On iPhones and iPads there are several technologies available for monitoring and filtering network traffic. Filter network traffic from the Apple Deployment Guide has an overview of the technologies and their trade-offs.

I’m glad you find this informative. It’s a topic that’s important to me both personally and professionally, and there’s a lot of wrong information out there. But the best and most reliable info is in the Apple Platform Security Guide, such as Activating data connections securely and Direct memory access protections for Mac computers.

In this topic I don’t think there’s any important difference between USB-C and lightning. Both form factors support a bunch of USB protocols as well as some Apple-only protocols, and both have USB restricted mode.

It’s more complicated than that. It’s called USB restricted mode. The lightning port is always willing to do a minimal subset of the protocols that it supports in order to do smart charging. By default most of the protocols it supports are disabled in BFU state. In AFU state it gets more complex than that. Accessories that you’ve previously connected can connect for one hour after the device is locked. This helps keep USB restricted mode from being really annoying if you briefly disconnect and reconnect an accessory.

USB restricted mode can be disabled by a user option (Settings > [Touch / Face] ID & Passcode > Allow Access When Locked > Accessories) or by a configuration profile. Disabling it allows accessories to connect at any time, and generally lowers the security of your device. But in some cases that’s necessary, for instance when you use an accessibility accessory to use your device.

If USB restricted mode is a concern for you, you should consider Lockdown Mode (Settings > Privacy & Security > Lockdown Mode). This changes several settings on your device to make it much more resilient to attack.

It’s not that simple. iOS has a really sophisticated system for deciding which things to keep in memory and which to evict, and it only does that when it needs more resources. Choosing which apps to kill is based on how recently an app was used, how much of share resources are in use, how often the app gets used, if it’s doing background processing, and other more subtle signals.

Usually if people notice apps being killed when in the background a lot it’s because one of the apps they’re switching to is using a lot of resources, which forces the eviction of other apps.

When you first boot up a device, most data on that device is encrypted. This is the Before First Unlock (BFU) state. In order to access any of that data, someone must enter the passcode. The Secure Enclave uses it to recreate the decryption keys that allow the device to access that encrypted data. Biometrics like Face ID and Touch ID won’t work: they can’t be used to recreate the encryption keys.

Once you unlock the device by entering the passcode the device generates the encryption keys and uses them to access the data. It keeps those keys in memory. If it didn’t, you’d have to enter your passcode over and over again in order to keep using your device. This is After First Unlock (AFU) state.

When you’re in AFU state and you lock your device, it doesn’t throw away the encryption keys. It just doesn’t permit you to access your device. This is when you can use biometrics to unlock it.

In some jurisdictions a judge can legally force someone to enter biometrics, but can’t force them give up their passcode. This legal distinction in the USA is that giving a passcode is “testimonial” because it requires giving over the contents of your mind, and forcing suspects to do that is not legal in the USA. Biometrics aren’t testimonial, and so someone can be forced to use them, similar to how arrested people are forced to give fingerprints.

Of course, in practical terms this is a meaningless distinction because both biometrics and a passcode can grant access to nearly all data on a device. So one interesting thing about BFU vs AFU is that BFU makes this legal hair-splitting moot: biometrics don’t work in BFU state.

But that’s not what the 404 Media articles are about. It’s more about the forensic tools that can sometimes extract data even from a locked device. A device in AFU state has lots of opportunities for attack compared to BFU. The encryption keys exist, some data is already decrypted in memory, the lightning port is active, it will connect to Wi-Fi networks, and so on. This constitutes a lot of attack surface that hackers could potentially exploit to pull data off the device. In BFU state, there’s very little data available and almost no attack surface. Automatically returning a device to BFU state improves resistance to hacking.

Become ungovernable.

Elphaba from Wicked.

Also delete your expired certificate if you have one (for example after a year)

This is likely a bad mistake. Keep the old cert around.

There’s two possibilities:

The first possibility is that Actalis uses the same key pair for the new cert. This is not a great approach because it doesn’t defend against a leaked key or key overuse. After all, if the key can be trusted longer than a year, the first cert they issued should be valid for longer.

The second, and much worse possibility, is that renewing the cert gets a different private key. This can case data loss. Deleting the old identity means you lose the ability to decrypt any messages that were encrypted using that key! Even if your mail client stores the previously encrypted emails in decrypted form, you may receive a new email from a sender who does not yet have your new cert.

Actalis sends you your private key. This means they have access to your private key, and theoretically could use it to sign and decrypt your emails. A more secure but somewhat more complex system would use a certificate signing request (CSR) instead. In that case, you are the only person who ever has your private key, so only you can sign or decrypt your email.

Releasing the app on the same day to the Apple App Store and Apple Arcade is a nice win for Apple Arcade.

An old favorite of mine is Harvest: Massive Encounter. Expand, harvest, defend, optimize, and eventually get wiped out.

Mister Softee is headquartered in Runnymede, NJ so the east coast association makes sense. It’s a franchisor so there’s trucks in 18 states.

The Wikipedia article about them says the song is titled “Jingle and Chimes”, and it’s based on “The Whistler and his Dog”. There’s lyrics too!

Apparently it was adapted to “Did you ever see a lassie?” which has much brighter and simpler lyrics than the original, which is very dark.

It reminds me of O Du Lieber Augustin. And it took me a really long time to figure out that title… I thought it was some well-known nursery rhyme melody, but it’s a 224 year old Viennese tune.

Yeah, Mr. Softee in San Francisco uses the same music. I don’t recognize it from anywhere else. It sounds like a music box, especially because many of the notes don’t hit the beats.

Yes, device management systems can push apps directly to devices, but the devices have to be managed first. So I think it probably is about the lack of Google Play.

One of the hardest parts of managing devices is getting them enrolled in device management in the first place. Microsoft uses the Microsoft Authenticator app to authenticate users as part of the enrollment process, so they know which employee is using the device and how to configure it. They need a reliable app store to distribute that app, and they need to do it before the device is managed. So usually they rely on Google Play.

It tells when the user is online. This is useful for sending spam, because being on top of the inbox makes it more likely your message will be read.

To be fair, I doubt anyone’s implemented this specifically for ICMP. Instead I’d expect tracking that watches for any IP traffic whatsoever, and that happens to include ICMP.

ICMP reveals your IP address, which is easily correlated with other traffic…

And IntelliSync, so you could have the same contacts in your PC and your Palm Pilot.