Researchers Talal Haj Bakry and Tommy Mysk have uncovered a significant privacy flaw in Safari that could allow tracking of iPhone users in the European Union (EU). Their investigation reveals vulnerabilities in Apple's implementation of a new URI scheme designed to comply with the European Digital Market Act.
Background and discovery
To meet the requirements of the European Digital Market Act, Apple introduced a new URI scheme in iOS 17.4, enabling EU users to download alternative marketplace apps directly from developers' websites. This scheme, identified as marketplace-kit://, requires activation through an HTML button to initiate app installations, a method Apple claimed would enhance security.
However, Haj Bakry and Mysk's research demonstrates that this security measure is insufficient. They discovered that the implementation allows any website to invoke the URI scheme, potentially enabling unauthorized tracking across websites.
The scheme sends a unique client_id to marketplace back-end servers each time it is activated, which, according to Apple's design, should remain consistent for each combination of device, Apple ID account, and marketplace. That very consistency is what makes the identifier usable as a tracking tool in the hands of malicious actors.
Technical analysis
The research revealed multiple critical issues:
- Cross-Site Tracking: Safari does not verify the origin of a website invoking the marketplace-kit URI scheme. This oversight allows the same unique client_id to be sent from different sites, making it possible for a marketplace to track users across those sites.
- Token Handling Vulnerabilities: MarketplaceKit, the process that handles the installation requests, does not validate the JWTs passed in the installation parameters. This neglect could lead to injection attacks targeting either the MarketplaceKit process or the marketplace back-end.
- Lack of Certificate Pinning: The absence of certificate pinning in the communication process between MarketplaceKit and marketplace servers further exacerbates the security risks, allowing potential interception and manipulation of the data transmitted.
The researchers conducted tests using a sample script deployed on three different websites, proving that the same client_id was sent to the marketplace endpoint from each site, thus confirming the potential for cross-site tracking. Notably, these tests were carried out using Safari on iOS 17.4.1 in private browsing mode, highlighting the flaw's presence even in supposedly more secure browsing sessions.
Recommendations
This discovery raises serious concerns about Apple's approach to app sideloading and its implications for user privacy. Apple's reliance on minimal verification methods (like requiring a button click without further origin checks) is a critical oversight.
The researchers suggest that EU iPhone users concerned about privacy should consider using the Brave browser, which is currently the only authorized browser that actively blocks this type of cross-site tracking.
For developers and platform engineers, it is crucial to verify JWT tokens and ensure robust validation mechanisms are in place. Users should remain vigilant about the security of the platforms they use, particularly when installing apps from alternative marketplaces.
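As an added example (not code from the researchers, from Apple, or from any marketplace), here is the kind of back-end check the recommendation above calls for: an install request is accepted only if it comes from an allowlisted origin and carries an HS256 JWT whose algorithm, signature, issuer, audience and expiry all verify before any claim such as client_id is trusted. The signing key, allowed origins and claim names are assumptions made for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed values for this example: a real marketplace back-end would hold its
# own signing secret and origin allowlist; none of these come from Apple or the page.
SIGNING_KEY = b"example-marketplace-signing-secret"
ALLOWED_ORIGINS = {"https://marketplace.example"}  # pages allowed to trigger installs
EXPECTED_ISSUER = "marketplace.example"
EXPECTED_AUDIENCE = "marketplacekit-install"

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def verify_install_token(token, now=None):
    """Return verified HS256 JWT claims or raise ValueError; trust no field before this."""
    now = time.time() if now is None else now
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError unless three segments
    # Pin the algorithm: the token must not choose it (e.g. "none" or a key swap).
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))  # parsed only after the signature check
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims

def accept_install_request(origin, token, now=None):
    """Origin allowlist first, then token validation; accept only if both pass."""
    if origin not in ALLOWED_ORIGINS:
        return False
    try:
        verify_install_token(token, now)
    except ValueError:
        return False
    return True

def make_install_token(claims, key=SIGNING_KEY):
    # Mint a test token with the same HS256 layout (constructed for the example).
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "HS256", "typ": "JWT"})
    signing_input = f"{header}.{enc(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{base64.urlsafe_b64encode(sig).rstrip(b'=').decode()}"
```

Note that the origin check here stands in for the verification Safari itself does not perform: a back-end that only validates the token still receives the same client_id from every page that triggers the scheme, so both checks are needed.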