The impact of iOS 16 Lockdown mode in Safari

Jolly Roger

Jul 22, 2022, 8:08:18 PM
Alexis Lours did some testing and published details about the effects of
Apple's upcoming Lockdown Mode on Safari - cool stuff.

The impact of iOS 16 Lockdown mode in Safari
<https://blog.alexi.sh/posts/2022/07/lockdown-jsc/>
---
A look at how the new iOS lockdown mode affects web performances and features.

July 22, 2022 · 5 min · 966 words · Alexis LOURS

The iOS 16 beta 3 introduced a new privacy feature: Lockdown Mode. The
idea is to disable some features in iOS to reduce the possibility of
privacy-related attacks.

Apple also gives a rough list of the features disabled in Lockdown,
including one which caught my eye:

Web browsing: Certain complex web technologies, like just-in-time (JIT)
JavaScript compilation, are disabled unless the user excludes a trusted
site from Lockdown Mode.[1]

The first thing I thought was that disabling JavaScript JIT compilation
in JavaScriptCore would cause a major drop in performance, given the
amount of JavaScript used in webpages. I wanted to test how big this
impact would be.

The second was figuring out what’s included in “Certain complex web
technologies,” since Apple did not provide an explanation.

Disabled features

Through manual testing and Modernizr feature detection, the following
features get disabled in Lockdown mode:

* WebAssembly
* MP3 Playback
* MathML
* Gamepad API
* Web Audio API
* WebGL
* JPEG 2000
* Speech Recognition API
* MediaDevices.getUserMedia()
* RTCDataChannel
* PDF Viewer

Most of these have been disabled as a way to reduce possible user tracking.

Let’s go over each of the features to make sense of why they were disabled.

*WebAssembly*

WASM, while incredibly powerful, can be used to very quickly and
effectively fingerprint clients through canvas rendering
discrepancies[2] or local port scanning[3] among other options and make
them harder for ad blockers to detect. This can be a major pain point
for Blazor sites and other frameworks relying on Web Assembly since they
simply won’t work without a JavaScript fallback.

*MP3 Playback*

MP3 support is a bit of an outlier for me here. Most browsers support
MP3 playback and disabling it could allow identifying the target as a
macOS or iOS device running in Lockdown mode. One possible option would
be avoiding some crafted MP3 decoding attacks. This will break sites
that use MP3 playback without some fallback to AAC or OGG formats.

*MathML*

MathML rendering can be slightly different on a per device basis, which
might allow an attacker to track a device through the DOMRect object of
a MathML render[4].

*Gamepad API*

Without fingerprinting mitigation, the Gamepad API can be used to track
users through the id and buttons properties once users have interacted
with the page[5]. This will break most in-browser games and game
streaming platforms that use a controller to play games.

*Web Audio API*

The Web Audio API can be used to fingerprint Safari users through the
webkitOfflineAudioContext interface and signal variation[6].

*WebGL*

WebGL fingerprinting is one of the oldest ways to track users through
“unconventional” methods with rendering discrepancies between individual
devices, even running the same hardware. The WebGLRenderingContext can
also be used to detect user hardware and supported WebGL versions[7].

*JPEG 2000*

JPEG 2000 support is nowadays a sure way to identify a device as running
Safari since it is the only browser supporting it[8].

*Speech Recognition API*

While the Web Speech API runs on device on macOS and iOS, it can be used
to record an unsuspecting user.

This isn’t related to the iOS dictation or Siri, both of which will
still work just fine and aren’t accessible to websites. A demo of the
Web Speech API by Google can be found here.

*MediaDevices.getUserMedia()*

The MediaDeviceInfo can be used to track users across sessions on a
single origin through its deviceId property of a webcam, speaker, or
camera. Access to said device could also be a privacy risk. This means
that most sites requiring access to the microphone or cameras of the
device won't work.

*RTCDataChannel*

The WebRTC API can be used to leak the public and local IP of a device,
even under a VPN, when communicating with a STUN server[9].

*PDF Viewer*

The WebKit PDF viewer is disabled; clicking on a document will instead
trigger a download. It is still possible to open them with the Files
application once the download has completed.

*Performance impact*

Disabling the JIT compilation of JavaScriptCore will impact the
performance of most websites, which could also lead to increased battery
consumption.

I decided to test these four popular browser benchmarks to get a rough
idea of the performance impact.

All the benchmark results are the average over 10 runs, on an iPhone 13
mini running iOS 16 developer beta 3.

*Octane*

While not supported anymore, Octane remains a good basis to benchmark
JavaScript performance on the same browser.

<https://blog.alexi.sh/posts/2022/07/lockdown-jsc/images/octane.svg#center>

Ouch, a 95% drop in performance. While this result looks dramatic, it
should be noted that the browser itself is not 95% slower since it only
concerns JavaScript performance.

*JetStream 2.0*

While I would have loved to test JetStream, its focus on Web Assembly
just makes it impossible to test since it will just crash.

*Speedometer 2.0*

Speedometer aims to benchmark real world applications by emulating page
action on multiple frameworks. This should allow us to get a decent idea
of the performance drop in JavaScript heavy frameworks.

<https://blog.alexi.sh/posts/2022/07/lockdown-jsc/images/speedometer.svg#center>

A 65% drop in performance. While this is still a heavy hit on
performance, compared to a 95% drop this shifts the value from a no-go
to a compromise worth considering for people seeking the extra privacy.

*MotionMark 1.2*

Unlike most browser graphics benchmarks, MotionMark mostly relies on
HTML and SVG rendering through CSS and canvas operations instead of
WebGL.

<https://blog.alexi.sh/posts/2022/07/lockdown-jsc/images/motionmark.svg#center>

In this case, the performance loss only amounts to 20%, which would be
unnoticeable by most users.

*Conclusion*

For people in need of privacy against targeted tracking, Lockdown mode
seems to be a decent way to easily reduce some attack surface,
especially with how easy it is to enable.

While it will not provide a way to protect against all fingerprinting,
Apple chose to target some specific Web APIs and features that make
tracking easy and hard to block for non-technical users.

1. <https://www.apple.com/newsroom/2022/07/apple-expands-commitment-to-protect-users-from-mercenary-spyware/>
2. <https://github.com/drbh/wasm-fingerprint>
3. <https://infosecwriteups.com/identify-website-users-by-client-port-scanning-using-webassembly-and-go-e9798b4aa05c>
4. <https://privacycheck.sec.lrz.de/active/fp_ml/fp_ml.html>
5. <https://www.xda-developers.com/chrome-gamepad-api-changes/>
6. <https://fingerprint.com/blog/audio-fingerprinting/>
7. <https://privacycheck.sec.lrz.de/active/fp_wg/fp_webgl.html>
8. <https://caniuse.com/jpeg2000>
9. <https://developer.mozilla.org/en-US/docs/Web/API/WebRTC_API/Connectivity>
---

--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR
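
The article quoted above found the disabled features through Modernizr feature detection. As an added example (not code from the article or from anyone in this thread), the sketch below probes the same standard web APIs so a site can choose the fallbacks the article mentions; the probe heuristics and the names `probeFeatures`, `degradePlan`, `NO_FALLBACK` and `restrictedEnv` are assumptions made for illustration.

```javascript
// Added example. Each probe takes a window-like object and returns a boolean.
const PROBES = {
  "WebAssembly": (w) => typeof w.WebAssembly?.instantiate === "function",
  "Gamepad API": (w) => typeof w.navigator?.getGamepads === "function",
  "Web Audio API": (w) =>
    typeof (w.AudioContext || w.webkitAudioContext) === "function",
  "WebGL": (w) =>
    Boolean(w.document?.createElement("canvas").getContext?.("webgl")),
  "Speech Recognition API": (w) =>
    typeof (w.SpeechRecognition || w.webkitSpeechRecognition) === "function",
  "MediaDevices.getUserMedia()": (w) =>
    typeof w.navigator?.mediaDevices?.getUserMedia === "function",
  "RTCDataChannel": (w) =>
    typeof w.RTCPeerConnection?.prototype?.createDataChannel === "function",
  "MP3 Playback": (w) =>
    Boolean(w.document?.createElement("audio").canPlayType?.("audio/mpeg")),
};

// Fallbacks the article itself names; it lists none for the other features.
const FALLBACKS = {
  "WebAssembly": "serve the JavaScript fallback build",
  "MP3 Playback": "serve AAC or OGG audio instead",
};
const NO_FALLBACK = "hide the feature and tell the user"; // assumption

function probeFeatures(env = globalThis) {
  const report = {};
  for (const [name, probe] of Object.entries(PROBES)) {
    try { report[name] = Boolean(probe(env)); }
    catch { report[name] = false; } // a probe that throws counts as unavailable
  }
  return report;
}

// Turn a report into one action per missing feature.
function degradePlan(report) {
  const missing = Object.keys(report).filter((name) => !report[name]);
  return missing.map((feature) => ({ feature, action: FALLBACKS[feature] ?? NO_FALLBACK }));
}

// Constructed window-like object exposing none of the probed APIs (sample input).
const restrictedEnv = {
  navigator: {},
  document: { createElement: (tag) =>
    tag === "audio" ? { canPlayType: () => "" } : { getContext: () => null } },
};
console.log(degradePlan(probeFeatures(restrictedEnv)));
```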

Lewis

Jul 23, 2022, 12:01:30 AM
In message <jk0sfg...@mid.individual.net> Jolly Roger <jolly...@pobox.com> wrote:
> Alexis Lours did some testing and published details about the effects of
> Apple's upcoming Lockdown Mode on Safari - cool stuff.

It's very good.

> The impact of iOS 16 Lockdown mode in Safari
> <https://blog.alexi.sh/posts/2022/07/lockdown-jsc/>

[snip]

> Web browsing: Certain complex web technologies, like just-in-time (JIT)
> JavaScript compilation, are disabled unless the user excludes a trusted
> site from Lockdown Mode.[1]

JIT is a fucking disaster and should simply be eliminated on any device
that anyone cares about securing. I'd like to see a JIT toggle on iOS
and iPadOS and macOS that doesn't require the full lockdown mode.

Disabling it made no discernible difference in Safari's speed that I
could see.

> Most of these have been disabled as a way to reduce possible user tracking.

Not really, they are disabled to reduce the attack surface. Processing
binary content from external sources is where nearly all attacks
originate. Don't process and interpret the data and you've made yourself
vastly more secure.

> For people in need of privacy against targeted tracking, Lockdown mode
> seems to be a decent way to easily reduce some attack surface,
> especially with how easy it is to enable.

It has very little impact on normal operation. The biggest and most
noticeable thing is that URLs in messages are not clickable.

> While it will not provide a way to protect against all fingerprinting,

That is not the intent at all.

--
I SAW NOTHING UNUSUAL IN THE TEACHER'S LOUNGE Bart chalkboard Ep. 8F17

Jolly Roger

Jul 23, 2022, 8:54:49 AM
Agreed. I suspect that's just him projecting his own focus onto Apple.

RonTheGuy

Aug 8, 2022, 12:57:37 PM
On Jul 23, 2022, Lewis wrote
(in article<news:slrntdmsko....@zephyrus.local>):

>> Most of these have been disabled as a way to reduce possible user tracking.
>
> Not really, they are disabled to reduce the attack surface. Processing
> binary content from external sources is where nearly all attacks
> originate. Don't process and interpret the data and you've made yourself
> vastly more secure.

I don't know what many of these "attack surfaces" are.
WebAssembly
MP3 Playback
MathML
Gamepad API
Web Audio API
WebGL
JPEG 2000
Speech Recognition API
MediaDevices.getUserMedia
RTCDataChannel
PDF Viewer
SVG Fonts
Why are they attack surfaces and how many of them do we really need?

Ron, the humblest guy in town.
