Apple’s third-party Safari integrations rolled out with “catastrophic security and privacy flaws”

(Image credit: Photo Illustration by Rafael Henrique/SOPA Images/LightRocket via Getty Images)

To comply with the laws of the European Union (EU), Apple has allowed EU users to download and install apps from other marketplaces and websites. However, the implementation of this feature was made “with catastrophic security and privacy flaws”, allowing malicious marketplaces to track Apple users across different websites.

This is according to cybersecurity researchers Talal Haj Bakry and Tommy Mysk, who released their technical analysis in a blog published last weekend.

By now, everyone is fully aware of Apple’s “walled garden” approach to its ecosystem. It generally doesn’t allow third-party app stores, claiming they are a major security risk. However, in the EU, under the Digital Markets Act (DMA), the American smartphone giant was deemed a “gatekeeper” for iOS, the App Store, Safari, and iPadOS, and was forced to allow third-party app stores and websites offering apps for download (albeit, vetted). 

Replacing the browser

To comply, Apple introduced a new URI scheme in iOS 17.4 that lets EU users download and install alternative marketplace apps from websites, the blog reads. “Once an authorized browser invokes the special URI scheme marketplace-kit, it hands off the installation request to a MarketplaceKit process that starts communicating with the marketplace back-end servers to finally install the app,” the researchers explained.

“As part of the installation flow, the MarketplaceKit process sends a unique client_id identifier to the marketplace back-end. Both Safari and the MarketplaceKit process allow any website to make a call to the marketplace-kit URI scheme of a particular marketplace. As a result, multiple websites can trigger the MarketplaceKit process to send the same unique identifier client_id to the same marketplace back-end. This way a malicious marketplace can track users across different websites.”

So the problem lies in Apple’s browser, Safari, the researchers concluded, saying that the way Apple’s engineers handled the implementation was “very puzzling.”
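The tracking mechanism described above, modelled as an added example (not code from Apple, Safari or the researchers): several unrelated sites invoke the marketplace-kit scheme for one marketplace, and the back-end can link them because it receives the same client_id every time. The partitioned variant is an illustrative mitigation, not one of the researchers' published suggestions; all site names, the identifier and the key are constructed.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed values: a fixed device-level identifier and unrelated sites that
# all embed a marketplace-kit link pointing at the same marketplace.
CLIENT_ID = "client-id-EXAMPLE-0001"
MARKETPLACE = "marketplace.example"


def invoke_marketplace_kit(site, client_id):
    """Model the Safari -> MarketplaceKit -> back-end handoff.

    The invoking site is assumed visible to the back-end (a marketplace can
    hand each site its own marketplace-kit URL), so the only question is
    whether the identifier it receives is stable across sites.
    """
    return {"marketplace": MARKETPLACE, "client_id": client_id, "invoked_from": site}


def backend_linkage(requests):
    """Back-end view: group the invoking sites by the identifier received."""
    seen = defaultdict(set)
    for req in requests:
        seen[req["client_id"]].add(req["invoked_from"])
    return {cid: sorted(sites) for cid, sites in seen.items()}


def partitioned_client_id(client_id, site, key):
    """Illustrative mitigation: derive a per-site identifier with a secret key
    so the same device presents a different value to each invoking site."""
    msg = f"{site}|{client_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def simulate(sites, partition_key=None):
    """Run the flow once per site; with partition_key=None the stable
    client_id is sent (the reported behaviour), otherwise the per-site one."""
    requests = []
    for site in sites:
        cid = CLIENT_ID if partition_key is None else partitioned_client_id(CLIENT_ID, site, partition_key)
        requests.append(invoke_marketplace_kit(site, cid))
    return backend_linkage(requests)


if __name__ == "__main__":
    sites = ["news.example", "shop.example", "forum.example"]
    print("stable client_id :", simulate(sites))            # one key, three sites linked
    print("partitioned      :", simulate(sites, b"device-local-secret-EXAMPLE"))
```

With the stable identifier the back-end sees one entry covering all three sites; with the partitioned identifier it sees three unlinkable entries of one site each.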

“Safari should protect users against cross-site tracking,” they conclude, before suggesting alternative solutions. You can read more about their suggestions in their blog post.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
