Apple Platform Security (Jan 2026) [pdf](help.apple.com) |
Apple Platform Security (Jan 2026) [pdf](help.apple.com) |
> On devices with iOS 14 and iPadOS 14 or later, Apple modified the C compiler toolchain used to build the iBoot bootloader to improve its security. The modified toolchain implements code designed to prevent memory- and type-safety issues that are typically encountered in C programs. For example, it helps prevent most vulnerabilities in the following classes:
> • Buffer overflows, by ensuring that all pointers carry bounds information that’s verified when accessing memory
> • Heap exploitation, by separating heap data from its metadata and accurately detecting error conditions such as double free errors
> • Type confusion, by ensuring that all pointers carry runtime type information that’s verified during pointer cast operations
> • Type confusion caused by use after free errors, by segregating all dynamic memory allocations by static type
They made a dialect of C with bounds safety, see:
https://james.darpinian.com/blog/apple-imessage-encryption/
My current understanding of the facts:
1. Google defaults to encrypted backups of messages, as well as e2e encryption of messages.
2. Apple defaults only to e2ee of messages, leaving a massive backdoor.
3. Closing that backdoor is possible for the consumer, by enabling ADP (advanced data protection) on your device. However, this makes no difference, since 99.9% of the people you communicate will not close the backdoor. Thus, the only way to live is to assume that all the messages you send via iMessage will always be accessible to Apple, no matter what you do.
It's not like overall I think Google is better for privacy than Apple, but this choice by Apple is really at odds with their supposed emphasis on privacy.
I was unable to use Apple Fitness+ on my TV due to it telling me my Watch couldn’t pair with the TV.
The problem went away when turning off ADP.
To turn off ADP required opening a support case with Apple which took three weeks to resolve, before this an attempt to turn off would just fail with no detailed error.
Other things like iCloud on the web were disabled with ADP on.
I just wanted encrypted backups, that was it.
It would be bad PR for Apple if everybody constantly kept losing their messages because they had no way to get back into their account.
How does Google manage this, such every normie on earth isn’t freaking out?
Unbreakable phones are coming. We’ll have to decide who controls the cockpit: The captain? Or the cabin?Both promise security, Apple promises some degree of privacy. Google stores your encryption keys, and so does Apple unless you opt in for ADP.
Is it similar to Facebook Messenger (encrypted in transit and at rest but Meta can read it) and Telegram (keys owned by Telegram unless you start a private chat)?
There are things Pixels do that iPhones don’t, e.g., you get notified when a local cell tower picks your IMEI. I mean it’s meaningless since they all do it, but you can also enable a higher level of security to avoid 2G. Not sure it’s meaningful but it’s a nice to have.
Differences in capabilities, experience and implementation are all downstream from that. In other words, everyone pays lip service to privacy and security, but it's very difficult to believe that parties like Meta or Google are actually being honest with you. The incentives just aren't there.
With Apple, you get to fork over your wallet, but at least you seem the be primarily the user they've got to provide services to.
With Google/Meta, you're a sucker to bleed dry.
By default, Apple offers you at no charge: email aliases, private relay, Ask No Track barrier. These are just the ones I can think of right now. I am sure there are more. A big thing with Apple is not that they offer different privacy services but they make it EASY and SEAMLESS to use. No other company comes close.
Apple also makes it easier to achieve that privacy:
- They put all the privacy controls in one place in Settings so you can audit
- App developers are mandated to publish what they collect when publishing apps to the App Store.As was demonstrated in LA, it's starting to have significant civil rights consequences.
https://www.apple.com/newsroom/pdfs/fy2024-q4/FY24_Q4_Consol...
https://www.macrumors.com/2025/10/30/apple-4q-2025-earnings/
Would Google or Meta go bankrupt if they stopped selling ads? Yes. Apple wouldn’t.
I know, I'm living in a fantasy world in my head.
Two years ago I was locked out of my MacBook pro.
Then I just booted in some recovery mode and just..reset the password!?
Sure macos logged me off from (most) apps and website, but every single file was there unencrypted!
I swear people that keep boasting that whole apple privacy thing have absolutely no clue what they are talking about, nothing short of tech illiterate charlatans. But God the propaganda works.
And don't start me on iMessage.
Would you prefer that Apple did not give you the option to disable the security feature you disabled during setup?
