This does not seem to disable JS altogether, only JS JIT compilation. IIUC, JS will still be executed, although via an interpreter (which is safer) rather than via compiled machine code (which might be used to exploit memory safety bugs such as type confusion, somewhat frequent on the JS side).
Totally agree. I'm also concerned about the fine print, what Apple is not announcing - like, "Oh, we also updated our EULA to reflect that metadata from phones with 'lockdown mode' enabled will be forwarded to the FBI", something like that.
It slightly degrades some experiences, so I see why it's disabled by default. Disabling JIT JavaScript is going to make web browsing more painful. And incoming friend requests are useful because it simplifies things when two people are adding each other to their phones - one sends a request and the other reciprocates.
> It slightly degrades some experiences, so I see why it's disabled by default.
My sense is that the functionality to provide those experiences resulted in a decrease in user security and privacy when they were introduced -- and that those risks were widely-discussed and well-understood.
It's weird (although not unexpected) to see the reversal of them touted as a selling point.
"Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode."
I just don't want most of the programming capabilities on the web, plain old hypertext with a bit of style is enough. There are plenty of other ways to run software on a computer than inside a web browser.
I agree half way with you, we need the web split into 2 parts, webpages and apps.
I seen some cool simulation, small apps, small games that I can just test online and not have to install them on my machine. Apple would love that we all got scared and only use installed apps from their store but the web is a decent deliver platform.
If we could have a modern subset of html and css for news websited and blogs , and the rest of js for web apps then you can have the option to turn off teh advanced settings or we could have different browsers that could focus on different things, like a website reader browser that does not care about super fast JITed JS it would not support webgl,camera or microphone acccess, it would just focus on text layout and simple forms,
and a web app browser that focuses on extreme optimizing for JS , canvas and webgl operations, camera and microphone access.
You can technically achieve this, but you get a degraded experience. Most sites don't test for JS being turned off, and it's not rare to only get a blank page when viewing a site in that way.
What OP wishes for is rather an experience that decidedly doesn't use JS, similar to Google's AMP or Gemini. A subset of HTML that makes publishing possible, without moving parts.
Actually I browse with JS off by default and whitelist stuff, ironic since I am a web dev (or maybe the fact I know how shit web tech is is why I think documents should be documents , imagine I want to show you my blog but I make an Unreal Engine 5 app because I want some cool effects and I also want to learn this shiny tool and the marketing team wants to do some shitty things too)
I'm having fun with Gemini exactly because it's so dumbed down that you can't do anything more than publish text
It's still very niche, but it's growing and the protocol is so simple that I'm writing software for it, specifically a multi platform browser (more like a viewer?)
Most (if not all) browsers allow you to disable JS, so that seems like the perfect preference for you. I know it works on Chrome and Firefox on desktop (I use the NoScript extension myself, that blocks JS by default but allows you to enable it per-site), I can imagine it works the same on smartphones as well.
I /think/ what they're asking for is a world where turning JS off is actually a real option. Currently the web essentially does not work in such a case, so while it technically exists the option to disable JS isn't actually an real option.
So what they want isn't the power to turn off JS in their own browser, but the power to turn it off in other people's browsers (at least the browsers of people developing websites).
More seriously, I guess they might want a way of avoiding sites that don't have a good no-script experience. Perhaps if there were a trustworthy way to vote on that (or detect it automatically), someone could offer an extension which puts scary red boxes around hyperlinks which point to such sites.
just seems more antiweb from Apple. they love to ruin the web and make it harder to avoid their walled app garden....it's a money ploy to fight web apps and make their little devices even less useful.
>Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
This should be ON by default. It would force webdevs to write efficient websites.
Self-managed MDM is the way to go for most of them. I think the main one that can't be achieved thru MDM is the browser lockdown. MDM has a lot of other security policies available though.
This is great but too big of a hammer for most use cases. What I really want is a per-application firewall.
For example, say I would like to install a photo editing application. It would need access to my photos. That is fine, so long as it is not allowed to connect to the Internet (or any other network). There is currently no way to ensure this.
I use little snitch for this, but I agree, a big hammer, and likely more hoops for regular developers to jump through. Notarisation, signing, forced developer keys...
I use Little Snitch on macOS, but it is not available on iOS, so far as I know. Normal apps on iOS do not have enough visibility into the system for that.
Android exposes a soft VPN API that firewall apps can use to block network traffic for certain apps in certain scenarios (say, no Google Play updates when on mobile data) with apps like Netguard [1].
Does iOS not expose such functionality? Surely there's some kind of VPN API?
iOS has APIs for VPNs and “content blockers”. But as far as I know, such a filter has no access to know which process/application is trying to make a connection. Little Snitch on macOS has to install code into kernel space. (Or at least it used to; I have not reinstalled in a long time.)
The Android app you link to seems to have the functionality I think should exist as a built-in. It needs to be built-in so that non-geeks can use it.
Just as users are asked the first time an application attempts to use the microphone and are able to prevent it before it starts, they should be able to limit network access and revoke it at any time.
(I don’t think users should be necessarily be forced to approve Internet access for every app install. Just make it possible to revoke in the global Settings widget and encourage users to think about personal data and Internet access being mutually exclusive.)
Not like that. The idea is antithetical to Apple, who have said during keynotes that they've tried to avoid doing so, because what they really want is a world where the concept of "mobile data" is not limiting.
I've had those options on multiple OnePlus phones, but they were not present on multiple Pixels. Since Pixels are usually sold as "AOSP experience with Google flavor" are lacking this feature - I am not sure if that is that feature comes from AOSP or is only present on OnePlus phones.
I've generally found them on most Android phones, but they're all over the place in the settings. On my current phone they're not in permissions, or connections, or internet setup, or security, but they're in the app details screen.
I've also seen the toggles placed in the data usage graph, the other, older data usage graph you can sometimes find via a workaround, and in a separate app that pretends to be one of those system storage optimizers.
I'm sure Android supports it at the system level but how you get to those settings is anyone's guess, really.
> Android exposes a soft VPN API that firewall apps can use to block network traffic for certain apps in certain scenarios (say, no Google Play updates when on mobile data) with apps like Netguard.
I worked on AOSP for longer than I care to admit. This is mostly an illusion. System apps (like Google Play) can pretty much do whatever the heck it is that they want to. NetGuard, sure, "firewalls" it... but it wouldn't even know if a system app bypassed its tunnel. For installed apps, NetGuard is golden (as long as NetGuard itself doesn't leak).
disclosure: I co-develop a FOSS NetGuard alternative (and yes, this alternative has similar limitations).
Interesting, and disappointing. Do you happen to know what mechanism is used to bypass the VPN configuration?
I'm using my VPN as a Pihole tunnel and I don't notice any extra logs or requests when I turn off the VPN, but I may just be lucky. I did purge a lot of preinstalled Facebook crap…
It isn't that System Apps actively bypass the VPN tunnel, but they can if they want to, on-demand [0]. That is, System Apps retain the ability to bind to any network interface. Whether they do so, is anyone's guess.
For installed apps, there's no such respite, iff one enables 'Block connections without VPN' (the VPN lockdown mode) on Android 10+ (but NetGuard doesn't support it). This means in the times when NetGuard crashes or restarts (which it does on network changes, for example, or even on screen-off/screen-on, from what I recall), there's a chance the traffic flows through underlying interfaces rather than the tunnel (because the tunnel simply doesn't exist in the interim).
Datura (ebpf based) on CalyxOS and AfWall+ on any rooted Android can block out everything it pleases, though.
I don't mean to downplay NetGuard, because the codebase has evolved in response to years of addressing flaky networks, flawed apps, buggy Android forks. Marcel, the lead developer, has put his life's work into it and gave it away for free. The app I co-develop is, in fact, inspired from his efforts.
I see, thank you for explaining! Good to know that rooting your phone still has some benefits. I wouldn't have thought that there's such an easy bypass for system apps, but I suppose it makes sense for some modem/carrier apps to specify an interface.
I absolutely love Netguard even though I don't really use a firewall in practice (I was sort of hoping a permanent VPN with some "real" traffic meddling would be enough to block most violations of my privacy). It's the one rootless firewall that actually just works on practically any device you can think of, among a sea of broken/scammy firewalls that fail all kinds of edge cases.
> It's the one rootless firewall that actually just works on practically any device you can think of, among a sea of broken/scammy firewalls that fail all kinds of edge cases.
None of which is particularly effective since it's trivial to setup a legal entities that makes one game but signs a bunch of malware (or steal enterprise keys).
I am aware of that option. It is on the screen I just described. That is really just for saving bandwidth where it is expensive. It is in no way intended as a security measure.
You can disable app's cellular data access, but that's it, at least on Western phones. Ironically, phones for the Chinese market actually expand that setting and also allow to block Wi-Fi access.
As a Chinese user, this is the first time I heard that blocking WiFi access on iOS is China only. How confused I was when reading the comment above you, given I'm already capable of blocking network access for any iOS App.
I'd go a step further, and say per-application virtualization. Every single program running its own (ideally encrypted memory) namespace, with its own assigned memory, etc.
That's what the ios sandbox provides. Heck, the tools arm64 gives you to isolate VMs are awfully similar to the tools they give you to isolate processes. VM escapes aren't too different than sandbox escapes.
Encrypted memory isn't part of arm yet, I was holding out hope with armv9 "realms" but not so.
> This is great but too big of a hammer for most use cases.
This is not in any way intended for most use-cases, it's very clearly intended for a single, specific, uncommon use-case. The press release says as much more than once.
I guess my point is that instead of making a special mode that is only useful for a minority of users, it would have been really nice to get a feature that everybody should be thinking about and using.
Different people who specialize in different aspects of security can be working on different things at the same time; and contrariwise, experts have comparative advantages and would be mostly wasting their time working outside their nich.
In other words: there's no "instead" here, any more than there's an "instead" between e.g. UI work and backend server work. Different people, different competencies, concurrent capacity.
Every time I have allocated labor on a software project, I was mostly playing a zero-sum game. I am surprised to learn that Apple does not have such problems.
Regardless, I was just lamenting that we don't (yet) have a feature that should be table stakes at this point.
Agreed. I wish iOS had a "network access" permissions just like Android does. (Though to avoid permission fatigue for the average user, perhaps make it something only users that care can deny)
That said, I think this is pretty unrelated to protecting yourself from nation state actors. Mercenary spyware (like NSO) doesn't use a legitimate app store app as their initial infection point. I can think of many reasons for this: difficulty getting target to install it, app store approvals, leaking their 0days, leaving more of a paper trail, and avoiding scrutiny in general, etc. I'd of course love this feature for my own data privacy of course.
> (Though to avoid permission fatigue for the average user, perhaps make it something only users that care can deny)
Yeah, I would not want to have to approve every app. What I would like is a machine readable description of the app's capabilities to include Internet access, just as is required for access to the microphone or photos. This would encourage app developers to advertise to users that they don't need such capability and encourage users to realize that privacy and Internet access are mutually exclusive.
There are many small apps I simply will not buy/install (e.g., apps for editing photos or contacts or calendars) because they cannot be trusted. Even if you trust the developer, the developers are often embedding third party analytics libraries that cannot be trusted.
It's not exposed in the UI, but if you really care, you can just create yourself a configuration profile that disables various per-app permissions (including network access, per-domain/per-IP/per-certificate) on a fairly fine-grained basis. MDM yourself.
That would be a pretty interesting VPN service if you could easily deploy it as a docket container. Something simple that could give Little Snitch like whitelisting.
The Charles proxy iOS app doesn’t have the ui to support this, it’s clumsy to whitelist domains, but it does provide some visibility into what domains are being accessed.
Sounds like a plan to make iOS the default for highly-placed government employees. Maybe that's already the case, but I thought I remembered that Obama had to have 2 phones, and the "secure" one wasn't an iPhone. Anyone have any more knowledge about this?
