Apple’s third-party Safari integrations rolled out with “catastrophic security and privacy flaws”

News
By published

Installing third-party apps in the EU could come with unwanted baggage

Safari app icon on smartphone
(Image credit: Photo Illustration by Rafael Henrique/SOPA Images/LightRocket via Getty Images)

To comply with the laws of the European Union (EU), Apple has allowed EU users to download and install apps from other marketplaces and websites. However, the implementation of this feature was made “with catastrophic security and privacy flaws”, allowing malicious marketplaces to track Apple users across different websites.

This is according to cybersecurity researchers Talal Haj Bakry and Tommy Mysk, who released their technical analysis in a blog published last weekend.

By now, everyone is fully aware of Apple’s “walled garden” approach to its ecosystem. It generally doesn’t allow third-party app stores, claiming they are a major security risk. However, in the EU, under the Digital Markets Act (DMA), the American smartphone giant was deemed a “gatekeeper” for iOS, the App Store, Safari, and iPadOS, and was forced to allow third-party app stores and websites offering apps for download (albeit, vetted). 

Replacing the browser

Hence, with iOS 17.4, Apple introduced a new URI scheme, allowing EU users to download and install alternative marketplace apps from websites, the blog reads. “Once an authorized browser invokes the special URI scheme marketplace-kit, it hands off the installation request to a MarketplaceKit process that starts communicating with the marketplace back-end servers to finally install the app,” the researchers explained. 

“As part of the installation flow, the MarketplaceKit process sends a unique client_id identifier to the marketplace back-end. Both Safari and the MarketplaceKit process allow any website to make a call to the marketplace-kit URI scheme of a particular marketplace. As a result, multiple websites can trigger the MarketplaceKit process to send the same unique identifier client_id to the same marketplace back-end. This way a malicious marketplace can track users across different websites.”

So the problem lies in Apple’s browser, Safari, the researchers concluded, saying that the way Apple’s engineers handled the implementation was “very puzzling.”

“Safari should protect users against cross-site tracking,” they conclude, before suggesting alternative solutions. You can read more about their suggestions here

More from TechRadar Pro

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
A close-up photo of an iPhone, with the App Store icon prominent in the center of the image.
App stores are increasingly becoming a major security worry
Tim Cook
The EU wants Apple to open iOS to competitors and this is the mother of all bad ideas
A hand holding an iPhone showing the logo for the Hot Tub app
The iPhone’s first official porn app has just landed in the EU – and Apple really isn’t happy about it
An abstract image of a lock against a digital background, denoting cybersecurity.
Apple CPU security issue could let hackers steal user data from browsers
Actalis SSL encryption
Apple is right not to bow down to the UK government's encryption backdoor request - but users should still be angry
In this photo illustration a Google Play logo seen displayed on a smartphone.
Why is there so much spyware hidden in the Play Store?
Latest in Security
Isometric demonstrating multi-factor authentication using a mobile device.
NCSC gets influencers to sing the praises of 2FA
Sam Altman and OpenAI
OpenAI is upping its bug bounty rewards as security worries rise
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Dangerous new CoffeeLoader malware executes on your GPU to get past security tools
China
Notorious Chinese hackers FamousSparrow allegedly target US financial firms
A digital representation of a lock
NYU website defaced as hacker leaks info on a million students
NHS
NHS IT supplier hit with major fine following ransomware attack
Latest in News
Nintendo Switch 2 Joy-Con up-close from app store
Nintendo's new app gave us another look at the Switch 2, and there's something different with the Joy-Con
cheap Nintendo Switch game deals sales
Nintendo didn't anticipate that Mario Kart 8 Deluxe was 'going to be the juggernaut' for the Nintendo Switch when it was ported to the console, according to former employees
Toni Collette in Hereditary
Everything leaving Netflix in April 2025 – from the scariest movie ever made to a beloved DreamWorks animation with 99% on Rotten Tomatoes
Three angles of the Apple MacBook Air 15-inch M4 laptop above a desk
Apple MacBook Air 15-inch (M4) review roundup – should you buy Apple's new lightweight laptop?
Witchbrook
Witchbrook, the life-sim I've been waiting years for, finally has a release window and it's sooner than you think
Close up of Leica M11-P viewfinder
I wince at the prospect of the rumored Leica M11-V – here's why
More about security
Sam Altman and OpenAI

OpenAI is upping its bug bounty rewards as security worries rise
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.

Dangerous new CoffeeLoader malware executes on your GPU to get past security tools
Toni Collette in Hereditary

Everything leaving Netflix in April 2025 – from the scariest movie ever made to a beloved DreamWorks animation with 99% on Rotten Tomatoes
See more latest
Most Popular
Toni Collette in Hereditary
Everything leaving Netflix in April 2025 – from the scariest movie ever made to a beloved DreamWorks animation with 99% on Rotten Tomatoes
Close up of Leica M11-P viewfinder
I wince at the prospect of the rumored Leica M11-V – here's why
Nintendo Switch 2 Joy-Con up-close from app store
Nintendo's new app gave us another look at the Switch 2, and there's something different with the Joy-Con
HP ZBook Ultra G1a
HP's ridiculously fast Ryzen AI Max+ Pro 395 laptop with 128GB RAM goes on sale everywhere in the US, but it won't be cheap
A mobile phone showing the Signal logo in front of a screen showing the app
Signalgate explained: what is Signal, and how secure is the messaging app?
Asus Ascent GX10 Rear
Asus's more affordable version of Nvidia's uber-popular Project Digits snapped at GTC 2025
iPhone 13 mini
The iPhone mini won't be returning, according to rumors – and you think that's a mistake
Sam Altman and OpenAI
OpenAI is upping its bug bounty rewards as security worries rise
cheap Nintendo Switch game deals sales
Nintendo didn't anticipate that Mario Kart 8 Deluxe was 'going to be the juggernaut' for the Nintendo Switch when it was ported to the console, according to former employees
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Dangerous new CoffeeLoader malware executes on your GPU to get past security tools