Apple Platform Security (Jan 2026) [pdf]
help.apple.com
222 points by pieterr 3 days ago
They made C memory safe? This is a big thing to gloss over in a single paragraph. Does anyone have extra details on this?
> On devices with iOS 14 and iPadOS 14 or later, Apple modified the C compiler toolchain used to build the iBoot bootloader to improve its security. The modified toolchain implements code designed to prevent memory- and type-safety issues that are typically encountered in C programs. For example, it helps prevent most vulnerabilities in the following classes:
> • Buffer overflows, by ensuring that all pointers carry bounds information that’s verified when accessing memory
> • Heap exploitation, by separating heap data from its metadata and accurately detecting error conditions such as double free errors
> • Type confusion, by ensuring that all pointers carry runtime type information that’s verified during pointer cast operations
> • Type confusion caused by use after free errors, by segregating all dynamic memory allocations by static type
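As an added illustration of the quoted claims (not Apple's code, and not Firebloom's actual pointer representation), this hypothetical C model attaches the allocation's size and static type to every pointer and verifies them on each access and cast:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fat-pointer model: address plus the bounds and the static
 * type of the allocation it came from. Not Apple's representation. */
typedef struct {
    uint8_t *base;    /* start of the underlying allocation */
    size_t   size;    /* bytes the pointer may legitimately reach */
    uint32_t type_id; /* static type the allocation was made for */
} fatptr;

enum { TYPE_BYTES = 1, TYPE_HEADER = 2 };
typedef struct { uint32_t magic; uint32_t len; } header;

/* Allocations are tagged with their static type, modelling type-segregated
 * pools; the pointer handed back carries size and type with it. */
static fatptr fat_alloc(size_t size, uint32_t type_id) {
    fatptr p = { calloc(1, size), size, type_id };
    return p;
}

/* Bounds-verified copy out of the object: -1 if the access would escape.
 * Written as off > size || n > size - off so that off + n cannot wrap. */
static int fat_read(fatptr p, size_t off, void *out, size_t n) {
    if (off > p.size || n > p.size - off) return -1;
    memcpy(out, p.base + off, n);
    return 0;
}

/* Type-verified cast: only a HEADER allocation large enough to hold a
 * header may be viewed as one; anything else yields NULL. */
static header *fat_cast_header(fatptr p) {
    if (p.type_id != TYPE_HEADER || p.size < sizeof(header)) return NULL;
    return (header *)p.base;
}

/* Same 16-byte buffer: a 4-byte read at offset 12 is allowed, at offset 14
 * it is refused (it would reach bytes 16 and 17). Returns 1 when both hold. */
int demo_bounds_check(void) {
    fatptr buf = fat_alloc(16, TYPE_BYTES);
    uint32_t v = 0;
    int in_ok = fat_read(buf, 12, &v, sizeof v) == 0;
    int oob_refused = fat_read(buf, 14, &v, sizeof v) == -1;
    free(buf.base);
    return in_ok && oob_refused;
}

/* Viewing a BYTES allocation as a header is refused, a HEADER one is not.
 * Returns 1 when both hold. */
int demo_type_check(void) {
    fatptr bytes = fat_alloc(64, TYPE_BYTES);
    fatptr hdr = fat_alloc(sizeof(header), TYPE_HEADER);
    int ok = fat_cast_header(bytes) == NULL && fat_cast_header(hdr) != NULL;
    free(bytes.base);
    free(hdr.base);
    return ok;
}
```

A real toolchain does these checks in compiler-inserted code rather than through an explicit struct, but the failure cases it rejects are the same ones these two functions exercise.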
Many years ago. It’s called Firebloom. I think it’s similar in theory and lineage to Fil-C.
Sort of. From my understanding they’ve been heavily using clang with fbounds checks to insert checks into functions. I think there was work done to try to insert them into existing code as well. The memory tagging in new processors helps avoid overflow exploitation. Maybe someone can jump in and add more details.
Yes, that is however a dialect, and one of the goals of the Swift Embedded roadmap is to replace it.
So they were not joking when they said they want Swift to replace everything from Assembly to JavaScript.
I don't think this will end well.
It has been on Swift and Apple's official documentation since the early days.
People keep forgetting that Objective-C also had a full stack role on NeXTSTEP.
And the same full stack approach was also a thing on Xerox PARC systems, which mostly failed due to mismanagement.
Usually ends well for closed source platform vendors when developers aren't allowed to come up with alternatives like on FOSS operating systems.
At least, as long as the platform stays market relevant.
>People keep forgetting that Objective-C also had a full stack role on NeXTSTEP.
In terms of Apps and Low Level Stack, Objective-C doesn't seem wrong in my book. The problem is Swift began as a much larger language and evolved into a gigantic pile of a little of everything.
Doesn't seem to hinder C++, which modern C compilers are written with nowadays.
Despite all its complexity, LLVM and GCC aren't getting rewritten any time soon, or the OSes that rather use C++ subsets instead of being stuck with C.
Apple's commitment to privacy and security is really cool to see. It's also an amazing strategic play that they are uniquely in the position to take advantage of. Google and Meta can't commit to privacy because they need to show you ads, whereas Apple feels more like a hardware company to me.
modeless linked to this article earlier today:
https://james.darpinian.com/blog/apple-imessage-encryption/
My current understanding of the facts:
1. Google defaults to encrypted backups of messages, as well as e2e encryption of messages.
2. Apple defaults only to e2ee of messages, leaving a massive backdoor.
3. Closing that backdoor is possible for the consumer, by enabling ADP (advanced data protection) on your device. However, this makes no difference, since 99.9% of the people you communicate with will not close the backdoor. Thus, the only way to live is to assume that all the messages you send via iMessage will always be accessible to Apple, no matter what you do.
It's not like overall I think Google is better for privacy than Apple, but this choice by Apple is really at odds with their supposed emphasis on privacy.
Enabling ADP breaks all kinds of things in Apple’s ecosystem subtly with incredibly arcane errors.
I was unable to use Apple Fitness+ on my TV due to it telling me my Watch couldn’t pair with the TV.
The problem went away when turning off ADP.
To turn off ADP required opening a support case with Apple which took three weeks to resolve, before this an attempt to turn off would just fail with no detailed error.
Other things like iCloud on the web were disabled with ADP on.
I just wanted encrypted backups, that was it.
That chimes roughly with my experience, but to be fair ADP is designed not just for encrypted backups, but to harden the ecosystem for people who may be under the greatest threat. Worth noting that it has been outlawed in the UK and cannot be enabled, which makes me think it's pretty decent.
> Worth noting that it has been outlawed in the UK and cannot be enabled
For the record, there is an ongoing court battle between Apple and UK government about getting it overturned.
Which also says many positive things for Apple that they are willing to put their money where their mouth is and put up a fight.
Huh, that’s crazy because ADP doesn’t break anything for me. Then again, I’m not trying to connect an Apple Watch to a tv. What a simple life I live.
Apple's other emphasis is customer experience, and there are more "I forgot my code, help me recover my stuff" people than you can imagine.
It would be bad PR for Apple if everybody constantly kept losing their messages because they had no way to get back into their account.
That’s all fine, but then show the sender whether their connection is actually end to end encrypted, or whether all their messages end up in Apple’s effective control.
One might consider differently colored chat message bubbles… :)
You think there are fewer people who forget using Google devices? I doubt it. The article talks about how Google prevents that from happening.
ADP isn’t the default, and almost nobody who isn’t a journalist/activist/potential target turns it on, because of the serious (potentially destructive) consequences.
How does Google manage this, such that every normie on earth isn’t freaking out?
Nobody expects their text messages to be backed up.
They get deleted and people shrug.
Or IOW, Google's solution affects only messages. Apple’s solution affects your whole digital life so the consequences are a lot more dire.
> Apple’s solution affects your whole digital life
I don’t know if that’s generally true. I could lose my Apple account and not really give a damn. Not that I see how such a thing would happen, save for Apple burning down all their datacenters. I’m running ADP.
Google’s solution also ensures that they know all the metadata of your messages, except the content of the message itself.
> because of the serious (potentially destructive) consequences
Huh? What are you talking about? I don’t see anything destructive about it.
People don't always have enough Apple devices to justify confidence that they couldn't lose them all at the same time, which with ADP is a permanent death sentence if you don't have your recovery key.
(Apple says you can also use a device passcode; I'm not sure if this works if the device is lost. Maybe it does?)
I have 2 or 3 yubikeys associated with my account. I think apple does a decent job at communicating the importance of having recovery keys to the point where they deter those who can’t be bothered.
Yubikeys are great
I'm always put off by the incredibly low limits on yubikeys. What's the point of having a security key if you can only have 25 accounts in its lifetime? What are you supposed to do, buy tons of keys and then figure out a system to remember which key each account is? Like fucking hell just let me use passkeys in iCloud Keychain. My bank's mobile app specifically supports only security keys and explicitly not passkeys for literally no reason because passkeys are practically just as secure as any security key. It's actually harder to specifically exclude passkeys and allow only security keys than it is to just use passkeys which automatically include security keys.
I still like to encourage people to watch all of https://www.youtube.com/watch?v=BLGFriOKz6U&t=1993s for the details (from Apple’s head of Security Engineering and Architecture) about how iCloud is protected by HSMs, rate limits, etc. but especially the time-linked section. :)
I still recommend Mr. Fart's Favorite Colors as a refutation, describing why all of these precautions cannot protect you in a real-world security model: https://medium.com/@blakeross/mr-fart-s-favorite-colors-3177...
Unbreakable phones are coming. We’ll have to decide who controls the cockpit: The captain? Or the cabin?
Krstić: “Here’s how we reduce the chance that even Apple can access or alter X, and here’s how we can make that credible.”
Ross: “Even if you make X cryptographically airtight, the real fight becomes political/physical coercion: ‘ship this or else.’”
Those can both be true at the same time.
I don't understand.
That article (written in 2016) says that Apple will build unbreakable phones in the future. Now is the future. So it seems to imply that Apple phones today are unbreakable.
Also, where does the article discuss "all of these protections"? (HSMs, rate limits, etc.)
> So it seems to imply that Apple phones today are unbreakable.
Indeed. If you don't control the "unbreakable" security though, then the lock is not for your benefit.
> where does the article discuss "all of these protections"?
You could read the danged article, it's pretty clear about the vulnerability of proprietary mitigations. I hate quoting spoilers verbatim but here you go:
The sharper you get, the more important the work. But the more valuable the work, the craftier — and more determined — your adversaries. Every attack is more novel than the last. [...] By the time you land an engineering gig at Apple, you are a twitchy, tinfoily mess.
And it is in this spirit that you develop one of the most secure systems the world has ever known. [...] So adversaries be damned: You finally win on the merits. But who said anything about meritocracy? During the champagne toast, Mr. Fart steps from behind the curtain and pulls the pistol of last resort:
“Don’t ship this. Or else.”
Can someone explain what the real difference is to a consumer user between an iPhone and a Pixel or a Samsung device? Across all services, push notifications, and device backups.
Both promise security, Apple promises some degree of privacy. Google stores your encryption keys, and so does Apple unless you opt in for ADP.
Is it similar to Facebook Messenger (encrypted in transit and at rest but Meta can read it) and Telegram (keys owned by Telegram unless you start a private chat)?
There are things Pixels do that iPhones don’t, e.g., you get notified when a local cell tower picks your IMEI. I mean it’s meaningless since they all do it, but you can also enable a higher level of security to avoid 2G. Not sure it’s meaningful but it’s a nice to have.
Some of these companies don't make money from you, the end user, but by selling ads and data to more effectively deliver said ads.
Differences in capabilities, experience and implementation are all downstream from that. In other words, everyone pays lip service to privacy and security, but it's very difficult to believe that parties like Meta or Google are actually being honest with you. The incentives just aren't there.
With Apple, you get to fork over your wallet, but at least you seem to be primarily the user they've got to provide services to.
With Google/Meta, you're a sucker to bleed dry.
I think there’s also a topology chasm at play. Apple controls most of its hardware stack, with Qualcomm modems and Samsung displays, but the SoC is now Apple’s own. Google relies on rotating third parties to assemble the Pixels, hence poor QC. Samsung makes its own Exynos modems which they don’t dog-food and like Apple rely on Qualcomm instead, while Google still depends on Exynos.
Then there’s a big disparity across all Android hardware vendors. Google must cater to that more or less federated topology of Android devices. It’s much harder.
Yet I don’t see any technical blocker for an opt-in for an Apple-grade ADP in Pixels and Galaxies.
It’s all quite weird. Even with Google Passwords, how do I know that it’s E2EE if I can unlock it from a browser with just a device PIN? Lots of loopholes.
Addendum: this just in. Apple has much more to lose if they pull something like this; for meta, news like this... barely registers? At least I'm not surprised at all
https://www.theguardian.com/technology/2026/jan/31/us-author...
Apple, Samsung and Google all earn money from ads on your phone, just with different monetization pathways.
My understanding though is that the monetization pathways for Samsung and Google are 3rd party—Apple keeps your data to itself.
Apple sends your searches to Google for money. I would call search queries data?
I wonder how exactly Apple Intelligence works with ChatGPT and soon with Gemini. If I remember correctly, there’s no privacy there? If so, where’s the privacy boundary in Apple Intelligence?
Google pushes Gemini everywhere and wants to keep on to your interactions, with human reviews. While I applaud the transparency, having Gemini scrape my screen makes me uneasy. My frog’s not warm enough for that, yet.
And Gemini in Sheets and Docs is just a toy. Microsoft 365 Copilot is a step ahead but is wrong more often than not, at least from my interactions with them. Both very disappointing. No way to justify access to my personal or my company’s or clients’ information.
Apple promises something they call Secure Compute or so, don’t remember the exact name, which appears to be encrypted and randomized in their cloud compute, which is off-device. With iPhone being the most powerful to date (per GeekBench), Tensor Pixels will have to offload most of the edge compute to GCP, and Snapdragon Samsungs while being powerful (I have no idea but would assume) must follow the Pixel Android approach.
So AI features will exfiltrate even more personal information, occasionally, accidentally, or purposefully, and the user would have consented to that and the human reviews just to get access to the smart features.
> Apple sends your searches to Google for money. I would call search queries data?
Yawn. Changing your default search engine takes 5 seconds.
That’s true, though I wish Apple gave me the freedom to define a new search engine, beyond the small provided selection.
> Apple promises some degree of privacy.
Apple also makes it easier to achieve that privacy:
- They put all the privacy controls in one place in Settings so you can audit
- App developers are mandated to publish what they collect when publishing apps to the App Store.
> - They put all the privacy controls in one place in Settings so you can audit
That’s true. On Pixel Android, there are several unrelated places in the various settings for the device and for the Google account to take care of and see that they do not collide. And for every function there’s always some sort of small print like “it’s all private to you unless you choose to share” - but to use any of the features/services you have to “share” like with Google Photos and Calendar and Tasks, so you lose track of what you share with whom in the end. So essentially not only the metadata is collected but also the content and nothing’s private as a result, at least that’s what I got to understand. And even if you ask Google to delete your personal information, it will retain it for a while for compliance purposes.
As for
> - App developers are mandated to publish what they collect when publishing apps to the App Store.
I believe that’s still moot and rather a voluntary disclosure that no one vets. I’ve seen apps with no collection stated on App Store but deviating privacy policies, or app functions that contradicted their own privacy policy.
From what I heard and read, I understood that as a well-meant idea but still a misconception on the consumer part due to lack of enforcement by Apple.
> From what I heard and read, I understood that as a well-meant idea but still a misconception on the consumer part due to lack of enforcement by Apple.
I'm not familiar with the detail so I cannot comment directly on what you are saying. I don't have the time to go read up on it right now.
But what I would say is that many aspects will be indirectly enforced by Apple (and can be audited/enforced by the user) through the privacy controls (location services, microphone, camera etc.). Clearly that does not cover everything, but it covers a large chunk.
Apple have also made it impossible to, for example, get a device-level ID; you can only get an app-level pseudo-device-id. So there are various code-level enforcements too.
> Can someone explain what the real difference is to a consumer user between an iPhone and a Pixel or a Samsung device? Across all services, push notifications, and device backups.
By default, Apple offers you at no charge: email aliases, private relay, Ask No Track barrier. These are just the ones I can think of right now. I am sure there are more. A big thing with Apple is not that they offer different privacy services but they make it EASY and SEAMLESS to use. No other company comes close.
Aren’t they part of iCloud+ only? Ask no-track can arguably compromise your privacy by fingerprinting.
I agree that the privacy controls on Apple systems are well-organized.
Still, it’s more important to have confidence that the privacy services are not smoke and mirrors with carefully carved-out loopholes. It’s one thing to provide something and hold the competitor as the litmus test, the other to sustainably live up to your promises, like the now pejorative “do no evil” slogan, with retroactive ramifications. There’s really little users can effectively validate about Apple’s privacy promises.
It's all tempered by them ultimately controlling what you can put on your phone though.
As was demonstrated in LA, it's starting to have significant civil rights consequences.
Security is pointless if the platform allows 90% of users to be social engineered into running code that disables that security.
The ability for people to do stupid things is the inescapable price of freedom. That does not make freedom not worth it.
What's funny is you could read that statement as being an argument for or against walled gardens, depending on what kind of social engineering is being referred to.
What happened in LA?
I forgot about that and hadn't tied it to LA specifically in my head. Thanks for reminding me, really shitty thing that made me a lot more sympathetic to alternative app stores where I'd been against them before.
Apple is an ad company now though
Apple's ad revenue was 1% of its total in 2024. It was estimated to be 2-3% in 2025.
https://www.apple.com/newsroom/pdfs/fy2024-q4/FY24_Q4_Consol...
https://www.macrumors.com/2025/10/30/apple-4q-2025-earnings/
Their net profit was a little over $100 billion last fiscal year. They get $20 Billion+ in pure profit from Google being their default search engine.
That’s 20% of their profit
Google paying Apple to be the default search engine is not the same as Apple selling $20 billion worth of ads to track you.
Google isn’t just paying Apple $20 billion, it’s based on click throughs on ads in Safari. Apple is very much getting paid based on the ad economy.
But it still isn't Apple doing the tracking or receiving the data about your Google searches. They aren't Apple's ads, they're Google's ads.
How does that matter? Apple is still seeing 20% of its profits from ads and Google is still tracking you through Apple’s browser and Apple is getting paid for it.
> How does that matter?
Keeping in mind the context of the overall thread we're in, where the OP said this:
> Apple's commitment to privacy and security is really cool to see. It's also an amazing strategic play that they are uniquely in the position to take advantage of. Google and Meta can't commit to privacy because they need to show you ads, whereas Apple feels more like a hardware company to me.
And then further down somebody replies with this:
> Apple is an ad company now though
The implication was that, because Apple sells ads now, they must be tracking all of your personal data in the same way that Google does. And then that train of thought was further continued with the implication that, because Apple receives "20% of its profits from ads and Google" (lumping them both together), Apple ergo is receiving 20% of its profits through tracking all of your personal data. But it's not Apple tracking all of your personal data, it's Google tracking it, and they would track it whether they're the default search engine on iOS or not.
The distinction matters to me, and it's why I buy Apple products but not Google products.