I'm guessing it isn't, if only because this feature completely disables MDM (which you'd need in government or business to do things like remote wipes or passcode policies). It looks to be designed for people that are possible targets to use on their personal phone, which shouldn't have work data on it.
(Of course, they could make some new MDM policies to individually turn these features on. You can already block external devices with MDM, and you can completely disable FaceTime/iMessage/iCloud. It wouldn't be much of a jump to add the more granular protections this has.)
I think you’ve misread this announcement: it doesn’t appear that MDM is disabled. It merely looks like you cannot change MDM settings, including enrolling, while this feature is active.
At least at the start of the Obama Administration, he was known to be hooked on his Blackberry [0], and I know RIM did a lot of work to provide secured devices to government officials. I don't know what government officials are using since RIM went under though.
With this announcement, Apple are saying "we will protect you from state actors", which is a role usually performed by states. Apple is saying "we operate at the same level as nation states; we are a nation-state level entity operating in the "digital world": It's a flag-raise.
It's the first such flag-raise I've seen. Security researchers talk about protections from state actors all the time, and there are tools which support that... but this is the first public announcement, and tool, from a corporation with more spare, unrestricted capital than many countries. It comes at a time when multiple nation states are competing for energy and food security; and Apple are throwing up a flag for a security-security fight (or maybe data-security). This is not just handy tech, it's full-on cultural zeitgeist stuff. Amazing.
The NSO Group, whom Apple specifically cites as an opponent that inspired this work, is a private corporation. They sell to governments, but so does Apple.
The relationship between state and private industry has never been binary and has always had features like this. I don't think this is a "Jennifer Government" type scenario.
agreed, the rise of the corporation as the most powerful institution (above the nation-state) in this new budding global civilization is a long time coming.
on the other hand, this is how democracy dies. what structures (systems) exist to prevent apple (and other comparable corporations) from being an oppresive force against human persons? moreover, what incentives do they have?
the ones that only service other banks hence only people working in higher level banking are likely to have heard about. e.g. the bank for international settlements
I only found out about this bank because the former president of the mexican central bank -- Mr. Carstens, left the central banking gig to go to that bank.
From reading their Wikipedia quickly sounds like BIS has a similar function to say the IMF when it comes to financial system stability. I do agree these sorts of organizations exert huge amounts of influence, especially for smaller countries that are dependent on loans and outside financing, but I'm not sure I agree they are more powerful than a nation itself. A nation can (theoretically) decide to opt out from these systems and operate independently, or can play different parties funded by nations (because in the end they all are working for someone's agenda) off of one another as many countries did during the cold war between the U.S. and Soviet Union. But if a nation reneges on its debt, the BIS, IMF, etc. isn't going to invade your country--one of it's creditor nations might, but not them.
The BIS is just a counterparty to facilitate payments between nations. It doesn't exert influence in international affairs (except really via the BCBS [1] which sets the Basel capital accords defining how much capital banks have to hold and therefore does have a lot of influence behind the scenes on how banks operate anyway). When the US says it's going to give $100m in aid to some country or one country pays back a debt to another country, there needs to be someone to process the payment, and that someone is the BIS.
Source: friend used to work in the BIS and I've also been involved in banking off and on for a long time, including dealing with various international banking regulators.
Some fun BIS facts:
1) They process payments via regular SWIFT[2] messages. So the $100m in aid comes as a message just the same as if you transfer $5 from one bank account to another. It has an IBAN number with a regular bank account, so if you changed that to your own account details and the message was processed suddenly $100m would appear in your checking account instead of going fund an aid programme for some government in Africa or whatnot.
2) The number of payments they process is very low (>100 per day max and usually in the low tens of messages) so every payment message is checked by hand by several independent people as well as having automated checks. Partly to avoid the risk of funds getting sent to the wrong places etc.
3) My friend worked there in the 90s and said that even back then they had extremely strong security with multifactor biometrics on every entry to the premises. You got in via an entrance where you had to step into a cylander which would only unlock after it had taken multiple photos including an iris scan
The Knights Templar were a religious organisation, but also a quasi-banking institution in Europe; they took and protected deposits of gold, and issued 'cheques' allowing, for example, travellers to deposit gold in London and spend the money in Southern Europe. They were dissolved because they were beginning to rival the Papacy and nations in power due to their immense wealth.
Also, few know this, but many African slaves who were victims of the slave trade became slaves due to debt-slavery (though this didn't involve formal banks). I've seen estimates of up to 25% of slaves back then having been debt-slaves.
Yes! I had heard a bit about the Knights Templar, I guess I would have categorized them as religious first, financial/governance functions second. But also the Order of Malta had quite a lot of power, to the point I believe that it is still recognized by the UN!
I hadn't realized that about African slaves; debt for what?
Based on their history of using their control over the App Store to "protect people" from such harmful content as content about how smartphones are made in sweatshops and tools (such as VPN clients, but also for a long time cryptocurrency wallets) that allow people to bypass restrictions put in place by these nation states that Apple works with, I'd claim these incentives are pretty shit :(.
I can think of a few, at least applicable in the USA:
Apple doesn't have a military or police force with jurisdiction over me. They don't have the legal power to arrest me or throw me into prisons, which they also don't have. I don't have to pay taxes to Apple. I don't have to do business with them or interact with them in any way if I don't want to. I don't need Apple's permission to do anything unrelated to their product lines.
Same is true for any megacorporation. It's a big stretch to say they are even remotely as powerful as nation-states, let alone more powerful.
Yes, the state's monopoly on force is to me what truly differentiates them into a different category of power than a corporation. Also international recognition for nation states and being able to have treaties and the like, but really its the monopoly on use of force. That said, I think the rise of charter cities (think of an SEZ on steroids run by a private corporation) will blur the lines further, although most proposals I've seen for charter cities leave policing to the locality they're residing in.
Many nation states don't have control over interest rates (because their central banks are run independently of the government) or even the ability to print money, if they have adopted another currency.[0]
> Mandatory taxes
States typically tax transactions which happen on their territory (e.g. wages and sales), and in the case of Apple, their devices are their territory, like feudally controlled tracts of land in cyberspace. Taking a cut of all app sales and in-app purchases seems very much like a tax under this analogy.
>Many nation states don't have control over interest rates
And many others do. The State can abdicate such power and it usually does in stable economies where markets can self regulate.
Given a big enough crisis, however, and the State will usually take that power back.
>or even the ability to print money, if they have adopted another currency.
Usually in cases of near total State bankruptcy
>Taking a cut of all app sales and in-app purchases seems very much like a tax under this analogy.
> I don't have to do business with them or interact with them in any way if I don't want to. I don't need Apple's permission to do anything unrelated to their product lines... Same is true for any megacorporation
Nope. You can avoid buying an iphone, but you cannot escape Google. I'm often forced to "do business" with google. I've seen several government websites that require code hosted on Google's servers. I need Google's permission to do all kinds of things unrelated to their service (reCAPTCHA) and google will track everywhere you go online even if you never use any of their services. Facebook also doesn't give you any option. They'll create a profile for you and start collecting data on you even if you've never created an account. You could argue that you pay these companies taxes in the form of your data rather than money, or that the fees they charge developers drive up consumer prices (acting as a tax on the purchases), and I suspect that should Apple/Google pay become more commonplace they will start charging a fee (tax) for that as well. Nothing stops them from doing it.
Some corporations even have their own literal armies (Blackwater/Xe/Academi), but others don't bother because they have the ability to command the police and military wherever they are. The RIAA have their own "swat" team. They participate directly in raids breaking down doors and handling evidence.
Companies like Apple and Google are far more invasive than police watching everything you do, listening to everything you say, recording every person you're in contact with. They censor and ban with impunity. If they really wanted to, they could plant data on your devices that would get you arrested and thrown in prison in any country around the globe.
corporations might not yet be as powerful as a nation state, but they're a lot closer than you give them credit for, and they likely have more direct influence on your day to day life and what happens to you.
No, they're nowhere close to being a nation state. Those spheres of power are nothing compared to something like the British East India Company, which had a currency, an army, and forcefully controlled almost 2 million sq. km. of Asia.
Captchas are definitely worthy of criticism, but they are not remotely on the same level as forcefully controlling the land under someone's feet.
Apple is a public corporation and votes on its corporate direction are freely available on the open market for anyone to purchase. Based on my share ownership Apple is much more subject to my whims than my actual elected politicians are on a % basis.
Definitely very interesting. I know Google has their “Advanced Protection Program”[0] with a Titan security key which is similar. It is interesting considering that Google’s protections target the user as the weak link, as your data lives on their hardware; while Apple is obviously targeting both the user and the hardware they have. I’m curiuos what security researchers will think of this, if it’s more theater or if it is actually a innovative attempt at giving advanced privacy to people who need it. Despite their past stumbles (e.g., CSAM), it seems like Apple is genuinely in the privacy fight, even if it is just for their bottom line.
I think you're letting the reality distortion field get to your head. They're creating a safe mode for iPhones because a lot of features complex/intricate enough that they are perennial sources of vulnerabilities (and/or UX flaws that lead users to make unsafe decisions).
That is, they're turning features off for security. Something every IT department has been doing for decades. Windows supports this. Mac OS supports this. In fact, iOS was kind of notable in being so unconfigurable. The settings available in their MDM implementation were pitiful and didn't let admins disable many of these features.
> Apple is saying "we operate at the same level as nation states; we are a nation-state level entity operating in the "digital world"
Apple's profits are bigger than my country's (Slovenia) whole GDP. You bet your butt they're a state level actor in the digital world. They have more resources than many countries.
If Apple was a country, their $365bn in revenue would make them the 43rd richest country in the world right after Hong Kong.
My understanding is that the "social contract" inside many of these large companies is quite cushy. Especially in USA where being employed comes with services traditionally provided by the state like health care, child care, free or subsidized food, retirement benefits, etc.
This also points out how the increasing costs of technology and economies of scale mean that small countries like Slovenia are no longer viable on their own. The only way they will be able to survive the next few decades and avoid turning into failed states is to surrender most of their sovereignty to larger regional alliances.
At the same time, if that state actor happens to be China, Apple will just give the government access to your iCloud data. Not all state actors are equally within Apple's striking range.
Nothing stops Apple from offering e2ee backups, and in fact they do this for certain data backed up to iCloud (health data for example.)
But your iMessage data...well there, your ass is hanging out in the breeze. In fact, I'm not sure it's possible to log into an iPhone with your Apple ID and not have an iCloud backup immediately fire off, which means your private encryption keys hit iCloud and stay there until it is purged according to their data retention policies. And we have no idea what those policies actually are; those keys made end up stored forever.
> In fact, I'm not sure it's possible to log into an iPhone with your Apple ID and not have an iCloud backup immediately fire off
You are correct there’s a bit of dark pattern going on here, but it is possible (to the extent the code does what it says of course). To be extra sure I have a custom lockdown MDM profile to disallow iCloud backups, as well as a number of other nefarious things like analytics, and whenever I get a new device, I first DFU restore it to the latest iOS image to ensure software (post bootrom) isn’t tampered with, then activate and install the MDM profile via a Mac and only then I interact with the device and go through setup.
> Nothing stops Apple from offering e2ee backups, and in fact they do this for certain data backed up to iCloud (health data for example.)
Almost all users can't handle this; to support people, you need to be able to recover their account when they've lost every single password and proof of identity they possibly can. It's not a backup if you can't restore it.
The only persistent connection Apple has that I can think of to implement such a concept is for push notifications. Which would be a massive security hole if a HTTP response to that daemon was capable of bypassing the lock screen, secure enclave etc.
