Do you guys use Lockdown Mode on your Apple devices?
If so, does it bother you that some features are missing?
Do you think an average person should use it?
An average person shouldn’t use it and this is why I don’t like Lockdown Mode. You either get nothing by not enabling it or everything, including a kitchen sink, when enabling it.
Basically, you have no choice and control over what you want and what you don’t, but this is Apple, I didn’t expect anything else from them, they’re known for limiting user control and freedom.
But you should try it and see if it works for you.
I personally use it on my iPhone and MacBook. None of the restrictions have annoyed me other than some fonts on websites being blocked, but you can easily disable Lockdown Mode per website. There is a fingerprinting concern as websites can identify whether an Apple device is in Lockdown Mode because of the font blocking and probably other stuff. Cryptee did publish a proof of concept for iOS. Whether or not websites actually do is uncertain, so to (possibly) help people who truly need it I also use it (though if they depend on anonymity they should use Tor and a live OS). And I do just like the extra security. It does not come anywhere near GrapheneOS though. But does Lockdown Mode actually work? Yes, it has blocked an attack at least once and other times it would have had the user enabled it. It also would have blocked the Operation Triangulation attack against Kaspersky as it would have blocked the malicious PDF file. Alternatively, disabling iMessage (which has a large attack surface) would have worked as well.
Well, that can be said for a lot of stuff. E2EE is a security feature, but lots of governments look at that and go, “Hey, they must be doing something illegal!” And Apple did actually say that it is working as intended. Yes, it makes your device more unique, but it does increase its security.
I agree, but a lot of people buy an iPhone to use iMessage so a lot won’t disable it. Apple really should try to reduce its attack surface. A lot of the zero-click exploits attacked iMessage first. I would disable it because I rarely use it, but I don’t because I want the messages with the few people that use it to be E2EE. Oh, and let’s mention that Apple doesn’t force HTTPS on Safari yet. Yes, they do automatically upgrade to HTTPS for some websites, but not all, and it is possible to visit an HTTP website. That’s how Ahmed Eltantawy’s iPhone was compromised by Predator spyware. But it was another attack Lockdown Mode would have blocked had he enabled it.
As with the BLASTPASS zero-click exploit we recently disclosed, we believe, and Apple’s Security Engineering and Architecture team has confirmed to us, that Lockdown Mode blocks this particular attack.
These two recent high profile cases underline the serious value that this security mode provides.
Therefore, we encourage all Mac, iPhone, and iPad users who may face increased risk because of who they are or what they do to enable Lockdown Mode.
Source?
I’m really surprised by the responses here. Lockdown Mode significantly improves security, and I see no reason not to turn it on if it doesn’t cause any issues for you. Like @anon59474973 pointed out, it has been proven to prevent attacks and actually work, so I don’t see how it’s a “security placebo”.
I do wish it was a bit more configurable and less of an all or nothing buy-in with some things, but still, I think it’s a great feature that the vast majority of other mobile phones don’t have anything remotely close to.
Especially since it is available on consumer devices that you can just walk into a store and buy. Unlike GrapheneOS (GOS) which, while providing superior security, isn’t something everyone would use and tbh probably shouldn’t buy online or in-store but rather flash yourself. There’s around 250 thousand GOS users compared to Apple’s 1 billion+. Android doesn’t have a similar feature and it’s not like all Android devices probably could either. Google could with their Pixel but that would be it. And let’s not forget that most people who would be targeted still use Android and iOS devices like everyone else. GOS is still pretty niche even for people who could really benefit from its enhanced security.
You can just go in and buy a Google Pixel or buy it online, and if you’re capable of using a phone, then you’re more than capable of flashing GrapheneOS. It’s as easy as connecting your phone to a PC or another Android phone with a cable, visiting grapheneos.org, and pressing the buttons on the screen, it’s extremely simple.
Apple’s Lockdown Mode is nothing special compared to what GrapheneOS or even stock Android offer.
Lockdown mode is hyped as being something crazy advanced, while it really isn’t. This is basically what the default should look like and mostly does on other platforms.
I don’t see why this matters. Most services and software recommended by Privacy Guides could be considered niche if we look at the user count compared to the big tech alternatives. It’s irrelevant if it’s niche or not if it improves users’ privacy, security, freedom, etc., which GrapheneOS does.
You can just go in and buy a Google Pixel or buy it online, and if you’re capable of using a phone, then you’re more than capable of flashing GrapheneOS. It’s as easy as connecting your phone to a PC or another Android phone with a cable, visiting grapheneos.org, and pressing the buttons on the screen, it’s extremely simple.
I agree that it’s very simple, but I feel like you overestimate the tech-savviness of a lot of average people. I doubt most people nowadays have ever connected their phone to their computer or directly to another phone, period. But it’s irrelevant, as in general, GrapheneOS is still very obscure and unknown outside of privacy and security circles. Most people don’t know it exists. Hell, I would say the vast majority of people don’t even know LineageOS, or that they’re even able to unlock the bootloader on certain phones and install a different OS, period. That’s where Lockdown Mode is great, it’s a built-in feature which is easy for anyone to enable on an extremely widely adopted OS.
Apple’s Lockdown Mode is nothing special compared to what GrapheneOS or even stock Android offer.
It’s nothing special compared to GrapheneOS, yeah, I agree, but compared to stock Android, really? I guess the problem is “stock” Android is too vague of a term and can heavily vary depending on OEM and various other factors, but still, I can’t think of a stock Android OS that has all of the security features of Lockdown Mode even available at all.
Lockdown mode is hyped as being something crazy advanced, while it really isn’t. This is basically what the default should look like and mostly does on other platforms.
I agree that some of Lockdown mode’s features should be the default, but a lot of what Lockdown mode does is certainly not the default on most other platforms that I’m aware of. I think the problem here is that you’re too focused on the online privacy and security bubble specifically vs. the general public.
I don’t see why this matters. Most services and software recommended by Privacy Guides could be considered niche if we look at the user count compared to the big tech alternatives. It’s irrelevant if it’s niche or not if it improves users’ privacy, security, freedom, etc., which GrapheneOS does.
I think you misunderstood @anon59474973’s point. I don’t think that he meant that GrapheneOS was worse because it wasn’t as well known, rather that simply most people don’t know it exists, and as such, can’t take advantage of or use it. There’s also cases where people just can’t get a Pixel, etc.
I feel like this has derailed pretty heavily, went from someone asking if they should enable Lockdown Mode on their Apple devices, to just shitting on Apple and recommending GrapheneOS.
I just don’t get this hate for Lockdown Mode. Bringing more security to the general public is a good thing. Sure, GrapheneOS is excellent, but it’s not the answer for everything, and it’s also just irrelevant to this discussion, since it has nothing to do with how good Lockdown Mode specifically is or whether it should be used or not.
Could you give some examples? Which Lockdown Mode features aren’t available, or can’t easily be made available, on stock OSes such as those on Google Pixel and Samsung phones?
I’d say the biggest example is the browser hardening. It not only applies to Safari itself, but also to the system’s WebKit as a whole. It’s similar to a hardened WebView like Vanadium or Mulch, and improves security of every app that uses it. Also being able to disable the hardening for certain apps is nice for usability. Nothing really like that on stock OSes.
Being able to turn off 2G is another example. While it is in AOSP and present on some stock Android variants like the Pixel’s, a lot of devices still don’t have this feature as far as I’m aware, like Samsung’s. This is a pretty important security feature.
Lockdown Mode also blocks auto-connecting to insecure guest networks (you could still prevent auto-connecting manually for each network, but that is annoying and tedious), and blocks installing configuration profiles, which I’m also not sure is an option on most stock OSes.
I’m also not sure how the hardening in iMessage with Lockdown Mode compares to Google Messages (as I don’t use either), but that could also be a point.
Also unclear how carrier-locked Android devices can impact some of these settings, such as disabling 2G, whereas this isn’t really an issue on iOS afaik.
Is Lockdown Mode game-changing and super advanced? No, I’d say not. But I do think it’s a great feature that should be used if it doesn’t cause issues for you, and I believe that it provides better security than most operating systems and devices that average consumers have available. I don’t think it’s perfect, but I think it’s a great addition, and I’d like to see more OEMs add features similar to Lockdown Mode.
I think @Sharply answered everything pretty well. But maybe I can add some more info.
Yeah, this is what I meant. Especially the fact that the Pixel isn’t available in as many countries as the iPhone. Currently the Pixel 8 is only available in 21 countries. It was less for the previous ones. The iPhone 13 was released in 31 countries in September and then another 15 in October. The iPhone 15 and 15 Pro were available in 40 countries on September 22 and in another 20 countries on September 29.
It’s also generally recommended not to connect your phone to your computer as computers are nowhere near as secure as phones. I think back to one scambaiting video where this scammer stupidly backed up his phone to his computer without encrypting it, giving the scambaiter access to everything that’s on his phone. Messages, contacts, photos, videos, etc.
I doubt Google Messages blocks attachments, which is what Lockdown Mode does in iMessage. I know the zero-click exploits against iMessage used pdf files and I think a gif.
And as mentioned before, the people who would truly need to depend on GrapheneOS’s security either don’t know about it or wouldn’t use it anyway. Often times in their forum you see people switching to it because of its privacy enhancements (like being de-Googled) rather than its security. Security is a big selling point compared to other custom Android operating systems, but not many actually depend on its enhanced security. They aren’t likely to be targeted by spyware and while disabling parts of the USB-C port is really cool and all phones should have an auto-reboot feature, if you are likely to have your phone seized you should be aware of turning it off in situations where it’s more likely to happen, whether you have an iPhone, a stock Pixel or a phone that isn’t recommended. I also don’t see many organizations mention it. The Markup updated their How Do I Prepare My Phone for a Protest? but never mentioned GOS. I don’t think Freedom of the Press Foundation or Electronic Frontier Foundation have mentioned it much either or at all. And I bet the people who work there should probably use GOS.
Anyway, this has derailed quite a bit as Sharply said. @anon86552080 the general recommendation is to enable it if it doesn’t cause much issue for you. You can easily disable Lockdown Mode on a per-site basis in Safari if some websites that have their fonts blocked are too annoying. It does increase the security of an Apple device significantly by disabling certain features that are common attack vectors (AKA, reducing the attack surface of the device), like blocking attachments in iMessage and disabling Just-in-Time JavaScript compilation in Safari. And Apple has improved it in iOS 17 and most likely will this year in iOS 18. And as I showed in my first and second post here, it has proven to protect an iPhone from spyware.
Edit: Lockdown Mode also protects against iLeakage.
Lockdown Mode does mitigate our work by disabling just-in-time (JIT) compilation in Safari, which is a performance feature used by iLeakage to build its attack primitives. However, Lockdown Mode changes device behavior in other aspects. For example, some message attachments and unknown FaceTime calls may be blocked. See Apple’s documentation for a complete list.
Furthermore, since iLeakage is written in JavaScript, disabling it also mitigates our work. However, disabling JavaScript may cause Safari to render some websites incorrectly or incompletely, and some advanced web features such as online payments may not work.
True, there are things Apple should address as a whole. This is what GOS does. However, sometimes outright disabling a feature is a more certain way for it to never be used against you. That’s why it’s recommended to either not use or disable biometrics in certain cases.
I have given examples of where it has protected against real-world threats that are not theoretical. Pegasus has been around for over a decade yet it only just got a lot of attention a few years ago because it was used against journalists and Human Rights Defenders. Apple made Lockdown Mode for their devices and it has blocked one and would have blocked others had it been enabled (or existed at the time, as was the case with Kaspersky and Operation Triangulation). And Apple is putting their money on it. It’s a $2 million bounty for any researchers who successfully compromise an iPhone in Lockdown Mode. That’s the highest bounty ever offered.
Does it help Apple’s PR? Yes, most definitely. I mean, iOS has always been recommended over Android for journalists; this just makes it even more so. iOS has always been more strict and always had the best update support compared to Android. That is now changing with Google and Samsung promising 7 years of updates for their latest phones. I do wish Apple would state how long each of their devices will get updates for. And it actually does help your security. Again, sources have been provided.
Okay so no, no source. Thanks for playing
I do agree that staying under the radar is often the best approach. The last thing you want to do is draw attention to yourself, especially at an airport, border or protest.
Yeah, not mandating HTTPS is terrible. The only way I’ve seen to force it is on iOS by using the iVerify app by Trail of Bits (though it is now independent). “Secured Browsing” allows you to force HTTPS and block HTTP. I did provide feedback to Apple for Safari about that, so maybe they’ll do it soon. I’m not too surprised that they haven’t yet considering it was only last year when they added the option to secure your Apple Account with security keys.
No argument there. I wasn’t saying it was some security masterstroke, but it does make it harder to exploit an iPhone, so it does have a benefit. Should Apple just design things differently by designing them with the smallest attack surface possible? Yes, but I do believe that having the option to disable features is good. Even Google Chrome on desktop now allows you to disable the V8 engine.
I have no doubt that their ecosystem remains vulnerable. Apple does give some cyber security researchers access to specific iPhones that don’t have their security features enabled, but it is only to select researchers and they have to apply for the specific iPhone device.
Yes, it is their strength as they control everything. Android does offer more flexibility in terms of side loading and with some Android devices allowing the user to unlock the bootloader and flash a custom operating system (best being the Pixel). I’m pretty sure I mentioned at some point that GrapheneOS is more secure than an iPhone in Lockdown Mode. I even have GrapheneOS on my Pixel 6, and I love it.
I was defending Lockdown Mode in that it has proven to block spyware attacks. I’m not saying that it’s better than actually developing or improving existing features to be more secure. But I do think it’s good that Apple offers it. Both Apple and Google have room to improve their respective smartphone operating systems. I do sometimes feel that Google takes security more seriously; Google will warn you if an app you have installed is malicious through Google Play Protect, but Apple doesn’t even though they would know that you have that app installed. I do believe that Apple has some hubris when it comes to the security of their devices, especially in regard to the iPhone. They don’t like to admit if an app on the App Store is malicious or that the iPhone being exploited through iMessage shows that the iPhone isn’t as secure as they like to claim.
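The “force HTTPS and block HTTP” behaviour mentioned in this post and earlier in the thread (Safari upgrading some sites but still allowing plain HTTP), written out as a small navigation policy. This is an added example, not code from the thread, from Apple or from iVerify; the function names and the per-site exception list are this example’s own, and whether the HTTPS endpoint is reachable is supplied by the caller instead of being probed over the network.

```python
"""HTTPS-only navigation policy (added example, not from the thread).

An "HTTPS-only" setting has three rules: every http:// navigation is
upgraded to https://, if the upgrade cannot be completed the navigation
is blocked rather than silently falling back to plaintext, and a small
set of carve-outs (loopback, explicit per-site exceptions) stays allowed.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit
import ipaddress


@dataclass(frozen=True)
class Decision:
    action: str   # "allow", "upgrade" or "block"
    url: str      # URL the browser should load ("block" keeps the original)
    reason: str


def _is_loopback(host: str) -> bool:
    # localhost and 127.0.0.1/::1 are the usual HTTPS-only exemptions.
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def _upgraded(parts) -> str:
    # Rebuild the URL with the https scheme. An explicit :80 maps to the
    # https default (443, left implicit); any other explicit port is kept,
    # because that port is then expected to speak TLS itself.
    host = parts.hostname or ""
    if ":" in host:                       # IPv6 literal, re-bracket it
        host = f"[{host}]"
    netloc = host
    if parts.port is not None and parts.port != 80:
        netloc = f"{host}:{parts.port}"
    if parts.username:
        cred = parts.username + (f":{parts.password}" if parts.password else "")
        netloc = f"{cred}@{netloc}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def evaluate(url: str, exceptions=frozenset(), https_reachable=lambda host: True) -> Decision:
    """Decide what an HTTPS-only browser mode does with a navigation.

    `exceptions` is a hypothetical per-site allow-list (the analogue of a
    per-site exclusion in settings). `https_reachable(host)` is the caller's
    answer to "did the https:// attempt succeed?"; a real browser learns this
    from the connection attempt, the example takes it as a callback.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    if scheme == "https":
        return Decision("allow", url, "already https")
    if scheme != "http":
        return Decision("allow", url, f"scheme {scheme!r} is not subject to the policy")
    if _is_loopback(host):
        return Decision("allow", url, "loopback host is exempt")
    if host in exceptions:
        return Decision("allow", url, "user added a per-site exception")

    target = _upgraded(parts)
    if not https_reachable(host):
        # The defining difference from "opportunistic" upgrading: no fallback.
        return Decision("block", url, "https unavailable; plaintext fallback refused")
    return Decision("upgrade", target, "http navigation upgraded to https")


if __name__ == "__main__":
    # Constructed sample navigations; plain.example stands in for a host
    # with no HTTPS endpoint at all.
    reachable = lambda h: h != "plain.example"
    for u in ["http://example.com/a?b=1", "http://example.com:8080/x",
              "http://localhost:3000/", "http://plain.example/",
              "http://legacy.example/"]:
        d = evaluate(u, exceptions={"legacy.example"}, https_reachable=reachable)
        print(f"{d.action:8} {d.url}  ({d.reason})")
```

The point a per-site exception list makes is the same one made about Safari’s per-site Lockdown toggle: a blanket policy is only usable if the user can carve out the handful of sites that break under it, and the carve-out is explicit and visible rather than an automatic fallback.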
Use it? Yes, you won’t feel any problems in apps; it might break some websites, but you can simply exclude them in settings.
Is it a joke or more of a promotional trick? Yes, it can mitigate some attacks, but calling it “Lockdown” mode while Bluetooth and JavaScript are still enabled is just for laughs.
At the end of the day it comes down to how the user operates the device; don’t even think of going wild just because you have this mode enabled. It kind of creates a false sense of security.
What does security have to do with fingerprinting, and how does that make security hardening “fundamentally flawed”?
No notes, outstanding post.
I’m reading that Lockdown uses a VPN slot. Is this true? Does that mean I can’t use a VPN like Proton when using Lockdown mode?
Can you link to where you are reading this?