Opt-in to Arm MTE / MIE #3767

@thgoebel

How to use GitHub

  • Please use the 👍 reaction to show that you are interested in the same feature.
  • Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
  • Subscribe to receive notifications on status change and new comments.

Feature request

Opt in to Arm MTE aka Memory Integrity Enforcement (MIE).

MTE is an easy security improvement (at least for users with an iPhone 17, which has the hardware for MTE).
To do so, you need to set the appropriate entitlement: https://developer.apple.com/documentation/xcode/enabling-enhanced-security-for-your-app

Nextcloud parses potentially attacker-controlled data, so enabling MTE/MIE is an easy defense-in-depth measure.

Important: before enabling MIE in production, you need to thoroughly test on an iPhone 17 that there are no crashes!
If there are crashes "caused" by MTE, these need to be fixed. Note that these crashes are present even without MTE; MTE just makes them visible. So MTE is also a useful bug-finding tool.

For background on MTE/MIE, see:

For Nextcloud Files for Android I made a PR: nextcloud/android#15661
