Apple Vision Pro’s security and privacy: How good is it really?
Posted by Kirk McElhearn and Joshua Long
The Apple Vision Pro is the first hardware device to offer a new computing platform, which Apple calls “spatial computing.” These AR/VR goggles can perform most of the tasks of a laptop or desktop computer, while also providing brand-new, unique experiences. (Check out our overview and hands-on review of Apple Vision Pro.)
That may sound great, but how good is the platform’s security and privacy? Since the Vision Pro can access most of the features you use regularly (email, messaging, web browsing, and more), it needs the same robust security and privacy features of Apple’s other platforms.
Let’s examine the privacy and security features available with Apple Vision Pro—and what’s missing.
In this article:
- A brief overview of Apple Vision Pro
- Security and privacy features of Apple Vision Pro
- Some iOS malware and PUAs can run on visionOS
- What security and privacy features are missing from Apple Vision Pro?
- How can I learn more?
A brief overview of Apple Vision Pro
Apple’s Vision Pro is a mixed-reality headset, which combines augmented reality (AR) and virtual reality (VR), to create what Apple calls “spatial computing.” When using the Vision Pro, you can see your surroundings, and you can bring up virtual windows to work, play, and experience entertainment. The twin displays—one for each eye—total 23 million micro-LED pixels, providing an incredibly sharp image.
The Vision Pro has some unique technology for controlling how you interact with it. It tracks what you are looking at, and has the ability to understand hand gestures, using a number of cameras on the device, so you can control apps with simple hand movements, as well as with your voice.
All of this takes place within the Vision Pro headset, but the device also has cameras that let you view your surroundings. So the Vision Pro not only needs to protect the security and privacy of data that you interact with through apps, but also what’s around you.
Security and privacy features of Apple Vision Pro
Apple has had to create new security and privacy features for the Vision Pro, but has also included many of the features that are available in its other operating systems.
Optic ID
The Vision Pro uses some new technologies to authenticate users and manage security and privacy. Optic ID is the Vision Pro version of Touch ID or Face ID. You use this to unlock your Apple Vision Pro, authenticate purchases, sign in to apps, and more.
Optic ID scans your irises using LEDs and infrared cameras inside the enclosure. Then machine learning creates a mathematical representation of them. All Optic ID data is encrypted and protected by the Secure Enclave of the Vision Pro’s M2 chip; this data does not leave your device and is never backed up to iCloud. You can choose to disable Optic ID if you wish, and authenticate using a passcode.
You can also use your iPhone to unlock your Vision Pro, if you have already authenticated on your iPhone. This is similar to the way you can unlock a Mac when wearing an Apple Watch. Go to Settings > Optic ID & Passcode, then tap your iPhone below “Nearby iPhone Enables Optic ID.”
You still need to enter your passcode after you restart the device to turn on Optic ID; this is similar to what you do on other Apple devices. To protect your Apple Vision Pro, you can set the device to erase all its contents and data after ten failed passcode attempts. (Go to Settings > Optic ID & Passcode to enable this.)
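For developers, the "sign in to apps" part of Optic ID goes through the same LocalAuthentication framework used for Touch ID and Face ID. The following Swift is an added example, not code from Apple or from this article: it detects that the device offers Optic ID, then gates a sensitive action behind it with the passcode as fallback (the fallback you see after a restart or after disabling Optic ID). The app only ever learns whether authentication succeeded; the iris data stays in the Secure Enclave. `LocalAuthMethod`, `availableAuthMethod` and `unlockSensitiveData` are names chosen for this example.

```swift
import LocalAuthentication

/// What this device can use for local authentication (example enum).
enum LocalAuthMethod: String {
    case opticID, faceID, touchID, passcodeOnly, unavailable
}

/// Reports which biometric (if any) the device offers. On Apple Vision Pro
/// this is `.opticID`; if the user has disabled Optic ID, only the passcode remains.
func availableAuthMethod() -> LocalAuthMethod {
    let context = LAContext()
    var error: NSError?
    // Checking the biometric policy also populates `biometryType`.
    if context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) {
        switch context.biometryType {
        case .opticID: return .opticID
        case .faceID:  return .faceID
        case .touchID: return .touchID
        default:       return .unavailable
        }
    }
    // Biometrics unavailable or disabled: fall back to the device passcode if one is set.
    if context.canEvaluatePolicy(.deviceOwnerAuthentication, error: &error) {
        return .passcodeOnly
    }
    return .unavailable
}

/// Gates a sensitive action (for example, revealing a stored credential)
/// behind Optic ID with passcode fallback. Returns true only on success.
func unlockSensitiveData(reason: String) async -> Bool {
    let context = LAContext()
    context.localizedCancelTitle = "Cancel"
    do {
        // `.deviceOwnerAuthentication` permits the passcode fallback;
        // use `.deviceOwnerAuthenticationWithBiometrics` to require Optic ID only.
        return try await context.evaluatePolicy(.deviceOwnerAuthentication,
                                                localizedReason: reason)
    } catch let laError as LAError {
        switch laError.code {
        case .userCancel, .systemCancel, .appCancel:
            // The user or system dismissed the prompt; not an attack signal.
            return false
        case .biometryLockout:
            // Too many failed biometric attempts; the system now requires the passcode.
            return false
        case .biometryNotEnrolled, .biometryNotAvailable:
            // Optic ID disabled or not set up; the passcode path above still applies.
            return false
        default:
            return false
        }
    } catch {
        return false
    }
}
```

Call `unlockSensitiveData(reason: "Unlock your vault")` from a task in the app; the `reason` string is what visionOS shows in the authentication prompt, so it should say exactly what is being unlocked.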
Ensuring the security and privacy of your surroundings
When you’re using the Apple Vision Pro, its cameras capture everything around you. It sees the layout of your home or office, the people in the room with you, what displays on the screen of a computer on your desk, and what notes may be on a whiteboard. Much of this data can be very personal, and even may contain intellectual property that needs to be protected.
Some apps will ask your permission to access information about your surroundings in order to provide immersive experiences. If you grant access to apps, they only get access to information about your surroundings within five meters of where you are. Nevertheless, it might be a good idea to only grant access to apps that you use when you are not looking at sensitive or business information. When used in sensitive locations, users should never grant this access, because malicious apps might be able to record sensitive data.
When people are around you, in the same room, or on the street, Apple Vision Pro helps you see and hear them, with video and audio amplification. But the Vision Pro does not share information about nearby people with the apps and websites you use, or with Apple. It’s important to communicate this to people who you interact with; the fact that these cameras encroach on the privacy of people around you led to the demise of Google Glass, an early AR device.
Security and privacy of what you see, and what you type
Users interact with the Vision Pro using their eyes, their hands, and their voice. Unlike with standard computing platforms, you can perform a lot without using a keyboard or pointing device. The Vision Pro tracks your eye movements; this information could be very valuable to marketers, who want to know what you look at on individual webpages. Fortunately, visionOS does not let apps know what you look at until you select something, such as “clicking” a button.
The same is true for your hand movements. You can grant apps permission to access your movements, and developers can create custom gestures based on hand movements. But unless you grant this access, no developers or websites get this information.
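The two permissions described above (surroundings and hand movements) are separate consent prompts on visionOS, and an app that was never granted them simply cannot start the corresponding data providers. The following Swift is an added example, not code from Apple or from this article, illustrating both paragraphs: it requests world-sensing and hand-tracking authorization, starts only the providers the user allowed, and stops the session if the user later revokes access in Settings. The function names `requestSensorAccess` and `startTracking` are chosen for this example; the usage-description keys named in the comments are assumed to be the ones an app must declare in its Info.plist.

```swift
import ARKit

/// The two sensor permissions this app asks for. Each needs a usage string
/// in Info.plist (assumed keys: NSWorldSensingUsageDescription and
/// NSHandsTrackingUsageDescription) explaining why the app wants it.
let requestedAuthorizations: [ARKitSession.AuthorizationType] = [.worldSensing, .handTracking]

/// Shows the system consent prompt for any permission still undecided and
/// returns the resulting status for each requested type.
func requestSensorAccess(session: ARKitSession)
    async -> [ARKitSession.AuthorizationType: ARKitSession.AuthorizationStatus] {
    await session.requestAuthorization(for: requestedAuthorizations)
}

/// Starts only the providers the user consented to, then watches for revocation.
func startTracking(session: ARKitSession) async throws {
    let statuses = await requestSensorAccess(session: session)
    var providers: [DataProvider] = []

    // Room geometry (scene mesh) is only available with world-sensing consent.
    if statuses[.worldSensing] == .allowed, SceneReconstructionProvider.isSupported {
        providers.append(SceneReconstructionProvider())
    }
    // Hand joints are only delivered with hand-tracking consent; without it the
    // app still receives ordinary look-and-pinch selections from the system.
    if statuses[.handTracking] == .allowed, HandTrackingProvider.isSupported {
        providers.append(HandTrackingProvider())
    }

    // With nothing allowed, run in a plain window instead of failing.
    guard !providers.isEmpty else { return }
    try await session.run(providers)

    // If the user revokes a permission in Settings while the app runs,
    // stop the session rather than continuing with partial data.
    for await event in session.events {
        if case .authorizationChanged(let type, let status) = event,
           requestedAuthorizations.contains(type), status != .allowed {
            session.stop()
            return
        }
    }
}
```

Requesting only the permissions a feature actually needs, and at the moment the feature is used, is the app-side counterpart of the advice in the article to grant surroundings access sparingly.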
The Vision Pro offers a virtual keyboard that seems to float in space, on which you can type by pointing your fingers. Apps only get the text that you type, and get no information about potential auto-complete suggestions, or any characters when you type a password.
Other security and privacy features
Apple has added many other security and privacy features to the Vision Pro (PDF), and most of these work the same way as they do on other devices. They include:
- Advanced Data Protection
- App Tracking Transparency
- Data Access prompts
- Data Protection classes
- Hide My Email
- iMessage encryption
- iCloud Private Relay
- Location Services
- Privacy indicators
- Private Network Address
- Safari Private Browsing
Most of these features have been around for many years; if you’ve been using Apple devices, you may be familiar with some of them. Many of them work in the background, and you may not be aware of them. None of these are specific to the Vision Pro. For example, iMessage encryption ensures that messages sent via the Messages app to other Messages users are secure. Another is iCloud Private Relay, which is a way of hiding your IP address when you send emails.
Some iOS malware and PUAs can run on visionOS
Apple gives developers the option to let their users run iOS apps on other platforms. Some iPhone apps, therefore, can also run on iPadOS, macOS, and even visionOS.
Unfortunately, Apple routinely approves potentially unwanted apps (PUA) and lets them into the iOS App Store. These malicious apps can sometimes run on Vision Pro, too. So far, we’ve already seen a fraudulent password manager, “LassPass Password Manager” (a LastPass clone), that was able to run on visionOS.
Apple distributed a fake LastPass Password Manager in the App Store
What security and privacy features are missing from Apple Vision Pro?
Lockdown Mode
The main security feature missing from the Vision Pro is Lockdown Mode, a feature that Apple designed to protect users who are likely to be targeted by “state-sponsored mercenary spyware.” This category of malware includes Pegasus, Predator, TriangleDB, and others.
Lockdown Mode is available on iOS, iPadOS, macOS, and even watchOS. Since visionOS is based on the same underlying OS technologies, it has many of the same vulnerabilities. Therefore, Apple’s omission of Lockdown Mode on the Vision Pro is surprising.
If you’re concerned enough about potentially getting hacked by advanced threat actors that you use Lockdown Mode on all your other devices, then Apple Vision Pro may not be right for you until Apple adds Lockdown Mode.
The ability to run antivirus software
Also notably missing is the ability to run antivirus software on Apple Vision Pro. Since the platform’s underpinnings are more similar to Apple’s mobile operating systems, Vision Pro can’t run native Mac software. It can run some iPhone and iPad apps, but Apple banished the antivirus app category from the iOS App Store nearly a decade ago. It’s possible that the app category may return to iOS soon, exclusively in the EU, thanks to third-party app stores—but Vision Pro is currently only available in the United States.
By the way, Apple has never given antivirus companies the ability to create system-wide (i.e. active scanning) antivirus software for iOS. It’s unlikely that Apple will change its stance on this in the near future. And therefore, Vision Pro most likely won’t get system-wide antivirus, either.
How can I learn more?
Be sure to check out our overview of Apple Vision Pro and hands-on review.
We discussed Apple Vision Pro on episode 331 of the Intego Mac Podcast:
Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.