Apple has since confirmed in a statement provided to Ars that the US federal government “prohibited” the company “from sharing any information,” but now that Wyden has outed the feds, Apple has updated its transparency reporting and will “detail these kinds of requests” in a separate section on push notifications in its next report.We know now that it was all marketing talk. Apple didn’t like Meta so they spun a bunch of obstacles. Apple has and would use your data for ads, models and anything that keeps the shareholders happy. And we don’t know the half of the story where as a US corp, they’re technically obliged to share data from the not-E2EE iCloud syncs of every iPhone.
Illegal to do this in (at least) the EU, California and China.
Our choices are either (A) an OS monitized by tracking user interaction and activity, or (B) monitized by owning the basic act of installing software on the device, both of these options suck and I struggle to give up the more open option for one that might be more secure.
I wouldn't say they are sound. First, macOS provides the freedom to install your own applications (ok, they need to be signed and notarized if the quarantine attribute is set) and it's not the case that the Mac has mass malware infestations. Second, the App Store is full of scams, so App Store - safe, external - unsafe is a false dichotomy.
Apple uses these arguments, but of course the real reason is that they want to continue to keep 30% of every transaction made on an iPhone or iPad. This is why they have responded to the DMA with a lot of malicious compliance that makes it nearly impossible to run an alt-store financially.
(Despite my qualms about not being able to install apps outside the app store, I do think they are doing a lot of good work of making the platform more secure.)
Security, privacy, and ownership aren't equally separated in my mind.
This apparently includes retrieving all photos from iCloud in chunks of specified size, which seems an infinitely better option than attempting to download them through the iCloud web interface which caps downloads to 1000 photos at a time at less than impressive download speeds.
1. Constant popups about "application requesting access" on macOS. That often happens without any user's activity.
2. If you leave the permission popup open for some time (because it's on a different screen), it auto-denies. And then you won't be able to find ANY mention of it in the UI.
3. macOS developers can't be assed to fix mis-features, like inability to bind low ports to localhost without having root access (you can open any listening port on 0.0.0.0 but you can't open 127.0.0.1:80).
If you want to see security done well (or at least better), see the GrapheneOS project.
Apple’s implementation of MTE is relatively limited in scope compared to GrapheneOS (and even stock Android with advanced security enabled) as it’s hardware intensive and degrades performance. I imagine once things get fast enough we could see synchronous MTE enabled everywhere.
It is curious at the moment though that enabling something like Lockdown Mode doesn’t force MTE everywhere, which imo it should. I think the people who are willing to accept the compromises of enabling that would likely also be willing to tolerate the app crashes, worse performance etc that would come with globally enabled MTE.
Macs are PCs now? This coming directly from Apple is hilarious.
I would really like to see a benchmark with and without security measures.
Apple makes available on a highly controlled basis iPhones which permit the user to disable “virtually all” of the security features. They’re available only to vetted security researchers who apply for one, often under some kind of sponsorship, and they’re designed to obviously announce what they are. For example they are engraved on the sides with “Confidential and Proprietary. Property of Apple”.
They’re loaned, not sold or given, remain Apple’s property, and are provided on a 12-month (optionally renewable) basis. You have to apply and be selected by Apple to receive one, and you have to agree to some (understandable but) onerous requirements laid out in an legal agreement.
I expect that if you were to interrogate these iPhones they would report that the CPU fuse state isn’t “Production” like the models that are sold.
They refer to these iPhones as Security Research Devices, or SRDs.
Isn’t whole disk encryption nowadays done in hardware on the storage controller?
Zeroing allocated memory is complicated because it also has performance benefits, since it improves compressed swap.
There is no point creating such document if elephant in the room is not addressed.
The developers also appear to believe that the apps have a right to inspect the trustworthiness of the user's device, by offering to support apps that would trust their keys [1], locking out users who maintain their freedom by building their own forks.
It's disheartening that a lot of security-minded people seem to be fixated on the "AOSP security model", without realizing or ignoring the fact that a lot of that security is aimed at protecting the apps from the users, not the other way around. App sandboxing is great, but I should still be able to see the app data, even if via an inconvenient method such as the adb shell.
1. https://grapheneos.org/articles/attestation-compatibility-gu...
But if you wish to build it from source, it could probably be a good option.
