Lockdown Mode restrictions on APIs and web technologies are not documented

I have an issue with Lockdown Mode in which an app does not work properly when lockdown mode is enabled, even when the app is added as an exception. The error is easily reproducible.


I opened the case to Apple and their answer was, "[...] For security reasons, we can't get into the details of these technologies."


I also opened the case with Apple Developer Support, and their answer was similar: "[...] We are not equipped to provide the type of information you are seeking."


So, basically, if a user has Lockdown Mode and the app does not work properly, the developers have no way to troubleshoot the issue or to have programming habits that avoid issues in the first place. Well, with enough patience, they could perform a test by calling all the JavaScript/web functions that are available, and see which ones fail, or otherwise troubleshoot by trial and error. And once that test is done, then Apple's security-through-obscurity is broken. Maybe there are researchers working on that, already.


I guess that Apple's claim is that this security-through-obscurity benefits the security side in making attacks more difficult, but this in turn puts pressure on users to disable the Lockdown Mode because of functional issues, which in reality makes the iPhone less secure.


In any case, if anyone has information about what APIs/functions are not available or have an altered behavior in Lockdown Mode, that would be cool.


[Edited by Moderator]

Posted on May 18, 2024 11:11 AM

7 replies

May 18, 2024 11:54 AM in response to user_493

rotapple45 wrote:

"rotapple", eh? Sounds like you've already made up your mind about things.

I have an issue with Lockdown Mode in which an app does not work properly when lockdown mode is enabled, even when the app is added as an exception. The error is easily reproducible.

What is the error?

So, basically, if a user has Lockdown Mode and the app does not work properly, the developers have no way to troubleshoot the issue

That's hardly true. It's your app. You have the source code. There is an infinite number of ways to troubleshoot the problem.

Well, with enough patience, they could perform a test by calling all the javascript/web functions

I thought you said you had an app. What do javascript/web functions have to do with that? Is this one of those "electron" apps or something? I guess it isn't your app and you don't have the source code then. Bummer.

Maybe there are researchers working on that, already.

I'm sure they are. That's why Apple won't disclose the details to you. Isn't that kind of the point? If any developer could file a bug report and get full technical details, wouldn't that be a really helpful way to bypass those restrictions?


You are correct that there is some element of security through obscurity at work. Part of the effort is to obscure those details so that Apple has more time to improve the internals. That's pretty much how this security song and dance works. By the time vulnerabilities are found and exposed, Apple has already patched them. Hackers get their bug bounties. Apple's competitors get their bad Apple press. Apple gets its updates and new device purchases to run them. Everybody wins! Except the end users, of course. Luckily, they don't matter to security folks, only to Apple.

this in turn puts pressure on users to disable the Lockdown Mode because of functional issues, which in reality makes the iPhone less secure.

The iPhone is already secure, without Lockdown Mode. Most users aren't using Lockdown Mode. Hopefully, those few people who are sincerely at risk of targeted attacks aren't going to be disabling Lockdown Mode because some random electron app doesn't work correctly. But since there aren't that many people affected in the first place, it really isn't going to make a difference to anyone's bottom line, including yours.

In any case, if anyone has information about what APIs/functions are not available or have an altered behavior in Lockdown Mode, that would be cool.

If they didn't, they sure wouldn't be allowed to post it in this forum.


Apple doesn't even document how the Sandbox works. You can go to the Developer forums and they will give you solutions that flat-out won't work with an App Store app. It is the developer's responsibility to test the app under normal use. That normal use does not include Lockdown Mode.

May 18, 2024 2:35 PM in response to user_493

rotapple45 wrote:


To be honest, I was myself appalled at my own nickname when I saw it after posting LoL. I haven't posted in a while and I don't remember where it comes from. Anyway, it looks like I can't change it.

There is an e-mail for contacting the Apple hosts in the Apple Support Community Terms of Use. They do change user names on a regular basis.

No, it's a regular news app with paid subscription. Nothing special about it. And you are right that I don't have the code; I'm only a user. That was not clear enough in my post. For privacy, I prefer not to post the app name here, but I am happy to share privately if you are interested.

I thought you were the developer. If you're a user, then you can either turn off Lockdown Mode or find an alternative app. When I search for Lockdown issues on the Developer site, what little I find does usually pertain to these kinds of embedded web apps. There is a distinct possibility that this limitation is a good thing. Maybe this app is doing some suspicious stuff behind the scenes.

Even if I am only a user, I am concerned because I happen to develop software. So, in the future, if I want to develop an app I might be impacted by the fact that users may cease to use my services because of those functional issues.

Theoretically, that would be a valid concern. But practically speaking, Lockdown mode doesn't affect most apps. If it does, that says more about the app than about Lockdown mode.

Also, when an app doesn't work well (even after having performed a million tests), that doesn't give good press and is very frustrating.

What makes you assume the app has been tested, at all, let alone in Lockdown mode?

The app has a main section for the news. That section is only loaded partly, and as you scroll a bit, the rest of the space is all black (or white, I don't remember). The other sections load, although they are pretty unresponsive with the Lockdown Mode. When I receive a notification about some news, clicking on the notification usually opens the article without issues.

Have you contacted the developer about these issues?

According to Apple, I'm the only user in the world to have this issue.

Do you have any evidence to the contrary?

I think that this is an over-generic statement. True in the vast majority of the cases (especially if users follow security hygiene practices etc). But not true as in a 100%.

Don't believe what you read on the internet. 😄

I know I am only a drop in the ocean but, well, I wanted to at least state the issue.

But it sounds like this is just a problem with that app. Lots of people do come to these forums with complaints about 3rd party products. But in those cases, we can't test them. All we can do is recommend alternatives.

I'm not sure if I understand your point here. Developers do not need to know the technicalities of how sandboxing works (and they probably have no interest at all in knowing so), as long as the APIs and language primitives are documented and do the work that developers expect to be done.

But that's just the thing. Many developers do encounter sandbox issues. My app has lots of those. I was able to get one version of the app in the Mac App Store, but it wasn't worth the effort. Apple's APIs and documentation are completely ignorant of the sandbox. Developers just have to figure it out. Lockdown is much the same thing. But except for web activity, Lockdown seems to apply almost exclusively to Apple's own apps.

May 18, 2024 12:55 PM in response to etresoft

Thanks for your quick comment.

"rotapple", eh? Sounds like you've already made up your mind about things.

To be honest, I was myself appalled at my own nickname when I saw it after posting LoL. I haven't posted in a while and I don't remember where it comes from. Anyway, it looks like I can't change it.

What do javascript/web functions have to do with that?

I am pretty sure it is a Hybrid app that uses web technologies underneath.

Is this one of those "electron" apps or something?

No, it's a regular news app with paid subscription. Nothing special about it. And you are right that I don't have the code; I'm only a user. That was not clear enough in my post. For privacy, I prefer not to post the app name here, but I am happy to share privately if you are interested.


Even if I am only a user, I am concerned because I happen to develop software. So, in the future, if I want to develop an app I might be impacted by the fact that users may cease to use my services because of those functional issues. And to troubleshoot those issues will likely be a pain. I am aware that most users don't have Lockdown Mode (and probably don't need it). But if that app touches sensitive topics, I expect that the portion of users who will have the Lockdown Mode will be relatively high. Also, when an app doesn't work well (even after having performed a million tests), that doesn't give good press and is very frustrating.

What is the error?

The app has a main section for the news. That section is only loaded partly, and as you scroll a bit, the rest of the space is all black (or white, I don't remember). The other sections load, although they are pretty unresponsive with the Lockdown Mode. When I receive a notification about some news, clicking on the notification usually opens the article without issues.

That's pretty much how this security song and dance works.

Yes. But with other security features (updates, app integrity, biometrics...) I have a much lesser impact on usability. If it all boils down to how many users are impacted, then yeah, it's not really worth it to troubleshoot my case. According to Apple, I'm the only user in the world to have this issue.

The iPhone is already secure, without Lockdown Mode.

I think that this is an over-generic statement. True in the vast majority of the cases (especially if users follow security hygiene practices etc). But not true as in a 100%.

Most users aren't using Lockdown Mode.

I am :)

I know I am only a drop in the ocean but, well, I wanted to at least state the issue.

Apple doesn't even document how the Sandbox works.

I'm not sure if I understand your point here. Developers do not need to know the technicalities of how sandboxing works (and they probably have no interest at all in knowing so), as long as the APIs and language primitives are documented and do the work that developers expect to be done.

May 18, 2024 2:54 PM in response to user_493

If the developer is sufficiently interested in this topic (and you’ll want to contact them), they can post a note indicating that their app is incompatible with lockdown (at least) in their documentation.


As for what lockdown blocks, yes, Apple doesn’t provide details past “Web browsing - Certain complex web technologies are blocked, which might cause some websites to load more slowly or not operate correctly. In addition, web fonts might not be displayed, and images might be replaced with a missing image”


Based on various reports, lockdown disables the JIT and WebAssembly support, MP3 support, and some game-related functions.


For those that are potential targets, this isn’t a game, and these restrictions as well as further app and services and contents-related restrictions the user might adopt locally are entirely appropriate. Apps that get blocked are best assumed to be a potential risk.
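
A capability probe of the kind the original post describes, limited to the features the reply above reports as disabled, as an added example that is not part of any post in this thread and is not Apple documentation. The mapping from those reports to specific web APIs, the function names, and the two sample environments are assumptions made for illustration; a hybrid app would run it inside its web view and fall back when a feature is missing.

```javascript
// Added example, not from the thread. The feature-to-API mapping is an
// assumption based on the reports quoted above, not on Apple documentation.
// JIT state is not observable from script, so it has no probe here.
const PROBES = {
  webAssembly: (g) =>
    typeof g.WebAssembly === "object" && g.WebAssembly !== null &&
    typeof g.WebAssembly.instantiate === "function",
  mp3Audio: (g) => {
    const audio = g.document.createElement("audio");
    return typeof audio.canPlayType === "function" &&
      audio.canPlayType("audio/mpeg") !== "";
  },
  webFonts: (g) => Boolean(g.document.fonts) && typeof g.FontFace === "function",
  // "Game-related functions" is unspecified in the thread; the Gamepad API is a guess.
  gamepad: (g) => typeof g.navigator.getGamepads === "function",
};

// Run every probe; a probe that throws (API or object missing) counts as unavailable.
function probeFeatures(g = globalThis) {
  const report = {};
  for (const [name, check] of Object.entries(PROBES)) {
    try {
      report[name] = Boolean(check(g));
    } catch (err) {
      report[name] = false;
    }
  }
  return report;
}

// Return the subset of `required` feature names that this environment lacks,
// so the page can pick a fallback instead of rendering a blank section.
function missingFeatures(required, g = globalThis) {
  const report = probeFeatures(g);
  return required.filter((name) => report[name] !== true);
}

// Constructed stand-ins for a web view's globals (not captured from a device).
const fullEnv = {
  WebAssembly: { instantiate() {} },
  FontFace: function FontFace() {},
  document: { fonts: {}, createElement: () => ({ canPlayType: () => "probably" }) },
  navigator: { getGamepads: () => [] },
};
const restrictedEnv = {
  document: { createElement: () => ({ canPlayType: () => "" }) },
  navigator: {},
};
```

Logging the `probeFeatures()` report alongside crash or rendering telemetry gives a developer a concrete list to test against, rather than a user report that a section stays blank.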

May 21, 2024 12:26 PM in response to etresoft

Maybe this app is doing some suspicious stuff behind the scenes.

Maybe. But that's just speculative.

It's possible that the ads embedded in the app load the code that is triggering the Lockdown restrictions. If so, the app developers would probably like to know what those ads are doing. But, again, because Apple does not provide further information or tools, it's very hard to troubleshoot.

Theoretically, that would be a valid concern. But practically speaking, Lockdown mode doesn't affect most apps. If it does, that says more about the app than about Lockdown mode.

That's a very generic statement. It could also be a bug of the Lockdown feature or a false positive.

What makes you assume the app has been tested, at all, let alone in Lockdown mode?

I wasn't assuming anything. That statement was in the paragraph where I speak from the perspective of the developer, saying that if I develop an app in the future I might encounter those issues even after having tested the app. Note that Apple dynamically changes the restrictions when applying the Lockdown Mode to an app, depending on the app's behavior (as I was told in the case).

Have you contacted the developer about these issues?

Yes. They sent me the link of the Lockdown Mode feature page on Apple, and they told me there isn't much they can do.

Do you have any evidence to the contrary?

No.

Don't believe what you read on the internet. 😄

Don't assume that I google stuff 😄

Many developers do encounter sandbox issues. [...] Developers just have to figure it out.

Without further details, I don't see how your case relates to mine.

