Here’s How Lockdown Mode in iOS 16 Restricts Web Browsing

One of the new features in iOS 16 is Lockdown Mode, which helps protect users against targeted cyberattacks by disabling several device features. Among its other changes, Lockdown Mode also restricts web browsing, and software engineer Alexis Lours has now detailed exactly how that happens.

Lours shared on his personal blog how he ran several tests to find out which web features are disabled when Lockdown Mode is enabled. Using Modernizr, a JavaScript library that detects features available in a web browser, the engineer got a list of WebKit features that can potentially be used to spy on users.

The Impact of Lockdown Mode on Web Browsing

The first thing the engineer noticed was that Lockdown Mode disables just-in-time (JIT) JavaScript compilation, which compiles code on the fly as it runs. Without JIT enabled, web browsing performance drops by up to 95% based on benchmark tests. This results in longer loading times and even higher battery consumption.

Lockdown Mode in iOS 16 also disables WebAssembly. WASM is a powerful binary code format that enables high-performance applications on web pages. However, it can also be used to create a digital “fingerprint” of users, which helps third parties track people across websites and apps.

Interestingly, support for MP3 playback on web pages is also disabled with Lockdown Mode. Lours thinks Apple wants to prevent attackers from using MP3 decoding for malicious purposes. Of course, this ends up breaking any website with MP3 playback that does not fall back to AAC or OGG formats.

The Gamepad API, which was created to allow users to interact with game controllers on websites, does not work with Lockdown Mode enabled. This is because malicious websites can use details like the controller ID to track users. Unsurprisingly, this breaks web games and platforms that rely on an external game controller.

Previewing files in web browsers is also limited with Lockdown Mode. For example, JPEG 2000 images and SVG fonts, which are exclusively supported by Safari, are disabled so that websites cannot use these formats to target iOS users. PDF preview for websites is also disabled, as several PDF-related exploits have been discovered in the past.

Other disabled features include WebGL, Speech Recognition API, and Web Audio API.
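For site developers, the per-feature probing described above can drive graceful fallbacks, such as the AAC fallback for MP3 mentioned earlier. The following is an added example, not Lours's test code or Modernizr's own; `probeFeatures`, `pickAudioSource` and `mockEnv` are hypothetical names, and the mock environments are constructed so it runs outside a browser (how a restricted browser actually reports each feature is an assumption here).

```javascript
// Added example: probe the web features this article lists as disabled.
// `env` stands in for the browser's `window`; pass `globalThis` in a real page.
function probeFeatures(env) {
  const nav = env.navigator || {};
  const doc = env.document;
  const make = (tag) => (doc && doc.createElement ? doc.createElement(tag) : null);
  const audio = make('audio');
  const canvas = make('canvas');
  // canPlayType returns "", "maybe" or "probably"
  const plays = (type) => !!(audio && audio.canPlayType && audio.canPlayType(type) !== '');
  let webgl = false;
  try {
    webgl = !!(canvas && canvas.getContext &&
      (canvas.getContext('webgl') || canvas.getContext('experimental-webgl')));
  } catch (_) { webgl = false; } // some engines throw instead of returning null
  return {
    webassembly: typeof env.WebAssembly === 'object' &&
      typeof env.WebAssembly.instantiate === 'function',
    gamepad: typeof nav.getGamepads === 'function',
    webgl,
    speechRecognition: !!(env.SpeechRecognition || env.webkitSpeechRecognition),
    webAudio: !!(env.AudioContext || env.webkitAudioContext),
    mp3: plays('audio/mpeg'),
    aac: plays('audio/mp4; codecs="mp4a.40.2"'),
  };
}

// Pick an audio source the environment can decode, preferring MP3.
function pickAudioSource(features, sources) {
  if (features.mp3 && sources.mp3) return sources.mp3;
  if (features.aac && sources.aac) return sources.aac;
  return null; // caller should show a download link or a notice instead
}

// Constructed mock environments (assumed behaviour, not captured from a device).
function mockEnv({ restricted }) {
  const audio = { canPlayType: (t) => (t.startsWith('audio/mpeg') ? (restricted ? '' : 'probably') : 'maybe') };
  const canvas = { getContext: () => (restricted ? null : {}) };
  const env = {
    navigator: restricted ? {} : { getGamepads: () => [] },
    document: { createElement: (tag) => (tag === 'audio' ? audio : canvas) },
  };
  if (!restricted) {
    env.WebAssembly = { instantiate: () => {} };
    env.webkitSpeechRecognition = function () {};
    env.AudioContext = function () {};
  }
  return env;
}
```

JIT compilation has no direct JavaScript-visible switch, so it is not part of the probe.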

What Else Is Restricted in Lockdown Mode?

In addition to restricting web browsing, Lockdown Mode in iOS 16 also blocks most message attachments and link previews in Apple’s Messages app. Users with Lockdown Mode enabled only receive FaceTime calls from known numbers, and iCloud shared albums are removed from the Photos app.

Apple also blocks configuration profiles and access to the device over a wired connection with Lockdown Mode enabled.

Of course, Apple emphasizes that Lockdown Mode is aimed at a specific group of users who may be targeted by sophisticated spying threats. These users include journalists, activists and members of governments. This comes after the company filed a lawsuit against NSO Group, creator of the Pegasus spyware, last fall.

Lockdown Mode is available as part of iOS 16, which is slated for release this fall. Developers and users registered in the Apple Beta Software Program can now try iOS 16 beta.