That is not a bad thing. The alternative is not having apps that do these checks available on the platform at all. It’s ridiculous that someone should expect that every fork of it should have that capability (because the average developer is not going to accept the keys of someone’s one off fork).
If there’s anyone to blame, it should be the app developers choosing to do that (benefits of attestation aside).
Attestation is also a security feature, which is one of the points of GOS. People are free to use any other distribution of Android if they take issue with it.
Obviously I could be wrong here, this is just the general sentiment that I get from reading GOS documentation and its developer’s comments.
That doesn't seem like avoiding the elephant in the room to me. It seems like very much acknowledging the issue and speaking on it head-on.
You might as well enumerate all the viruses ever made on Windows, point to them, and then ask why Microsoft isn’t proving they’ve shut them all down yet in their documents.
Microsoft does not sell Windows as a sealed, uncompromisable appliance. It assumes a hostile environment, acknowledges malware exists, and provides users and third parties with inspection, detection, and remediation tools. Compromise is part of the model.
Apple’s model is the opposite. iOS is explicitly marketed as secure because it forbids inspection, sideloading, and user control. The promise is not “we reduce risk”, it’s “this class of risk is structurally eliminated”. That makes omissions meaningful.
So when a document titled Apple Platform Security avoids acknowledging Pegasus-class attacks at all, it isn’t comparable to Microsoft not listing every Windows virus. These are not hypothetical threats. They are documented, deployed, and explicitly designed to bypass the very mechanisms Apple presents as definitive.
If Apple believes this class of attack is no longer viable, that’s worth stating. If it remains viable, that also matters, because users have no independent way to assess compromise. A vague notification that Apple “suspects” something, with no tooling or verification path, is not equivalent to a transparent security model.
The issue is not that Apple failed to enumerate exploits. It’s that the platform’s credibility rests on an absolute security narrative, while quietly excluding the one threat model that contradicts it. In other words Apple's model is good old security by obscurity.
> Lockdown Mode is an optional, extreme protection that’s designed for the very few individuals who, because of who they are or what they do, might be personally targeted by some of the most sophisticated digital threats. Most people are never targeted by attacks of this nature. When Lockdown Mode is enabled, your device won’t function like it typically does. To reduce the attack surface that potentially could be exploited by highly targeted mercenary spyware, certain apps, websites, and features are strictly limited for security and some experiences might not be available at all.
One might consider differently colored chat message bubbles… :)
I don't actually disagree with this. The auditor is a perfectly valid use of it. It's good to be able to verify cryptographically your device is running what it's supposed to.
The problem is when it transcends ownership boundaries and becomes a mechanism to exert control over things someone doesn't own, like your bank or government controlling your phone. It is one of the biggest threats to ownership worldwide.
Note also that getting "trusted" comes at the cost of other security features, such as spoofing your location securely to apps:
I have been cocky for 30 heads with the thought that I could always find a job quickly - and have even in 2023 (3 offers within 2 weeks) after being Amazoned and in 2024 (just replied to one recruiter the day after a layoff). But even I shut up and keep my head down these days. As long as we ain’t killing kids, I am not saying anything.
Even that level of non-involvement is getting increasingly difficult with anything Big Tech given their IDF involvement, although Apple might just be a rare exception.
I agree that the privacy controls on Apple systems are well-organized.
Still, it’s more important to have confidence that the privacy services are not smoke and mirrors with carefully carved-out loopholes. It’s one thing to provide something and hold the competitor as the litmus test, the other to sustainably live up to your promises, like the now pejorative “do no evil” slogan, with retroactive ramifications. There’s really little users can effectively validate about Apple’s privacy promises.
I don't currently have any root on the phone, but I reserve the right to add it or run the userdebug build at a later date
I fully agree with your original comment - AOSP security model is NOT a proper solution to the security problem, and I'd add to it that it was also designed to be anticompetitive - Google can do what third party apps can't.
Android architecture is tainted by Google's business model and it shouldn't be used as an example of a secure operating system..
People keep forgetting that Objective-C also had a full stack role on NeXTSTEP.
And the same full stack approach was also a thing on Xerox PARC systems, which mostly failed due to mismanagement.
Usually ends well for closed source platform vendors when developers aren't allowed to come up with alternatives like on FOSS operating systems.
At least, as long as the platform stays market relevant.
In terms of Apps and Low Level Stack Objective-C doesn't seems wrong in my book. The problem is Swift begin as a much larger language and evolve into a gigantic pile of a little of everything.
