New URI scheme due to EU regulation: Website tracking in Apple’s Safari

As is well known, iPhones in the EU can do more than devices in other regions of the world: because of the Digital Markets Act (DMA), Apple has to permit alternative app stores. However, Apple apparently made mistakes when implementing this in the Safari browser, which could lead to data leakage. This is reported by a group of security researchers led by Tommy Mysk. Together with developer Talal Haj Bakry, Mysk examined the new “marketplace-kit” URI scheme implemented in Safari for the EU.

The new mechanism is intended to let websites in Safari offer the download of such an app store via a button. However, Mysk and Bakry noted that the function, available from iOS 17.4, can currently be used freely by any website. This would make it possible for alternative app store providers to track users even in incognito mode if they cooperate with website operators. A unique per-user identifier is transmitted, which does not change.

The problem does not occur with competing browsers such as Ecosia or Brave, which also support the installation of alternative app stores. However, this is currently only a hypothetical form of attack, as there are currently only three different providers of such app stores, none of which is known to exploit the problem described by Mysk and Bakry. The researchers therefore emphasize that only “malicious alternative marketplaces” could act in this way. It is unclear whether Apple would detect this during approval.

However, the question arises as to why the URI scheme was designed to be so leak-friendly. According to the researchers, Safari always calls MarketplaceKit as long as the URI scheme is in a page, “blindly,” as they put it. With each call, the alternative app store is triggered along with a unique ID, and a “custom payload” is even sent along.

To carry out the attack, operators of alternative app stores would have to coordinate with website providers. Safari privacy functions that are intended to prevent cross-site tracking are undermined in the process. The problem could probably be solved easily: Safari should only trigger MarketplaceKit if it is the official website of an alternative app store, but not for any arbitrary app store. Apple has not yet responded to the vulnerability.


(bsc)
