Apple’s “incredibly private” Safari is not so private in Europe


The European antitrust rules that Apple has had to accept (for the benefit of users and to its own economic detriment) have left Safari browser users exposed to possible web tracking.


Developers Talal Haj Bakry and Tommy Mysk investigated how Apple implemented the process of installing third-party software markets on iOS with Safari, and concluded that Cupertino’s approach is particularly deficient.

“Our tests show that Apple provided this feature with catastrophic security and privacy flaws,” wrote Bakry and Mysk in a notice published over the weekend.

Where does the Safari security flaw come from?

Apple, which advertises its Safari browser as incredibly private, has evidently undermined the privacy of Safari users in the European Union through a marketplace-kit: URI scheme that allows third-party app stores to track those users across the web.

A URI scheme is a way to determine how a specific network request is handled. A website that offers an alternative software marketplace may include a button that, when clicked in Safari, launches a marketplace-kit request: managed by a MarketplaceKit process on the user’s iPhone in the EU.

This process, integrated in iOS 17.4 by Apple, contacts the authorized market’s back-end servers to complete the installation of the application from that store on the phone.

The problem is that any site can trigger a marketplace-kit: request. On iOS 17.4 devices in the EU, Safari will send a unique user identifier to approved marketplace servers, leaking the fact that the user was visiting that site.

This happens even if Safari is in private browsing mode. Marketplace servers may reject the request; the request may also include a custom payload that passes more information about the user to the alternative store. All of this is illustrated in the following video.

According to Bakry and Mysk, Apple’s URI system has three major flaws. First, it does not check the origin of the website, which means that the aforementioned cross-site tracking is possible.

Secondly, Apple’s MarketplaceKit – their API for third-party stores – does not validate JSON web tokens (JWT) passed as input parameters through incoming requests. “Even worse, it blindly transmits the invalid JWT token when calling the /oauth/token endpoint,” Bakry and Mysk noted. “This opens the door to various injection attacks targeting the MarketplaceKit process or the marketplace backend.”

And thirdly, Apple is not using certificate pinning, which leaves the door open to a man-in-the-middle (MITM) attack on MarketplaceKit communications. Bakry and Mysk claim they were able to replace the servers involved in this process with their own endpoints.
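The three gaps described above (no origin check, an unvalidated JWT forwarded to the backend, and no certificate pinning) are the same checks any custom URI scheme handler should make before contacting a remote service. The following is an added illustration, not Apple's MarketplaceKit code or anything from Bakry and Mysk: a hypothetical handler for an install request, shown once in a naive form that mirrors the flaws the article lists and once in a hardened form that enforces all three checks. The marketplace registry, the HS256 key, the certificate bytes and the token claims are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlparse

# Constructed registry of one approved marketplace: the single web origin allowed
# to launch installs for it, the HS256 key its tokens are verified with, and the
# pinned SHA-256 fingerprint of its backend certificate. All values are made up.
REGISTRY = {
    "examplestore": {
        "origin": "https://store.example",
        "jwt_key": b"constructed-shared-secret-not-a-real-key",
        "cert_pin": hashlib.sha256(b"constructed DER bytes of store.example cert").hexdigest(),
    }
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Constructed HS256 token; exists only so the example has realistic input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes, audience: str, now: float) -> dict:
    """Check structure, algorithm, signature, audience and expiry; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def origin_of(url: str) -> str:
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()


def naive_handle(marketplace: str, referrer: str, token: str, cert_der: bytes) -> dict:
    """Mirrors the gaps the article describes: whoever triggered the request, the
    token is forwarded unverified and any backend certificate is accepted."""
    return {"forwarded": True, "token": token, "from_origin": origin_of(referrer)}


def hardened_handle(marketplace: str, referrer: str, token: str, cert_der: bytes, now=None) -> dict:
    entry = REGISTRY.get(marketplace)
    if entry is None:
        return {"forwarded": False, "reason": "unknown marketplace"}
    now = time.time() if now is None else now
    # 1. Origin check: only the marketplace's own site may launch its install flow,
    #    so an unrelated page cannot use the request to learn the user's identifier.
    if origin_of(referrer) != entry["origin"]:
        return {"forwarded": False, "reason": "origin not allowed"}
    # 2. Validate the token locally before it is passed to any backend endpoint.
    try:
        claims = verify_jwt(token, entry["jwt_key"], audience=marketplace, now=now)
    except ValueError as exc:
        return {"forwarded": False, "reason": f"invalid token: {exc}"}
    # 3. Certificate pinning: refuse a backend whose certificate does not match the pin.
    if hashlib.sha256(cert_der).hexdigest() != entry["cert_pin"]:
        return {"forwarded": False, "reason": "certificate pin mismatch"}
    return {"forwarded": True, "subject": claims.get("sub")}
```

The hardened handler fails closed at the first check that does not pass and reports which one, so a request from a third-party page, a token signed with the wrong key or past its expiry, and a backend presenting an unpinned certificate are each rejected before any identifier leaves the device.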

Is Apple interested in fixing the bug?

The limiting factor of this attack is that a marketplace must first be approved by Apple before it can carry out this type of tracking. At the moment, few marketplaces have obtained that approval.

The two security researchers argue that fraudulent applications regularly make their way through Apple’s review process, meaning that fraudulent app stores could be authorized. And they claim that privacy issues are due to Apple wanting to track the use of third-party stores.

Users of iOS in Europe are encouraged to use Brave instead of Safari, because Brave’s implementation checks the website’s origin against the URL to prevent cross-site tracking.


By not making the extra effort to securely implement third-party app stores, Apple has possibly turned their concerns about security and privacy into a self-fulfilling prophecy.

In its observations [PDF] on DMA compliance, Apple stated: “In the EU, the security, privacy, and protection of each user will depend in part on two questions. First, are alternative markets and payment processors capable of protecting users? And second, are they interested in doing so?”

There is also the question of whether Apple is capable of protecting users, and if it is interested in doing so.

Author: Chema Carvajal Sarabia
