1. 6
    1. 5

      PR piece, but the buried lede here is lockdown mode, which offers much stricter security for those with stronger threat models.

      1. 3

        This Ars Technica article has more about Lockdown Mode. I like this bit:

        It’s useful that Apple is upfront about the extra friction Lockdown adds to the user experience because it underscores what every security professional or hobbyist knows: Security always results in a trade-off with usability.

    2. 1

      From what I’ve understood the “lockdown mode” is in practical terms nothing more than a “more sensible (security-wise) mode”, because it just seems to:

      • disable site-previews – I never understood the actual need for these; (*)
      • disable opening of attachments except images – something many other software should implement (especially email clients);
      • disable JIT for JavaScript – perhaps no JS would be better, but that would break most of the internet nowadays; (no more random blogs that require JS…)
      • disabling some behind-the-scene actions like MDM or connecting via cable when not unlocked; (*)
      • no new contacts for Apple’s own software;

      In fact, I don’t understand why the items I’ve marked with (*) aren’t the default…

      Going further, perhaps there could be a few security modes:

      • “trust me I’m an expert and certainly I won’t be pwned” – i.e. the current standard mode;
      • the “new standard mode” with some improved security, focusing on people that don’t have an IT background, which should include at least the items marked with (*), perhaps coupled with a built-in “safe DNS” (that filters out some malware);
      • the “secure mode” – what they call the new lockdown mode;
      • the “actual lockdown mode” – that should limit even more things, like for example disable access to camera, microphone, GPS, Bluetooth, allow internet connection only through a designated VPN (and thus WiFi and data can only be used to service that VPN), disable application installation, etc.; (the camera, microphone, etc. could be enabled on demand by explicit action in an iOS-generated dialogue, and that only for a limited time;)