Apple’s third-party Safari integrations rolled out with “catastrophic security and privacy flaws”
To comply with European Union (EU) laws, Apple has allowed EU users to download and install apps from other marketplaces and websites. However, the implementation of this feature was done “with catastrophic security and privacy flaws,” allowing malicious marketplaces to track Apple users across websites.
So say cybersecurity researchers Talal Haj Bakry and Tommy Mysk, who published their technical analysis in a blog post last weekend.
By now, everyone is fully aware of Apple’s ‘walled garden’ approach to its ecosystem. Apple generally does not allow third-party app stores, claiming they pose a major security risk. However, in the EU, the US smartphone giant was deemed a ‘gatekeeper’ for iOS, the App Store, Safari and iPadOS under the Digital Markets Act (DMA), and was forced to allow third-party app stores and websites to offer app downloads (albeit vetted).
Replace the browser
That’s why Apple introduced a new URI scheme with iOS 17.4, allowing EU users to download and install alternative marketplace apps from websites, the blog said. “Once an authorized browser calls the special URI Marketplace Kit, it passes the installation request to a MarketplaceKit process that begins communicating with the Marketplace’s back-end servers to ultimately install the app,” the researchers explain.
“As part of the installation flow, the MarketplaceKit process sends a unique client_id identifier to the marketplace backend. Both Safari and the MarketplaceKit process allow any website to call upon a given marketplace’s MarketplaceKit URI scheme. As a result, multiple websites can trigger the MarketplaceKit process to send the same unique identifier client_id to the same marketplace backend. In this way, a malicious marketplace can track users across websites.”
So the problem lies in Apple’s browser, Safari, the researchers concluded, saying that the way Apple engineers handled the implementation was “very confusing.”
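The linkability the researchers describe can be modelled in a few lines, from the point of view of what a marketplace backend is able to group together. This is an added example, not code from the researchers or Apple: the device and site names are constructed, the way the backend learns which site triggered a request is assumed, and `site_scoped_client_id` is a hypothetical alternative shown only for contrast.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data: (device, website that triggered the install flow).
VISITS = [
    ("device-A", "news.example"),
    ("device-A", "shop.example"),
    ("device-B", "news.example"),
    ("device-A", "forum.example"),
]


def stable_client_id(device, site):
    """Behaviour described in the article: same identifier whatever the site."""
    return hashlib.sha256(device.encode()).hexdigest()[:16]


def site_scoped_client_id(device, site):
    """Hypothetical alternative: identifier derived per (device, site) pair."""
    # Assumption: the device holds a secret the marketplace never sees.
    device_secret = hashlib.sha256(b"secret:" + device.encode()).digest()
    return hmac.new(device_secret, site.encode(), hashlib.sha256).hexdigest()[:16]


def backend_view(visits, id_scheme):
    """Group what the backend receives: client_id -> set of triggering sites."""
    seen = defaultdict(set)
    for device, site in visits:
        seen[id_scheme(device, site)].add(site)
    return dict(seen)


def linkable_profiles(view):
    """Identifiers observed on more than one site, i.e. cross-site profiles."""
    return {cid: sites for cid, sites in view.items() if len(sites) > 1}


if __name__ == "__main__":
    for scheme in (stable_client_id, site_scoped_client_id):
        profiles = linkable_profiles(backend_view(VISITS, scheme))
        print(f"{scheme.__name__}: {len(profiles)} cross-site profile(s)")
        for cid, sites in profiles.items():
            print(f"  {cid} seen on {sorted(sites)}")
```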
“Safari should protect users from cross-site tracking,” they conclude, before proposing alternative solutions.