Apple’s Lockdown Mode May Reduce Web Browsing Anonymity



Apple’s new Lockdown Mode greatly increases the security of your iPhone, but the way it works could actually reduce your privacy while browsing online.

Lockdown Mode is an extreme security setting for high-risk groups, such as journalists and politicians, who may find themselves targeted by nation states or other malicious actors. It works by disabling a number of system functions, such as blocking message attachments and web technologies.

However, the functionality that Lockdown Mode restricts could make it easy for websites to determine whether someone is using the high-security setting, John Ozbay, CEO of privacy firm Cryptee, told Motherboard.

This is because websites can detect if certain common features, such as custom fonts, are missing from a device. This is called fingerprinting, and it relies on collecting information about a user’s browser, device, and other metrics.

When you consider that websites can link your iPhone’s Lockdown Mode status to your IP address, it becomes clear that the high-risk security mode could itself be a privacy risk.

In other words, it is a matter of trading online anonymity for increased security. As Ozbay explained to AppleInsider, “Lockdown mode makes you safer, but also makes it easier to identify yourself in a crowd.”

To prove his point, Ozbay and the Cryptee team put together a proof of concept that can detect whether a user is in Lockdown Mode. According to Ozbay, the code took about “five minutes” to write.

The fact that websites can detect when a device is in Lockdown Mode is not a bug but the result of how the system is designed to make iPhones more secure. There is no way to mitigate the privacy drawbacks.

“Apple is doing a good job, but I wanted to draw attention to a trade-off that happens with lockdown mode,” Ozbay told AppleInsider. “Think of it this way, if you were to put up big barbed wire around your house, add cameras, hire guards, dogs, etc., it would keep you ‘safe’ but attract attention, and you might be identified.”

Other privacy- or security-focused platforms, like the Tor Browser, have similar issues. For example, while Tor goes to great lengths to reduce website fingerprinting, Tor Browser users usually end up standing out because their browsers are the only ones with a specific set of settings.

Ozbay reportedly contacted Apple and spoke with an engineer. This Apple staffer explained that the feature intentionally disables web fonts to reduce the online attack surface. Given the threat model that Lockdown Mode addresses, they said it wouldn’t make sense to make an exception for custom fonts.

Ryan Stortz, an independent security researcher, says that if enough people turn on Lockdown Mode, they’ll blend in, and it’ll be harder for websites to detect an interesting target.
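
The trade-off described above (a site pairing the missing-fonts signal with an IP address) and Stortz's point about adoption can be put in numbers. The Python sketch below is an illustration added here, not code from Cryptee or AppleInsider; the visitor population, the network labels and every function name are constructed for the example.

```python
import math
from collections import Counter

def surprisal_bits(share):
    """Identifying information, in bits, revealed by a trait that `share` of visitors have."""
    return -math.log2(share)

def build_population(total, lockdown_users, networks):
    """Constructed visitor log: ids spread round-robin over `networks` network
    prefixes; the first `lockdown_users` ids have web fonts disabled."""
    return [
        {"id": i, "net": f"net-{i % networks}", "web_fonts": i >= lockdown_users}
        for i in range(total)
    ]

def anonymity_sets(visitors, keys):
    """For each visitor id, count the visitors sharing its values for `keys`."""
    counts = Counter(tuple(v[k] for k in keys) for v in visitors)
    return {v["id"]: counts[tuple(v[k] for k in keys)] for v in visitors}

def smallest_lockdown_set(visitors, keys):
    """Smallest crowd any fonts-disabled visitor can hide in, given `keys`."""
    sets = anonymity_sets(visitors, keys)
    return min(sets[v["id"]] for v in visitors if not v["web_fonts"])

if __name__ == "__main__":
    # Compare rare adoption (5 of 1000) with widespread adoption (500 of 1000).
    for lockdown_users in (5, 500):
        pop = build_population(1000, lockdown_users, 50)
        print(
            f"{lockdown_users} of 1000 with fonts disabled: "
            f"{surprisal_bits(lockdown_users / 1000):.2f} bits, "
            f"crowd by network {smallest_lockdown_set(pop, ['net'])}, "
            f"by network + fonts {smallest_lockdown_set(pop, ['net', 'web_fonts'])}"
        )
```

With rare adoption the fonts signal alone shrinks a visitor's crowd on a shared network from 20 to 1; with half the population opted in, the same signal leaves a crowd of 10.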
