Apple's New Security Flaw May Put 1 Billion Users at Risk

Source: Forbes

Apple has found itself in the middle of another storm in a China teacup, this one relating to the companys inclusion of a Chinese companys safe browsing service within its Safari web browser.

The issue came to the fore when Reclaim The Net published an article on October 10 which warned that its been discovered that Apple, which often positions itself as a champion of privacy and human rights, is sending some IP addresses from users of its Safari browser on iOS to Tencent.

Apple also uses Googles equivalent safe browsing service, and lets face it thats a company with its own questionable track record on data privacy. The safe browsing setting is switched on by default, so by default it could impact all iOS Safari browsing.

Theres little technical substance herethe inclusion of Tencents Safe Browsing is old news, and has been in the public domain since 2017. There is also ambiguity as to whether this impacts Chinese iOS users or has spread further afield. Apple clearly can use this more widely, but it doesnt mean that it does.

And to be honest, if there is a privacy breach here it would be of much more concern for users inside China.

Its unclear when Apple started allowing Tencent and Google to log some user IP addresses, Reclaim The Net says, but one Twitter user reported seeing this change to Safari as early as the iOS 12.2 beta in February 2019. Safari is the default browser on iOS devices... Even if people install a third-party browser on their iOS device, viewing web pages inside apps still opens them in an integrated form of Safari called Safari View Controller... forcing people back into Safari make it difficult for people to avoid the Safari browser completely when using an iPhone or iPad.

But, unsurprisingly, this prompted the usual Apple China backlash, with users taking to the internet to share their intent to turn off safe browsing, such was their concern about the invasion of personal privacy Beijing was about to inflict on them. Others sensibly dismissed the dangersalmost all of which are ambiguous. 

Ultimately, though, the very real risk is that a theoretical issue of data being shared with third-party companies could see users turn off defences against the very real issue of phishing scams.

\n