Apple's 'incredibly private' Safari is not so private in Europe

Apple's grudging accommodation of European antitrust rules by allowing third-party app stores on iPhones has left users of its Safari browser exposed to potential web activity tracking. Developers Talal Haj Bakry and Tommy Mysk looked into the way Apple implemented the installation process for third-party software marketplaces …

  1. Pascal Monett Silver badge

    Ah Apple

    Between jailbreaking and locked ecosystem and now this, the iNazi has amply demonstrated its thirst for control of everything.

    And, as usual, when you're addicted, you don't think straight. Apple is addicted to control, and it has now undermined the security and privacy of its users.

    Congratulations for giving me yet another reason to never buy your products.

    1. Potemkine! Silver badge

      Re: Ah Apple

      Everything in Apple

      Nothing outside Apple

      Nothing against Apple

    2. Anonymous Coward

      thirst for control of everything

      The film 'Iron Sky' and its sequel are well worth watching.

      1. Anonymous Coward

        Re: thirst for control of everything

        Judy (or is it Julie) Dietze is very lovely in it

    3. Cruachan Bronze badge

      Re: Ah Apple

      What's really funny about this is that the iDiots will continue to defend Apple and blame the EU for forcing them to make this change, rather than admit Apple did anything wrong.

      1. Lord Elpuss Silver badge

        Re: Ah Apple

        Would this have happened if the EU hadn't meddled?

      2. gnasher729 Silver badge

        Re: Ah Apple

        You're so funny, man. Any arguments or are you just a pre-teen trying to insult your elders or betters?

        1. Lord Elpuss Silver badge

          Re: Ah Apple

          Ach. He's just blowing off some pent-up frustration. Besides; empty barrels make the most noise ¯\_(ツ)_/¯

    4. Lord Elpuss Silver badge

      Re: Ah Apple

      "And, as usual, when you're addicted, you don't think straight. Apple is addicted to control, and it has now undermined the security and privacy of its users."

      And, as usual, when you're addicted, you don't think straight. The EU is addicted to control, and it has now undermined the security and privacy of its users.

      Fixed it for you. This would never have happened if the EU hadn't tried to 'fix' something that wasn't broken.

      1. sgp

        Re: Ah Apple

        The problem is the implementation, not the ruling.

        1. Lord Elpuss Silver badge

          Re: Ah Apple

          "The problem is the implementation, not the ruling."

          The problem is both. Implementation - however shoddy - wouldn't have been necessary had the EU not meddled.

          1. ExpatZ

            Re: Ah Apple

            Right, because privacy is a nothing burger for Americans so why would anyone else on the planet want it?

            Muppet.

            1. Lord Elpuss Silver badge

              Re: Ah Apple

              The EU didn't meddle because of privacy concerns. Your comment makes no sense.

              Muppet.

  2. Androgynous Cupboard Silver badge

    Meh

    This is a smaller than average storm in a teacup. I don't know what the barrier to getting an alternative App store is, but considering that - unlike Apps - Apple actively don't want them to exist, I would expect the barrier is very, very high. Certificate pinning? Well, OK, but if your DNS has been hacked then you've got bigger issues. As for validation of JWT tokens, please, that's just silly. It's a public webserver, it's already getting thousands of malformed queries a day.

    They say you have to click, so even if we imagine the worst case - you're in an environment where the DNS redirects an app-store URL to a malicious IP - you still need users to a) visit a site with this malicious app store link designed to track you, b) interact with it by clicking a button, and c) visit some other malicious site later and do the same so they can correlate. Could a rogue state do much with this? I don't think they could. I also don't understand the claim that Apple are able to track anything with this - there's no network connection to any Apple server in this chain. The only party that could track anything is the one hosting the App store.

    Quite Interesting score: 3/10, because it's a new area to research for attacks. Threat score: 1/100.

    1. John Robson Silver badge

      Re: Meh

      More importantly is there a "disable this scheme" option for those who don't care about a third party store?

      1. DS999 Silver badge

        Re: Meh

        Ideally, if you didn't enable third party app stores or you disabled them (not sure what the default is there), it would ignore a marketplace-kit: URI.

