Apple is attracting scrutiny for its practice of checking if the websites you’re visiting are fraudulent and malware-infested after Chinese internet conglomerate Tencent was found listed as a safe browsing provider.
The Safari feature — dubbed “Fraudulent Website Warning” in iOS and macOS — is meant to enhance online security by cross-referencing URLs against an external blacklist service provided by safe browsing providers such as Google and Tencent.
“This feature appears to be ‘on’ by default in iOS Safari, meaning that millions of users could potentially be affected,” said Johns Hopkins cryptography professor Matthew Green.
But for this to work, browser makers, including Apple and Mozilla, “send information calculated from the website address to Safe Browsing providers to check if the website is fraudulent,” aside from potentially logging your IP address.
Google and Tencent are some of the major safe browsing providers, and Google’s offering has been embraced by most modern browsers. Microsoft, likewise, has a similar cloud-based anti-phishing and anti-malware tool called SmartScreen built into most of its products such as Windows, Internet Explorer, Microsoft Edge, and Outlook.
So far, there’s no evidence to suggest that Tencent is actually collecting IP addresses from users residing outside of China. Apple originally incorporated Google Safe Browsing in 2008, with Tencent getting added to the list for people who have their device region code set to mainland China in 2017.
The open-source WebKit browser rendering engine, which is the basis for Safari, also powers third-party browsers available on iOS due to restrictions imposed by Apple’s App Store Review Guidelines (Section 2.5.6).
Google, for instance, provides two different Safe Browsing APIs — a Lookup and an Update API, the former of which allows browsers to send URLs in plaintext to the Google Safe Browsing server to check their status. The search giant, in its documentation, acknowledges the privacy drawback: “URLs are not hashed, so the server knows which URLs you look up.”
The latter mechanism, which is used by Apple, allows browsers to download encrypted versions of the Safe Browsing lists for local, client-side checks of URLs, meaning the safe browsing server never knows the actual URLs queried by Safari.
Regardless of whether the safe browsing provider is Google or Tencent, if you’re not comfortable with this setting being on by default, you can turn it off by following the steps listed below:
- iOS: Settings > Safari > Turn off Fraudulent Website Warning
- macOS: Safari > Preferences > Security > Uncheck Warn when visiting a fraudulent website
But it’s worth noting here that the tweak also increases the likelihood of accidentally visiting a phishing website that might make a “fraudulent attempt to steal your personal information, such as usernames, passwords, and other account information.”
It’s very much possible Tencent’s blacklist is localized to China, where Google’s services are blocked, and not elsewhere. But the development has come to the fore again at a particularly fraught time for the iPhone maker, which is caught between a rock and a hard place with regards to its practices in the country.
“While they [Tencent] may be just as trustworthy, we deserve to be informed about this kind of change and to make choices about it,” said Green. “At very least, users should learn about these changes before Apple pushes the feature into production, and thus asks millions of their customers to trust them.”
Update on Oct. 15 9:00 AM IST: In a statement to TNW, Apple confirmed our reporting above, stating it doesn’t share users’ browsing histories with Google or Tencent:
Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning, a security feature that flags websites known to be malicious in nature. When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing. To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off.
Simply put, Safari hashes the URL of the website you’re visiting before loading it, and compares its hash prefix against a local database of hash prefixes of malicious websites provided by Google and Tencent.
In the event of a match, Safari uses the Update API to fetch all the URLs matching that prefix, then compares the exact URL with the list received, and then shows an alert if it does turn out to be fraudulent. This can be turned off in settings using the steps outlined above.
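To make the two-stage flow above concrete, here is a simplified model in Python, added as an illustration (not Apple’s, Google’s or Tencent’s code): the provider publishes only hash prefixes, the client checks them locally, and on a hit sends nothing more than the prefix to resolve the full hashes. The SHA-256 hash and 4-byte prefix length follow Safe Browsing v4 defaults; URL canonicalization and the host/path expression hashing of the real protocol are omitted, and all URLs are constructed sample values.

```python
import hashlib
from typing import Dict, List, Set

PREFIX_LEN = 4  # Safe Browsing v4 minimum prefix length in bytes


def full_hash(url: str) -> bytes:
    # Real clients canonicalize the URL and hash several host/path
    # expressions; this model hashes the URL string as-is.
    return hashlib.sha256(url.encode("utf-8")).digest()


class SafeBrowsingProvider:
    """Server side: holds full hashes but publishes only prefixes."""

    def __init__(self, bad_urls: List[str]) -> None:
        self._full: Set[bytes] = {full_hash(u) for u in bad_urls}
        self.queries_seen: List[bytes] = []  # everything the provider learns

    def prefix_list(self) -> Set[bytes]:
        # What the Update API hands out for the local database.
        return {h[:PREFIX_LEN] for h in self._full}

    def full_hashes_for(self, prefix: bytes) -> List[bytes]:
        # The provider sees a prefix, never the URL or its full hash.
        self.queries_seen.append(prefix)
        return [h for h in self._full if h.startswith(prefix)]


class Browser:
    """Client side: local prefix check first, exact match only on a hit."""

    def __init__(self, provider: SafeBrowsingProvider) -> None:
        self.provider = provider
        self.local_prefixes = provider.prefix_list()  # downloaded list
        self.cache: Dict[bytes, List[bytes]] = {}

    def is_fraudulent(self, url: str) -> bool:
        h = full_hash(url)
        prefix = h[:PREFIX_LEN]
        if prefix not in self.local_prefixes:
            return False  # no network traffic at all for most pages
        if prefix not in self.cache:
            self.cache[prefix] = self.provider.full_hashes_for(prefix)
        return h in self.cache[prefix]  # exact comparison stays on device


if __name__ == "__main__":
    # Constructed sample blocklist and visits.
    provider = SafeBrowsingProvider(["http://phish.example/login"])
    browser = Browser(provider)
    print(browser.is_fraudulent("http://phish.example/login"))  # True
    print(browser.is_fraudulent("https://www.example.org/"))    # False
    print([p.hex() for p in provider.queries_seen])            # one 4-byte prefix
```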