14 Oct 2019
Apple under scrutiny for sending Safari browsing data to China's Tencent
Apple is attracting scrutiny over how Safari checks whether the websites you visit are fraudulent or malware-infested, after Chinese internet conglomerate Tencent was found listed as a Safe Browsing provider.
The Safari feature — dubbed “Fraudulent Website Warning” in iOS and macOS — is meant to enhance online security by cross-referencing URLs against a blacklist service provided by safe browsing providers such as Google and Tencent.
“This feature appears to be ‘on’ by default in iOS Safari, meaning that millions of users could potentially be affected,” said Johns Hopkins cryptography professor Matthew Green.
But for this to work, browser makers, including Apple and Mozilla, “send information calculated from the website address to Safe Browsing providers to check if the website is fraudulent,” and the providers may also log your IP address in the process.
Google and Tencent are two of the major Safe Browsing providers, and Google’s offering has been embraced by most modern browsers. Microsoft, likewise, has a similar cloud-based anti-phishing and anti-malware tool called SmartScreen built into most of its products, such as Windows, Internet Explorer, Microsoft Edge, and Outlook.
It’s not immediately clear if Tencent is actually collecting IP addresses from users residing outside of China or when Apple added the company to the list along with Google, but some tweets point to versions starting from iOS 12.2.
The open-source WebKit rendering engine, which underpins Safari, also powers every third-party browser on iOS, because Apple’s App Store Review Guidelines (Section 2.5.6) require apps that browse the web to use WebKit.
Google, for instance, provides two different Safe Browsing APIs — a Lookup and an Update API, the former of which allows browsers to send URLs in plaintext to the Google Safe Browsing server to check their status. The search giant, in its documentation, acknowledges the privacy drawback: “URLs are not hashed, so the server knows which URLs you look up.”
The latter, in contrast, lets browsers download the Safe Browsing lists (distributed as truncated SHA-256 hash prefixes rather than plaintext URLs) for local, client-side checks. The client hashes the URL and its parent-domain and path-prefix variants and compares the prefixes against the local list entirely on the device; only when a prefix matches does it contact the server, and even then it sends just the matching hash prefixes, not the URL, to retrieve the full hashes for a final client-side comparison. The provider therefore never learns the actual URLs Safari queries, although a prefix match does reveal that some URL with that prefix was visited, and the request exposes the client’s IP address at that moment.
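To make the difference between the two APIs concrete, here is an added example (written for this page, not Apple's or Google's code) that implements the client side of the Update API flow: it generates the URL expressions Google's Safe Browsing specification defines (exact host plus up to four parent domains, full path plus up to five path prefixes), hashes them, matches 4-byte prefixes against a local list, and only then asks a provider for full hashes. The local prefix list, the stand-in "server" and the URLs are constructed for the demo and are not real threat data; URL canonicalization is simplified relative to the spec. The `local_check` return value is exactly the set of bytes that would leave the device.

```python
"""Client-side Safe Browsing check modelled on Google's Update API (v4).

Added example: the URL-expression and hash-prefix logic follows Google's
published Safe Browsing spec; the local prefix list, the "server" and the
URLs below are constructed for this demo and are NOT real threat data.
"""
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # Safe Browsing lists hold SHA-256 prefixes of at least 4 bytes


def canonicalize(url):
    """Minimal canonicalization: lowercase host, drop fragment, default path.
    The real spec also handles percent-encoding, dot-segments and IP forms."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    path = parts.path or "/"
    return host, path, parts.query


def host_suffixes(host):
    """Exact host plus up to four parent domains built from the last five
    labels, never the bare top-level domain (per the spec)."""
    if host.replace(".", "").isdigit():      # literal IPv4: one expression only
        return [host]
    tail = host.split(".")[-5:]
    out = [host]
    for i in range(len(tail) - 1):            # stop before the TLD
        cand = ".".join(tail[i:])
        if cand != host:
            out.append(cand)
    return out


def path_prefixes(path, query):
    """Full path (+query), path without query, then "/" and up to three
    directory prefixes built from the root, each with a trailing slash."""
    out = [path + ("?" + query if query else "")]
    if query:
        out.append(path)
    comps = [c for c in path.split("/") if c]
    dirs = comps if path.endswith("/") else comps[:-1]   # drop the file name
    prefixes, acc = ["/"], ""
    for c in dirs[:3]:
        acc += "/" + c
        prefixes.append(acc + "/")
    for p in prefixes:
        if p not in out:
            out.append(p)
    return out


def url_expressions(url):
    host, path, query = canonicalize(url)
    return [h + p for h in host_suffixes(host) for p in path_prefixes(path, query)]


def full_hash(expr):
    return hashlib.sha256(expr.encode()).digest()


def prefix(expr):
    return full_hash(expr)[:PREFIX_LEN]


def local_check(url, local_prefixes):
    """Offline step: the prefixes of this URL that hit the local list.
    Only these bytes (never the URL) would be sent to the provider."""
    return sorted({prefix(e) for e in url_expressions(url)} & local_prefixes)


def is_unsafe(url, local_prefixes, fetch_full_hashes):
    """Full Update-API flow: local prefix match, full-hash lookup for the
    matched prefixes only, then compare full hashes on the client."""
    hits = local_check(url, local_prefixes)
    if not hits:
        return False                       # nothing leaves the device
    server_hashes = set(fetch_full_hashes(hits))
    return any(full_hash(e) in server_hashes for e in url_expressions(url))


# --- constructed demo data (not a real blocklist) -------------------------
BLOCKED_EXPRESSION = "phish.example.net/login/"
SERVER_DB = {full_hash(BLOCKED_EXPRESSION)}              # provider's full hashes
LOCAL_PREFIXES = {h[:PREFIX_LEN] for h in SERVER_DB}     # what the client syncs


def demo_fetch_full_hashes(prefixes):
    """Stand-in for the provider's full-hash endpoint (hypothetical)."""
    return [h for h in SERVER_DB if h[:PREFIX_LEN] in prefixes]


if __name__ == "__main__":
    for u in ["https://www.example.com/about?x=1",
              "https://phish.example.net/login/verify.php?id=7",
              "https://a.phish.example.net/login/"]:
        print(u, "->", is_unsafe(u, LOCAL_PREFIXES, demo_fetch_full_hashes),
              "| prefixes sent:", [p.hex() for p in local_check(u, LOCAL_PREFIXES)])
```

Run it and the benign URL produces no network request at all, while the two phishing URLs (including the subdomain variant, caught via the parent-domain expression) send a single 4-byte prefix and are flagged after the full-hash comparison. Contrast this with the Lookup API, where the whole URL string would be the request.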
Regardless of whether the safe browsing provider is Google or Tencent, if you’re not comfortable with this setting being on by default, you can turn it off by following the steps listed below:
- iOS: Settings > Safari > Turn off Fraudulent Website Warning
- macOS: Safari > Preferences > Security > Uncheck Warn when visiting a fraudulent website
It is quite possible that Tencent’s list is used only for devices in China, where Google’s services are blocked, and not elsewhere. But the development has come to the fore at a time when the iPhone maker is caught between a rock and a hard place with regard to its practices in the country.
“While they [Tencent] may be just as trustworthy, we deserve to be informed about this kind of change and to make choices about it,” said Green. “At very least, users should learn about these changes before Apple pushes the feature into production, and thus asks millions of their customers to trust them.”