Apple has primarily always relied on Google’s Safe Browsing technology for Safari’s ‘Fraudulent Website Warning’ feature. However, it seems that starting with iOS 13, Apple is using Tencent’s Safe Browsing technology as well to check and prevent users from visiting fraudulent websites.
The problem here is that for the fraudulent website warning to work, Apple needs to share your browsing history with Google. And Tencent. While the URLs shared are generally hashed, Google and Tencent will also log a user’s IP address during the process. Many people might be fine sharing their browsing history with Google, but sharing anything with a Chinese company might make many users uncomfortable.
Below is how Google’s Update API for the Safe Browsing tech works in the background:
To address these concerns, Google quickly came up with a safer approach to, um, “safe browsing”. The new approach was called the “Update API”, and it works like this:
- Google first computes the SHA256 hash of each unsafe URL in its database, and truncates each hash down to a 32-bit prefix to save space.
- Google sends the database of truncated hashes down to your browser.
- Each time you visit a URL, your browser hashes it and checks if its 32-bit prefix is contained in your local database.
- If the prefix is found in the browser’s local copy, your browser now sends the prefix to Google’s servers, which ship back a list of all full 256-bit hashes of the matching URLs, so your browser can check for an exact match.
At each of these requests, Google’s servers see your IP address, as well as other identifying information such as database state. It’s also possible that Google may drop a cookie into your browser during some of these requests.
Another major issue here is that Apple has made this change without informing users about it. One has to go through the fine print to discover it. There is a possibility that Apple is using Tencent’s Safe Browsing tech only for Mainland China users since Google is not available in the region, but if that’s the case, the warning should not show up for iPhone users in the United States. Additionally, if Apple has made this change recently with iOS 13, it should have explicitly informed users about it. The company has also not detailed if it is doing anything to protect the privacy of its users in this scenario which has always been one of its priorities.
Apple has bent a lot of its own rules just to please the Chinese government. While that is not the case here, many iOS users are simply not going to be comfortable knowing that a Chinese company is possibly logging their IP.
[Via Crytpgraphy Engineering]