Apple sends Safari browsing data to companies in China

An Apple security feature has caught the attention of information security specialists. As reported, the company checks the websites that each user visits to see if they are fraudulent or malware-infested sites.

This Safari feature, known as “Fraudulent Website Warning”, was implemented to improve the online security experience of users using URL cross-references using an external blacklist service. This blacklist was made up of secure browsing providers such as Tencent and Google.

However Matthew Green, an information security specialist, says that because this feature is enabled by default in Safari for iOS, which means that millions of users could suffer the consequences.

“For this feature to work as expected by the company, browser manufacturers must send information calculated from the website address to providers of this blacklisted service to verify if the website is fraudulent”, mentions the expert. In addition, this feature could also facilitate the collection of data about users’ IP for undetermined porposes.

Both Tencent and Google are two of the most important safe browsing service providers, so they are applied in most modern browsers. Microsoft also has similar services, specializing in preventing phishing and malware infections from the cloud. This tool, called SmartScreen, is integrated into most of its products, including Windows system, Internet Explorer and Outlook, added the information security experts.

Although experts point out that there is no evidence to show that these companies, especially Tencent, are collecting IP addresses, it is unclear how Apple allowed this company, together with Google, to provide this blacklisting service. 

Google provides two different secure browsing APIs: a search API and an update API, the first of which allows browsers to send plain text URLs to Google’s secure browsing server to verify their status. The company has already recognized this privacy issue: “URLs are not encrypted, so the server knows what URL each user searches for”, assures the expert.

The latest mechanism, used by Apple, allows browsers to download encrypted versions of secure browsing lists for client-side verification. In other words, the browser never knows the URL queried by Safari, recently mentioned the company. 

In case users do not feel confident to leave this feature enabled, information security specialists of the International Cyber Security Institute (IICS) mention that it is possible to disable it in the browser settings for iOS.