{"id":279842,"date":"2024-05-01T00:19:25","date_gmt":"2024-05-01T07:19:25","guid":{"rendered":"https:\/\/sftarticles.wpenginepowered.com\/es\/?p=331382"},"modified":"2025-07-01T16:36:19","modified_gmt":"2025-07-01T23:36:19","slug":"apples-incredibly-private-safari-is-not-so-private-in-europe","status":"publish","type":"post","link":"https:\/\/cms-articles.softonic.io\/en\/apples-incredibly-private-safari-is-not-so-private-in-europe\/","title":{"rendered":"Apple&#8217;s &#8220;incredibly private&#8221; Safari is not so private in Europe"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">The European antitrust rules that Apple has had to accept (for the benefit of users and to its own economic detriment) <strong>have left Safari users exposed to possible web tracking.<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Developers Talal Haj Bakry and Tommy Mysk investigated how Apple implemented the installation of third-party app marketplaces on iOS <strong>through Safari, and concluded that Cupertino&#8217;s approach is seriously deficient.<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&#8220;Our tests show that Apple provided this feature with catastrophic security and privacy flaws,&#8221; wrote Bakry and Mysk <a href=\"https:\/\/www.mysk.blog\/2024\/04\/28\/safari-tracking\/\" target=\"_blank\" rel=\"noopener nofollow\" title=\"in a blog post published over the weekend\">in a blog post published over the weekend<\/a>.<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\"><p lang=\"en\" dir=\"ltr\">Apple&#39;s implementation of installing marketplace apps from <a 
href=\"https:\/\/twitter.com\/hashtag\/Safari?src=hash&amp;ref_src=twsrc%5Etfw\">#Safari<\/a> is heavily flawed and can allow a malicious marketplace to track <a href=\"https:\/\/twitter.com\/hashtag\/EU?src=hash&amp;ref_src=twsrc%5Etfw\">#EU<\/a> users across websites, even in private browsing mode. This blog details our findings:<a href=\"https:\/\/t.co\/xzCAzdYI1E\">https:\/\/t.co\/xzCAzdYI1E<\/a><a href=\"https:\/\/twitter.com\/hashtag\/privacy?src=hash&amp;ref_src=twsrc%5Etfw\">#privacy<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/security?src=hash&amp;ref_src=twsrc%5Etfw\">#security<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/iOS?src=hash&amp;ref_src=twsrc%5Etfw\">#iOS<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/iPhone?src=hash&amp;ref_src=twsrc%5Etfw\">#iPhone<\/a><\/p>&mdash; Mysk (@mysk_co) <a href=\"https:\/\/twitter.com\/mysk_co\/status\/1784679599449702878?ref_src=twsrc%5Etfw\">April 28, 2024<\/a><\/blockquote>\n<\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Where does the Safari security flaw come from?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Apple, which advertises Safari as incredibly private, has evidently undermined the privacy of Safari users in the European Union through <strong>a marketplace-kit: URI scheme that allows third-party app stores to track those users across the web.<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>A URI scheme is the prefix of a link (https:, mailto:, and so on) that tells the system which handler should process it.<\/strong> A website offering an alternative app marketplace may include a button that, when tapped in Safari, launches a marketplace-kit: request, which is handled by the MarketplaceKit process on the user&#8217;s iPhone in the EU.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This process, introduced by Apple in iOS 17.4, contacts the approved marketplace&#8217;s back-end servers to complete the installation of that marketplace&#8217;s app on the phone.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The problem is that any site can trigger a marketplace-kit: request.<\/strong> On iOS 17.4 devices in the EU, Safari then sends a unique user identifier to the approved marketplace&#8217;s servers, leaking the fact that the user was visiting that site.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This happens even when Safari is in private browsing mode. The marketplace&#8217;s servers can reject the request, but the request can also carry a custom payload that passes further information about the user to the alternative store. All of this is illustrated in the following video.<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"iPhone users in the EU: This is why you should stop using Safari, and why Brave is a better choice\" width=\"840\" height=\"473\" src=\"https:\/\/www.youtube.com\/embed\/aISz4ITI710?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>According to Bakry and Mysk, Apple&#8217;s handling of the URI scheme has three major flaws.<\/strong> First, it does not check the origin of the website that triggered the request, which is what makes the cross-site tracking described above possible.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Second, Apple&#8217;s MarketplaceKit<\/strong> &#8211; its API for third-party stores &#8211; does not validate the JSON Web Tokens (JWTs) passed as input parameters in incoming requests. &#8220;Even worse, it blindly transmits the invalid JWT token when calling the \/oauth\/token endpoint,&#8221; Bakry and Mysk noted. &#8220;This opens the door to various injection attacks targeting the MarketplaceKit process or the marketplace backend.&#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Third, Apple does not use certificate pinning, which leaves MarketplaceKit&#8217;s communications open to a man-in-the-middle (MITM) attack.<\/strong> Bakry and Mysk say they were able to substitute their own <em>endpoints<\/em> for the servers involved in the process.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Is Apple interested in fixing the bug?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The limiting factor of this attack is that a marketplace must first be approved by Apple before it can carry out this kind of tracking, and at the moment few marketplaces have obtained that approval.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The two security researchers argue that fraudulent applications regularly make their way through Apple&#8217;s review process, meaning that a fraudulent app store could be authorized as well. 
<strong>And they argue that the privacy issues stem from Apple wanting to track the use of third-party stores.<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The researchers encourage iOS users in Europe to use Brave instead of Safari, because Brave&#8217;s implementation checks that the website&#8217;s origin matches the marketplace&#8217;s URL, which prevents cross-site tracking.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">By not making the extra effort to implement third-party app stores securely, <strong>Apple may have turned its concerns about security and privacy into a self-fulfilling prophecy.<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In its observations <a href=\"https:\/\/developer.apple.com\/security\/complying-with-the-dma.pdf\" target=\"_blank\" rel=\"noopener nofollow\" title=\"[PDF]\">[PDF]<\/a> on DMA compliance, Apple stated: &#8220;In the EU, the security, privacy, and protection of each user will depend in part on two questions. First, are alternative markets and payment processors capable of protecting users? And second, are they interested in doing so?&#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">There is also the question of whether Apple is capable of protecting users, and whether it is interested in doing so.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>According to Bakry and Mysk, Apple&#8217;s URI system has three major flaws. 
First, it doesn&#8217;t check the origin of the website; second, &#8230;<\/p>\n","protected":false},"author":9265,"featured_media":279843,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","wpcf-pageviews":1},"categories":[1015],"tags":[1066,2096],"usertag":[],"vertical":[],"content-category":[],"class_list":["post-279842","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-apple","tag-safari"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/posts\/279842","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/users\/9265"}],"replies":[{"embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/comments?post=279842"}],"version-history":[{"count":1,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/posts\/279842\/revisions"}],"predecessor-version":[{"id":313471,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/posts\/279842\/revisions\/313471"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/media\/279843"}],"wp:attachment":[{"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/media?parent=279842"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/categories?post=279842"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/tags?post=279842"},{"taxonomy":"usertag","embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/usertag?post=279842"},{"taxonomy":"vertical","embeddable":tr
ue,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/vertical?post=279842"},{"taxonomy":"content-category","embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/content-category?post=279842"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}