Friday, July 24, 2015

Security and Privacy Changes in iOS 9

Alban Diquet:

To further prevent user tracking, Apple has extended MAC address randomization to additional services, and seems to now include location services scans.


Keychain items can now be encrypted using both the device’s passcode and an “Application password”; both values are then needed to decrypt and retrieve the item. This allows Apps to control when the data is accessible/decrypted, instead of having the data decrypted as soon as the device is unlocked.


iOS 9 brings several new extension points geared toward network filtering and VPNs:

  • The Packet Tunnel Provider extension point, to implement the client-side of a custom VPN tunneling protocol.
  • The App Proxy Provider extension point, to implement the client-side of a custom transparent network proxy protocol.
  • The Filter Data Provider and the Filter Control Provider extension points, to implement dynamic, on-device network content filtering.

These extension points can only be used with a special entitlement, thereby requiring Apple to approve the extension first.

Maybe someday Little Snitch for iOS will be possible.
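The application-password keychain protection described in the quoted passage above, shown with the Security and LocalAuthentication frameworks. This is an added example, not code from Diquet's article or from Apple; the service and account names and the `VaultError` type are hypothetical.

```swift
import LocalAuthentication
import Security

enum VaultError: Error { case credentialRejected, status(OSStatus) }

// Hypothetical service and account names identifying the item.
let item: [String: Any] = [
    kSecClass as String: kSecClassGenericPassword,
    kSecAttrService as String: "com.example.vault",
    kSecAttrAccount as String: "api-token",
]

// Pass the application password to the keychain through an LAContext.
func authContext(_ appPassword: String) throws -> LAContext {
    let ctx = LAContext()
    guard ctx.setCredential(Data(appPassword.utf8), type: .applicationPassword) else {
        throw VaultError.credentialRejected
    }
    return ctx
}

func store(_ secret: Data, appPassword: String) throws {
    var cfError: Unmanaged<CFError>?
    guard let acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, // requires a device passcode
        .applicationPassword,                            // plus the app-supplied password
        &cfError) else { throw cfError!.takeRetainedValue() as Error }
    var attrs = item
    attrs[kSecValueData as String] = secret
    attrs[kSecAttrAccessControl as String] = acl
    attrs[kSecUseAuthenticationContext as String] = try authContext(appPassword)
    let status = SecItemAdd(attrs as CFDictionary, nil)
    guard status == errSecSuccess else { throw VaultError.status(status) }
}

func load(appPassword: String) throws -> Data {
    var query = item
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    query[kSecUseAuthenticationContext as String] = try authContext(appPassword)
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let data = result as? Data else {
        throw VaultError.status(status)
    }
    return data
}
```

Because the app supplies the password on every read, it can keep the item sealed while the device is unlocked by simply not holding the password in memory.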

4 Comments

"Maybe someday Little Snitch for iOS will be possible."

Pretty damn funny, Michael.

The thing I'm really curious about is if Little Snitch will be possible on OS X for 10.11 without disabling rootless.

(Interesting to note that Default Folder X is planning on releasing a 10.11 compatible version, which will only work with rootless disabled, of course. Wonder how that'll go. And all this points to the 'middle ground' Apple could've implemented to make rootless adequately granular. Still make the user jump through massive hoops to 'jailbreak', but allow the user to do so just for a single dev, still toss up all kinds of warnings and disclaimers, but then verify with a security certificate, possibly run through Cupertino, that would be revocable if it became apparent that the dev was shipping malware. Or something along those broad lines. But, of course, Apple would need to want to accommodate edge-cases for that kind of solution to make sense, and that sure as hell doesn't seem in the cards...)

There's nothing that prevents Little Snitch from working on 10.11:

- 3rd party NKEs are still supported
- launch daemons and launch agents are still supported
- you can still find the path of a process from its pid
- you can still find the parent process of a given process

Indeed, it looks like there is already a Little Snitch pre-release for 10.11.

Thanks much for the info, someone and Michael. I did some quick research on the topic before posting, but I was obviously lazy and negligent.

(However, I still think it's utterly hilarious to imagine LS ever coming to iOS...)
