Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Apple’s third-party Safari integrations rolled out with “catastrophic security and privacy flaws”

Safari app icon on smartphone.

To comply with the laws of the European Union (EU), Apple has allowed EU users to download and install apps from other marketplaces and websites. However, the implementation of this feature was made “with catastrophic security and privacy flaws”, allowing malicious marketplaces to track Apple users across different websites.

This is according to cybersecurity researchers Talal Haj Bakry and Tommy Mysk, who released their technical analysis in a blog published last weekend.

By now, everyone is fully aware of Apple’s “walled garden” approach to its ecosystem. It generally doesn’t allow third-party app stores, claiming they are a major security risk. However, in the EU, under the Digital Markets Act (DMA), the American smartphone giant was deemed a “gatekeeper” for iOS, the App Store, Safari, and iPadOS, and was forced to allow third-party app stores and websites offering apps for download (albeit, vetted). 

Replacing the browser

Hence, with iOS 17.4, Apple introduced a new URI scheme, allowing EU users to download and install alternative marketplace apps from websites, the blog reads. “Once an authorized browser invokes the special URI scheme marketplace-kit, it hands off the installation request to a MarketplaceKit process that starts communicating with the marketplace back-end servers to finally install the app,” the researchers explained. 

“As part of the installation flow, the MarketplaceKit process sends a unique client_id identifier to the marketplace back-end. Both Safari and the MarketplaceKit process allow any website to make a call to the marketplace-kit URI scheme of a particular marketplace. As a result, multiple websites can trigger the MarketplaceKit process to send the same unique identifier client_id to the same marketplace back-end. This way a malicious marketplace can track users across different websites.”

So the problem lies in Apple’s browser, Safari, the researchers concluded, saying that the way Apple’s engineers handled the implementation was “very puzzling.”

“Safari should protect users against cross-site tracking,” they conclude, before suggesting alternative solutions. You can read more about their suggestions here

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.