Europeans Risk Safety with Third-Party App Downloads in Safari

Researchers Talal Haj Bakry and Mysk studied how Apple integrates third-party app stores on its devices. During the audit they discovered vulnerabilities that put the safety and confidentiality of user data at risk.

A new feature in iOS 17.4 allows users in the European Union to install applications from alternative marketplaces through a special URI scheme, MarketPlace-Kit:. Using this scheme, a website can include a button that, when clicked in the Safari browser, starts the MarketPlace process on the device; that process then connects to the servers of the selected store to complete the installation of the application.

Any site can invoke MarketPlace-Kit:. When it is triggered on a device running iOS 17.4, a unique identifier is sent to the servers of the approved store, potentially allowing an attacker to learn which sites the user has visited, even when the browser is in private browsing mode.

Bakri and Misk uncovered three pivotal shortcomings in Apple’s implementation of the URI scheme:

  1. No verification of the request’s origin, which creates opportunities for tracking user activity across different sites.

  2. Insufficient validation of the JSON Web Token (JWT) in requests, which raises the risk of attacks that inject malicious code.

  3. No certificate pinning, which increases the possibility of man-in-the-middle attacks.

The vulnerabilities appear to stem from Apple’s effort to control the interaction between stores and customers, most likely for statistical purposes and for computing commission fees.

Bakry and Mysk suggest that Europeans use the Brave browser, which verifies the origin of the website invoking the scheme, thereby reducing the risk of unwanted cross-site tracking.

These findings raise concerns about Apple’s ability to safeguard user privacy, since security depends not only on the strength of the protection in third-party stores but also on how much interest there is in providing it.