        Glad I'm in the US so I don't have to worry about this brain damage!

        1. anonymous boring coward Silver badge

          Re: Meh

          I think you can rest assured that the default will be "off" for third party app stores.

        2. ExpatZ

          Re: Meh

          Yeah, best to just go without privacy huh.

      2. MyffyW Silver badge

        Re: Meh

        I mean if I cared about third-party app stores, I'd probably not have bought an iDevice.

        I speak as a sometime-user of both Apple and Android products. I have literally never felt the need to use a third-party app store. Your mileage will - of course - vary.

        1. Lord Elpuss Silver badge

          Re: Meh

          ^ This. The majority of people who bought Apple did so knowing exactly what they could expect; and made their buying decisions accordingly. The all-Apple ecosystem was a key benefit for many; including me.

          For the EU to step in and retroactively harm or weaken this experience (assuming that is the case; the article doesn’t make it clear) is hubris of the first order and I hope it backfires on them.

    2. Androgynous Cupboard Silver badge

      Re: Meh

      I would like to amend my original post.

      After watching the presentation, noting the network traffic it displayed and recklessly concluding the research was almost completely impractical as a method of tracking individuals, I realise this analysis forgot to add any pointed observations about the evils of large tech firms in general and Apple in particular. My knee made no jerking movements during this process, and I also neglected to use the phrase "holding it wrong". I now realise this was unacceptable and I promise to do better on any future comments.

  3. ReikiShangle

    To save typing, I refer you to a related yet relevant comment...

    Oracle Fusion rollout...

    You're welcome.

    Shangle... Reiki Shangle...

  4. Crypto Monad Silver badge

    Video says "Stop using Safari, use Brave instead"

    In the interests of balance, here's the opposing point of view: https://www.spacebar.news/p/stop-using-brave-browser

    Note: I don't have any skin in this game. I simply have no interest in trying out any minority browser with a user base smaller than Firefox's 3%.

    1. Detective Emil

      Re: Video says "Stop using Safari, use Brave instead"

      Quite. I'd be running Brave if it wasn't for that hokey Basic Attention Token cryptocurrency.

      1. Anonymous Coward

        Re: Video says "Stop using Safari, use Brave instead"

        I did use Brave for a while, but ultimately the combination of Safari with Purify and the customization options of AdGuard works a lot better for me. Brave is good, but needs a lot more in the ad block logic.

  5. tiggity Silver badge

    Anyone surprised?

    When your whole approach has been based on Apple approved apps via Apple store only then adding support for alternative marketplaces was always going to have a high chance of introducing bugs / security issues (especially when it was done in a bit of a rush).

    I would have been far more surprised if there were no issues.

  6. Orv Silver badge

    Couple this with the EU forcing Google to allow third-party tokens, and their privacy regulations start to look a bit thin.

  7. jlturriff

    The English language is so much fun...

    'Apple – which advertises Safari as "incredibly private" ' is, when one thinks of it, quite accurate: "incredible" says it all. We see this sort of misuse of words all the time; "incredible," commonly thought of as a good thing, really means "not credible;" "terrific" means "inducing terror" and so on. It's fascinating to see how such terms have been twisted so that their meaning has become positive instead of negative.

    1. jlturriff

      Re: The English language is so much fun...

      Hmmm... couldn't make the EDIT button work.

      I first noticed this phenomenon when I was exposed to IBM's virtual storage and virtual machine technology in college. "Virtual" has pretty much fallen by the wayside in advertising now, but before then there were lots of advertisements that used the word, whose meaning was quite fuzzy to people, e.g. dishwashing soap commercials that said their product made glassware "virtually spotless." :-)

  8. gnasher729 Silver badge

    The EU set the requirements. “Allow third party App Stores”. So what would they have said if Apple replied “that’s difficult to do, meeting the requirements we are told to meet, and observing privacy at the same time”.

    The App Store goes completely through Apple. So Apple can provide privacy very easily by not giving all the information it has to anyone. But it seems they have to make iPhones reply to alternative stores that Apple doesn’t know, and therefore to anyone claiming to be an alternative App Store.

