MacRumors

macrumors bot (original poster)

Apple has added a "groundbreaking" new memory security feature to its new iPhone 17 lineup called Memory Integrity Enforcement (MIE), which the company describes as "the most significant upgrade to memory safety in the history of consumer operating systems."


The new security feature targets spyware tools like Pegasus that exploit vulnerabilities to hack targeted devices. According to Apple, MIE provides comprehensive, always-on memory-safety protection covering the kernel and over 70 userland processes, built on the Enhanced Memory Tagging Extension (EMTE).

The new feature is supported by the new A19 and A19 Pro chips found across the iPhone 17 lineup as well as the iPhone Air. Apple says it has also added memory safety improvements for older hardware that doesn't support the new memory tagging features. In addition, Apple is making EMTE available to all Apple developers in Xcode as part of the new Enhanced Security feature that the company released earlier this year during WWDC.

The approach includes mitigation for Spectre V1 attacks that Apple claims works with "virtually zero CPU cost," addressing performance concerns that have plagued similar security features in the past. Apple says these changes make "mercenary spyware" significantly more expensive to develop, and present a major challenge to the surveillance industry.

"Based on our evaluations pitting Memory Integrity Enforcement against exceptionally sophisticated mercenary spyware attacks from the last three years, we believe MIE will make exploit chains significantly more expensive and difficult to develop and maintain, disrupt many of the most effective exploitation techniques from the last 25 years, and completely redefine the landscape of memory safety for Apple products."

For in-depth information about the new MIE security feature, readers should refer to Apple's Security Research blog.

Article Link: iPhone 17 Introduces 'Groundbreaking' New Memory Security Feature
 
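The article says MIE is built on memory tagging but not what a tag check actually catches. The following is a software model added here for illustration; it is not Apple's, Arm's or any allocator's real code. It assumes the Arm MTE layout of one 4-bit tag per 16-byte granule with the allocation tag carried in the top byte of the pointer, and the pool, allocator and function names are hypothetical. Real EMTE performs the compare in hardware on every load and store; here t_load8 and t_store8 stand in for that check. The two demo functions show a linear heap overflow being caught when it crosses into a neighbouring allocation, a use-after-free and a double free being caught after the freed block is retagged, and the known limit of tagging: an overflow that stays inside the slack of the victim's own granules is not detected.

```c
/* Software model of MTE-style memory tagging (added illustration, not Apple's
 * or Arm's code). The tag compare that hardware does on every access is
 * modelled by tag_check() inside t_load8/t_store8. */
#include <stdint.h>
#include <stdio.h>

#define POOL_SIZE    4096
#define GRANULE      16                    /* Arm MTE tags memory in 16-byte granules */
#define NUM_GRANULES (POOL_SIZE / GRANULE)
#define TAG_SHIFT    56                    /* allocation tag rides in the pointer's top byte */
#define TAG_MASK     ((1ULL << TAG_SHIFT) - 1)

typedef uint64_t tptr;                     /* model of a tagged pointer: tag<<56 | offset into pool */

static uint8_t  pool[POOL_SIZE];           /* hypothetical heap backing store */
static uint8_t  granule_tag[NUM_GRANULES]; /* 4-bit tag per granule; 0 means "free" */
static uint16_t alloc_gran[NUM_GRANULES];  /* block length in granules, kept at its first granule */
static size_t   bump;                      /* bump allocator cursor; no reuse, keeps the model short */
static uint8_t  next_tag = 1;

static tptr    make_tptr(size_t off, uint8_t tag) { return ((tptr)tag << TAG_SHIFT) | off; }
static size_t  tptr_off(tptr p)                   { return (size_t)(p & TAG_MASK); }
static uint8_t tptr_tag(tptr p)                   { return (uint8_t)(p >> TAG_SHIFT); }

/* Allocate n bytes rounded up to whole granules. The tag is forced to differ from
 * the granule just before the block so a linear overflow crosses a tag boundary.
 * Real MTE picks tags randomly; this model cycles 1..15 to stay deterministic. */
tptr t_malloc(size_t n) {
    size_t gran = (n + GRANULE - 1) / GRANULE;
    if (gran == 0) gran = 1;
    if (bump + gran * GRANULE > POOL_SIZE) return 0;   /* 0 = allocation failed */
    size_t  g0  = bump / GRANULE;
    uint8_t tag = next_tag;
    next_tag = (uint8_t)(next_tag % 15 + 1);
    if (g0 > 0 && granule_tag[g0 - 1] == tag) tag = (uint8_t)(tag % 15 + 1);
    for (size_t i = 0; i < gran; i++) granule_tag[g0 + i] = tag;
    alloc_gran[g0] = (uint16_t)gran;
    tptr p = make_tptr(bump, tag);
    bump += gran * GRANULE;
    return p;
}

/* Free retags the block to 0, so a stale pointer still carrying the old tag faults
 * on its next access, and a second free fails the same compare (double free). */
int t_free(tptr p) {
    size_t off = tptr_off(p);
    if (off >= POOL_SIZE || off % GRANULE != 0) return -1;
    size_t g0 = off / GRANULE;
    if (alloc_gran[g0] == 0 || granule_tag[g0] != tptr_tag(p)) return -1;
    for (size_t i = 0; i < alloc_gran[g0]; i++) granule_tag[g0 + i] = 0;
    alloc_gran[g0] = 0;
    return 0;
}

/* The tag check: the pointer's tag must equal the tag of the granule it targets. */
static int tag_check(tptr p) {
    size_t off = tptr_off(p);
    return off < POOL_SIZE && tptr_tag(p) == granule_tag[off / GRANULE];
}

int t_store8(tptr p, uint8_t v) {
    if (!tag_check(p)) return -1;          /* models a synchronous tag-check fault */
    pool[tptr_off(p)] = v;
    return 0;
}

int t_load8(tptr p, uint8_t *out) {
    if (!tag_check(p)) return -1;
    *out = pool[tptr_off(p)];
    return 0;
}

/* Linear heap overflow. a is 24 bytes but occupies two granules (32 bytes): the
 * 8 bytes of slack inside a's own granules are NOT caught (granularity limit of
 * tagging). The first byte past the granule boundary lands in b, whose tag
 * differs, and faults. Returns 1 when the model behaves exactly that way. */
int demo_overflow_caught(void) {
    tptr a = t_malloc(24);
    tptr b = t_malloc(16);
    if (a == 0 || b == 0) return 0;
    for (size_t i = 0; i < 32; i++)
        if (t_store8(a + i, 0x41) != 0) return 0;   /* in-granule writes, slack included, succeed */
    return t_store8(a + 32, 0x41) != 0;             /* crosses into b: caught */
}

/* Use after free and double free. Returns 1 when the live access works and both
 * the stale load and the second free are rejected. */
int demo_uaf_caught(void) {
    tptr p = t_malloc(40);
    uint8_t v = 0;
    if (p == 0 || t_store8(p, 0x42) != 0 || t_load8(p, &v) != 0 || v != 0x42) return 0;
    if (t_free(p) != 0) return 0;
    return t_load8(p, &v) != 0 && t_free(p) != 0;
}

int main(void) {
    printf("overflow across allocations caught: %d\n", demo_overflow_caught());
    printf("use-after-free and double free caught: %d\n", demo_uaf_caught());
    return 0;
}
```

The design choice worth noting is the in-granule slack in demo_overflow_caught: a tag compare only fires when the access lands on a granule with a different tag, so an overflow of fewer bytes than the padding to the next 16-byte boundary goes unnoticed, and an attacker who can guess or leak the 4-bit tag of the neighbour can still forge a matching pointer. Those are the gaps that allocator hardening and the tag-confidentiality measures mentioned in the article are meant to narrow; the model above does not implement either.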
Apple says it has also added memory safety improvements for older hardware that doesn't support the new memory tagging features.

Does this mean security is also improved on previous generation iPhones?
 
I may be wrong but I believe GrapheneOS on Pixel phones have been doing this for a while now…
Why should that matter to someone using an iPhone? I see comments like that all the time about Android has done this for years etc. I don't get the point of saying it especially from iPhone users. So many are quick to brag about Android being first with x,y, and z features and yet, many stay with iPhone.

I reported on this new security feature yesterday and I think it is an excellent move by Apple. Hopefully, most of us will never be attacked.
 
There is an interesting discussion about this feature here: https://tianpan.co/forum/t/apples-memory-integrity-enforcement-breakthrough-or-hype/28

One benefit of this over the ARM-included Memory Tagging Extension (MTE) that Android uses is that the feature is apparently more secure and is a default, system-wide safeguard built deeply into Apple Silicon and the OS stack.

From my quick reading of what this does (cybersecurity is not my area of expertise though, so I could be wrong about this), it might be like this: this MIE security feature might be like moving from locking the doors and windows of the 'house' to setting an active alarm for every piece of furniture and every wire inside the house, all supposedly with minimal CPU overhead.
 
I may be wrong but I believe GrapheneOS on Pixel phones have been doing this for a while now…
You're partially correct (although we shouldn't ignore that Apple also had all sorts of security features already). Why only partially? Yes, Android on Pixels and GrapheneOS both use Memory Tagging Extension (MTE), but it appears to be a more basic method than what Apple is implementing. More importantly, MTE on those systems is optional, although GrapheneOS enables MTE for the system server and key system apps, but it is optional for user apps. Why does GrapheneOS not make it mandatory? Some components or apps still can't tolerate the performance/compatibility hit. Plus, GrapheneOS is on maybe 200,000 devices in the world, so comparisons between iOS and that OS are basically moot.

What Apple's MIE does is build on Enhanced Memory Tagging Extension (EMTE) by also adding secure memory allocation and tagged memory confidentiality. It makes this all available by default with low system overhead.

One way to think of the difference is Pixel phones and GrapheneOS both had locks on doors, windows, and alarms on furniture in the house but much of those were optional. iOS adds more and makes them mandatory. My analogy could be a little off, but that's what I'm getting out of this.

iOS was already one of the most secure mainstream OSes (likely the most secure); this appears to make it considerably more secure.

We'll have to wait to see what security experts find, but this is impressive if Apple is correct about what this offers and does while using low resources.
 
I wonder if apple put the same tech high density battery in their iphone pro line up like they did in the Air
 
"across the iPhone 17 lineup as well as the iPhone Air"

Isn't the iPhone Air a 17?

EDIT:

I've come to learn that while it is a 17, Apple just calls it the Air and not the 17 Air.

-bdd
 
This is catnip for unneeded upgrade justification, even if buyers know absolutely nothing about the tech or if it's good/bad/needed or otherwise.

A wonderful bullet point for folks to throw around to help justify a purchase.

"I wanted Memory Integrity Enforcement"

Ok. lol

Resume scrolling socials, playing games, watching Netflix and taking selfies ... now with "Memory Security".
 
Why should that matter to someone using an iPhone? I see comments like that all the time about Android has done this for years etc. I don't get the point of saying it especially from iPhone users. So many are quick to brag about Android being first with x,y, and z features and yet, many stay with iPhone.

I reported on this new security feature yesterday and I think it is an excellent move by Apple. Hopefully, most of us will never be attacked.
I don't think Havalo was bragging about Android, just pointing out a fact. This feature is a highly technical security enhancement, and I don't think there's anything wrong with sharing information about how similar features were built for a different security-focused operating system distro.

In this case, I’m a little sad to see Apple brag including “industry’s first ever, comprehensive, always-on memory-safety protection covering key attack surfaces”

On the other hand, I’m thrilled to see this sort of security enhancement effort going into such a widely used product. It’s a good thing that they’re building similar features to what Graphene is doing.
 
I may be wrong but I believe GrapheneOS on Pixel phones have been doing this for a while now…
Memory protection itself isn't new, but this hardware feature specifically might be? GrapheneOS can't really do anything in that regard that stock Pixel OS can't do. Do the Tensor chips support EMTE?
 
In this case, I’m a little sad to see Apple brag including “industry’s first ever, comprehensive, always-on memory-safety protection covering key attack surfaces”

On the other hand, I’m thrilled to see this sort of security enhancement effort going into such a widely used product. It’s a good thing that they’re building similar features to what Graphene is doing.
Just a minor clarification. Apple is essentially correct. What GrapheneOS includes is not fully comprehensive and always-on.
 
Just finished reading the main Apple doc on this. Still need to descend into some of the deeper technical links. But it appears this will also be coming to M5-based Macs. Not sure this will be enough to significantly increase sales prior to the expected late 2026 tandem OLED M6-based MacBook Pro redesign that most people would likely prioritize, but it is something real late this year for those of us who take security very seriously.

I know my then org tried doing something like this with AMD64 CPUs half a decade ago. But there was too much of a performance impact for it to be widely used. It seems this generation of Apple silicon has made this a non-issue. If Apple ever gets into the game of general-purpose cloud hosting, which is a brutal game and is only getting more competitive, this could be a real differentiator.
 
"Apple has added a "grounbreaking...". Grounbreaking huh? I know we aren't supposed to point out spelling and grammar issues in here, but come on! Spell check has been around for what, 25-30 years now?
Perhaps what's even more shocking is that you had to edit your original post to most likely correct a spelling mistake.
 
This is catnip for unneeded upgrade justification, even if buyers know absolutely nothing about the tech or if it's good/bad/needed or otherwise.

A wonderful bullet point for folks to throw around to help justify a purchase.

"I wanted Memory Integrity Enforcement"

Ok. lol

Resume scrolling socials, playing games, watching Netflix and taking selfies ... now with "Memory Security".
Along with banking info, passwords, and other important things we keep on our phones.
 
It’s amazing that Apple does this - but it still defaults to using a 4 pin unlock on the Apple Watch. Doh.
 
Perhaps what's even more shocking is that you had to edit your original post to most likely correct a spelling mistake.
I appreciate your concern, but that is not the case. There were no spelling errors to correct, because I know how to spell. And if I get something wrong, spellcheck. It's very simple really. I simply added ... to the quote.
 