Apple’s third-party Safari integrations rolled out with “catastrophic security and privacy flaws”

Installing third-party apps in the EU could come with unwanted baggage


To comply with the laws of the European Union (EU), Apple has allowed EU users to download and install apps from other marketplaces and websites. However, the implementation of this feature was made “with catastrophic security and privacy flaws”, allowing a malicious marketplace to track Apple users across different websites.

This is according to cybersecurity researchers Talal Haj Bakry and Tommy Mysk, who released their technical analysis in a blog published last weekend.

By now, everyone is fully aware of Apple’s “walled garden” approach to its ecosystem. It generally doesn’t allow third-party app stores, claiming they are a major security risk. However, in the EU, under the Digital Markets Act (DMA), the American smartphone giant was deemed a “gatekeeper” for iOS, the App Store, Safari, and iPadOS, and was forced to allow third-party app stores and websites offering apps for download (albeit vetted ones).

Replacing the browser


Hence, with iOS 17.4, Apple introduced a new URI scheme, allowing EU users to download and install alternative marketplace apps from websites, the blog reads. “Once an authorized browser invokes the special URI scheme marketplace-kit, it hands off the installation request to a MarketplaceKit process that starts communicating with the marketplace back-end servers to finally install the app,” the researchers explained.

“As part of the installation flow, the MarketplaceKit process sends a unique client_id identifier to the marketplace back-end. Both Safari and the MarketplaceKit process allow any website to make a call to the marketplace-kit URI scheme of a particular marketplace. As a result, multiple websites can trigger the MarketplaceKit process to send the same unique identifier client_id to the same marketplace back-end. This way a malicious marketplace can track users across different websites.”
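To make the tracking risk in the quoted flow concrete, here is an added simulation (not Apple’s code and not the researchers’ code): a stub marketplace back-end records which referring site each install request came from, and a stub installer hands it the same client_id regardless of the site that invoked the scheme, as the analysis describes. A second, hypothetical flow derives a per-site identifier instead; that mitigation is an assumption illustrating one common partitioning pattern, not a claim about what the researchers proposed. All identifiers, origins and the device secret are constructed sample values.

```python
"""Simulation of the cross-site tracking risk (constructed example)."""
import hashlib
import hmac
from collections import defaultdict


class MarketplaceBackend:
    """Stub marketplace server that logs every install request it receives."""

    def __init__(self):
        # client_id -> set of referring origins that sent it
        self.seen = defaultdict(set)

    def handle_install(self, client_id: str, referrer: str) -> None:
        self.seen[client_id].add(referrer)

    def sites_linked_to(self, client_id: str) -> set:
        """What a malicious marketplace learns: every site that sent this id."""
        return set(self.seen[client_id])


def unpartitioned_install(backend, device_client_id, origin):
    """The flow as described in the analysis: any site can trigger the
    installer, and the installer always sends the same device-wide id."""
    backend.handle_install(device_client_id, origin)
    return device_client_id


def partitioned_install(backend, device_client_id, origin, device_secret):
    """Hypothetical hardened flow (assumption, not the researchers' proposal):
    derive a per-origin identifier with an HMAC keyed by a device secret so
    that identifiers seen from different sites cannot be linked together."""
    msg = (origin + "|" + device_client_id).encode()
    derived = hmac.new(device_secret, msg, hashlib.sha256).hexdigest()[:16]
    backend.handle_install(derived, origin)
    return derived


def simulate(partitioned: bool):
    """Run three sites through one marketplace; return
    (distinct ids the back-end saw, max sites linkable to a single id)."""
    backend = MarketplaceBackend()
    device_client_id = "client-1234"          # constructed
    secret = b"constructed-device-secret"     # constructed
    origins = ["https://news.example", "https://shop.example",
               "https://forum.example"]       # constructed
    ids = []
    for origin in origins:
        if partitioned:
            ids.append(partitioned_install(backend, device_client_id,
                                           origin, secret))
        else:
            ids.append(unpartitioned_install(backend, device_client_id,
                                             origin))
    linkable = max(len(sites) for sites in backend.seen.values())
    return len(set(ids)), linkable


if __name__ == "__main__":
    print("unpartitioned:", simulate(False))   # one id linked to all 3 sites
    print("partitioned:  ", simulate(True))    # 3 ids, none linked across sites
```

In the unpartitioned run the back-end ends up with a single identifier tied to all three origins, which is exactly the cross-site profile the researchers warn about; in the partitioned run it sees three unrelated identifiers and can link none of them. The point for defenders is that a stable identifier handed to a third party on behalf of arbitrary websites is a tracking primitive, whatever the feature it was built for.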

So the problem lies in Apple’s browser, Safari, the researchers concluded, saying that the way Apple’s engineers handled the implementation was “very puzzling.”

“Safari should protect users against cross-site tracking,” they conclude, before suggesting alternative solutions. You can read more about their suggestions here.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
