Europeans risk their security by downloading apps from third-party stores in Safari

Father

What did Apple's thirst for control lead to?

Researchers Talal Haj Bakry and Tommy Mysk studied how Apple integrates third-party app stores on its devices. Their audit found vulnerabilities that put the security and confidentiality of user data at risk.

A new feature in the iOS 17.4 operating system allows users in the European Union to install applications via alternative platforms using a special URI scheme, marketplace-kit:. This scheme allows websites to embed a button that, when activated in the Safari browser, starts the MarketplaceKit process on the device. The process initiates communication with the selected store's servers to complete the app installation.

Absolutely any site can initiate a marketplace-kit: request. After that, on devices running iOS 17.4, the universal ID is sent to the servers of the approved store. Thus, a potential attacker can get information about the sites visited by the user, even if the browser is in private browsing mode.

Bakry and Mysk identified three key flaws in the implementation of Apple's URI scheme:
  1. Lack of verification of the request source, which opens up opportunities for tracking user activity across different sites.
  2. Insufficient validation of the JSON Web Token (JWT) used in requests, which increases the risk of attacks by injecting malicious code.
  3. Lack of certificate binding (pinning), which increases the likelihood of man-in-the-middle attacks.

It is obvious that the vulnerabilities arose due to Apple's desire to control the interaction process between stores and customers. Apparently, this is necessary for statistics and calculating commission fees.

Bakry and Mysk recommend that Europeans use the Brave browser, which includes verification of the source of websites, thus minimizing the risks of unwanted cross-site tracking.

It's important to note that these issues call into question Apple's ability to protect our privacy. After all, security depends not only on how well third-party stores provide protection, but also on how much they are interested in it.
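
The first flaw in the list above is the missing check on which site issued a marketplace-kit: request. The JavaScript below is an added example, not code from this post, Apple or Brave: it shows one way a browser could compare the page's origin with the store named in the link before handing the request to the system. The URL layout and the `store` parameter are assumptions made for illustration, and all domains are constructed.

```javascript
// Added example: source check for marketplace-kit: navigations.
// ASSUMPTION: the layout "marketplace-kit://install?store=<domain>" and the
// parameter name "store" are hypothetical, not Apple's documented format.
const SCHEME = "marketplace-kit:";

// True when host is the store domain itself or one of its subdomains.
function hostBelongsTo(host, domain) {
  const h = host.toLowerCase().replace(/\.$/, "");
  const d = domain.toLowerCase().replace(/\.$/, "");
  return h === d || h.endsWith("." + d);
}

// initiator: URL of the top-level page; target: the link that was activated;
// userGesture: whether a real tap or click triggered the navigation.
function checkMarketplaceNavigation(initiator, target, userGesture) {
  let page, link;
  try {
    page = new URL(initiator);
    link = new URL(target);
  } catch {
    return { allow: false, reason: "unparseable URL" };
  }
  if (link.protocol !== SCHEME) {
    return { allow: true, reason: "not a marketplace-kit link" };
  }
  // Scripts and redirects must not fire the scheme silently.
  if (!userGesture) return { allow: false, reason: "no user gesture" };
  if (page.protocol !== "https:") {
    return { allow: false, reason: "initiator is not https" };
  }
  const store = link.searchParams.get("store");
  if (!store || !/^[a-z0-9-]+(\.[a-z0-9-]+)+\.?$/i.test(store)) {
    return { allow: false, reason: "missing or malformed store domain" };
  }
  // Core check: only the store's own site may start an install, so an
  // unrelated page cannot cause the device to contact the store's servers.
  if (!hostBelongsTo(page.hostname, store)) {
    return { allow: false, reason: "cross-site request" };
  }
  return { allow: true, reason: "same-site request" };
}
```

With this policy a news site embedding a link to another party's store is refused, so the store never receives a request that reveals the visit.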
 