Apple's grudging accommodation of European antitrust rules by allowing third-party app stores on iPhones has left users of its Safari browser exposed to potential web activity tracking.

Developers Talal Haj Bakry and Tommy Mysk looked into the way Apple implemented the installation process for third-party software marketplaces on iOS with Safari, and concluded Cupertino's approach is particularly shoddy.

"Our testing shows that Apple delivered this feature with catastrophic security and privacy flaws," wrote Bakry and Mysk in an advisory published over the weekend.

Apple - which advertises Safari as "incredibly private" - evidently has undermined privacy among European Union Safari users through a marketplace-kit: URI scheme that potentially allows approved third-party app stores to follow those users around the web.

A URI scheme is a way of determining how a particular network request gets handled. A website offering an alternative software marketplace can include a button that, when tapped in Safari, launches a marketplace-kit: request that is handled by a MarketplaceKit process on the EU user's iPhone. This process, built into iOS 17.4 by Apple, then reaches out to the back-end servers of the approved marketplace to complete the installation of that store's app on the phone.

The trouble is, any site can trigger a marketplace-kit: request. On EU iOS 17.4 devices, that will cause a unique per-user identifier to be fired off by Safari to an approved marketplace's servers, leaking the fact that the user was just visiting that site. This happens even if Safari is in private browsing mode. The marketplace's servers can reject the request, which can also include a custom payload, passing more info about the user to the alternative store. This is all illustrated in the video below.

In addition to Apple's Safari, two other iOS browsers currently support third-party app stores in Europe: Brave and Ecosia.

Apple doesn't allow third-party app stores in most parts of the world, citing purported privacy and security concerns - and presumably interest in sustaining its ability to collect commissions for software sales.

But Apple has been designated as a "gatekeeper" under Europe's Digital Markets Act (DMA) for iOS, the App Store, Safari, and just recently iPadOS.

That designation means the iBiz has been ordered to open its gated community so that European customers can choose third-party app stores and web-based app distribution - also known as side-loading.

But wait, there's more

According to Bakry and Mysk, Apple's URI scheme has three significant failings. First, they say, it fails to check the origin of the website, meaning the aforementioned cross-site tracking is possible.

Second, Apple's MarketplaceKit - its API for third-party stores - doesn't validate the JSON Web Tokens (JWT) passed as input parameters via incoming requests. "Worse, it blindly relayed the invalid JWT token when calling the /oauth/token endpoint," observed Bakry and Mysk. "This opens the door to various injection attacks to target either the MarketplaceKit process or the marketplace back-end."

And third, Apple isn't using certificate pinning, which leaves the door open for meddling by an intermediary (MITM) during the MarketplaceKit communication exchange. Bakry and Mysk claim they were able to overwrite the servers involved in this process with their own endpoints.

The limiting factor of this attack is that a marketplace must first be approved by Apple before it can undertake this sort of tracking. At present, not many marketplaces have won approval. We're aware of the B2B Mobivention App marketplace, AltStore, and Setapp. Epic Games has also planned an iOS store. A few other marketplaces will work after an iThing jailbreak, but they’re unlikely to attract many consumers.

The two security researchers argue that scam apps regularly find their way through Apple's review process, meaning rogue app stores could be allowed through. And they claim the privacy problems arise from Apple wanting to track third-party store usage.

"The flaw of exposing users in the EU to tracking is the result of Apple insisting on inserting itself between marketplaces and their users," asserted Bakry and Mysk. "This is why Apple needs to pass an identifier to the marketplaces so they can identify installs and perhaps better calculate the due Core Technology Fee (CTF)."

They urge iOS users in Europe to use Brave rather than Safari because Brave's implementation checks the origin of the website against the URL to prevent cross-site tracking.

Back when Apple planned not to support Home Screen web apps in Europe - a gambit later abandoned after developer complaints and regulatory pressure - the iGiant justified its position by arguing the amount of work required "was not practical to undertake given the other demands of the DMA." By not making the extra effort to implement third-party app stores securely, Apple has arguably turned its security and privacy concerns into a self-fulfilling prophecy.

In its remarks [PDF] on complying with the DMA, Apple declared, "In the EU, every user's security, privacy, and safety will depend in part on two questions. First, are alternative marketplaces and payment processors capable of protecting users? And, second, are they interested in doing so?"

There's also the question of whether Apple is capable of protecting users - and whether it's interested in doing so.

Apple did not respond to a request for comment. ®

https://www.theregister.com//2024/04/30/apple_safari_europe_tracking/