New URI scheme due to EU regulation: Website tracking in Apple's Safari
To implement alternative app stores in the EU market, Apple has integrated a function that can reveal private information.
Safari-Icon.
(Bild: Apple)
As is well known, iPhones in the EU can do more than devices in other regions of the world - thanks to regulation by the Digital Markets Act (DMA), Apple has to approve alternative app stores, for example. However, Apple has apparently made mistakes in the implementation of the Safari browser, which could lead to a potential data leak. This was reported by a group of security researchers led by Tommy Mysk. Together with developer Talal Haj Bakry, Mysk took a look at the new "marketplace-kit" URI scheme implemented in Safari for the EU.
Tracking through the web without consent
The new procedure is actually designed to enable websites in Safari to allow the download of such an app offer via a button. However, Mysk and Bakry found that the function, which is available from iOS 17.4, can currently be used freely by any website. This would make it possible for the provider of alternative app stores to track users even in incognito mode if they cooperate with website operators. A unique per-user identifier is transmitted that does not change.
The problem does not occur with competitor browsers such as Ecosia or Brave, which also support the installation of alternative app stores. However, this is currently only a hypothetical form of attack, as there are currently only three different providers of such app stores that are not known to exploit the problem described by Mysk and Bakry. The researchers therefore emphasize that only "malicious alternative marketplaces" could proceed in this way. It is unclear whether Apple would detect this during the approval process.
Only hypothetical so far, but Apple could do something
Nevertheless, the question arises as to why the URI scheme was designed to be so leak-friendly. Safari always calls up MarketplaceKit if the URI scheme is located on a page – "blindly", as the security researchers say. Each time it is called, the alternative app store including a unique ID is triggered and even a "custom payload" is sent along.
To carry out the attack, operators of alternative app stores would have to coordinate with website providers. Safari privacy functions, which are actually intended to prevent cross-site tracking, are thus undermined. The problem could presumably be solved easily: Safari should only trigger the MarketplaceKit if it is the official website of an alternative app store – but not for any website. Apple has not yet responded to the gap.
Empfohlener redaktioneller Inhalt
Mit Ihrer Zustimmmung wird hier ein externer Preisvergleich (heise Preisvergleich) geladen.
Ich bin damit einverstanden, dass mir externe Inhalte angezeigt werden. Damit können personenbezogene Daten an Drittplattformen (heise Preisvergleich) übermittelt werden. Mehr dazu in unserer Datenschutzerklärung.
(bsc)
