The impact of iOS 16 Lockdown mode in Safari
iOS 16 beta 3 introduced a new privacy feature: Lockdown Mode. The idea is to disable some features in iOS to reduce the possibility of privacy-related attacks.
Apple also gives a rough list of the features disabled in Lockdown, including one which caught my eye:
The second was figuring out what’s included in “Certain complex web technologies,” since Apple did not provide an explanation.
Through manual testing and Modernizr feature detection, the following features get disabled in Lockdown mode:
- MP3 Playback
- Gamepad API
- Web Audio API
- JPEG 2000
- Speech Recognition API
- PDF Viewer
- SVG Fonts
Most of these have been disabled as a way to reduce possible user tracking.
Let’s go over each of the features to make sense of why they were disabled.
MP3 support is a bit of an outlier for me here. Most browsers support MP3 playback, and disabling it could allow a site to identify the target as a macOS or iOS device running in Lockdown mode. One possible reason would be to avoid some crafted MP3 decoding attacks. This will break sites that use MP3 playback without some fallback to AAC or OGG formats.
MathML rendering can be slightly different on a per-device basis, which might allow an attacker to track a device through the `DOMRect` object of a MathML render [4].
Without fingerprinting mitigation, the Gamepad API can be used to track users through the `buttons` property once users have interacted with the page [5]. This will break most in-browser games and game streaming platforms that use a controller to play games.
The Web Audio API can be used to fingerprint Safari users through the `webkitOfflineAudioContext` interface and signal variation [6].
WebGL fingerprinting is one of the oldest ways to track users through “unconventional” methods, relying on rendering discrepancies between individual devices, even ones running the same hardware. The `WebGLRenderingContext` can also be used to detect user hardware and supported WebGL versions [7].
JPEG 2000 support is nowadays a sure way to identify a device as running Safari, since it is the only browser supporting it [8].
While the Web Speech API runs on device on macOS and iOS, it can be used to record an unsuspecting user.
This isn’t related to the iOS dictation or Siri, both of which will still work just fine and aren’t accessible to websites. A demo of the Web Speech API by Google can be found at this link.
`MediaDeviceInfo` can be used to track a user across sessions on a single origin through the `deviceId` property of a webcam, speaker, or camera. Access to said device could also be a privacy risk. This means that most sites requiring access to the microphone or cameras of the device won’t work.
The WebRTC API can be used to leak the public and local IP of a device, even under a VPN, when communicating with a STUN server [9].
The WebKit PDF viewer is disabled; clicking on a document will instead trigger a download. It is still possible to open documents with the Files application once the download has completed.
SVG fonts are disabled. This is probably a similar situation to JPEG 2000, where only Safari supports them.
These changes are applied to all iOS and iPadOS browsers since they have to use WebKit under the hood.
Using Chrome, Firefox, or Brave will still disable these features.
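The feature checks discussed above, written as a site-side compatibility probe so a page can choose fallbacks instead of breaking; this is an added example, not code from the original post. `detectFeatures`, `planFallbacks` and `restrictedMock` are hypothetical names, the mock is constructed, and the fallback choices other than AAC audio and PDF download are assumptions.

```javascript
// Added example. `env` is a window-like object, injectable so the logic can be
// exercised outside a browser with constructed mocks.
function detectFeatures(env = globalThis) {
  const nav = env.navigator || {};
  const doc = env.document;
  const el = (tag) =>
    doc && typeof doc.createElement === 'function' ? doc.createElement(tag) : {};
  // canPlayType() returns "", "maybe" or "probably"; "" means unsupported.
  const canPlay = (mime) => {
    const audio = el('audio');
    return typeof audio.canPlayType === 'function' && audio.canPlayType(mime) !== '';
  };
  const canvas = el('canvas');
  return {
    mp3: canPlay('audio/mpeg'),
    aac: canPlay('audio/mp4; codecs="mp4a.40.2"'),
    gamepad: typeof nav.getGamepads === 'function',
    webAudio: Boolean(env.AudioContext || env.webkitAudioContext),
    speechRecognition: Boolean(env.SpeechRecognition || env.webkitSpeechRecognition),
    webgl: typeof canvas.getContext === 'function' && Boolean(canvas.getContext('webgl')),
    webAssembly: typeof env.WebAssembly === 'object' && env.WebAssembly !== null,
    mediaDevices: Boolean(nav.mediaDevices && nav.mediaDevices.getUserMedia),
    webrtc: typeof env.RTCPeerConnection === 'function',
    pdfViewer: nav.pdfViewerEnabled === true,
  };
}

// Illustrative fallback choices (assumptions, except AAC and PDF download,
// which the post mentions).
function planFallbacks(f) {
  const plan = [];
  if (!f.mp3) plan.push(f.aac ? 'serve AAC audio' : 'hide audio player');
  if (!f.gamepad) plan.push('offer touch or keyboard controls');
  if (!f.webgl) plan.push('render with 2D canvas');
  if (!f.webAssembly) plan.push('load the plain JavaScript build');
  if (!f.mediaDevices || !f.webrtc) plan.push('disable in-browser calls');
  if (!f.pdfViewer) plan.push('label PDF links as downloads');
  return plan;
}

// Constructed mock of a restricted environment (not captured from a device).
const restrictedMock = {
  navigator: { pdfViewerEnabled: false },
  document: {
    createElement: (tag) => (tag === 'audio'
      ? { canPlayType: (m) => (m.startsWith('audio/mp4') ? 'probably' : '') }
      : { getContext: () => null }),
  },
};
```

In a page, call `planFallbacks(detectFeatures(window))` once at load and branch on the result.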
I decided to test these four popular browser benchmarks to get a rough idea of the performance impact.
All the benchmark results are the average over 10 runs, on an iPhone 13 mini running iOS 16 developer beta 3.
While I would have loved to test JetStream, its focus on WebAssembly just makes it impossible to test since it will just crash.
A 65% drop is still a heavy hit on performance, but compared to a 95% drop, it shifts the value from a no-go to a compromise worth considering for people seeking the extra privacy.
Unlike most browser graphics benchmarks, MotionMark mostly relies on HTML and SVG rendering through CSS and canvas operations instead of WebGL.
In this case, the performance loss only amounts to 20%, which would be unnoticeable by most users.
While the privacy aspects are minimal at best at the moment, since the disabled APIs could indicate that a user is using Lockdown mode, this should become slightly better once Lockdown rolls out for all users.
Nonetheless, Apple targeted some key APIs that can be abused as a means to get a very precise fingerprint of a user, and also reduced the total attack surface for other means of exploitation.