I'm not sure if automated tooling supports the toggle.


You can run WebKit on Linux if you want


I do occasionally, but it didn't take me long to find differences in behaviour and support between Linux and iOS. Entire APIs are left unimplemented on the Linux side and things that work on Linux break on mobile for some reason. Codecs (for image, video, and audio) seem to vary wildly between platforms too.

I'm sure Apple could take GNOME Web and turn it into a cross-platform Safari browser if they wanted to, but so far they haven't (and probably don't want to).


Safari mobile has different bugs than WebKit. And even different bugs than desktop Safari itself.

As a web developer, I'm also not bothering to test anything on iOS, it's just so much pain that it's not worth it. You need to buy a dedicated device with a specific iOS version and never update it (since you can't even change the browser version on iOS) and as for the debugging tools, they suck so much that I had to resort to Firebug.js a few times in the past.

Yeah no thanks, I just test on Android and hope it's good enough on iOS.


How would your clients react after reading this?


Not sure, most end users aren't really aware of how it works on their mobile and it's not like Apple will advertise it either.

Personally I can't really do much about the sad state of the web on iOS myself anyways, I'm not a regulator. The problem goes beyond just the tech side.


AVIF images being automatically disabled by default in Lockdown Mode is painful. That and various automatic family sharing things (such as shared photos or children app install requests) no longer working has made Lockdown a deal breaker in some cases where the user doesn’t appreciate the threat.


One shouldn't use a locked down device to auto share pictures and approve children app install requests. If there is no need for a separate device for sensitive data then one possibly is not a person of interest and doesn't need a lockdown mode. It is not possible to have comfort and security at the same time.

And a sensitive device should not be easily discoverable, to gatekeep who can actually send anything to it. This also renders it unusable for day to day family tasks.


Do you happen to have a full list of what media formats are still working in Messages when in lockdown mode? Does HEIC/HEIF work? (Pardon the question but I just don't have a second iOS device available for testing this myself.)


Even large mainstream app developers are not testing against Lockdown mode. Amazon’s app doesn’t load Customer support chat with it enabled for example.

Also, is JIT disabled for alternative browser engines in EU?


Nobody has released an alternative browser engine yet, because of the way the app store works (you'd need specific apps you can only install in the EU next to the worldwide version for instance). I'm sure it'll happen eventually, but it doesn't seem to be a priority for browser makers just yet.


I don't actually think there is official API to check if the device is in Lockdown Mode. But to be clear this is an academic curiosity for now as nobody is actually shipping an alternative browser engine in the EU that is being targeted by a sophisticated attack.


Generally Apple introduces features they think people want to use. So enabling anything that takes away networked features will hurt the user experience in practice. So... people won't do that.

I would rather be interested in ways to detect this software phoning home on my home wifi with my firewall - for now. I might change this stance any moment in the future heh.


Why are more people not saying this? At the end of the day malware is only useful if it can send information out. So it's, by nature, totally detectable.


How would you inspect mobile data when not on your own wifi?

How would you inspect it if it was piggybacking off a trusted but compromised endpoint? What if the data exfiltration doesn't use a networking protocol you can monitor at all, like Bluetooth beacon transmitting?

The answer to almost any “why are people not saying this” is because it’s usually not that simple.


1) Software defined radio. You basically hook up an IMSI backed by an internet connection.

2) That is a good example. Much harder to execute. I would argue in that case that everything is totally compromised. But if the hardware vendors provided a low-level interface where one could read and write firmware etc. directly, one could do simple binary comparison analysis.

The point still stands. Figuring out what malware is doing is hard. Detecting that there is something in your system that wasn't there before shouldn't be hard. If the hardware vendors wanted to provide low-level mechanisms to make the process easier, it's totally in the realm of the possible.

E.g. the main responder to this thread makes it seem like an impossible task even for dedicated security defense groups. But with just two mechanisms, 1) network analysis and 2) low-level ability to read and write firmware/persistent storage, it's totally possible and straightforward.
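To make the "network analysis" half of the comment above concrete, here is an added example (not from the thread or from any product) of the two checks a home firewall or flow collector would actually run: a baseline diff that flags destinations a device never contacted before, and a beaconing check that flags near-periodic connections to one destination, which is how a phone-home loop usually looks. The log format, the baseline set and every address and timestamp in `SAMPLE_LOG` are constructed for this example (the IPs are from the documentation ranges); a real deployment would read its own firewall or NetFlow export instead.

```javascript
// Added example: baseline-diff and beacon detection over flow-log lines.
// Everything below is constructed for illustration: the log format is a
// hypothetical "ts src= dst= dport= bytes=" line, the baseline is assumed to
// have been built from a previous, trusted week of the same logs.

const BASELINE = new Set([
  '192.168.1.23|198.51.100.4|443',
  '192.168.1.23|198.51.100.9|443',
  '192.168.1.40|198.51.100.4|443',
]);

const SAMPLE_LOG = [
  '2024-05-01T10:00:00Z src=192.168.1.23 dst=198.51.100.4 dport=443 bytes=5120',
  '2024-05-01T10:00:11Z src=192.168.1.40 dst=198.51.100.4 dport=443 bytes=830',
  '2024-05-01T10:01:00Z src=192.168.1.23 dst=203.0.113.7 dport=443 bytes=412',
  '2024-05-01T10:06:00Z src=192.168.1.23 dst=203.0.113.7 dport=443 bytes=398',
  '2024-05-01T10:07:30Z src=192.168.1.23 dst=198.51.100.9 dport=443 bytes=22100',
  '2024-05-01T10:10:57Z src=192.168.1.23 dst=203.0.113.7 dport=443 bytes=405',
  '2024-05-01T10:16:00Z src=192.168.1.23 dst=203.0.113.7 dport=443 bytes=410',
  '2024-05-01T10:21:01Z src=192.168.1.23 dst=203.0.113.7 dport=443 bytes=401',
  '2024-05-01T10:25:59Z src=192.168.1.23 dst=203.0.113.7 dport=443 bytes=399',
  '2024-05-01T10:31:02Z src=192.168.1.40 dst=198.51.100.4 dport=443 bytes=1200',
  'not a flow line',
];

// Parse one line into a record; returns null for anything that is not a flow.
function parseLine(line) {
  const m = /^(\S+) src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+)$/.exec(line.trim());
  if (!m) return null;
  const ts = Date.parse(m[1]) / 1000;
  if (Number.isNaN(ts)) return null;
  return { ts, src: m[2], dst: m[3], dport: Number(m[4]), bytes: Number(m[5]) };
}

const flowKey = (r) => `${r.src}|${r.dst}|${r.dport}`;

// Check 1: (src, dst, port) triples that were never seen in the baseline.
function newDestinations(records, baseline) {
  const seen = new Map();
  for (const r of records) {
    const k = flowKey(r);
    if (!baseline.has(k) && !seen.has(k)) seen.set(k, { src: r.src, dst: r.dst, dport: r.dport });
  }
  return [...seen.values()];
}

// Regularity of a timestamp series: coefficient of variation of the gaps.
// A cv near 0 means the connections are evenly spaced (a timer, not a human).
function beaconScore(timestamps) {
  const ts = [...timestamps].sort((a, b) => a - b);
  const gaps = [];
  for (let i = 1; i < ts.length; i++) gaps.push(ts[i] - ts[i - 1]);
  if (gaps.length === 0) return null;
  const mean = gaps.reduce((s, g) => s + g, 0) / gaps.length;
  const variance = gaps.reduce((s, g) => s + (g - mean) ** 2, 0) / gaps.length;
  const cv = mean === 0 ? Infinity : Math.sqrt(variance) / mean;
  return { count: ts.length, meanInterval: mean, cv };
}

// Check 2: flows with at least minCount connections whose spacing is regular.
function findBeacons(records, { minCount = 4, maxCv = 0.2 } = {}) {
  const byFlow = new Map();
  for (const r of records) {
    const k = flowKey(r);
    if (!byFlow.has(k)) byFlow.set(k, { src: r.src, dst: r.dst, dport: r.dport, ts: [] });
    byFlow.get(k).ts.push(r.ts);
  }
  const hits = [];
  for (const f of byFlow.values()) {
    if (f.ts.length < minCount) continue;
    const s = beaconScore(f.ts);
    if (s && s.cv <= maxCv) hits.push({ src: f.src, dst: f.dst, dport: f.dport, ...s });
  }
  return hits;
}

function analyze(lines, baseline, opts) {
  const records = lines.map(parseLine).filter(Boolean);
  return { newDestinations: newDestinations(records, baseline), beacons: findBeacons(records, opts) };
}

console.log(JSON.stringify(analyze(SAMPLE_LOG, BASELINE), null, 2));
```

On the sample data the phone at 192.168.1.23 gets flagged twice for 203.0.113.7:443: it is not in the baseline, and its six connections arrive about 300 seconds apart. The caveats the replies raise still apply: this only sees traffic that crosses a network you control, a baseline recorded after the compromise will baseline the implant too, and an implant that jitters its interval or rides an allowed destination needs more than these two checks.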


And you’re suggesting that these are things a normal person can setup themselves and regularly use?


Ransomware, a type of malware, just needs to encrypt your files so you can't access them, no network access required. Totally detectable after the fact, but by that time it's too late.


> might just help prevent getting you popped by this sort of crap

The ratio of people that actually need this mode to people publicly advocating for it approaches zero very quickly. I'm quite sure no state actor will spend seven-figure 0-days to get my cat photos.


My concern isn't so much the high cost super-secret 0-days, as the "about to be useless" 0-days (1-days?) that have just been patched, but the patches are still rolling out to people.

Also, for most people, it's not the cat photos on their phone that are of value. It's the banking credentials, business login 2FA keys, crypto 2FA, email (which allows, for almost all accounts, a password reset), etc.


I agree with that: sadly, the most pressing security risk to any consumer isn't on my devices, but online services being breached (or disclosing) private information including passwords! Over the last years I've gotten data breach notifications from Equifax, AT&T, Ticketmaster, and United Healthcare (via Change). I think the average informed tech user will benefit more from training (and reminders!) to keep your online information private than, say, telling them to avoid previewing complex file formats.


Thanks for the reminder! However, I’m a little pessimistic about whether Apple will keep Lockdown Mode maintained and updated - I only remember this popping up after Pegasus and Apple sending out waves of notifications to exploited users, and both seemed to be just a one time effort.


Apple continues to send out exploit notifications and Lockdown Mode continues to grow to include more attack surface. It seems to be actively maintained, as opposed to a lot of other things that Apple has tried.


I’m actually glad to hear that! I guess my underlying concern is that not knowing the full breadth of modern iOS’ attack surface might make me complacent when evaluating whether there are any risks that Lockdown doesn’t cover, and that being constantly notified on updates might somewhat alleviate that.


Apple has maintained lockdown mode and sent out regular notifications. It's just not announced publicly.


Why would a regular user opt in for such a downgrade?


They won't, and they're not expected nor advised to.


The last time I was looking at the documentation page for lockdown mode all I could think was "this is how the phones should be by default"