Despite all its complexity, LLVM and GCC aren't getting rewritten any time soon, or the OSes that rather use C++ subsets instead of being stuck with C.
Ross: “Even if you make X cryptographically airtight, the real fight becomes political/physical coercion: ‘ship this or else.’”
Those can both be true at the same time.
That article (written in 2016) says that Apple will build unbreakable phones in the future. Now is the future. So it seems to imply that Apple phones today are unbreakable.
Also, where does the article discuss "all of these protections"? (HSMs, rate limits, etc.)
Indeed. If you don't control the "unbreakable" security though, then the lock is not for your benefit.
> where does the article discuss "all of these protections"?
You could read the danged article, it's pretty clear about the vulnerability of proprietary mitigations. I hate quoting spoilers verbatim but here you go:
The sharper you get, the more important the work. But the more valuable the work, the craftier — and more determined — your adversaries. Every attack is more novel than the last. [...] By the time you land an engineering gig at Apple, you are a twitchy, tinfoily mess.
And it is in this spirit that you develop one of the most secure systems the world has ever known. [...] So adversaries be damned: You finally win on the merits. But who said anything about meritocracy? During the champagne toast, Mr. Fart steps from behind the curtain and pulls the pistol of last resort:
“Don’t ship this. Or else.”Nothing in the article is saying that HSMs, rate limits, etc are weak.
>If Apple believes this class of attack is no longer viable, that’s worth stating.
To say it more directly this time: they do explicitly speak to this class of attack in the keynote that I linked you to in my previous comment. It's a very interesting talk and I encourage you to watch it:
For the record, there is an ongoing court battle between Apple and UK government about getting it overturned.
Which also says many positive things for Apple that they are willing to put their money where their mouth is and put up a fight.
iCloud on the web not being available is kind of expected; how would it work with E2EE?
That’s 20% of their profit
That’s true. On Pixel Android, there’s several unrelated places in the various settings for the device and for the Google account to take care of and see that they do not collide. And for every function there’s always some sort of small print like “it’s all private to you unless you choose to share” - but to use any of the features/services you have to “share” like with Google Photos and Calendar and Tasks, you lose track of what you share with whom in the end. So essentially not only the metadata is collected but also the content and nothing’s private as a result, at least that’s what I got to understand. And even if you ask Google to delete your personal information, it will retain it for a while for compliance purposes.
As for
> - App developers are mandated to publish what they collect when publishing apps to the App Store.
I believe that’s still moot and rather a voluntary disclosure that no one vets. I’ve seen apps with no collection stated on App Store but deviating privacy policies, or app functions that contradicted their own privacy policy.
From what I heard and read, I understood that as a well-meant idea but still a misconception on the consumer part due to lack of enforcement by Apple.
I'm not familiar with the detail so I cannot comment directly on what you are saying. I don't have the time to go read up on it right now.
But what I would say is that many aspects will be indirectly enforced by Apple (and can be audited/enforced by the user) through the privacy controls (location services, microphone, camera etc.). Clearly that does not cover everything, but it covers a large chunk.
Apple have also made it impossible to for example get a device-level ID, you can only get an app-level pseudo-device-id. So there are various code-level enforcements too.
Then there’s a big disparity across all Android hardware vendors. Google must cater to that more or less federated topology of Android devices. It’s much harder.
Yet I don’t see any technical blocker for an opt-in for an Apple-grade ADP in Pixels and Galaxies.
It’s all quite weird. Even with Google Passwords, how do I know that it’s E2EE if I can unlock it from a browser with just a device PIN? Lots of loopholes.
https://www.theguardian.com/technology/2026/jan/31/us-author...
Ah, the apps^Wgovernment (look at that page, most of it is government IDs) should be able to discriminate against me for daring to assert control over my own device. And GrapheneOS is saying:
Hey government! We pinky promise to oppress the user just the same, but even more securely and competently than Google/Samsung!
> what does it matter to you
It shows that the developers maybe don't fully have your best interests at heart?
Ah, classic false choice. Do you know it is illegal to do cash transactions over a certain amount in most Western countries now? In my mind, if I have a right to do something (buy a home), and there is only one approved way to do it, then I automatically have the right to use the approved way.
