Apple Security and Compliance Updates for Government and Child-Safety Requirements
Apple announced new age-assurance capabilities aimed at complying with expanding child-safety regulations, centered on an updated Declare Age Range API that returns an age bracket (e.g., under 13, 16–17) rather than a precise birthdate. In certain jurisdictions (including Australia, Brazil, and Singapore), Apple also plans to block downloads of 18+ apps until the user confirms they are an adult via an App Store-managed flow, alongside OS-level family settings intended to enforce age-appropriate restrictions without pushing sensitive identity collection to individual apps and websites.
Separately, Apple’s iOS 26 and iPadOS 26 (with specific hardware) were reported as receiving NATO Restricted approval, enabling use for classified information up to the Restricted level under an “Indigo” configuration listed in NATO’s Information Assurance Product Catalogue. The approval was attributed to platform security features such as encryption, Face ID, and Memory Integrity Enforcement, with additional emphasis on Secure Enclave capabilities in newer chips; the evaluation reportedly involved Germany’s BSI. A third item provides general guidance on CUI enclaves and NIST SP 800-171 controls for protecting Controlled Unclassified Information on mobile/remote-access workflows, but it does not describe the Apple/NATO certification or Apple’s age-verification tooling as a specific event.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Apple expands age-verification and age-assurance tools in the App Store
Apple rolled out expanded age-assurance capabilities centered on an updated Declare Age Range API, allowing apps to request age categories without collecting exact birth dates. In some jurisdictions including Australia, Brazil, and Singapore, Apple also began blocking downloads of 18+ apps until users confirm they are adults through the App Store.
NATO approves Apple iOS 26 and iPadOS 26 for Restricted data use
NATO listed Apple iOS 26 and iPadOS 26 in its Information Assurance Product Catalogue for handling information up to the "Restricted" classification level when used with the specified Indigo configuration and approved hardware. The certification followed testing and analysis by Germany's Federal Office for Information Security (BSI).
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Apple Expands App Store Age Assurance and 18+ Download Restrictions
Apple introduced expanded *age assurance* capabilities for the App Store to support compliance with new or emerging regulations in multiple jurisdictions, including Brazil, Australia, Singapore, Utah, and Louisiana. As of **Feb. 24, 2026**, Apple began blocking downloads of **18+ rated apps** in Brazil, Australia, and Singapore unless the user is confirmed to be an adult, using what Apple describes as “reasonable methods” for age confirmation. Apple also expanded the **Declared Age Range API** (iOS/iPadOS/macOS) and related platform components (including PermissionKit’s *Significant Change API*, a new StoreKit age-rating property type, and App Store Server Notifications) to provide developers with an age category plus signals about the assurance method and whether regulatory requirements apply; in Brazil, certain disclosures (e.g., loot boxes) can drive an app’s rating to **18+**. Broader policy debate continues around online age assurance in the U.S. and internationally, with jurisdictions adopting or considering stricter mandates and platforms preparing new verification requirements. Public skepticism remains elevated due to backlash against age-gating (including reported VPN usage spikes in response to the UK’s requirements) and concerns about data security following breaches at age-verification providers (e.g., **Sumsub** disclosing a previously undetected 2024 compromise). The policy environment is also being shaped by U.S. state laws and litigation, including the Supreme Court’s decision in *Free Speech Coalition v. Paxton* upholding Texas’s age verification law, while proponents argue that privacy-preserving age assurance approaches are becoming more technically mature and scalable.
Mar 26, 2026
Apple iPhone and iPad Approved for NATO ‘Restricted’ Classified Data Handling
Apple announced that **standard iPhone and iPad devices** running **iOS 26** and **iPadOS 26** have been approved for handling NATO classified information up to the **“NATO Restricted”** level, meaning the devices no longer require special software or bespoke configurations for use in NATO restricted environments. The approval follows extensive security evaluation and testing, including assessments led by Germany’s **Federal Office for Information Security (BSI)**, and results in the devices being certified for use across **all NATO member states** and listed in the **NATO Information Assurance Product Catalogue**. Separately, research coverage reported that **Intellexa’s Predator spyware** can suppress iOS’s camera and microphone recording indicators (the green/orange “privacy dots”) on compromised devices by hooking into `SpringBoard` (e.g., via `HiddenDot::setupHook()`), preventing UI updates when sensors are activated. This Predator technique requires deep system access and is a distinct issue from NATO’s platform assurance decision, but it underscores that sophisticated spyware can undermine user-facing privacy signals even on iOS versions where those indicators are expected to provide transparency.
Mar 21, 2026
Apple iOS/iPadOS Security Updates and CVE Fixes Across Multiple Releases
Apple published security advisories detailing vulnerability fixes across multiple iOS and iPadOS versions, including iOS/iPadOS **16.7**, **17.2**, **18.1**, **18.3**, **26.1**, and **26.2**. The advisories describe a range of impacts such as sandbox escapes (including Web Content sandbox breakout), privacy issues where apps could access or expose sensitive user data via insufficient log redaction, file-system modification via temporary-file handling, and memory-safety flaws (e.g., out-of-bounds reads, type confusion, and bounds-checking issues) that could lead to crashes or memory corruption. Apple attributes fixes to changes like improved protocol handling, cache handling, input validation, and additional permission restrictions, and references issues by **CVE** where available. Several advisories also highlight device-state and authentication/logic weaknesses: iOS/iPadOS 18.3 includes a case where an attacker with physical access to an **unlocked** device could access Photos while the app is locked (`CVE-2025-24141`), while iOS/iPadOS 18.1 includes a lock-screen exposure issue (`CVE-2024-44274`) and a Shortcuts-related path-handling flaw that could allow arbitrary shortcut execution without user consent (`CVE-2024-44255`). The iOS/iPadOS 26.x advisories include privacy and permission issues (e.g., identifying installed apps, screenshots of sensitive embedded views), potential kernel memory corruption/system termination conditions, and logic/UI issues affecting security posture (e.g., passcode requirement timing after Face ID enrollment restore scenarios and potential FaceTime caller ID spoofing), with multiple findings credited to external researchers and teams (including Google Project Zero, ByteDance IES Red Team, and others).
Mar 21, 2026