Father
Complying with EU law has led Apple into a user-privacy mistake.
To comply with the EU's antitrust rules, Apple allowed third-party app stores on iPhones, and the way it implemented that support in Safari exposes users to being tracked online.
Developers Talal Haj Bakry and Tommy Mysk identified security and privacy flaws in the iOS implementation of the feature. They found that Safari's handling of the marketplace-kit: URI scheme lets third-party app stores track a user's browsing, and that it works even in Private Browsing mode. Two missing checks are responsible: Safari does not verify the origin of the website that invokes the scheme, and MarketplaceKit does not validate the JSON Web Token (JWT) carried in the request, which opens the mechanism to abuse.
A URI scheme tells the system which handler processes a given link. A website offering an alternative app store can include a button that, when clicked in Safari, opens a marketplace-kit: link; on an iPhone in the EU that link is handed to the MarketplaceKit process, which then connects to the approved marketplace's servers to complete installation of the store's app on the phone.
The problem is that any website can invoke marketplace-kit:, not only an approved marketplace. On iOS 17.4 devices in the EU this makes MarketplaceKit send a unique per-user identifier to the approved marketplace's servers, revealing that the user has just visited the calling site. The marketplace's server may reject the request, but by then the identifier has already been transmitted, and the request can also carry a custom payload chosen by the calling site, so arbitrary additional information about the user can be passed to the alternative store.
The lack of certificate pinning makes matters worse: the exchange between MarketplaceKit and the marketplace's servers can be intercepted by a man-in-the-middle. The researchers stress that these weaknesses are a by-product of Apple's desire to keep control over how third-party stores are used, and that the result undermines user privacy.
Bakry and Mysk recommend that users in Europe use the Brave browser instead of Safari, because Brave checks the origin of the website that invokes the scheme and so prevents the tracking. In their report they argue that the privacy problem stems from Apple's failure to implement third-party app stores securely, which turned the company's stated security concerns about such stores into a self-fulfilling prophecy.
Apple has not yet commented on the findings. Adding to the concern, many of the stores that can now be used in Europe, not only those distributed through official channels but also ones that become available after jailbreaking a device, face questions about their ability to protect user privacy.
Under the European Digital Markets Act (DMA), Apple allowed third-party app stores and the installation of apps outside the App Store.
The law requires that:
- Apple must allow developers to use third-party payment platforms;
- users must be able to install apps without going through Apple's App Store;
- iMessage must interoperate with other messaging services.
Beyond app stores, Apple has also made sweeping changes to how web browsers work on iPhones for users in the EU. iOS 17.4 prompts the user to choose a default browser the first time Safari is launched, and browser vendors are now permitted to ship their own browser engines.