And the logical question is if they had such a system why would they bother triggering an iCloud Backup when they could ask the device to specifically hand over certain information e.g. Messages. Which at least could be done quietly over Cellular.
> Which would be a massive security hole if a HTTP response to that daemon was capable of bypassing the lock screen, secure enclave etc.
I mean, Apple has killswitches for every iPhone they ship. I wouldn't be the least bit surprised if that suite of tools also included settings management (MacOS has such a thing built-in, fwiw).
"Apple is moving some of the personal data of Chinese customers to a data center in Guiyang that is owned and operated by the Chinese government. State employees physically manage the facility and servers and have direct access to the data stored there; Apple has already abandoned encryption in China due to state limitations that render it ineffective."
Apple has abandoned encryption for everyone in iCloud. You cannot encrypt anything except a limited subset of your device's data (Apple Health data, mostly.)
That may be true, but Reuters reported that Apple had a plan for it (which means they felt it was workable) and dropped it due to pressure from FBI/DOJ.
Also, there are many users who would benefit from e2ee iCloud backups who are not targets of NSO Group-type attacks, so I don't think it makes sense to make it only available in "Lockdown Mode".
I was all prepared to answer this with "so Reuters reporting something makes it true?", only to discover that, in fact, Reuters reported no such thing.
Reuters makes two claims:
1) The FBI talked to Apple (duh)
2) An unannounced plan to implement fully E2EE backups was no longer discussed with the FBI at their next meeting
Both of those things might be true! Reuters isn't known for just making stuff like this up, like, say Bloomberg, but the article specifically says:
"When Apple spoke privately to the FBI about its work on phone security the following year, the end-to-end encryption plan had been dropped, according to the six sources. Reuters could not determine why exactly Apple dropped the plan."
So we've got an unannounced product, which the FBI didn't like, which Apple stopped talking to the FBI about (according to some leakers at the FBI).
This does not add up to "Apple dropped plans due to pressure from [the] FBI/DOJ". It adds up to "secretive company discusses plans with secretive agency, and some stuff about that conversation leaked".
I would suggest that if you're doing anything illegal in the country you're staying in, turn off icloud sync at the least, and best policy is don't use an iphone but use an android with an open source operating system like graphene OS
> In Apple's defense E2E encryption also makes it a lot easier to get locked out of your photos and device backups.
This is likely the real reason E2E hasn't been done yet. I would wager Apple deals with orders of magnitude more people who are locked out of their phones than the number impacted by the lack of E2E backups. Trusted recovery contact added in the last iOS version is a step in a direction of providing some way to implement E2E, and still give people a way to recover.
I really dislike that there is so much social control :( In theory is to protect you. In practice it can and is misused in so many ways that it should not be even allowed without a judge authorization.
You're kind of missing the point. The Chinese government has unlimited social control. Even if there was some sort of written law in China requiring judicial oversight, that wouldn't limit social control because the judiciary is just a rubber stamp.
Because they are complying with Chinese laws regarding data localization in the country and have been known to work with China (recently YMTC chip deal, previously in a major unreported deal that was unearthed a little while ago) in order to get market access.
It is worth mentioning that things like National Security Letters exist in the US. It is also the US who made Apple back off of encrypting iCloud backups E2E.
I wish we were more willing to cite our own government(s) as the bad actors here, rather than pretending that we have to reach for China/Russia/North Korea to find the kind of behavior Apple is attempting to protect its users against here.
Not to mention the CLOUD (Clarifying Lawful Overseas Use of Data) Act, which was enacted following a case in 2014 where Microsoft refused to hand over emails stored in the EU (an Irish data centre, in that case) on foot of a domestic US warrant.
The CLOUD Act expressly brings data stored by US-based companies anywhere in the world under the purview of US warrants and subpoenas.
It's part of the reason that Privacy Shield collapsed and why the US isn't considered to offer adequate protection to EU residents. It's currently being both litigated (as more and more EU country data protection agencies make individual rulings that specific instances of transfers of personal data to US companies are unlawful) and the subject of intense political negotiation between the EU and US.
Most companies affected are currently awaiting the results of these processes, because following the current precedent to it's logical conclusion, it appears unlawful to transfer any personal data of an EU resident to a US-based company (even if that data remains physically in the EU or another adequate country). That would obviously have catastrophic consequences for the current status quo, so it's hard to believe that a compromise won't be found to avoid it.
However, it's also hard to see a compromise unless the United States exempts EU data subjects from the CLOUD Act, which seem unlikely. Hard to know where it'll go.
> However, it's also hard to see a compromise unless the United States exempts EU data subjects from the CLOUD Act, which seem unlikely. Hard to know where it'll go.
Bureaucrats are capable of breathtaking sophistry when it makes their jobs easier. If red was illegal but convenient they’d make a policy that red was actually green and argue it was until they were blue in the face.
It's not entirely clear yet who wins, but the current issues with Google Analytics in the EU seem to be partially related. Some countries have come to the conclusion that GA can't be legal if Google US has access to the data.
This has always been the law. Common law courts have been issuing court orders that require you to take actions in foreign countries, even in violation of foreign law, for as long as it's been a legal question. The CLOUD Act actually introduced some additional safeguards and allows judges to consider the seriousness of the foreign law violation and weigh it against the importance of the court getting access to the foreign-stored data.
You unfortunately need something like this because otherwise people will just hide documents, money, stolen property, etc. in foreign countries out of reach of US courts, even if they are US persons and corporations.
It isn't just pro-government. Imagine you are a criminal defendant and there is evidence proving your innocence in a foreign server controlled by an American person or company. This rule makes sure you can legally compel that entity to go get the data, the laws of that other country be damned, so you can present your defense.
While extra-territoriality is not a new concept, it’s absolutely false to say that the CLOUD Act didn’t grant sweeping new powers to US courts. That’s a truly absurd claim that makes me question whether you’re commenting in good faith?
It was passed because in the Microsoft v. US case, the Supreme Court was expected to affirm the long-standing law on this: that in response to a U.S. court order, Microsoft had to hand over user data from Irish servers, Irish law be damned.
Such a blunt rule was considered a little too harsh, and a potential source of international problems, so Congress passed a law softening the rule and allowing judges more discretion in considering the burdens of complying with the order. The law had the effect of making the Supreme Court case moot.
Sorry that the truth is more nuanced than you’d like it to be.
There is nuance, but in the opposite direction. Microsoft did not adhere to the original court order, and fought it to the supreme court, where it was undecided when the CLOUD Act came into force and a new warrant was issued for the data held in Ireland.
It is unambiguously an expansion of Government powers. You're the first and only person I've ever come across who has argued the opposite. It's such a ridiculous thing to write that I am wondering if you're trolling me?
>There is nuance, but in the opposite direction. Microsoft did not adhere to the original court order, and fought it to the supreme court, where it was undecided when the CLOUD Act came into force and a new warrant was issued for the data held in Ireland.
What part of this do you think is incompatible with the fact that almost everyone expected Microsoft to lose the case?
And in fact, Microsoft, Apple, and Google lobbied for the CLOUD Act.
So maybe instead of accusing people of bad faith, you should have a little humility and open-mindedness to improving your understanding of the world. Believe it or not, techie discussion forums and Wired are not reliable sources of legal information, so that would explain why you're so misinformed.
Yes, this is Apple protecting you against extralegal state actor threats. There's not really much Apple can do to protect you against the laws of your own country.
Apparently that protection does not include protection from the US government.
iMessage offers excellent privacy of message content, but no 'pen register' protection.
Phone device security is very strong, but it's made largely moot if you turn on iCloud backups (which is the default behavior if you provide an Apple ID. I'm not sure there's even a way to stop the initial backup from happening?)
Apple reportedly doesn't offer e2ee on iCloud, or even encrypted device backups, out of compromise with the federal government...specifically the FBI, CIA, and NSA.
Why might people care about this? Criminalizing abortion and miscarriages...and what looks like at the very least a re-recognizing, and possibly criminalization, of LGBTQ relationships.
When Apple says "state actor threats" they're not talking about future-state theoretical breaches of domestic privacy by your own government. Apple is always going to follow the law. They're talking about the types of situations where data from people's phones is used to commit international criminal activity, espionage, assassinations, etc.
Microsoft has a “Democracy Forward” team (previously called “Defending Democracy”) that aims to protect government officials and systems from adversarial state actors. It’s been ongoing for a few years now.
Given their track record, I'd trust Microsoft approximately 0% to secure my critical/sensitive systems. The funny thing is that the U.S. government does, in fact, trust them.
There's a bit of a journey from "protecting you against government hackers and spooks" to full-on sovereign states; and there's a lot of things that a country's government funds that Apple couldn't even begin to take on[0]. Physical security and military operations are a hell of a different field from that of locking down computers.
Furthermore this isn't the first of its kind; Google has been alerting high-risk Gmail users about state-sponsored hacking for about a decade now. Microsoft probably does something similar. Apple is comparatively late to the party on this. On the offensive side you have the zero-day vendors that broker exploits between hackers and the government.
A better explanation is that Apple isn't supplanting the US government. It's supplanting Halliburton. As more and more people and things go online, hacking and doxxing them is becoming more militarily valuable than just arresting someone or firing a missile. After all, physical attacks risk counterattacks and escalation, but Internet attacks are relatively cheap, not really treated as an attack by many sovereign states, and, most importantly, difficult to attribute.
[0] Call me when Apple black-bags Louis Rossman for illegally repairing MacBooks, or threatens literal nuclear war - like, with uranium bombs and radioactive fallout - on the EU for breaking the App Store business model.
I'm not saying it never happens, and I don't want to assume anything about your background, but I think most people who work in software would agree there's no need. Plenty of problems get in on their own.
yep if that were your goal it would be way more cost effective to get a zero day from just not trying that hard with security practices. Not having any security knowledge on the team. Not patching/upgrading dependencies with security bugs.
It doesn't make sense from numbers perspective, there's simply not that much potential for profit there. In general, the sale price of a zero-day or ten in some popular product is tiny compared to, for example, the marketing budget of that product.
That money is significant from the perspective of a particular employee (i.e. if they personally would get the money) or for a specialized consulting company, but it's a drop in the ocean for the large companies actually making the products. So we should expect some backdoors intentionally placed by rogue employees (either for financial motivation or at the behest of some government) but not knowingly placed by the organizations - unless in cooperation with their host government, not for financial reasons.
Furthermore this isn't the first of its kind; Google has been alerting high-risk Gmail users about state-sponsored hacking for about a decade now. Microsoft probably does something similar.
It’s great that Google alerted Gmail users, but then what?
“We believe you may be a target of a state-sponsored attacker; have a nice day.”
Beyond just telling you, Apple is providing some tools to do something about it.
Google advanced protection mode has been available for a while.
The threat models are different because the companies provide different services (spear phishing defenses from the web services company, hardware defences from the hardware provider), but still.
I think Apple's announcement (and as I've learned from this thread MS's and Google's similar programmes) represent a significant step-change. A single defense attorney performs this action on a case-by-case basis, and they earn "single human" levels of income from it. They (to some degree) use that money to make themselves comfortable and perhaps share it with charities and make investments. All the defense attorney's in the world combined still, probably, have access to a fraction of Apple's budget, and a fraction of Apple's audience. Defence attorneys don't always win all their cases.
Apple have the kind of money that makes 1000s of attorneys envious. Apple use that money to make infrastructure and client devices and then sell/share that technology with billions of people. Most of Apple customers buy their phones on loan agreements over some contract time-frame. It's "cheap", and the protections are automated.
I'm tired and getting rambly about this now, but I intuitively feel like the combination of state-level power (albeit exercised with a very narrow focus), and the way so many people live their (digital) lives interacting with a "noosphere" that crosses international borders are facets of a complex phenomenon we have not witnessed before, and which will merge with other related facets and then emerge as something really different. I accept I'm getting very fuzzy in my thinking here. I'm leaning into my inner sci-fi author (who's not come out for 30years and wasn't too talented when it did).
