Apple leaks Safari history fingerprints to China

Richi Jennings, your humble blogwatcher, dba RJA

At first, people were worried that China recorded Safari users’ IP addresses. But as the dust settles, things seem much worse than that.

For Apple Safari users in China, the only barrier between privacy and leaking browser histories to Tencent is a list of short hashes. To be fair, people can switch it off, but the cure might be worse than the disease.

At best, it’s another Cupertino-style failure to communicate. In this week’s Security Blogwatch, we browse safe.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: honeysim.

AAPL PR FAIL

What’s the craic? Tim Hardwick rumors a rumor, ruminating thuswise—Apple Sending User Data to Chinese Company:

Safari for iOS and Mac has come under scrutiny for using Chinese internet giant Tencent as one of its Safe Browsing providers. [It] has long sent data to Google Safe Browsing to … protect users against phishing [and] malware. However, it's unclear when Apple started sending user data to Tencent as well.

Apple notes … it sends some user IP addresses to Tencent, but most users are probably unaware of the fact. … The privacy implications of shifting Safe Browsing to Tencent's servers are unknown, because Apple hasn't said much about it.

Apple's relationship with the Chinese government has come in for increasing criticism lately. And that could make customers uneasy about Apple's links to Tencent.

Uh, yeah, you could say that. Alan Martin says that—Safari on iPhone shares IP addresses with Chinese tech giant:

Apple is a big fan of privacy. Like, a really big fan. … Taking out 150-foot ads shouting about it … shows just how mad keen Cook & Co is about keeping things private.

And yet … by default, Safari shares some user IP addresses with Chinese conglomerate Tencent. … Tencent is, after all, a company that's so buddy-buddy with the ruling … party that it literally made a game where you applaud a Xi Jinping speech.

Has Apple been transparent about this? … Only if you know where to look. And … it's not really what you'd call "informed consent."

Who lit the flame under this fire? Tom Parker, with Safari browser sends some user IP addresses to Chinese conglomerate:

During the last week, the reality that US companies often bend the knee to China has been thrown into the spotlight. … Given the recent examples of … Apple taking punitive actions against apps … seemingly in an effort to appease China, the revelation that Apple may send user IP addresses to Chinese conglomerate Tencent is worrying.

Tencent works closely with the Chinese Communist Party. It facilitates government censorship in China.

Safari is the default browser on iOS devices. … Even if people install a third-party browser on their iOS device, viewing web pages … still opens them in an integrated form of Safari.

IP addresses can reveal user locations and be used to profile users across devices. If Tencent logs the IP address of an iPhone or iPad user through its Safe Browsing service, this information could potentially be used to identify the owner of the device by searching for instances of the IP address across Tencent’s other services.

Prepare the flaming pitchforks! But Rene Ritchie toes the party line (no, the other party)—Here's Apple's statement:

Apple and China have a complicated relationship. … It's led to some incredibly informative reporting, but also some ride-along FUD.

Here's Apple's statement: “Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning, [which] flags websites known to be malicious. [It] displays a warning if the URL the user is visiting is suspected of fraudulent conduct. … Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent.”

[So] if your device is region-set to most places, you get Google's. If it's region set to mainland China, you get Tencent's. … Safari then checks the site against the list on device to determine if there's an exact match. So, the specific URL is never sent to Google or Tencent.

In theory. But in practice? Stijn de Vries—@StijnDV—checks it out:

It makes sense: … Google Safe Browsing doesn’t work in China. I checked my DNS logs and I don’t have any traffic sent to Tencent over the last 3 months, so it is very likely only active for Chinese users.

But is it safe? Matthew Green asks, How safe is Apple’s Safe Browsing?:

The weakness in this approach is that it only provides some privacy. The typical user won’t just visit a single URL, they’ll browse thousands of URLs over time. … A user who browses many related websites … will gradually leak details about their browsing history to the provider. … (There has been some academic research on such threats.)

The problem is that Safe Browsing … has never been exactly “safe”. Its purpose was never to provide total privacy to users, but rather to degrade the quality of browsing data that providers collect. … While Google certainly has the brainpower to extract a signal from the noisy Safe Browsing results, it seemed unlikely that they would bother.

But Tencent isn’t Google. … At very least, users should learn about these changes before Apple pushes the feature into production.

We shouldn’t have to read the fine print. When Apple wants to advertise a major privacy feature, they’re damned good at it. … But lately there’s been a troubling silence out of Cupertino … related to the company’s interactions with China.

Maybe Apple feels it can navigate this split personality … and still maintain its integrity. I very much doubt it will work.
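The "only some privacy" point above is easiest to see in code. The following is an added illustration, not code from the article, from Apple, Google or Tencent: it models the hash-prefix lookup that Safe Browsing-style services use (the client downloads short hash prefixes of the blocklist, checks locally, and only when a prefix matches asks the provider for the full hashes behind that prefix). SHA-256, a 4-byte prefix, the simplified URL canonicalisation, and the `Provider`/`Client`/`anonymity_set` names are all assumptions made for this model; the blocklist and visited URLs are constructed. The provider never receives a URL, but it does receive every prefix that hit, and `anonymity_set` measures how little that prefix hides once the provider has a corpus of candidate URLs, which is the degradation the quoted post describes.

```python
import hashlib
from urllib.parse import urlsplit

# Prefix length in bytes. 4 bytes is the size used by the Safe Browsing
# Update API design this model is based on; it is an assumption here, not a
# statement about Apple's implementation.
PREFIX_LEN = 4


def canonical_host_path(url: str) -> str:
    """Deliberately simplified canonicalisation: lower-cased host plus path."""
    parts = urlsplit(url)
    return f"{parts.netloc.lower()}{parts.path or '/'}"


def full_hash(url: str) -> bytes:
    return hashlib.sha256(canonical_host_path(url).encode()).digest()


def prefix(url: str) -> bytes:
    return full_hash(url)[:PREFIX_LEN]


class Provider:
    """Stand-in for the list provider (Google or Tencent in the article).

    It publishes the prefix list, answers full-hash requests, and records
    every prefix it is asked about: that log is the observation channel the
    privacy discussion is about.
    """

    def __init__(self, blocklist):
        self.full_hashes = {full_hash(u) for u in blocklist}
        self.observed = []  # prefixes received from clients, in order

    def prefix_list(self):
        return {h[:PREFIX_LEN] for h in self.full_hashes}

    def full_hashes_for(self, p: bytes):
        self.observed.append(p)
        return {h for h in self.full_hashes if h.startswith(p)}


class Client:
    """Browser side: a local prefix check, then a network round trip only on a prefix hit."""

    def __init__(self, provider: Provider):
        self.provider = provider
        self.local_prefixes = provider.prefix_list()  # downloaded list, checked on device
        self.network_requests = 0

    def check(self, url: str) -> str:
        p = prefix(url)
        if p not in self.local_prefixes:
            return "safe"  # no prefix hit: nothing about this URL leaves the device
        self.network_requests += 1  # prefix hit: the provider now learns this prefix
        if full_hash(url) in self.provider.full_hashes_for(p):
            return "blocked"
        return "safe"  # prefix collision with a benign page, but the prefix was still sent


def anonymity_set(p: bytes, candidate_urls):
    """URLs in a candidate corpus whose prefix equals p.

    Everything the provider can infer about a visited page comes from this
    set; with a 32-bit prefix and a realistic corpus it is usually tiny.
    """
    return [u for u in candidate_urls if prefix(u) == p]


# Constructed sample data (not real indicators).
BLOCKLIST = [
    "http://phish.example/login",
    "http://malware.example/download",
    "http://scam.example/prize",
]
VISITS = [
    "https://news.example/article/1",
    "http://phish.example/login",
    "https://shop.example/cart",
]

if __name__ == "__main__":
    provider = Provider(BLOCKLIST)
    client = Client(provider)
    for url in VISITS:
        print(f"{url:40s} -> {client.check(url)}")
    print("network requests:", client.network_requests)
    corpus = BLOCKLIST + VISITS
    for p in provider.observed:
        print("provider saw prefix", p.hex(), "->", anonymity_set(p, corpus))
```

Run as a script to see that only the listed URL triggers a request, and that the provider's log of prefixes, joined with a corpus of candidate pages, pins that visit down to a single URL. Over many visits the same mechanism is what turns "no URL is ever sent" into a gradual leak of history to whoever operates the list.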

But, c’mon, did Apple really have a choice? kbg concludes that it did:

If China blocks [Google] then obviously you either disable safe browsing in China completely or just don't support China for your browser. Chinese censorship is not something you should support.

And then there’s the matter of the terrible PR. John Gruber rolls his eyes:

My assumption was that Apple was only using Tencent in mainland China. … Apple’s statement today makes it clear that that is true.

But Apple brought this mini-controversy upon itself, because Apple’s own description of the feature doesn’t specify when the Fraudulent Website Warning feature uses Google and when it uses Tencent.

So let’s all move to Google’s Android? Powercntrl wishes a plague on both their houses:

Apple literally still bans apps which violate their developer guidelines. This would be fine if there was an option to enable apps from untrusted sources, but Apple doesn't trust you, either.

Apparently, the government doesn't see this as any sort of anti-competitive behavior, because there’s still one major competitor in the mobile OS market (which happens to also be an ad company, oh joy).

Meanwhile, Fraud Guarantee—@IDtheMIKE—concludes with this colorful metaphor:

Apple is bending over for China in ways I didn’t know you could.

The moral of the story?

Your Apple users in China are either leaking browser history, or are more vulnerable to malicious sites. Choose wisely.

And finally

Károly Zsolnai-Fehér answers the question literally nobody is asking


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Kurious (Pixabay)
