April 30, 2024 at 03:35AM
Apple’s compliance with European antitrust rules by allowing third-party app stores on iPhones has exposed Safari users to potential web tracking. Security researchers found issues in Apple’s implementation, highlighting flaws in the installation process and concerns regarding privacy and security. The researchers recommend using the Brave browser over Safari for better protection.
There are significant security and privacy flaws in the way Apple has implemented the installation process for third-party software marketplaces on iOS with Safari. These flaws have the potential to expose European Union Safari users to web activity tracking by approved third-party app stores.
Developers Talal Haj Bakry and Tommy Mysk have identified several failings in Apple’s URI scheme, particularly that it does not check the origin of the website and fails to validate JSON Web Tokens (JWT). They also point out that Apple isn’t using certificate pinning, leaving room for intermediary meddling during the MarketplaceKit communication exchange. This raises concerns about the potential for rogue app stores to be allowed through Apple’s review process, as well as privacy issues stemming from Apple’s desire to track third-party store usage.
The researchers recommend using the Brave browser over Safari in Europe, as it includes measures to prevent cross-site tracking. They argue that Apple’s failure to implement third-party app stores securely has turned its security and privacy concerns into a self-fulfilling prophecy.
Apple’s response to the Digital Markets Act (DMA) raises questions about the company’s commitment to protecting users and whether it is capable of, and interested in, doing so.
Overall, the findings highlight the urgent need for Apple to address the security and privacy flaws in its implementation of third-party software marketplaces on iOS with Safari.