To comply with the laws of the European Union (EU), Apple has allowed EU users to download and install apps from other marketplaces and websites. However, the implementation of this feature was made “with catastrophic security and privacy flaws”, allowing malicious marketplaces to track Apple users across different websites.
This is according to cybersecurity researchers Talal Haj Bakry and Tommy Mysk, who released their technical analysis in a blog published last weekend.
By now, everyone is fully aware of Apple’s “walled garden” approach to its ecosystem. It generally doesn’t allow third-party app stores, claiming they are a major security risk. However, in the EU, under the Digital Markets Act (DMA), the American smartphone giant was deemed a “gatekeeper” for iOS, the App Store, Safari, and iPadOS, and was forced to allow third-party app stores and websites offering apps for download (albeit, vetted).
Replacing the browser
Hence, with iOS 17.4, Apple introduced a new URI scheme, allowing EU users to download and install alternative marketplace apps from websites, the blog reads. “Once an authorized browser invokes the special URI scheme marketplace-kit, it hands off the installation request to a MarketplaceKit process that starts communicating with the marketplace back-end servers to finally install the app,” the researchers explained.
“As part of the installation flow, the MarketplaceKit process sends a unique client_id identifier to the marketplace back-end. Both Safari and the MarketplaceKit process allow any website to make a call to the marketplace-kit URI scheme of a particular marketplace. As a result, multiple websites can trigger the MarketplaceKit process to send the same unique identifier client_id to the same marketplace back-end. This way a malicious marketplace can track users across different websites.”
So the problem lies in Apple’s browser, Safari, the researchers concluded, saying that the way Apple’s engineers handled the implementation was “very puzzling.”
“Safari should protect users against cross-site tracking,” they conclude, before suggesting alternative solutions. You can read more about their suggestions here.
More from TechRadar Pro
- Here’s what alternative iPhone app stores will look like – and how they’ll work
- Here’s a list of the best firewalls around today
- These are the best endpoint security tools right now