  9. anonymous boring coward Silver badge

    If you "think different" it's probably "incredible private".

    1. Doctor Tarr

      That woosh parrot just missed the downvoters.

  10. anonymous boring coward Silver badge

    EU regulators usually want to do good things.

    Sometimes they don't understand the implications for security. But, then again, some stick on the big ones to think harder about security is no bad thing.

    Apple will probably come up with something.

  11. Lord Elpuss Silver badge

    I've read it twice but it's still not clear to me. Am I still at risk if I don't actively browse to or engage with 3rd party marketplaces? 3 scenarios that I can envisage:

    1. Browses and downloads from 3rd Party marketplaces AT RISK

    2. Navigates to a 3rd Party marketplace site, but doesn't download or install ???

    3. Browses an unrelated website that contains a link to a 3rd party marketplace e.g. an ad, but doesn't click on it ???

    Could I be tracked in scenarios 2 or 3?

    1. ArrZarr Silver badge

      The issue is that a site that claims to point to a third-party app store will send a unique user ID to that store, enabling you to be tracked around the web.

      Realistically, this is only a big problem if somebody big (Meta/Amazon/Alphabet/Microsoft or one of the big data brokers) figures out a way to add this code to the site through a tag (most people who particularly care about privacy online will have this blocked by default anyway) as changing source code directly on site is a much higher barrier to implementation than adding to a container tag.

      This will probably be fixed sometime relatively soon - as much as I don't like Apple, I think they're generally pretty good at sorting this kind of thing, so it's unlikely that any of the big players will put a lot of resources into making this a cross-site tracking vector. That being said, this might be a fundamental issue of how Apple are forced to act under EU law, so it will be forced to remain a vector long-term, at which point it will be worth it for the big tracking providers to set up tracking here.

      To answer your questions, specifically about cross-site tracking:

      1. Potentially at risk if the 3rd party app store wants to monetize this cross-site tracking avenue.

      2. Potentially at risk if the 3rd party app store wants to monetize this cross-site tracking avenue.

      3. Potentially at risk if the 3rd party app store wants to monetize this cross-site tracking avenue.

      4. (Navigates to any website that points to a 3rd party app store that wants to monetize this cross-site tracking avenue) -> At risk

      Fundamentally, if Google add a call to a "third party marketplace" that they own in their Google Analytics tag, then they will have functionally full cross-site tracking on anybody not blocking Google Tags.

      1. v13

        Until taboola creates an app store

    2. tip pc Silver badge

      I've read it twice but it's still not clear to me. Am I still at risk if I don't actively browse to or engage with 3rd party marketplaces? 3 scenarios that I can envisage:

      The good news is that if you're in the UK then there is no alternative Apple store

      https://support.apple.com/en-gb/118110#countries-and-regions

      1. Lord Elpuss Silver badge

        I'm not in the UK, so even if that's true it doesn't help. But thanks.

      2. gnasher729 Silver badge

        I think the risk is not _real_ alternative stores. The risk is scammers creating a fake alternative store. They can do that in the UK just as easily (if Apple has third party stores enabled in the UK, whether there are any or not doesn't matter).

    3. gnasher729 Silver badge

      If you go to a real 3rd party marketplace, you are safe. Or as safe as that store's security, and their willingness to preserve your privacy. Anyway, nothing that Apple can do.

      The risk (no matter how big or small) comes from fake marketplaces. Just like receiving a phone call has zero risk, except that scammers can call you.

      1. Lord Elpuss Silver badge

        I have no interest in visiting 3rd party stores, legit or not; I'm just trying to understand whether, if I just carry on with life as I'm doing now, happy with just the Apple App Store, my security and data privacy have been weakened by this?

  12. ExpatZ

    Apple was never secure. By design.

    Apple's browser was never secure, nor is iOS.

    Take note of how easily the US military, intelligence services and police retrieve data from it; they only cry about it when they want laws made to make everything as easy for them to walk in and get the data from.

    If it is from the US it is compromised. Flat out.
