In response to European antimonopoly legislation, Apple has made changes to allow the installation of third-party apps on the iPhone. However, this decision has led to vulnerabilities in the Safari browser, putting users at risk of being tracked on the Internet.
Developers Talal Hajbi Bakri and Misk revealed the disadvantages and confidentiality issues associated with implementing this function on iOS. They found that the URI mechanism in Safari allows third-party app stores to track users’ online activity through a special request, which is activated even in incognito mode. This lack of checking the source of the website and unverified JSON Web Tokens exposes users to potential attacks.
The URI scheme determines how a specific network request is processed. Websites offering alternative app stores may include a button that, when clicked in Safari, triggers a request processed by MarketplaceKit on the iPhone user in the EU. This establishes a connection with the approved store’s servers to complete the installation of the app on the smartphone.
However, any site can trigger MarketPlace-Kit on iOS 17.4 devices in the EU, causing Safari to send a unique identifier of each user to the approved store’s servers. This reveals that the user has visited the site and allows the store’s servers to potentially reject a request and gather additional information about the user.
Bakri and Misk recommend European users to switch to the Brave browser instead of Safari, as it checks website origins and prevents tracking. They highlight that Apple’s failure to properly implement the secure usage of third-party app stores has compromised user privacy.
Apple has not yet responded to these allegations. The situation is further complicated by the uncertainty surrounding the ability of various apps in Europe, including those obtained through jailbreaking, to protect user confidentiality.