> Apple is saying "we operate at the same level as nation states; we are a nation-state level entity operating in the "digital world": It's a flag-raise
Maybe. But these security “features” feel like things that should have been there from the beginning. Windows 11 has already had a much wider and deeper array of security options. Sure, it’s not mobile, but many of those security options would be unlikely to be needed against unsophisticated attacks.
Flag-raise or marketing gimmick? You be the judge I guess.
>Apple is saying "we operate at the same level as nation states; we are a nation-state level entity operating in the "digital world"
Making mountains out of molehills.
I'm pretty sure they are saying that they will "offer specialized additional protection to users who may be at risk of highly targeted cyberattacks from private companies developing state-sponsored mercenary spyware".
There is a looooong list of things which nation states can do which Apple cannot, some examples of that are in other comments in this thread.
>but this is the first public announcement, and tool, from a corporation with more spare, unrestricted capital than many countries.
Google & Microsoft have both had fairly long-standing tools and procedures (which were publicly announced) to both alert users and aid users against nation state attacks.
After the Snowden leaks that showed even in-country citizen-to-citizen communication was being scooped up by the NSA without a warrant through fiber taps (if I remember that right) when Google replicated the data to out-of-country data centers, Google announced encryption of those links:
Google encrypts data amid backlash against NSA spying
You haven't been paying attention. Many tech companies have been protecting accounts from state attackers for many years, and explicitly calling out state sponsored attacks. Google introduced state-sponsored attack warnings in 2012 [1] and the Advanced Protection program explicitly protects from state sponsored attacks [2].
Many tech companies have been protecting accounts from state attackers for many years…
How many people have Microsoft and Google actually helped?
Incase you didn’t notice, Apple is in the process of giving a few hundred million iPhone owners--every iPhone since the 2017 iPhone 8--protection from state-level actors, for free, in the next operating system update due this fall.
It totally dwarfs anything that any other company has done in this area. So there’s that.
Google sent more than 50,000 state sponsored attack warnings in 2021. And those warnings started in 2012. So a lot of people have been helped. Meanwhile Apple didn't start doing similar warnings until less than a year ago.
> Apple is in the process of giving a few hundred million iPhone owners
Um, no? Lockdown mode is explicitly for "very few users". There's no way a hundred million iPhone users would benefit. Google's Advanced Protection offers protection from state-level actors to anyone with a Google account, so if you want to count by the number of people offered optional protection, Google wins by a landslide.
> for free
Haha, no, you have to buy an iPhone from Apple first. Google offers protection to anyone actually for free. All you need is a free Google account and a security key which doesn't have to be purchased from Google.
The point is the several hundreds of millions of existing Apple customers who own an iPhone 8 or newer are going to get Lockdown Mode in the next version of iOS for those "who may be at risk of highly targeted cyberattacks from private companies developing state-sponsored mercenary spyware" at no cost.
While it's true that very few iPhone users should ever need to activate this feature for the described use case, Apple has already indicated there will be more features added in the future where this could change.
There are likely additional use cases where an iPhone user may want to activate Lockdown Mode, such as traveling to an authoritarian country.
This article makes the argument that Lockdown Mode could benefit iPhone users who never activate it. [1]
Apple is following the lead of Microsoft in this regard. Microsoft has been acting as an international cyber defense agency for a few years. On the effectiveness of Ukraine's cyber defense: "Microsoft in particular has been hard at work" 21:45
Counterpoint - the EU has been passing laws that force apple to be more fair in their markets, and this "we're protecting you from bad guys" stuff is apple trying to figure out deniable methods to protest or sue against the EU passing laws to restrict apple's ability to lock other developers out.
Throw together a basic set of options that should have been available long ago, now apple is protecting you, don't strip apple of the ability to protect you, etc.
This feels like an argument the government would make against strong encryption like in the case a few years ago where the government tried to force Apple to unlock an iPhone and Apple refused claiming it wasn't possible.
Apple are basically saying that they're going to do their best in terms of security measures to thwart even state actors, which is only as much of a nation-state level thing as "military grade encryption" is a thing only applicable to militaries.
“Flag-raise” seems a bit hyperbolic but at any rate I think the BSA asserted such reach and power, long ago. Both have to act within the oversight of actual nation states.
Beyond that, a secure phone is necessary but not sufficient to defend oneself against a nation state.
A nation state has more than one way of extracting information from enemies of said state. There's the civilized way we now call hacking, and then there's the traditional way, which may or may not involve technology.
I don't know if you've been paying attention to Apple's strategy over the last year, but it's basically been "granting user privacy also happens to grant us an advertising/data monopoly"
I don't think the aim here is to block at state actors but to basically continue to close all security holes that can be exploited by any other company and continually proving to users that Apple cares about privacy.
The things is I really like Apple even more now since they have realize that my privacy interests can be tightly aligned with their own economic interests. I never trust companies to be good or look out for my interest even when I pay them to, but when my privacy ultimately means they gain a very strong competitive edge the I'm much more trusting.
Apple has realized they can become to privacy what Google has been to ubiquitous search, and doing so can reap even larger and more secure rewards.
They started with a walled garden and now extending it to fortress surrounding the garden.
Other than running ads inside the App Store, do you have any knowledge or evidence of Apple collecting personal information for advertising or any other use?
Google has been dealing with nation state actors targeting its users (Gmail specifically) for a decade now. They have Advanced Protection program. We actually regularly used to hear about how human rights activists were targeted in spear phishing campaigns and then arrested.
> from a corporation with more spare, unrestricted capital than many countries
... than most countries. There are only 7 countries with a higher GDP than Apple's market cap.
I have been concerned for some time about these mega corporations being as powerful if not more powerful than governments. They wield tremendous economic and political power. Corporations have very little allegiance to countries and have little to check them. It is a major concern of mine. Democracy in the U.S. is already being sold to the highest bidders.
These corporations are feudal lords but much, much more powerful because there is not a single person who can be brought down. Corporations are a collective who are treated as people when it's convenient and as something else when it's not.
It's bothersome to me, because these corporations are tax sinks. They get absolutely massive tax breaks on everything they do and pay as little as possible income taxes, comparatively speaking, all the while keeping billions offshore.
Billionaires and mega-corporations are national security threats to the countries that house them.
Pick whatever comparison you'd like, and the rest of my comment still stands. What you said may be true, although I'm not sure it's as simple as you state. But debating the semantics of the exact comparison used isn't really important to the sentiment I espoused.
"state actors" doesn't mean the US government in its full force or any other government Apple is in bed with to make money (like China).
It means in the best case shady agencies, foreign services, small governments, and in the likelier case just unhinged people with some access to state facilities (tax employees, unofficial police investigations, lawyers...)
I was dripping with disdain and sarcasm as I clicked "reply" but I actually want to engage you and have you seriously consider the history of oil and gas exploration and extraction.
This may, in fact, be a first for a US tech company ... but not in any way whatsoever a first for a business interest or corporation, etc.
This is also a very tame, roundabout and implied flag-raise - as opposed to "... summary execution, crimes against humanity, torture, inhumane treatment and arbitrary arrest and detention ...":
Good points. I had not thought about oil at all. I’ve become aware through light skimming that wars, coups and similar incursions have occurred around other resources.
This feeds into the point I was aiming at. The tech megacorps now have tooling to protect a narrow aspect of their customers lives from state incursion, regardless of which country that customer live in. I’ve not read the link you shared yet, so I don’t know the angle it takes or the angle you want to dig into my ideas from.
They don't "operate at the same level as nation states", protecting against state actors isn't the only thing in that level, unless you mean cyber-security only. Abstracting this to anything "nation-state level entity" is the crux of your argument.
I dislike big tech as much as the next hacker, but this seems like quite a leap. Protecting from nation-state actors digitally can be a job for digital powerhouses. In this case, the hackers are just very determined hackers with a lot of resources. Apple is a very motivated company with a lot of resources. Slightly to your point though, they have higher income than 96% of the countries on the planet. So they have the wealth to establish an Appletopia.
What they are doing is giving users an easy-to-use option to sacrifice part of the default user experience to enhance security by disabling features that are common vectors (which happen to be used by, as they phrase it multiple times in the announcement, "private companies developing state-sponsored mercenary spyware").
IMHO, whatever the reason why they are doing it, it's a good addition to their value proposition; but I don't think it's the same as what appears to be your understanding ("they will protect users from state actors"), at all.
I wonder if this mode would be helpful to protect myself if US border control forces me to unlock my phone so they can make a copy of all of my phone contents.
If you are a US Citizen or Permanent Resident, Border Patrol cannot prevent you from entering the United States. They can, however, detain you for up to 72 hours and confiscate the locked device if they have "reasonable suspicion". The confiscated property will be returned eventually.
If you are not a US citizen, refusal to unlock a phone and allow inspection, inclusive of allowing access to social media and corporate apps, will probably result in denied entry. They also have the right to detain you until indefinitely until you unlock the phone if they have "reasonable suspicion", but requires a court order within 72 hours.
Most foreign counties have similar rules in place for residents and non-residents.
They don't usually return the devices they steal, and most people travel with a total device value lower than the cost of an attorney and lawsuit to force the return.
The sterile area between the gate and the border control is treated as international waters/lands, which sounds fine, and IIUC there is the logic that laws don't apply there so you can be forced-forced anything free from constitutional protections. Not sure if that actually works though.
It would be a good idea to enable this before going though any border controls. Doubly so for countries that require apps to be installed before entry/upon entry/after entry.
ArriveCAN (Canada), Mobile Passport Control (USA), WeChat (China), and other mandatory government apps would be perfect vectors to stage highly targeted attacks.
I hope Apple expands this quickly through minor updates to the OS rather than waiting for a next major release. This needs faster iteration than anything else.
Quoting what’s in the first release:
> At launch, Lockdown Mode includes the following protections:
> Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled.
> Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
> Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
> Wired connections with a computer or accessory are blocked when iPhone is locked.
> Configuration profiles cannot be installed, and the device cannot enroll into mobile device management (MDM), while Lockdown Mode is turned on.
I’m not a target (I think, and hopefully don’t get to be one), but nevertheless I’d feel safer with this turned on (I very rarely use FaceTime, so not accepting it is not a big deal).
I’d also love more protections. Not allowing specific apps to connect to any network (WiFi included), Apple handling issue reports on apps with urgency (right now they seem to be ignored even when policy violations which are against the user’s interests are reported), etc.
Lots and lots of privacy stuff in the point releases. (And accessibility stuff, they’ve been on a tear there.) They’re still in a monolithic mindset when it comes to the “big” apps, but they’re iterating faster on these sorts of things as the release cycle goes along.
That…is seemingly a thing they should have done a long time ago…but it’s still smart, and I’m glad they’re doing it. Now they don’t have to rush the QA of a point release to vanquish yet another PDF parsing security threat.
> I’m not a target (I think, and hopefully don’t get to be one), but nevertheless I’d feel safer with this turned on (I very rarely use FaceTime, so not accepting it is not a big deal).
Good. We need people with nothing to hide to turn Lockdown Mode on, so that Lockdown Mode isn't a telltale signal that you have something to hide.
Which is exactly why it's optional. Plenty of other people, myself included, look at that list and would not want them all or would like to pick and choose which subsets are locked down.
I see they're running the reality distortion field at full power.
This is a load of bullshit and marketing hype. They are letting you turn off features for security reasons, i.e. what basically every OS has let you do, and what every half-competent IT department has been doing, for decades. In fact, iOS was an outlier in how unconfigurable it was, and with the pitiful MDM options not letting you turn off many of these features that are constant sources of vulnerabilities and social engineering.
