Apple sends Safari browsing data to companies in China

An Apple security feature has caught the attention of information security specialists. As reported, the company checks the websites that each user visits to see if they are fraudulent or malware-infested sites.

This Safari feature, known as “Fraudulent Website Warning”, was implemented to improve users’ online security by cross-referencing URLs against an external blacklist service. This blacklist was supplied by secure browsing providers such as Tencent and Google.

However, Matthew Green, an information security specialist, says that because this feature is enabled by default in Safari for iOS, millions of users could suffer the consequences.

“For this feature to work as expected by the company, browser manufacturers must send information calculated from the website address to providers of this blacklisted service to verify if the website is fraudulent”, mentions the expert. In addition, this feature could also facilitate the collection of data about users’ IP addresses for undetermined purposes.

Tencent and Google are two of the most important safe browsing service providers, so their services are used in most modern browsers. Microsoft also has a similar service, specializing in preventing phishing and malware infections from the cloud. This tool, called SmartScreen, is integrated into most of its products, including Windows, Internet Explorer and Outlook, the information security experts added.

Although experts point out that there is no
evidence to show that these companies, especially Tencent, are collecting IP
addresses, it is unclear how Apple allowed this company, together with Google,
to provide this blacklisting service. 

Google provides two different secure browsing APIs: a search API and an update API, the first of which allows browsers to send plain text URLs to Google’s secure browsing server to verify their status. The company has already recognized this privacy issue: “URLs are not encrypted, so the server knows what URL each user searches for”, the expert says.

The latter mechanism, used by Apple, allows browsers to download encrypted versions of secure browsing lists for client-side verification. In other words, the browser never knows the URL queried by Safari, the company recently mentioned.
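
What the blacklist provider learns under each of the two API styles described above, as an added example that is not from the article or from Apple, Google or Tencent: a simplified model of a hash-prefix list check (real clients also canonicalize URLs and test several host and path combinations). The class and function names, the 4-byte prefix length, the sample entries and the IP address are assumptions constructed for illustration.

```python
import hashlib

PREFIX_LEN = 4  # bytes of each SHA-256 hash kept in the local list (assumed)

def full_hash(expr: str) -> bytes:
    """Hash of an already-canonicalized 'host/path' expression."""
    return hashlib.sha256(expr.encode("utf-8")).digest()

class Provider:
    """Stand-in for the blacklist service; logs what each request reveals."""
    def __init__(self, bad_exprs):
        self.hashes = {full_hash(e) for e in bad_exprs}
        self.seen = []  # (client_ip, data_received) per request

    def list_for_download(self):
        # The browser receives truncated hashes, never the URLs themselves.
        return {h[:PREFIX_LEN] for h in self.hashes}

    def lookup_plain(self, client_ip, url):
        # First API style: the URL itself travels to the server.
        self.seen.append((client_ip, url))
        return full_hash(url) in self.hashes

    def full_hashes(self, client_ip, prefix):
        # Second API style: only a hash prefix travels, and only on a local hit.
        self.seen.append((client_ip, prefix.hex()))
        return {h for h in self.hashes if h.startswith(prefix)}

def check_with_local_list(expr, local_prefixes, provider, client_ip):
    h = full_hash(expr)
    if h[:PREFIX_LEN] not in local_prefixes:
        return False  # decided on the device, no request is made
    return h in provider.full_hashes(client_ip, h[:PREFIX_LEN])

def demo():
    bad = ["phish.example/login", "malware.example/"]  # constructed entries
    ip = "203.0.113.7"                                   # documentation range
    visits = ["news.example/", "phish.example/login"]   # constructed history
    a, b = Provider(bad), Provider(bad)
    plain = [a.lookup_plain(ip, v) for v in visits]
    local = b.list_for_download()
    hashed = [check_with_local_list(v, local, b, ip) for v in visits]
    return plain, a.seen, hashed, b.seen

if __name__ == "__main__":
    plain, seen_plain, hashed, seen_hashed = demo()
    print("plain lookups saw :", seen_plain)
    print("list-based saw    :", seen_hashed)
```

Even in the list-based flow, a local hit makes the client send a hash prefix from its IP address, which is the "information calculated from the website address" the expert refers to.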

If users do not feel comfortable leaving this feature enabled, information security specialists of the International Cyber Security Institute (IICS) mention that it is possible to disable it in the browser settings for iOS.
