undefined | Better HN

0 pointsAnsil8493y ago0 comments

> So this would have prevented Hermit as you'd need to install a new configuration profile to allow sideloading of applications from that source.

Are you sure that's true? I haven't seen a Hermit sample firsthand, but from everything I've read about it targets did not need to install an MDM profile, they simply needed to click a link. Looking at Apple's distribution guidelines - https://support.apple.com/en-bw/guide/deployment/depce7cefc4... - MDM is listed as one option, and simply going to a link is listed as another:

> There are two ways you can distribute proprietary in-house apps: > > Using MDM > > Using a website

It seems like the latter was used, so I don't think installation of a custom profile was required, which brings me back to my original question of whether Lockdown would have prevented it.

0 comments

buran773y ago

An yet I wouldn't immediately jump to the conclusion that it's "security theater" because it only protects you from the vast majority of attacks and it may still be vulnerable to many 0-days. By this definition we have nothing but security theater in everything. And as the saying goes, if everything is security theater, nothing is security theater.

Ansil849OP3y ago

Lockdown is literally presented by Apple as being for people targeted by APTs like those developed by NSO Group, therefore I expect it to prevent attack vectors used by these APTs, like exploitation of the Developer program to facilitate sideloading malicious apps. I don't feel like this is an unrealistic expectation, and not having the mode actually do that amounts to security theater, which is a far cry from decrying everything as such.

ylk3y ago

> I expect it to prevent attack vectors used by these APTs

It does, it just doesn't close all attack vectors used by APTs.

They say[0]:

> Turning on Lockdown Mode [...] further hardens device defenses and strictly limits certain functionalities, sharply reducing the attack surface that potentially could be exploited by highly targeted mercenary spyware.

They don't say "turn this on and you'll be unhackable". They go on to say:

> Apple will continue to strengthen Lockdown Mode and add new protections to it over time.

So what they released in the current beta is just the start. They decided that releasing Lockdown mode with only some additional protections would be worthwhile to at-risk users and I personally agree. It's both true that Lockdown likely helps at-risk users (see reply by _kbh_) and still has lots of room for improvement.

[0]: https://www.apple.com/newsroom/2022/07/apple-expands-commitm...

1 more reply

_kbh_3y ago

> Lockdown is literally presented by Apple as being for people targeted by APTs like those developed by NSO Group, therefore I expect it to prevent attack vectors used by these APTs, like exploitation of the Developer program to facilitate sideloading malicious apps. I don't feel like this is an unrealistic expectation, and not having the mode actually do that amounts to security theater, which is a far cry from decrying everything as such.

These APTs overwhelming use RCE vectors that are less obvious then side loading apps, iMessage is probably the most popular and I would hazard a guess that other popular messaging applications (WeChat, signal, telegram, etc) and safari would be next.

olliej3y ago

Running an enterprise app still is not a trivial single tap on iOS.

Obviously with the new EU legislation mandating support for unrestricted malware of this kind, that's kind of a moot factor in EU and EU-adjacent markets.

Ansil849OP3y ago

> Running an enterprise app still is not a trivial single tap on iOS.

Yes, but still successful, as Hermit demonstrated. So my question is whether Lockdown mode would have prevented APTs like Hermit which it claims to prevent against. If not, then the move is security theater which doesn't address the actual flaws (like poor vetting into the Enterprise Program) being successfully leveraged in the wild.

olliej3y ago

I had a more detailed reply to an earlier post you made - but the summary is "What constitutes an enterprise that should be allowed to have 'enterprise apps'"

1 more reply

j / k navigate · click thread line to collapse

0 pointsAnsil8493y ago0 comments

> So this would have prevented Hermit as you'd need to install a new configuration profile to allow sideloading of applications from that source.

> There are two ways you can distribute proprietary in-house apps: > > Using MDM > > Using a website

It seems like the latter was used, so I don't think installation of a custom profile was required, which brings me back to my original question of whether Lockdown would have prevented it.

0 comments

buran773y ago

Ansil849OP3y ago

ylk3y ago

> I expect it to prevent attack vectors used by these APTs

It does, it just doesn't close all attack vectors used by APTs.

They say[0]:

They don't say "turn this on and you'll be unhackable". They go on to say:

> Apple will continue to strengthen Lockdown Mode and add new protections to it over time.

[0]: https://www.apple.com/newsroom/2022/07/apple-expands-commitm...

1 more reply

_kbh_3y ago

olliej3y ago

Running an enterprise app still is not a trivial single tap on iOS.

Obviously with the new EU legislation mandating support for unrestricted malware of this kind, that's kind of a moot factor in EU and EU-adjacent markets.

Ansil849OP3y ago

> Running an enterprise app still is not a trivial single tap on iOS.

olliej3y ago

I had a more detailed reply to an earlier post you made - but the summary is "What constitutes an enterprise that should be allowed to have 'enterprise apps'"

1 more reply

j / k navigate · click thread line to collapse