Apple’s ‘incredibly private’ Safari users could still be tracked in Europe

Apple’s latest clash with the EU has left European Safari users potentially vulnerable to web activity tracking.

Apple has a history of attempting to dodge EU regulations, even getting slapped with a €1.8 billion fine for streaming violations in March. Now, the company’s final cave-in to European antitrust rules by allowing third-party apps on iPhones has left users potentially vulnerable to web activity tracking.

Previously, Apple’s Safari has been touted as a private, safe way to browse. Now, however, as reported by The Register, developers Talal Haj Bakry and Tommy Mysk have uncovered that the way Apple has allowed third-party apps access leaves potential privacy gaps.

Essentially, when visited by Safari by iOS, any website can pin a chosen approved software marketplace with a unique identifier for every user. As users move from site to site, that information can be quietly disclosed to a third-party (aka non-Apple) app store. This tracking data can be user for targeted ads and other data-driven personalization.

Is there a real risk to Apple Safari users?

As it stands, this risk appears to only apply to iOS 17.4 users in the EU and there aren’t yet any reports of the privacy gap being exploited. However, the potential appears to be there.

“Our testing shows that Apple delivered this feature with catastrophic security and privacy flaws,” wrote Bakry and Mysk in an advisory published on April 28.

The major failings of Apple, according to the developer duo, is that: it fails to check the origin of the website, allowing for unsupervised tracking; it doesn’t validate the JSON Web Tokens, ‘opening the door’ for malicious targeting; and it lacks certificate pinning, offering room for an intermediary to access the communication.

iOS users in Europe are urged to use a different privacy-driven browser, such as Brave or DuckDuckGo, which both plug the gaps that Safari has left open in Europe.

Featured image: Unsplash