Apple has issued a statement to confirm that it is not sending details of websites visited by Safari users to China’s Tencent as part of its fraudulent website warning mechanism but instead, cross-references URLs with a list of known bad sites shared by Tencent.
Recently, when introducing iOS 13, Apple notified users about its safe browsing mechanism that involved cross-referencing the URLs users visit with Google Safe Browsing and Tencent Safe Browsing in order to ensure that websites visited by iOS users were safe and not fraudulent.
“Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent. These safe browsing providers may also log your IP address,” the company said.
Apple’s choice of words gave rise to concerns that Apple may be sharing users’ browsing data and IP addresses with China’s Tencent and, given the recent controversies involving Huawei and ZTE, that the Chinese government could use such data to carry out surveillance on iOS users located in the United States and other countries.
Matthew Green, a professor at Johns Hopkins University, recently wrote in a blog post that, because Apple’s “Fraudulent Website Warning” feature is enabled by default in iOS Safari, browsing data of millions of iOS users could be at risk of being leaked.
He said that, just as with Google’s Safe Browsing API, Tencent’s API could allow the company to see users’ IP addresses together with the hashed URL prefixes that Safari queries. Even if Apple tries to anonymise such data, someone at Tencent could extract a signal from the available data to unmask individual users, which could result in a privacy disaster.
“[While] Google certainly has the brainpower to extract a signal from the noisy Safe Browsing results, it seemed unlikely that they would bother. (Or at least, we hoped that someone would blow the whistle if they tried.)
“But Tencent isn’t Google. While they may be just as trustworthy, we deserve to be informed about this kind of change and to make choices about it. At very least, users should learn about these changes before Apple pushes the feature into production, and thus asks millions of their customers to trust them,” he wrote.
Apple denies sharing user data or IP addresses with Tencent
After Green’s blog received significant coverage across the world, Apple issued a statement, confirming that no browsing data is being made available to Tencent and that users can turn off the Safari Fraudulent Website Warning feature if they are uncomfortable with it.
“Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning, a security feature that flags websites known to be malicious in nature. When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing.
“To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off,” the company said.
What this means is that, instead of asking Google or Tencent (the latter only on devices whose region code is set to mainland China) whether a specific URL is malicious or fraudulent, Safari obtains a list of known bad sites from the two companies and checks the URLs users visit against that list on the device.
The mechanism of the Safari Fraudulent Website Warning feature has also been explained by 9to5Mac as below:
“The process to check whether a website matches a list of known malicious sites happens before Safari loads a URL and the matching process starts by checking just hashed prefixes.
“If Safari does see a match of the hashed prefix, it will send the hash to the safe browsing provider, Google or Tencent, to request the full list of URLs that have matched the prefix.
“Since Safari talks directly with Google or Tencent for the request, they do receive the device’s IP address. After Safari gets the full list of malicious URLs matching the prefix, it checks if there is a full match on-device so the actual URL is never shared with the safe browsing provider.”
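To make the two-stage check described above concrete, here is an added example (not code from Apple, Google, Tencent or 9to5Mac) that models both sides of the exchange: a stand-in provider that ships a list of 4-byte hash prefixes and answers full-hash lookups, and a browser that only contacts the provider when a prefix matches and does the final full-hash comparison locally. The provider records exactly what it could log per request (the client IP and the prefix), which is the data the article's privacy discussion is about. The URL canonicalisation is a simplified assumption for this demo (the real Safe Browsing scheme hashes several host-suffix/path-prefix variants), and the URLs and IP address are constructed sample values.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes; Safe Browsing v4 lists carry 4-byte hash prefixes by default


def url_expression(url: str) -> str:
    """Reduce a URL to the 'host/path?query' form that gets hashed.

    Simplified assumption for this demo: real Safe Browsing canonicalisation
    also generates host-suffix and path-prefix variants of the same URL.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return host + path


def full_hash(url: str) -> bytes:
    return hashlib.sha256(url_expression(url).encode()).digest()


def prefix(url: str) -> bytes:
    return full_hash(url)[:PREFIX_LEN]


class SafeBrowsingProvider:
    """Stand-in for Google/Tencent: holds full hashes of known-bad URL
    expressions and records what it learns from each client request."""

    def __init__(self, bad_urls):
        self.full_hashes = {full_hash(u) for u in bad_urls}
        self.requests = []  # (client_ip, prefix): all the provider can log

    def prefix_list(self):
        # Downloaded periodically by the browser; contains prefixes only.
        return {h[:PREFIX_LEN] for h in self.full_hashes}

    def find_full_hashes(self, client_ip: str, pfx: bytes):
        # The only per-navigation request the provider ever sees.
        self.requests.append((client_ip, pfx))
        return [h for h in self.full_hashes if h.startswith(pfx)]


class Browser:
    """Models Safari's on-device check against the downloaded prefix list."""

    def __init__(self, provider: SafeBrowsingProvider, client_ip: str):
        self.provider = provider
        self.ip = client_ip
        self.local_prefixes = provider.prefix_list()

    def is_fraudulent(self, url: str) -> bool:
        pfx = prefix(url)
        if pfx not in self.local_prefixes:
            return False  # no network traffic at all for the vast majority of URLs
        # Prefix matched: ask the provider for every full hash behind it.
        candidates = self.provider.find_full_hashes(self.ip, pfx)
        # Final comparison stays on-device; the URL itself never leaves it.
        return full_hash(url) in candidates


def run_demo():
    # Constructed sample data: two "known bad" URLs and one benign URL.
    bad = ["http://phish.example/login", "http://malware.example/dl?x=1"]
    provider = SafeBrowsingProvider(bad)
    browser = Browser(provider, client_ip="203.0.113.7")
    results = {
        "phish": browser.is_fraudulent("http://PHISH.example/login"),
        "benign": browser.is_fraudulent("https://www.apple.com/"),
        # What the provider could have logged: IP + 4-byte prefix, never a URL.
        "provider_log": list(provider.requests),
    }
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Running the demo shows the benign visit generating no request at all, while the phishing visit produces exactly one request carrying the client IP and a 4-byte prefix. Note the caveat implied by Green's "noisy" remark: any benign URL whose SHA-256 happens to share a prefix with a listed hash triggers the same request, so over time a provider sees a sparse, IP-tagged sample of prefixes rather than a clean browsing history.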