Apple iPhone and iPad Approved for NATO ‘Restricted’ Classified Data Handling
Apple announced that standard iPhone and iPad devices running iOS 26 and iPadOS 26 have been approved for handling NATO classified information up to the “NATO Restricted” level, meaning the devices no longer require special software or bespoke configurations for use in NATO restricted environments. The approval follows extensive security evaluation and testing, including assessments led by Germany’s Federal Office for Information Security (BSI), and results in the devices being certified for use across all NATO member states and listed in the NATO Information Assurance Product Catalogue.
Separately, research coverage reported that Intellexa’s Predator spyware can suppress iOS’s camera and microphone recording indicators (the green/orange “privacy dots”) on compromised devices by hooking into SpringBoard (e.g., via HiddenDot::setupHook()), preventing UI updates when sensors are activated. This Predator technique requires deep system access and is a distinct issue from NATO’s platform assurance decision, but it underscores that sophisticated spyware can undermine user-facing privacy signals even on iOS versions where those indicators are expected to provide transparency.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Apple says no special software is required for NATO RESTRICTED use
In describing the approval, Apple said the certified iPhone and iPad devices can be used in NATO RESTRICTED environments without special software or custom settings, relying on built-in platform security. Apple also framed the milestone as evidence that standardized commercial platforms can replace bespoke secure-device programs.
NATO approves iPhone and iPad for RESTRICTED-classified use
Apple announced that standard consumer iPhone and iPad devices running iOS 26 and iPadOS 26 were approved for handling NATO information up to the RESTRICTED classification level. The approval applies across NATO member states and the devices were added to the NATO Information Assurance Product Catalogue.
Germany's BSI completes security evaluation of Apple devices
Germany’s Federal Office for Information Security (BSI) conducted testing and technical assessments of iPhone and iPad security as part of the process leading to NATO approval. The evaluation included the government-oriented configuration referred to as Apple iNDIGO/“indigo configuration.”
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
iPhone and iPad are the first consumer devices cleared for NATO ’s ‘RESTRICTED’ classification
securityaffairs.com
Open sourceNATO greenlights iPhone and iPad for classified information handling - Help Net Security
helpnetsecurity.com
Open sourceThe iPhone in your pocket is now trusted for classified NATO data | ZDNET
zdnet.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Apple Security and Compliance Updates for Government and Child-Safety Requirements
Apple announced new *age-assurance* capabilities aimed at complying with expanding child-safety regulations, centered on an updated **Declare Age Range API** that returns an age bracket (e.g., under 13, 16–17) rather than a precise birthdate. In certain jurisdictions (including Australia, Brazil, and Singapore), Apple also plans to **block downloads of 18+ apps** until the user confirms they are an adult via an App Store-managed flow, alongside OS-level family settings intended to enforce age-appropriate restrictions without pushing sensitive identity collection to individual apps and websites. Separately, Apple’s **iOS 26** and **iPadOS 26** (with specific hardware) were reported as receiving **NATO Restricted** approval, enabling use for classified information up to the Restricted level under an “Indigo” configuration listed in NATO’s Information Assurance Product Catalogue. The approval was attributed to platform security features such as encryption, **Face ID**, and **Memory Integrity Enforcement**, with additional emphasis on Secure Enclave capabilities in newer chips; the evaluation reportedly involved Germany’s BSI. A third item provides general guidance on **CUI enclaves** and **NIST SP 800-171** controls for protecting Controlled Unclassified Information on mobile/remote-access workflows, but it does not describe the Apple/NATO certification or Apple’s age-verification tooling as a specific event.
Mar 21, 2026
Predator iOS Spyware Suppresses Camera and Microphone Recording Indicators via SpringBoard Hooking
**Jamf Threat Labs** reverse-engineered *Intellexa/Cytrox Predator* iOS spyware and documented how it defeats Apple’s iOS 14+ privacy indicators (green dot for camera, orange dot for microphone) while conducting covert surveillance. The analysis describes a **post-compromise** capability (not a new iOS vulnerability): Predator requires a device to already be fully compromised, including **kernel-level access** and the ability to inject code into system processes, after which it can silently stream camera and microphone feeds without triggering the on-screen indicators. Technically, Jamf found Predator uses a **single SpringBoard hook** (e.g., `HiddenDot::setupHook()`) to intercept sensor-activity updates before they reach the UI, targeting the method `_handleNewDomainData:` associated with `SBSensorActivityDataProvider`. By nullifying or suppressing the object/updates responsible for indicator state changes (including via Objective-C `nil` messaging behavior), Predator prevents the indicator dots from ever lighting up. Reporting on the research, *BleepingComputer* highlighted that the mechanism does not exploit an iOS flaw itself, but leverages previously obtained privileged access; Jamf also noted an operational limitation where **VoIP recording** may not have the same built-in stealth capability as the camera/microphone indicator bypass.
Mar 21, 2026
Apple iOS/iPadOS Security Updates and CVE Fixes Across Multiple Releases
Apple published security advisories detailing vulnerability fixes across multiple iOS and iPadOS versions, including iOS/iPadOS **16.7**, **17.2**, **18.1**, **18.3**, **26.1**, and **26.2**. The advisories describe a range of impacts such as sandbox escapes (including Web Content sandbox breakout), privacy issues where apps could access or expose sensitive user data via insufficient log redaction, file-system modification via temporary-file handling, and memory-safety flaws (e.g., out-of-bounds reads, type confusion, and bounds-checking issues) that could lead to crashes or memory corruption. Apple attributes fixes to changes like improved protocol handling, cache handling, input validation, and additional permission restrictions, and references issues by **CVE** where available. Several advisories also highlight device-state and authentication/logic weaknesses: iOS/iPadOS 18.3 includes a case where an attacker with physical access to an **unlocked** device could access Photos while the app is locked (`CVE-2025-24141`), while iOS/iPadOS 18.1 includes a lock-screen exposure issue (`CVE-2024-44274`) and a Shortcuts-related path-handling flaw that could allow arbitrary shortcut execution without user consent (`CVE-2024-44255`). The iOS/iPadOS 26.x advisories include privacy and permission issues (e.g., identifying installed apps, screenshots of sensitive embedded views), potential kernel memory corruption/system termination conditions, and logic/UI issues affecting security posture (e.g., passcode requirement timing after Face ID enrollment restore scenarios and potential FaceTime caller ID spoofing), with multiple findings credited to external researchers and teams (including Google Project Zero, ByteDance IES Red Team, and others).
Mar 21, 2026