Nothing that novel here other than the framing and cybersecurity marketing bullshit about Nation State Actors and "mercenaries."
Because it's being made to sound like something it's not. The comments are full of people fawning over how innovative and groundbreaking this is. Just trying to offer a dose of bitter reality to bring people back down to earth.
To what end? What new insight is gained from such a reframing?
I personally don’t think the individual features are as interesting as the overall framing and the fact that Apple is publicly announcing their intentions. The feature set will doubtless change over time - such is the nature of any software endeavor - but starting that journey is the interesting part.
Getting stuck on “but it’s just xyz dumb feature…” or “but they should have done x long ago”, etc. just obscure the more interesting fact that they’re explicitly embarking on this path to begin with.
Apple's been making it real difficult to pick Android lately. Only thing Android still has going for it is the ability to flash custom ROMs, eg CalyxOS or Graphene.
My point is that if you care about e2e crypto and privacy, you already have iCloud turned off in full, including the e2e bits, because it's a privacy minefield.
I explored installing a custom ROM on my android phone, but ended up questioning the utility of them. There appears to be many banking apps, random apps (McDonalds??) and others that will not work if the device is running a custom ROM.
That makes my phone useless to me.
Our only hope is a proper Linux phone with an Android emulation layer
You can get around that by spoofing safteynet stuff using Magisk. But yeah, it is a few more hoops to jump through and you need to be rooted which is itself not great for security.
Compare the actual features of Android vs. the actual features (instead of the marketing) of iOS, and it's clear that Apple doesn't care about user privacy. With Android, you get to choose which if any Google services to use. On iOS, you can't run any apps without telling Apple which ones, you can't get your location without also sending your location to Apple, and you can't practically run your own apps without fully deanonymizing yourself with banking details.
- you can't install apps without an apple account(making the phone useless really)
- you can't download apps from outside the app store
- there is no security enhanced or de-appled version if IOS, while on android GrapheneOS and CalyxOS exist
- you are limited to Safari as a browser engine(no extensions).
What? No, not even close.
- no way to use the phone without an account
- no way to install apps from outside the store
- no browsers other than Safari reskins.
These are all fixed by the DMA, but it will take a lot of time for things to mature, however other issues persist
- no way to put apps on the bottom of the screen
- the FOSS scene on IOS basically doesn't exist, while on android there is a whole app store for it(https://f-droid.org) this is a big point for me.
- no way to duplicate apps
- no separate work profile
- limited file mangament
- no notification chat bubbles(a pretty good feature on android 11/10?+
- no advanced apps like local terminal emulators, virtual firewalls or virtual tracker blockers(partially because the FOSS community rightly doesn't care about iOS)
- non encrypted iCloud backups(basically a backdoor into WhatsApp) or any important file medium
- CSAM Scanning inbound
And many other issues, iOS is hardly making Android hard to choose, its still locked down prison, its just a bit nicer inside now.
Since I value my privacy and like FOSS iOS is even more useless for me.
Last year I wrote: "In the world I inhabit, I’m hoping that Ivan Krstić wakes up tomorrow and tells his bosses he wants to put NSO out of business. And I’m hoping that his bosses say 'great: here’s a blank check.' Maybe they’ll succeed and maybe they’ll fail, but I’ll bet they can at least make NSO’s life interesting." [1]
And yet this feels like it’s too little too late. If I’m likely to be the target of the kind of state-sponsored malware “lockdown mode” supposedly protects me from I shouldn’t have been using Apple products in the first place. Which begs the question: what are current security best practices to protect from state-level hostile actors?
Really? Not something like Tails or Qubes? Am I too paranoid? I’m genuinely interested in learning about this. What am I supposed to use these days when I’m working on a project that would make me a target for state-level actors?
Too bad that Google does not offer this same “Lockdown Mode” as Apple does.
Instead, they (Google Play Store) removed our ability to see what “app privileges” that an app would required BEFORE we do the installation step from the Google Play Store. What we got instead was an obfuscated “Data Security” section that is pretty much always “blank”.
My flashlight app should not require GAZILLION app privilegeS nor hide that fact before I can determine whether I can safely install it, much like Apple App Store can do by doing the CRUCIAL pre-reveal of any needed app privilege(s) … for our leisure perusual and applying any applicable but personalize privacy requirement BEFORE we do the app install.
Google removed the install-time permissions dialog because they replaced it with runtime permissions. This makes sense - some users wants PayPal or WhatsApp to access their contact list, and others won't. It also fixes "permission blindness", where users blindly accept a long list of permissions because they need the app, or just stop caring because it's too much to comprehend all at once.
Obviously, this isn't perfect, especially since Google removed the internet permission and allowed all apps to access it. Allowing advanced users like us to toggle off internet access in the "App info" permission page would be a good compromise, and I hope and Android team does so to match Apple on their security efforts.
Fixes “permission blindness”? So, the current form of Google Play (app) Store “Data Security” section of each app being shown as “(blank)” is surely yet another form of “permission blindness”.
Google Play Store being proactive in protecting these end-users from their own form of stupidity (or “permission blindness”, as you have eloquently pointed out) is just opening themselves to potential liability ramifications instead of deferring to end-user’s responsibility of maintaining their own privacy.
I think that the term “permission blindess” is better referred to as an app having zero privilege.
And “App Privileges” should have referred to runtime permissions and should have been displayed in the first place at the Google Play Store instead of install-time privileges.
Your apps have no permissions until you allow them. If you install spyware and it wants all your contacts and files it has to ask. You simply select "no" and then remove it.
Apps would force you to consent to eg contact permissions "in case you want to share something to a contact" and then harvest all your contacts. Apps can no longer use that pretense.
It's taken a decade, but it's pretty much moved back to the permission model that j2me had, which iOS and Android deliberately removed & sold as better UX. Seems like the original devs of j2me knew what they were doing - only the joe public's weren't ready for permission popups then like they are now. :sigh:
Google hiding information about apps in the app store is a big problem - but its not as big a problem as not having a Little Snitch equivalent built into Android. This alone is a reason for real capital to be spent on startups in the alt-android space. Imagine a company that lets you use your current Samsung or Google or Sony or ASUS or whatever flagship phone, but with a truly open-source fork of Android with a Little Snitch built in, and security updates guaranteed for as long as you stay current with your subscription, which is like $5/mo. (Maybe that's too low). Maybe you could even wipe your device and mail it in to have the software installed if you can't be bothered to do it yourself. Or maybe even a partnership with a phone repair chain. (And if you don't want to pay the fee you can always install updates yourself manually, from source.)
> Imagine a company that lets you use your current Samsung or Google or Sony or ASUS or whatever flagship phone, but with a truly open-source fork of Android with a Little Snitch built in, and security updates guaranteed
You describe the direction CalyxOS / DivestOS are going. And of course, there's the Pixel phones on GrapheneOS which arguably is more security-focused.
I just read their homepage, and they don't have Google Play support. The requirement to run Google Play Services to access and run apps represents a serious anti-trust concern to me (and to the DoJ under any administration, I would imagine). Perhaps more importantly, I see no mention of any facility for network monitoring.
>DivestOS
Hadn't heard of this LineageOS fork, thanks. TBH I can't really tell how it differs from either Calyx or Divest. None of these tools have the top-line features I mentioned.
I’ve been using that for years but was wondering whether the documentation is current about Chrome - they offer things like disabling the JIT (nearly half of Chrome’s exploits last year) as a group policy option on Windows, for example, but it doesn’t appear that APP does anything for Chrome users other than mandatory Safe Browsing.
If Apple could somehow make phone and sms not useless due to spam that'd really save the average person. They must have the resources to throw at something like this. I'm not claiming to be an expert, I'm not saying I'm right, but phone spam is fucking awful.
Surely that's the responsibility of the providers, though? Apple can improve the situation a bit, maybe, but you'd really need to get AT&T & co to crack down on it to have any chance of solving it for good.
I know that I've had approximately zero spam on my German number (that I've had for ~2.5 years) - I'm sure why, whether I'm just lucky, or whether it's much more under control here. My UK number definitely had problems with spam, though. Maybe a couple of spam calls a week.
Nice, glad to hear it's at least reasonable elsewhere, It's very, very bad in the US, at least for my partner and I. We started getting unsolicited calls days after starting the house buying process because the credit reporting companies sell you off immediately. Very frustrating.
This seems to be a problem mostly localized to some countries. Device manufacturers should not be fighting a rotten network, the networks should be fixed instead.
Yeah but... here we are. In the US at least, I don't see this ever being addressed at the root. Everything between the user and the phone service is at least somewhat malleable, what's the problem with at least trying in one of those places?
> If Apple could somehow make phone and sms not useless due to spam
1) A full solution to this problem is going to depend on mobile carriers making changes. It isn't something which Apple can unilaterally fix.
2) This is completely irrelevant to the purpose of "Lockdown Mode". It's intended to protect high-risk users from certain sophisticated threats -- it isn't a feature which most users should use.
> USB Restricted Mode prevents USB accessories that plug into the Lightning port from making data connections with an iPhone, iPad, or iPod Touch if your iOS device has been locked for over an hour.
Android asks every time for every device. There is no 1-hour grace period.
Does this offer any protection after you are already pwned? Is the expectation that you have it permanently on if you are a high value target or do you turn it on temporarily before clicking on a link for example?
Don’t know enough about iOS to say for sure about persistence, but recent Pegasus (NSO Group spyware) versions don’t bother[1], instead repeatedly exploiting bugs starting with “features” like background Messages attachment parsing.
Those are the kind of threats Lockdown Mode finally acknowledges — targets (well IMO everyone) would need it permanently enabled.
Otherwise the temporary protection before clicking a link can be had today in other ways, like disabling Settings > Safari > Advanced > JavaScript.
If you're going to run a crippled-ass phone to protect yourself, because the regular phone is so fucking insecure, why even bother with a smartphone? They'll just find an exploit in something that the "security mode" hasn't disabled.
If you have already been pwned, the OS is compromised so it clearly is not able to retroactively undo that - any checkbox, option or whatever can just be turned into a no op that lies.
If you're already pwned to the point where they have kernel-level access and can bypass code signature enforcement, all bets are off. Even if lockdown mode interfered with their activity, at this point nothing prevents them from modifying the Settings app to not really enable lockdown mode even if you request it to.
772 comments
[ 0.18 ms ] story [ 1133 ms ] threadWith a bit of luck, this will cause site operators to reduce their usage of unnecessary JS, so maybe this has positive impacts :)
My sense is that the functionality to provide those experiences resulted in a decrease in user security and privacy when they were introduced -- and that those risks were widely-discussed and well-understood.
It's weird (although not unexpected) to see the reversal of them touted as a selling point.
Highly interesting, that Apple is doing this. This is a thing. MS and Google are also taking steps to harden Chromium security against JIT compiler issues with JavaScript. https://www.zdnet.com/article/securing-microsoft-edge-switch...
I seen some cool simulation, small apps, small games that I can just test online and not have to install them on my machine. Apple would love that we all got scared and only use installed apps from their store but the web is a decent deliver platform.
If we could have a modern subset of html and css for news websited and blogs , and the rest of js for web apps then you can have the option to turn off teh advanced settings or we could have different browsers that could focus on different things, like a website reader browser that does not care about super fast JITed JS it would not support webgl,camera or microphone acccess, it would just focus on text layout and simple forms,
and a web app browser that focuses on extreme optimizing for JS , canvas and webgl operations, camera and microphone access.
What OP wishes for is rather an experience that decidedly doesn't use JS, similar to Google's AMP or Gemini. A subset of HTML that makes publishing possible, without moving parts.
It's still very niche, but it's growing and the protocol is so simple that I'm writing software for it, specifically a multi platform browser (more like a viewer?)
