EU iPhone users—avoid alternative app stores until Apple fixes this
If you’re using the newest version of Safari on your smartphone, you may be at risk of tracking. This is the worrying finding of two iOS developers and security researchers.
With the latest iOS update to its web browser, Apple finally accommodated EU antitrust rules by introducing a new way for people in the EU to download alternative app stores. However, the feature comes with “catastrophic security and privacy flaws,” Talal Haj Bakry and Tommy Mysk can reveal.
This isn’t the first time the duo has revealed security flaws linked to Apple devices and their applications. In January, they discovered the iPhone X app may be sending unwanted personal data without your knowledge. In 2022, they also reported a data leak occurring when using VPN services on iOS 16.
A flawed Safari URI scheme
Under the Digital Market Act (DMA), Big Tech companies falling in the category of gatekeepers have to follow strict requirements intended to reduce anticompetitive behavior. Apple, for example, must allow alternative app stores on iOS.
That’s exactly why the Big Tech giant introduced a URI scheme in the iOS 17.4 update. This mechanism enables iPhone and iPad users in the EU to install alternative marketplace apps directly from the developers’ websites.
To make it work, marketplace developers are required to include an HTML button that, when tapped in the Safari app, launches the alternative distribution app installation link (MarketplaceKit). This is a security safeguard, Apple says, to prevent a marketplace from installing apps without a person’s consent. According to the researchers, however, Apple’s implementation instead endangers the privacy and security of all iPhone users in the EU looking to use this feature.
“Apple must have forgotten that this is the web, and developers can actually style HTML buttons to virtually look like anything,” wrote Bakry and Mysk in a blog post.
That’s a big issue because, as the duo discovered, when Safari invokes the URI scheme, it doesn’t check whether the website containing the alternative distribution link actually matches a registered marketplace. Worse still, they found the browser would accept any parameters once the scheme was invoked, even when the information doesn’t match the marketplace. Other flaws within this system may enable bad actors to intercept and manipulate third-party requests, too.
“This makes the perfect recipe for a malicious marketplace to be able to track users across different websites. All the malicious marketplace has to do is get approved by Apple,” explained Bakry and Mysk, adding that Apple’s review process is notoriously flawed as many scam apps continue to find their way into the provider’s official App Store.
According to security researchers, all this makes people using an iPhone in the EU vulnerable to cross-site tracking while opening the door to various injection attacks. See the video below for more technical information on how the URI process and security bugs work in practice.
While flaws in software are not uncommon, Bakry and Mysk argue that the severity of these flaws in both the design and implementation raises concerns about Apple’s entire approach to app sideloading. They believe, in fact, that such a security bug stems from Apple’s insistence on inserting itself between the alternative marketplaces and their users.
For example, they explained, under the system that the Brave app implemented, the secure browser checks the website’s origin and declines to invoke the URI scheme if the URLs don’t match.
“Surprisingly, Apple finds it more important to check if the scheme call came from an HTML button event than checking for cross-site invocation,” said the researchers. They now urge all iPhone users in the EU to use Brave to avoid being tracked.
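The following is an added illustration, not code from Apple, Brave or the researchers, of the two checks the article contrasts: a browser that only confirms the scheme was fired by a button event, versus one that also confirms the invoking page is a registered marketplace origin and that the parameters it passes match that registration. The scheme name, registry entries and parameter names (`marketplaceId`, `origin`) are constructed placeholders, not Apple’s real MarketplaceKit identifiers.

```javascript
// Added example (not Apple's, Brave's or the researchers' code): a model of the
// origin and parameter checks a browser can apply before it hands a custom URI
// scheme invocation to a marketplace installer. The scheme name, registry
// contents and parameter names are constructed placeholders.

const SCHEME = "example-marketplace:"; // placeholder; not the real scheme name

// Constructed registry: origins an app-review process has approved, with the
// marketplace identifier each one is registered to invoke.
const REGISTERED_MARKETPLACES = new Map([
  ["https://store.example-a.test", { marketplaceId: "store-a" }],
  ["https://apps.example-b.test", { marketplaceId: "store-b" }],
]);

// Parse the scheme URL and return its query parameters, or null if it is not
// the marketplace scheme at all.
function parseInvocation(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return null;
  }
  if (url.protocol !== SCHEME) return null;
  return Object.fromEntries(url.searchParams.entries());
}

// Decide whether an invocation may proceed. `invokingOrigin` is the origin of
// the document whose button fired the scheme; `userGesture` is whether a real
// tap started it (the check the article says Apple relies on). Every failed
// check is recorded so the caller can log it.
function evaluateInvocation({ invokingOrigin, userGesture, href }) {
  const params = parseInvocation(href);
  if (params === null) {
    return { allow: false, reasons: ["not a marketplace scheme URL"] };
  }
  const reasons = [];

  // 1. A gesture check alone is not enough: a styled button on any site can
  //    produce one, which is exactly the gap the researchers point out.
  if (!userGesture) reasons.push("no user activation");

  // 2. Cross-site check: the page invoking the scheme must itself be a
  //    registered marketplace origin (the check the article credits Brave with).
  const registration = REGISTERED_MARKETPLACES.get(invokingOrigin);
  if (registration === undefined) {
    reasons.push(`cross-site invocation: ${invokingOrigin} is not a registered marketplace origin`);
  } else {
    // 3. Parameter check: what the page passes must match its registration,
    //    instead of being accepted as-is once the scheme fires.
    if (params.marketplaceId !== registration.marketplaceId) {
      reasons.push(`parameter mismatch: marketplaceId=${params.marketplaceId} is not registered to ${invokingOrigin}`);
    }
    if (params.origin !== undefined && params.origin !== invokingOrigin) {
      reasons.push(`parameter mismatch: claimed origin ${params.origin} differs from actual ${invokingOrigin}`);
    }
  }
  return { allow: reasons.length === 0, reasons };
}

// Constructed sample invocations covering the cases the article describes.
const LEGIT_HREF =
  "example-marketplace://install?marketplaceId=store-a&origin=" +
  encodeURIComponent("https://store.example-a.test");

const SAMPLE_INVOCATIONS = [
  { label: "registered marketplace, real tap",
    invokingOrigin: "https://store.example-a.test", userGesture: true, href: LEGIT_HREF },
  { label: "cross-site: same link embedded on an unrelated tracking site",
    invokingOrigin: "https://tracker.example.test", userGesture: true, href: LEGIT_HREF },
  { label: "registered site, but parameters do not match its registration",
    invokingOrigin: "https://store.example-a.test", userGesture: true,
    href: "example-marketplace://install?marketplaceId=store-b&origin=" +
      encodeURIComponent("https://apps.example-b.test") },
  { label: "registered site, scripted without a tap",
    invokingOrigin: "https://store.example-a.test", userGesture: false, href: LEGIT_HREF },
];

// Evaluate every sample and return the decisions, one per sample, in order.
function runSamples() {
  return SAMPLE_INVOCATIONS.map((c) => ({ label: c.label, ...evaluateInvocation(c) }));
}

for (const r of runSamples()) {
  const why = r.reasons.length ? " :: " + r.reasons.join("; ") : "";
  console.log(`${r.allow ? "ALLOW" : "DENY "} ${r.label}${why}`);
}
```

Only the first sample is allowed; the second is refused purely on origin, which is the cross-site case the researchers say Safari lets through, and the third shows why parameters have to be checked against the registration rather than trusted once the scheme fires. Each refusal carries its reasons, so a browser built this way would also have a clear signal to log.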
In the meantime, as the European Commission has just added iPadOS to its gatekeeper list, Bakry and Mysk are now planning to evaluate the security of Apple’s approach to app sideloading on iPad devices as well.
I have contacted Apple about this privacy issue, and I’m still waiting for a comment at the time of writing.