One of the new features of iOS 16 is Lockdown Mode, which helps users protect themselves against targeted cyber attacks by disabling multiple device features. Among everything Lockdown Mode changes, it also restricts web browsing – and now software engineer Alexis Lours details how exactly that happens.
Lours shared on his personal blog how he ran multiple tests to find out which web features are disabled when Lockdown Mode is turned on. Thanks to Modernizr, a JavaScript library that detects features available in a web browser, the engineer has obtained a list of WebKit features that can potentially be used to spy on users.
Lockdown Mode’s impact on web browsing
The first thing noticed by the engineer is that Lockdown Mode disables just-in-time JavaScript compilation (JIT), which compiles code on the fly during its execution. Without JIT enabled, web browsing performance drops by up to 95% based on benchmark tests. This results in longer loading times and even higher battery consumption.
Lockdown Mode in iOS 16 also disables WebAssembly. WASM is a powerful binary code format that enables high-performance apps on web pages. However, it can also be used to create a digital “fingerprint” of users, which helps third parties track people across websites and apps.
Interestingly, support for MP3 players on webpages is also disabled with Lockdown Mode. Lours believes that Apple wants to prevent attackers from using MP3 decoding for malicious purposes. Of course, this ends up breaking any website with MP3 playback without a fallback to the AAC or OGG formats.
The Gamepad API, which was created to let users interact with game controllers on websites, doesn’t work with Lockdown Mode enabled. This is because malicious websites can use details like the controller ID to track users. Unsurprisingly, this breaks web games and platforms that rely on an external game controller.
Previewing files in web browsers is also restricted with Lockdown Mode. For instance, JPEG 2000 images and SVG fonts, which are exclusively supported by Safari, are disabled so websites can’t use these formats to target iOS users. PDF previewing for websites is also disabled, as multiple PDF-related exploits have been found in the past.
Other disabled features include WebGL, Speech Recognition API, and the Web Audio API.
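For site owners who want to degrade gracefully when these features are missing, here is a hand-written feature probe in the spirit of the Modernizr checks described above. It is an added example, not code from Lours's post or from Modernizr; probeFeatures, pickAudioSource and mockEnv are hypothetical names, and the mock browser is constructed so the code runs offline.

```javascript
// Added example. `env` is a window-like object; in a browser, pass `window`.
function probeFeatures(env) {
  const doc = env.document;
  const make = (tag) => (doc && doc.createElement ? doc.createElement(tag) : null);
  const audio = make("audio");
  const canPlay = (mime) =>
    Boolean(audio && typeof audio.canPlayType === "function" && audio.canPlayType(mime) !== "");
  let webgl = false;
  try {
    const canvas = make("canvas");
    webgl = Boolean(canvas && canvas.getContext && canvas.getContext("webgl"));
  } catch (_) {
    webgl = false; // defensive: treat any exception as "not supported"
  }
  return {
    webassembly: env.WebAssembly != null && typeof env.WebAssembly.instantiate === "function",
    gamepad: Boolean(env.navigator && typeof env.navigator.getGamepads === "function"),
    webgl,
    speechRecognition: Boolean(env.SpeechRecognition || env.webkitSpeechRecognition),
    webAudio: Boolean(env.AudioContext || env.webkitAudioContext),
    mp3: canPlay("audio/mpeg"),
    aac: canPlay('audio/mp4; codecs="mp4a.40.2"'),
    ogg: canPlay('audio/ogg; codecs="vorbis"'),
  };
}

// Choose the first playable source so a page without MP3 still has audio.
function pickAudioSource(features, sources) {
  const fmt = ["mp3", "aac", "ogg"].find((f) => features[f] && sources[f]);
  return fmt ? sources[fmt] : null;
}

// Constructed stand-in for a browser, so the example runs offline under Node.
function mockEnv({ apis = [], codecs = [] }) {
  const env = {
    navigator: {},
    document: {
      createElement: (tag) =>
        tag === "audio"
          ? { canPlayType: (m) => (codecs.some((c) => m.startsWith(c)) ? "probably" : "") }
          : { getContext: () => (apis.includes("webgl") ? {} : null) },
    },
  };
  if (apis.includes("wasm")) env.WebAssembly = { instantiate() {} };
  if (apis.includes("gamepad")) env.navigator.getGamepads = () => [];
  if (apis.includes("speech")) env.webkitSpeechRecognition = function () {};
  if (apis.includes("audio")) env.AudioContext = function () {};
  return env;
}
```

In a page, call probeFeatures(window) once at load and pass the result to pickAudioSource with the URLs of each encoded copy of the track.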
What else does Lockdown Mode restrict?
In addition to restricting web browsing, Lockdown Mode in iOS 16 also blocks most message attachments and link previews in Apple’s Messages app. Users with Lockdown Mode enabled only get FaceTime calls from known numbers, and iCloud Shared Albums are removed from the Photos app.
Apple also blocks configuration profiles and access to the device over a wired connection with Lockdown Mode turned on.
Of course, Apple emphasizes that Lockdown Mode is intended for a specific group of users who may be targeted by sophisticated espionage threats. These users include journalists, activists, and members of governments. This came after the company filed a lawsuit against ‘Pegasus’ spyware creator NSO Group last fall.
Lockdown Mode is available as part of iOS 16, which is expected to be released this fall. Developers and users registered in the Apple Beta Software Program can now try out iOS 16 beta.
Author: Filipe Espósito
Source: 9TO5Google