More seriously, I guess they might want a way of avoiding sites that don't have a good no-script experience. Perhaps if there were a trustworthy way to vote on that (or detect it automatically), someone could offer an extension which puts scary red boxes around hyperlinks which point to such sites.
This should be ON by default. It would force webdevs to write efficient websites.
For example, say I would like to install a photo editing application. It would need access to my photos. That is fine, so long as it is not allowed to connect to the Internet (or any other network). There is currently no way to ensure this.
https://www.wired.com/story/ios-15-app-privacy-report/
It's under Settings > Privacy > App Privacy Report.
Does iOS not expose such functionality? Surely there's some kind of VPN API?
[1]: https://github.com/M66B/NetGuard
The Android app you link to seems to have the functionality I think should exist as a built-in. It needs to be built-in so that non-geeks can use it.
Just as users are asked the first time an application attempts to use the microphone and are able to prevent it before it starts, they should be able to limit network access and revoke it at any time.
(I don’t think users should be necessarily be forced to approve Internet access for every app install. Just make it possible to revoke in the global Settings widget and encourage users to think about personal data and Internet access being mutually exclusive.)
I tend to use that, and use Netguard as a fallback because the latter has an off by default config incase I forget to disable it for new apps.
Netguard on its own is insufficient because sometimes you'd need to use an actual VPN (which turns off Netguard)
I've also seen the toggles placed in the data usage graph, the other, older data usage graph you can sometimes find via a workaround, and in a separate app that pretends to be one of those system storage optimizers.
I'm sure Android supports it at the system level but how you get to those settings is anyone's guess, really.
I worked on AOSP for longer than I care to admit. This is mostly an illusion. System apps (like Google Play) can pretty much do whatever the heck it is that they want to. NetGuard, sure, "firewalls" it... but it wouldn't even know if a system app bypassed its tunnel. For installed apps, NetGuard is golden (as long as NetGuard itself doesn't leak).
disclosure: I co-develop a FOSS NetGuard alternative (and yes, this alternative has similar limitations).
I'm using my VPN as a Pihole tunnel and I don't notice any extra logs or requests when I turn off the VPN, but I may just be lucky. I did purge a lot of preinstalled Facebook crap…
For installed apps, there's no such respite, iff one enables 'Block connections without VPN' (the VPN lockdown mode) on Android 10+ (but NetGuard doesn't support it). This means in the times when NetGuard crashes or restarts (which it does on network changes, for example, or even on screen-off/screen-on, from what I recall), there's a chance the traffic flows through underlying interfaces rather than the tunnel (because the tunnel simply doesn't exist in the interim).
Datura (ebpf based) on CalyxOS and AfWall+ on any rooted Android can block out everything it pleases, though.
I don't mean to downplay NetGuard, because the codebase has evolved in response to years of addressing flaky networks, flawed apps, buggy Android forks. Marcel, the lead developer, has put his life's work into it and gave it away for free. The app I co-develop is, in fact, inspired from his efforts.
[0] https://github.com/celzero/rethink-app/issues/224
I absolutely love Netguard even though I don't really use a firewall in practice (I was sort of hoping a permanent VPN with some "real" traffic meddling would be enough to block most violations of my privacy). It's the one rootless firewall that actually just works on practically any device you can think of, among a sea of broken/scammy firewalls that fail all kinds of edge cases.
You should try the one I am building (: Promise, no scams in that one: https://f-droid.org/packages/com.celzero.bravedns/
Encrypted memory isn't part of arm yet, I was holding out hope with armv9 "realms" but not so.
This is not in any way intended for most use-cases, it's very clearly intended for a single, specific, uncommon use-case. The press release says as much more than once.
In other words: there's no "instead" here, any more than there's an "instead" between e.g. UI work and backend server work. Different people, different competencies, concurrent capacity.
Regardless, I was just lamenting that we don't (yet) have a feature that should be table stakes at this point.
That said, I think this is pretty unrelated to protecting yourself from nation state actors. Mercenary spyware (like NSO) doesn't use a legitimate app store app as their initial infection point. I can think of many reasons for this: difficulty getting target to install it, app store approvals, leaking their 0days, leaving more of a paper trail, and avoiding scrutiny in general, etc. I'd of course love this feature for my own data privacy of course.
Yeah, I would not want to have to approve every app. What I would like is a machine readable description of the app's capabilities to include Internet access, just as is required for access to the microphone or photos. This would encourage app developers to advertise to users that they don't need such capability and encourage users to realize that privacy and Internet access are mutually exclusive.
There are many small apps I simply will not buy/install (e.g., apps for editing photos or contacts or calendars) because they cannot be trusted. Even if you trust the developer, the developers are often embedding third party analytics libraries that cannot be trusted.
The Charles proxy iOS app doesn’t have the ui to support this, it’s clumsy to whitelist domains, but it does provide some visibility into what domains are being accessed.
(Of course, they could make some new MDM policies to individually turn these features on. You can already block external devices with MDM, and you can completely disable FaceTime/iMessage/iCloud. It wouldn't be much of a jump to add the more granular protections this has.)
[0] https://www.nbcnews.com/id/wbna28780205
It's the first such flag-raise I've seen. Security researchers talk about protections from state actors all the time, and there are tools which support that... but this is the first public announcement, and tool, from a corporation with more spare, unrestricted capital than many countries. It comes at a time when multiple nation states are competing for energy and food security; and Apple are throwing up a flag for a security-security fight (or maybe data-security). This is not just handy tech, it's full-on cultural zeitgeist stuff. Amazing.
The relationship between state and private industry has never been binary and has always had features like this. I don't think this is a "Jennifer Government" type scenario.
on the other hand, this is how democracy dies. what structures (systems) exist to prevent apple (and other comparable corporations) from being an oppresive force against human persons? moreover, what incentives do they have?
https://en.wikipedia.org/wiki/Company_rule_in_India
I only found out about this bank because the former president of the mexican central bank -- Mr. Carstens, left the central banking gig to go to that bank.
Source: friend used to work in the BIS and I've also been involved in banking off and on for a long time, including dealing with various international banking regulators.
Some fun BIS facts:
1) They process payments via regular SWIFT[2] messages. So the $100m in aid comes as a message just the same as if you transfer $5 from one bank account to another. It has an IBAN number with a regular bank account, so if you changed that to your own account details and the message was processed suddenly $100m would appear in your checking account instead of going fund an aid programme for some government in Africa or whatnot.
2) The number of payments they process is very low (>100 per day max and usually in the low tens of messages) so every payment message is checked by hand by several independent people as well as having automated checks. Partly to avoid the risk of funds getting sent to the wrong places etc.
3) My friend worked there in the 90s and said that even back then they had extremely strong security with multifactor biometrics on every entry to the premises. You got in via an entrance where you had to step into a cylander which would only unlock after it had taken multiple photos including an iris scan
[1] https://www.bis.org/bcbs/
[2] https://www.swift.com/about-us/discover-swift/messaging-and-...
Also, few know this, but many African slaves who were victims of the slave trade became slaves due to debt-slavery (though this didn't involve formal banks). I've seen estimates of up to 25% of slaves back then having been debt-slaves.
I hadn't realized that about African slaves; debt for what?
https://www.un.int/orderofmalta/about#:~:text=in%20your%20br....
https://www.youtube.com/watch?v=vsazo-Gs7ms
Apple doesn't have a military or police force with jurisdiction over me. They don't have the legal power to arrest me or throw me into prisons, which they also don't have. I don't have to pay taxes to Apple. I don't have to do business with them or interact with them in any way if I don't want to. I don't need Apple's permission to do anything unrelated to their product lines.
Same is true for any megacorporation. It's a big stretch to say they are even remotely as powerful as nation-states, let alone more powerful.
Many nation states don't have control over interest rates (because their central banks are run independently of the government) or even the ability to print money, if they have adopted another currency.[0]
> Mandatory taxes
States typically tax transactions which happen on their territory (e.g. wages and sales), and in the case of Apple, their devices are their territory, like feudally controlled tracts of land in cyberspace. Taking a cut of all app sales and in-app purchases seems very much like a tax under this analogy.
[0] https://en.wikipedia.org/wiki/Currency_substitution
And many others do. The State can abdicate such power and it usually does in stable economies where markets can self regulate. Given a big enough crisis, however, and the State will usually take that power back.
>or even the ability to print money, if they have adopted another currency.
Usually in cases of near total State bankruptcy
>Taking a cut of all app sales and in-app purchases seems very much like a tax under this analogy.
That's an interesting take.
Nope. You can avoid buying an iphone, but you cannot escape Google. I'm often forced to "do business" with google. I've seen several government websites that require code hosted on Google's servers. I need Google's permission to do all kinds of things unrelated to their service (reCAPTCHA) and google will track everywhere you go online even if you never use any of their services. Facebook also doesn't give you any option. They'll create a profile for you and start collecting data on you even if you've never created an account. You could argue that you pay these companies taxes in the form of your data rather than money, or that the fees they charge developers drive up consumer prices (acting as a tax on the purchases), and I suspect that should Apple/Google pay become more commonplace they will start charging a fee (tax) for that as well. Nothing stops them from doing it.
Some corporations even have their own literal armies (Blackwater/Xe/Academi), but others don't bother because they have the ability to command the police and military wherever they are. The RIAA have their own "swat" team. They participate directly in raids breaking down doors and handling evidence.
Companies like Apple and Google are far more invasive than police watching everything you do, listening to everything you say, recording every person you're in contact with. They censor and ban with impunity. If they really wanted to, they could plant data on your devices that would get you arrested and thrown in prison in any country around the globe.
corporations might not yet be as powerful as a nation state, but they're a lot closer than you give them credit for, and they likely have more direct influence on your day to day life and what happens to you.
Captchas are definitely worthy of criticism, but they are not remotely on the same level as forcefully controlling the land under someone's feet.
[0]: https://landing.google.com/advancedprotection/faq/
That is, they're turning features off for security. Something every IT department has been doing for decades. Windows supports this. Mac OS supports this. In fact, iOS was kind of notable in being so unconfigurable. The settings available in their MDM implementation were pitiful and didn't let admins disable many of these features.
Apple's profits are bigger than my country's (Slovenia) whole GDP. You bet your butt they're a state level actor in the digital world. They have more resources than many countries.
If Apple was a country, their $365bn in revenue would make them the 43rd richest country in the world right after Hong Kong.
https://en.wikipedia.org/wiki/List_of_countries_by_GDP_(nomi...
GDP per capita for Slovenia is $25,179 in comparison. 100x less.
For Hong kong, which makes a bit more GDP than Apple does revenue, the per capita number is $46,323. 50x less than Apple.
But your iMessage data...well there, your ass is hanging out in the breeze. In fact, I'm not sure it's possible to log into an iPhone with your Apple ID and not have an iCloud backup immediately fire off, which means your private encryption keys hit iCloud and stay there until it is purged according to their data retention policies. And we have no idea what those policies actually are; those keys made end up stored forever.
The US Government pressured them to drop a plan for fully encrypted cloud backups.
>Apple dropped plan for encrypting backups after the FBI complained
https://www.reuters.com/article/us-apple-fbi-icloud-exclusiv...
If you want a fully encrypted backup of your device, you have to make it to your local Mac or Windows computer.
Yes, it absolutely is possible. I have never turned on iCloud backup so I have no cloud backups of any of my phones or other devices.
You are correct there’s a bit of dark pattern going on here, but it is possible (to the extent the code does what it says of course). To be extra sure I have a custom lockdown MDM profile to disallow iCloud backups, as well as a number of other nefarious things like analytics, and whenever I get a new device, I first DFU restore it to the latest iOS image to ensure software (post bootrom) isn’t tampered with, then activate and install the MDM profile via a Mac and only then I interact with the device and go through setup.