Similarly, having a government ID might technically be a choice now, but it won't be soon with all these age verification BS rolling out. So no, this is not entitlement. Your argument would work for anticheat in online games or DRM media, but not banks or government services.
And Lockdown Mode is usually enabled _after_ user suspects targeting.
Americans are not one person.
> So I don’t think anyone cares
Clearly they do.
> every CEO (definitely not just Tim Cook) is schmoozing with Trump.
Tim Cook was (supposedly) principled. I guess it's hard to pretend that you care about privacy or human rights while eating dinner next to bin Salman.
I guess if you thought he had principles then yeah that could be disappointing. Personally I've never tried to moralize corporations though, I just assume the only principle that every company and CEO operates by is whatever increases the stock price.
Besides Trump‘s approval ratings are worse than ever so I don’t think people really got what they wanted, they got who they voted for not what they voted for.
Having controls is part of participating in society. I don't believe you should be able to make large transactions in total anonymity either. It's robbing you of a freedom, but society has deemed it a worthwhile tradeoff for preventing crime via money laundering and what not.
Google pushes Gemini everywhere and wants to keep on to your interactions, with human reviews. While I applaud the transparency, having Gemini scrape my screen makes me uneasy. My frog’s not warm enough for that, yet.
And Gemini in Sheets and Docs is just a toy. Microsoft 365 Copilot is a step ahead but is wrong more often than not, at least from my interactions with them. Both very disappointing. No way to justify access to my personal or my company’s or clients’ information.
Apple promises something they call Secure Compute or so, don’t remember the exact name, which appears to be encrypted and randomized in their cloud compute, which is off-device. With iPhone being the most powerful to date (per GeekBench), Tensor Pixels will have to offload most of the edge compute to GCP, and Snapdragon Samsungs while being powerful (I have no idea but would assume) must follow the Pixel Android approach.
So AI features will exfiltrate even more personal information, occasionally, accidentally, or purposefully, and the user would have consented to that and the human reviews just to get access to the smart features.
Yawn. Changing your default search engine takes 5 seconds.
That's pretty bad. Maybe not "reliant on ad monopoly" bad, but pretty close.
Have you considered that people just like Apple's products and services?
They sell third party ads: companies unaffiliated with Apple pay Apple to advertise on Apple platforms.
They’re an ad company. Just because it’s currently a small slice of their total revenue doesn’t make it untrue.
Making some cash on ads doesn’t have to rely on targeted tracking. That only matters if ads are an existential part of your business, and without huge ad revenue growth, your company is dead.
Keeping in mind the context of the overall thread we're in, where the OP said this:
> Apple's commitment to privacy and security is really cool to see. It's also an amazing strategic play that they are uniquely in the position to take advantage of. Google and Meta can't commit to privacy because they need to show you ads, whereas Apple feels more like a hardware company to me.
And then further down somebody replies with this:
> Apple is an ad company now though
The implication was that, because Apple sells ads now, they must be tracking all of your personal data in the same way that Google does. And then that train of thought was further continued with the implication that, because Apple receives "20% of its profits from ads and Google" (lumping them both together), Apple ergo is receiving 20% of its profits through tracking all of your personal data. But it's not Apple tracking all of your personal data, it's Google tracking it, and they would track it whether they're the default search engine on iOS or not.
The distinction matters to me, and it's why I buy Apple products but not Google products.
They get deleted and people shrug.
I don’t know if that’s generally true. I could lose my apple account and not really give a a damn. Not that I see how such a thing would happen, save for apple burning down all their datacenters. I’m running ADP
Huh? What are you talking about? I don’t see anything destructive about it.
(Apple says you can also use a device passcode; I'm not sure if this works if the device is lost. Maybe it does?)
Yubikeys are great
Hardware sales aren't picking up the slack, and advertisement revenue is also following a growth trend. Apple's stock would indeed be cooked if they went balls-out against the government that guarantees them access to cheap hardware and software that has been declared illegally anti competitive by foreign sovereigns. Apple needs this.
Compared to the S&P 500 which has gained around 75% since then
Notably, this hasn't stopped Apple from introducing multiple anti-tracking technologies into Safari which prevents Google from collecting information from Safari users.
If I open up a new tab in safari it tells me that in the last 30 days Safari prevented 109 trackers from profiling me and that 55% of the sites I use implement trackers. It also tells me that the most blocked tracker is googletagmanager.com across 78 websites