Almost all users can't handle this; to support people, you need to be able to recover their account when they've lost every single password and proof of identity they possibly can. It's not a backup if you can't restore it.
The only persistent connection Apple has that I can think of to implement such a concept is for push notifications. Which would be a massive security hole if a HTTP response to that daemon was capable of bypassing the lock screen, secure enclave etc.
And the logical question is if they had such a system why would they bother triggering an iCloud Backup when they could ask the device to specifically hand over certain information e.g. Messages. Which at least could be done quietly over Cellular.
I mean, Apple has killswitches for every iPhone they ship. I wouldn't be the least bit surprised if that suite of tools also included settings management (MacOS has such a thing built-in, fwiw).
https://www.cpomagazine.com/data-privacy/icloud-data-turned-...
IMHO it should still be an option but only as part of Lockdown Mode, with the explicit caveat that turning it on risks losing data.
https://www.reuters.com/article/us-apple-fbi-icloud-exclusiv...
Also, there are many users who would benefit from e2ee iCloud backups who are not targets of NSO Group-type attacks, so I don't think it makes sense to make it only available in "Lockdown Mode".
Reuters makes two claims:
1) The FBI talked to Apple (duh) 2) An unannounced plan to implement fully E2EE backups was no longer discussed with the FBI at their next meeting
Both of those things might be true! Reuters isn't known for just making stuff like this up, like, say Bloomberg, but the article specifically says:
"When Apple spoke privately to the FBI about its work on phone security the following year, the end-to-end encryption plan had been dropped, according to the six sources. Reuters could not determine why exactly Apple dropped the plan."
So we've got an unannounced product, which the FBI didn't like, which Apple stopped talking to the FBI about (according to some leakers at the FBI).
This does not add up to "Apple dropped plans due to pressure from [the] FBI/DOJ". It adds up to "secretive company discusses plans with secretive agency, and some stuff about that conversation leaked".
This is likely the real reason E2E hasn't been done yet. I would wager Apple deals with orders of magnitude more people who are locked out of their phones than the number impacted by the lack of E2E backups. Trusted recovery contact added in the last iOS version is a step in a direction of providing some way to implement E2E, and still give people a way to recover.
https://www.reuters.com/article/us-china-apple-icloud-insigh...
https://www.forbes.com/sites/roslynlayton/2022/06/08/silicon...
https://www.theinformation.com/articles/facing-hostile-chine...
Microsoft handed over control of Azure in China to a Chinese company years ago.
"You" only means you if you're a Chinese citizen.
I wish we were more willing to cite our own government(s) as the bad actors here, rather than pretending that we have to reach for China/Russia/North Korea to find the kind of behavior Apple is attempting to protect its users against here.
The CLOUD Act expressly brings data stored by US-based companies anywhere in the world under the purview of US warrants and subpoenas.
https://en.wikipedia.org/wiki/CLOUD_Act
Who wins? The USA, the EU, no one, everyone?
https://nextcloud.com/blog/the-new-transatlantic-data-privac...
Most companies affected are currently awaiting the results of these processes, because following the current precedent to it's logical conclusion, it appears unlawful to transfer any personal data of an EU resident to a US-based company (even if that data remains physically in the EU or another adequate country). That would obviously have catastrophic consequences for the current status quo, so it's hard to believe that a compromise won't be found to avoid it.
However, it's also hard to see a compromise unless the United States exempts EU data subjects from the CLOUD Act, which seem unlikely. Hard to know where it'll go.
Bureaucrats are capable of breathtaking sophistry when it makes their jobs easier. If red was illegal but convenient they’d make a policy that red was actually green and argue it was until they were blue in the face.
You unfortunately need something like this because otherwise people will just hide documents, money, stolen property, etc. in foreign countries out of reach of US courts, even if they are US persons and corporations.
It isn't just pro-government. Imagine you are a criminal defendant and there is evidence proving your innocence in a foreign server controlled by an American person or company. This rule makes sure you can legally compel that entity to go get the data, the laws of that other country be damned, so you can present your defense.
Such a blunt rule was considered a little too harsh, and a potential source of international problems, so Congress passed a law softening the rule and allowing judges more discretion in considering the burdens of complying with the order. The law had the effect of making the Supreme Court case moot.
Sorry that the truth is more nuanced than you’d like it to be.
It is unambiguously an expansion of Government powers. You're the first and only person I've ever come across who has argued the opposite. It's such a ridiculous thing to write that I am wondering if you're trolling me?
What part of this do you think is incompatible with the fact that almost everyone expected Microsoft to lose the case?
And in fact, Microsoft, Apple, and Google lobbied for the CLOUD Act.
So maybe instead of accusing people of bad faith, you should have a little humility and open-mindedness to improving your understanding of the world. Believe it or not, techie discussion forums and Wired are not reliable sources of legal information, so that would explain why you're so misinformed.
If this is trolling, I applaud your creativity. If not, I'm in awe of the irony.
I think it's maths preventing e2e backup.
E2E supports sending messages to known devices.
Backups need to support unknown devices in order to restore to your new device when all your existing devices are lost or broken.
Maths and common sense. If you back up encrypted data and don’t back up the keys it’s not much of a backup.
iMessage offers excellent privacy of message content, but no 'pen register' protection.
Phone device security is very strong, but it's made largely moot if you turn on iCloud backups (which is the default behavior if you provide an Apple ID. I'm not sure there's even a way to stop the initial backup from happening?)
Apple reportedly doesn't offer e2ee on iCloud, or even encrypted device backups, out of compromise with the federal government...specifically the FBI, CIA, and NSA.
Why might people care about this? Criminalizing abortion and miscarriages...and what looks like at the very least a re-recognizing, and possibly criminalization, of LGBTQ relationships.
Apple should offer other sorts of backups, and offline iCloud systems.
You can backup to a Mac or PC. And it's offline and encrypted.
Not anything against LGBTQ or the like, though.
https://www.microsoft.com/en-us/corporate-responsibility/dem...
Furthermore this isn't the first of its kind; Google has been alerting high-risk Gmail users about state-sponsored hacking for about a decade now. Microsoft probably does something similar. Apple is comparatively late to the party on this. On the offensive side you have the zero-day vendors that broker exploits between hackers and the government.
A better explanation is that Apple isn't supplanting the US government. It's supplanting Halliburton. As more and more people and things go online, hacking and doxxing them is becoming more militarily valuable than just arresting someone or firing a missile. After all, physical attacks risk counterattacks and escalation, but Internet attacks are relatively cheap, not really treated as an attack by many sovereign states, and, most importantly, difficult to attribute.
[0] Call me when Apple black-bags Louis Rossman for illegally repairing MacBooks, or threatens literal nuclear war - like, with uranium bombs and radioactive fallout - on the EU for breaking the App Store business model.
That money is significant from the perspective of a particular employee (i.e. if they personally would get the money) or for a specialized consulting company, but it's a drop in the ocean for the large companies actually making the products. So we should expect some backdoors intentionally placed by rogue employees (either for financial motivation or at the behest of some government) but not knowingly placed by the organizations - unless in cooperation with their host government, not for financial reasons.
I do suspect the number of 0days which were deliberately added by plants from Five Eyes or elsewhere is not zero.
It’s great that Google alerted Gmail users, but then what?
“We believe you may be a target of a state-sponsored attacker; have a nice day.”
Beyond just telling you, Apple is providing some tools to do something about it.
The threat models are different because the companies provide different services (spear phishing defenses from the web services company, hardware defences from the hardware provider), but still.
Not to sound flippant, but defense attorneys do this, too. I don't think it's as big a zeitgeist as you think
I think Apple's announcement (and as I've learned from this thread MS's and Google's similar programmes) represent a significant step-change. A single defense attorney performs this action on a case-by-case basis, and they earn "single human" levels of income from it. They (to some degree) use that money to make themselves comfortable and perhaps share it with charities and make investments. All the defense attorney's in the world combined still, probably, have access to a fraction of Apple's budget, and a fraction of Apple's audience. Defence attorneys don't always win all their cases.
Apple have the kind of money that makes 1000s of attorneys envious. Apple use that money to make infrastructure and client devices and then sell/share that technology with billions of people. Most of Apple customers buy their phones on loan agreements over some contract time-frame. It's "cheap", and the protections are automated.
I'm tired and getting rambly about this now, but I intuitively feel like the combination of state-level power (albeit exercised with a very narrow focus), and the way so many people live their (digital) lives interacting with a "noosphere" that crosses international borders are facets of a complex phenomenon we have not witnessed before, and which will merge with other related facets and then emerge as something really different. I accept I'm getting very fuzzy in my thinking here. I'm leaning into my inner sci-fi author (who's not come out for 30years and wasn't too talented when it did).
I don’t think it has sunk in for most HN readers that every iPhone since iPhone 8, released in 2017, can upgrade to iOS 16 and get Lockdown Mode.
Apple is providing some protection against state-level actors at scale--hundreds of million devices. That is a step change!
Maybe. But these security “features” feel like things that should have been there from the beginning. Windows 11 has already had a much wider and deeper array of security options. Sure, it’s not mobile, but many of those security options would be unlikely to be needed against unsophisticated attacks.
Flag-raise or marketing gimmick? You be the judge I guess.
Making mountains out of molehills.
I'm pretty sure they are saying that they will "offer specialized additional protection to users who may be at risk of highly targeted cyberattacks from private companies developing state-sponsored mercenary spyware".
There is a looooong list of things which nation states can do which Apple cannot, some examples of that are in other comments in this thread.
>but this is the first public announcement, and tool, from a corporation with more spare, unrestricted capital than many countries.
Google & Microsoft have both had fairly long-standing tools and procedures (which were publicly announced) to both alert users and aid users against nation state attacks.
[1]: “About Apple threat notifications and protecting against state-sponsored attacks” https://support.apple.com/en-us/HT212960
After the Snowden leaks that showed even in-country citizen-to-citizen communication was being scooped up by the NSA without a warrant through fiber taps (if I remember that right) when Google replicated the data to out-of-country data centers, Google announced encryption of those links:
https://www.washingtonpost.com/business/technology/google-en...You haven't been paying attention. Many tech companies have been protecting accounts from state attackers for many years, and explicitly calling out state sponsored attacks. Google introduced state-sponsored attack warnings in 2012 [1] and the Advanced Protection program explicitly protects from state sponsored attacks [2].
[1] https://security.googleblog.com/2012/06/security-warnings-fo...
[2] https://blog.google/threat-analysis-group/protecting-users-g...
How many people have Microsoft and Google actually helped?
Incase you didn’t notice, Apple is in the process of giving a few hundred million iPhone owners--every iPhone since the 2017 iPhone 8--protection from state-level actors, for free, in the next operating system update due this fall.
It totally dwarfs anything that any other company has done in this area. So there’s that.
> Apple is in the process of giving a few hundred million iPhone owners
Um, no? Lockdown mode is explicitly for "very few users". There's no way a hundred million iPhone users would benefit. Google's Advanced Protection offers protection from state-level actors to anyone with a Google account, so if you want to count by the number of people offered optional protection, Google wins by a landslide.
> for free
Haha, no, you have to buy an iPhone from Apple first. Google offers protection to anyone actually for free. All you need is a free Google account and a security key which doesn't have to be purchased from Google.
The point is the several hundreds of millions of existing Apple customers who own an iPhone 8 or newer are going to get Lockdown Mode in the next version of iOS for those "who may be at risk of highly targeted cyberattacks from private companies developing state-sponsored mercenary spyware" at no cost.
While it's true that very few iPhone users should ever need to activate this feature for the described use case, Apple has already indicated there will be more features added in the future where this could change.
There are likely additional use cases where an iPhone user may want to activate Lockdown Mode, such as traveling to an authoritarian country.
This article makes the argument that Lockdown Mode could benefit iPhone users who never activate it. [1]
[1]: "iPhone Lockdown Mode could benefit those of us who will never use it"—https://9to5mac.com/2022/07/07/iphone-lockdown-mode/
Assessing Russia’s War in Ukraine
https://youtu.be/CzbsPOaCrLw?t=1305
To be fair has anyone made it work safely ?
Throw together a basic set of options that should have been available long ago, now apple is protecting you, don't strip apple of the ability to protect you, etc.
I must that on one hand it’s anti-democratic, on the other hand western democracies have a rather poor track record on safeguarding this kind of info.
In some way it reminds me (with all the differences!) of how things like cryptocurrencies could remove the state from a monopoly.
Good news for me this announcement!
Apple are basically saying that they're going to do their best in terms of security measures to thwart even state actors, which is only as much of a nation-state level thing as "military grade encryption" is a thing only applicable to militaries.
Zuckerberg, 5 years ago: https://www.youtube.com/watch?v=mFPAe8Tc2NE
“Flag-raise” seems a bit hyperbolic but at any rate I think the BSA asserted such reach and power, long ago. Both have to act within the oversight of actual nation states.
Beyond that, a secure phone is necessary but not sufficient to defend oneself against a nation state.
I don't think the aim here is to block at state actors but to basically continue to close all security holes that can be exploited by any other company and continually proving to users that Apple cares about privacy.
The things is I really like Apple even more now since they have realize that my privacy interests can be tightly aligned with their own economic interests. I never trust companies to be good or look out for my interest even when I pay them to, but when my privacy ultimately means they gain a very strong competitive edge the I'm much more trusting.
Apple has realized they can become to privacy what Google has been to ubiquitous search, and doing so can reap even larger and more secure rewards.
They started with a walled garden and now extending it to fortress surrounding the garden.
not to be glib, but 'citation please?'
Other than running ads inside the App Store, do you have any knowledge or evidence of Apple collecting personal information for advertising or any other use?
https://landing.google.com/advancedprotection/
Tell me it's a Hacker News comment without telling me it's a Hacker News comment.
... than most countries. There are only 7 countries with a higher GDP than Apple's market cap.
I have been concerned for some time about these mega corporations being as powerful if not more powerful than governments. They wield tremendous economic and political power. Corporations have very little allegiance to countries and have little to check them. It is a major concern of mine. Democracy in the U.S. is already being sold to the highest bidders.
These corporations are feudal lords but much, much more powerful because there is not a single person who can be brought down. Corporations are a collective who are treated as people when it's convenient and as something else when it's not.
It's bothersome to me, because these corporations are tax sinks. They get absolutely massive tax breaks on everything they do and pay as little as possible income taxes, comparatively speaking, all the while keeping billions offshore.
Billionaires and mega-corporations are national security threats to the countries that house them.
It means in the best case shady agencies, foreign services, small governments, and in the likelier case just unhinged people with some access to state facilities (tax employees, unofficial police investigations, lawyers...)
I was dripping with disdain and sarcasm as I clicked "reply" but I actually want to engage you and have you seriously consider the history of oil and gas exploration and extraction.
This may, in fact, be a first for a US tech company ... but not in any way whatsoever a first for a business interest or corporation, etc.
This is also a very tame, roundabout and implied flag-raise - as opposed to "... summary execution, crimes against humanity, torture, inhumane treatment and arbitrary arrest and detention ...":
https://en.wikipedia.org/wiki/Ken_Saro-Wiwa#Family_lawsuits_...
This feeds into the point I was aiming at. The tech megacorps now have tooling to protect a narrow aspect of their customers lives from state incursion, regardless of which country that customer live in. I’ve not read the link you shared yet, so I don’t know the angle it takes or the angle you want to dig into my ideas from.
Thanks for sparing me the satcasm.
IMHO, whatever the reason why they are doing it, it's a good addition to their value proposition; but I don't think it's the same as what appears to be your understanding ("they will protect users from state actors"), at all.
BTW bringing up the power off UI on iPhone (holding power and up buttons at the same time) disables FaceID/TouchID until a passcode is entered.
https://www.cbp.gov/sites/default/files/documents/inspection...
If you are not a US citizen, refusal to unlock a phone and allow inspection, inclusive of allowing access to social media and corporate apps, will probably result in denied entry. They also have the right to detain you until indefinitely until you unlock the phone if they have "reasonable suspicion", but requires a court order within 72 hours.
Most foreign counties have similar rules in place for residents and non-residents.
They also get to steal it and keep it if they want.
https://www.cbp.gov/sites/default/files/documents/inspection...
ArriveCAN (Canada), Mobile Passport Control (USA), WeChat (China), and other mandatory government apps would be perfect vectors to stage highly targeted attacks.
Quoting what’s in the first release:
> At launch, Lockdown Mode includes the following protections:
> Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled.
> Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
> Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
> Wired connections with a computer or accessory are blocked when iPhone is locked.
> Configuration profiles cannot be installed, and the device cannot enroll into mobile device management (MDM), while Lockdown Mode is turned on.
I’m not a target (I think, and hopefully don’t get to be one), but nevertheless I’d feel safer with this turned on (I very rarely use FaceTime, so not accepting it is not a big deal).
I’d also love more protections. Not allowing specific apps to connect to any network (WiFi included), Apple handling issue reports on apps with urgency (right now they seem to be ignored even when policy violations which are against the user’s interests are reported), etc.
Why? The iOS 15.x update history.
https://en.wikipedia.org/wiki/IOS_15
Lots and lots of privacy stuff in the point releases. (And accessibility stuff, they’ve been on a tear there.) They’re still in a monolithic mindset when it comes to the “big” apps, but they’re iterating faster on these sorts of things as the release cycle goes along.
[1]: https://techcrunch.com/2022/06/07/apple-introduces-real-time...
That…is seemingly a thing they should have done a long time ago…but it’s still smart, and I’m glad they’re doing it. Now they don’t have to rush the QA of a point release to vanquish yet another PDF parsing security threat.
Good. We need people with nothing to hide to turn Lockdown Mode on, so that Lockdown Mode isn't a telltale signal that you have something to hide.
This is a load of bullshit and marketing hype. They are letting you turn off features for security reasons, i.e. what basically every OS has let you do, and what every half-competent IT department has been doing, for decades. In fact, iOS was an outlier in how unconfigurable it was, and with the pitiful MDM options not letting you turn off many of these features that are constant sources of vulnerabilities and social engineering.
Nothing that novel here other than the framing and cybersecurity marketing bullshit about Nation State Actors and "mercenaries."
Why do you find it necessary to reframe the introduction of these features as a load of bullshit?
Are you arguing that these features are bad or not useful?
Or are you just saying that “it’s about time”? And if so, why not just focus on the part where Apple is doing a thing that needed to be done?
The undertones in your comment feel a bit unnecessary.
I personally don’t think the individual features are as interesting as the overall framing and the fact that Apple is publicly announcing their intentions. The feature set will doubtless change over time - such is the nature of any software endeavor - but starting that journey is the interesting part.
Getting stuck on “but it’s just xyz dumb feature…” or “but they should have done x long ago”, etc. just obscure the more interesting fact that they’re explicitly embarking on this path to begin with.
My password manager app might be bought out and exfiltrate all my credentials, or any of the linked libraries it uses.
This is less likely if you use Apple Keychain for your passwords. lock-in intensifies
That makes my phone useless to me.
Our only hope is a proper Linux phone with an Android emulation layer
These are all fixed by the DMA, but it will take a lot of time for things to mature, however other issues persist
- no way to put apps on the bottom of the screen - the FOSS scene on IOS basically doesn't exist, while on android there is a whole app store for it(https://f-droid.org) this is a big point for me. - no way to duplicate apps - no separate work profile - limited file mangament - no notification chat bubbles(a pretty good feature on android 11/10?+ - no advanced apps like local terminal emulators, virtual firewalls or virtual tracker blockers(partially because the FOSS community rightly doesn't care about iOS) - non encrypted iCloud backups(basically a backdoor into WhatsApp) or any important file medium - CSAM Scanning inbound
And many other issues, iOS is hardly making Android hard to choose, its still locked down prison, its just a bit nicer inside now.
Since I value my privacy and like FOSS iOS is even more useless for me.
I think their should.
Maybe this is the blank check :)
[1] https://news.ycombinator.com/item?id=27897975
Instead, they (Google Play Store) removed our ability to see what “app privileges” that an app would required BEFORE we do the installation step from the Google Play Store. What we got instead was an obfuscated “Data Security” section that is pretty much always “blank”.
My flashlight app should not require GAZILLION app privilegeS nor hide that fact before I can determine whether I can safely install it, much like Apple App Store can do by doing the CRUCIAL pre-reveal of any needed app privilege(s) … for our leisure perusual and applying any applicable but personalize privacy requirement BEFORE we do the app install.
Obviously, this isn't perfect, especially since Google removed the internet permission and allowed all apps to access it. Allowing advanced users like us to toggle off internet access in the "App info" permission page would be a good compromise, and I hope and Android team does so to match Apple on their security efforts.
Google Play Store being proactive in protecting these end-users from their own form of stupidity (or “permission blindness”, as you have eloquently pointed out) is just opening themselves to potential liability ramifications instead of deferring to end-user’s responsibility of maintaining their own privacy.
I think that the term “permission blindess” is better referred to as an app having zero privilege.
And “App Privileges” should have referred to runtime permissions and should have been displayed in the first place at the Google Play Store instead of install-time privileges.
Apps would force you to consent to eg contact permissions "in case you want to share something to a contact" and then harvest all your contacts. Apps can no longer use that pretense.
Perhaps we can call what it is now as “trust me first, then we will let you verify”.
When it should be “trust but verify first”.
I find it frustrating when I install a simple app and it asks me for every permission possible. Waste of time.
You describe the direction CalyxOS / DivestOS are going. And of course, there's the Pixel phones on GrapheneOS which arguably is more security-focused.
I just read their homepage, and they don't have Google Play support. The requirement to run Google Play Services to access and run apps represents a serious anti-trust concern to me (and to the DoJ under any administration, I would imagine). Perhaps more importantly, I see no mention of any facility for network monitoring.
>DivestOS
Hadn't heard of this LineageOS fork, thanks. TBH I can't really tell how it differs from either Calyx or Divest. None of these tools have the top-line features I mentioned.
CalyxOS intends to build a comprehensive netmon: https://gitlab.com/CalyxOS/calyxos/-/issues/349
Right now, they've got an ebpf-based firewall: https://calyxos.org/docs/tech/datura-details/
> TBH I can't really tell how it differs from either Calyx or Divest.
The lead developer is pretty active on github and fdroid forums: https://forum.f-droid.org/t/10105
https://landing.google.com/advancedprotection/
Don't use Google Play Store, then. There are other APK repositories.
I know that I've had approximately zero spam on my German number (that I've had for ~2.5 years) - I'm sure why, whether I'm just lucky, or whether it's much more under control here. My UK number definitely had problems with spam, though. Maybe a couple of spam calls a week.
1) A full solution to this problem is going to depend on mobile carriers making changes. It isn't something which Apple can unilaterally fix.
2) This is completely irrelevant to the purpose of "Lockdown Mode". It's intended to protect high-risk users from certain sophisticated threats -- it isn't a feature which most users should use.
Android defaults to charging only.
Android asks every time for every device. There is no 1-hour grace period.
Those are the kind of threats Lockdown Mode finally acknowledges — targets (well IMO everyone) would need it permanently enabled.
Otherwise the temporary protection before clicking a link can be had today in other ways, like disabling Settings > Safari > Advanced > JavaScript.
[1] Lack of persistence likely an attempt at making it harder to analyze: https://www.amnesty.org/en/latest/research/2021/07/forensic-...