Apple iOS 14.5 will hide Safari users' IP addresses from Google's Safe Browsing

Another privacy improvement from Cupertino, just a small one

Apple's forthcoming iOS 14.5 release, currently in beta, will conceal the IP address of Safari web surfers from Google's Safe Browsing service, integrated into Safari to spot fraudulent websites.

On Wednesday, Maciej Stachowiak, head of WebKit engineering at Apple, confirmed the change via Twitter, stating that "in the new iOS beta, Safari does indeed proxy the service via Apple servers to limit the risk of information leak."

That means when Safari users visit a website with Safe Browsing active, their IP addresses will be associated with an Apple domain rather than their internet service provider or corporate network. Google would normally have access to this information from those using Safe Browsing-enabled applications, depending on the specific API used, but now won't for mobile Safari users.

That's something of a privacy improvement – another notch in the privacy belt for iOS 14, alongside previously disclosed App Tracking Transparency and app privacy labels.

But don't get too excited. Google still has access to plenty of online data via ads, web tracking widgets, scripts, authentication tokens, searches, applications, and the like. It's not as if Apple made Bing the default search engine for all its software and hardware.

This is not the same sort of privacy broadside against the digital ad industry that App Tracking Transparency has been. The Register understands Google and Apple coordinated this change and it isn't expected to alter the effectiveness of the service.

Nor is it obvious whether IP privacy is enough to justify activating Safe Browsing, which mobile Safari users can do via the Fraudulent Website Warning button in the browser's Settings menu.

Safe for most things

Google's Safe Browsing service provides a way for applications to check whether websites in Google's Search Index have been previously identified as malicious. In its early form, it was "kind of a privacy nightmare," as Matthew Green, associate professor of computer science at Johns Hopkins University, described it in a 2019 blog post. The service initially transmitted browser users' IP addresses, the full URL visited, and set a tracking cookie.

The Safe Browsing API has improved since then in that there's now an alternative to the URL-exposing Lookup API: The Update API allows client software (like Safari) to download an encrypted Safe Browsing list of 32-bit prefixes of SHA256 hashes (256-bits) derived from bad URLs to match against a 32-bit hash prefix of the URL the user aims to visit.

Photo of the Google page

We've got some really bad news about Apple's privacy measures, Google tells iOS app devs: It'll hurt your Google ad revenue


Then, if there's a match – which may correspond with multiple full hashes – the browser transmits the matched prefix to Google's servers, which return a list of SHA256 hashes that contain the matched prefix to test against a full hash of the requested URL.

"The problem is that Safe Browsing 'Update API' has never been exactly 'safe,'" said Green in his blog post. "Its purpose was never to provide total privacy to users, but rather to degrade the quality of browsing data that providers collect."

Other security researchers have expressed similar reservations, noting that the API's approach – a technique called k-anonymitycan be defeated.

Green said the privacy community had reconciled itself to the tradeoffs, allowing that Google might glean more information from those implementing and using Safe Browsing in exchange for reducing potential exposure to fraudulent or malicious websites.

But he was less sanguine about Apple's disclosure in 2019 that the company was sending the same information to Tencent in China, where privacy risks are magnified due to limits on political speech.

As Apple explains in its macOS Safari help documentation, "Before you visit a website, Safari may send information calculated from the website address to Google Safe Browsing to check if the website is fraudulent. If you have China mainland set as your region in the Language & Region pane of System Preferences, Safari may also use Tencent Safe Browsing to do this check."

In an email to The Register, Green expressed cautious optimism about the iOS 14.5 change, even if it doesn't address his past criticism of Apple's mercurial disclosure and communication habits.

"Proxying is definitely an improvement because it hides IP addresses from the services in China that resolve these queries," Green said.

"I’m not sure it entirely solves the problem, and I’d need to think about it. But it’s a good start. Also, it shows that Apple sees this information as valuable, which is an important takeaway given that they’ve been revealing it for over a year now." ®

Other stories you might like

  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading
  • Big Tech loves talking up privacy – while trying to kill privacy legislation
    Study claims Amazon, Apple, Google, Meta, Microsoft work to derail data rules

    Amazon, Apple, Google, Meta, and Microsoft often support privacy in public statements, but behind the scenes they've been working through some common organizations to weaken or kill privacy legislation in US states.

    That's according to a report this week from news non-profit The Markup, which said the corporations hire lobbyists from the same few groups and law firms to defang or drown state privacy bills.

    The report examined 31 states when state legislatures were considering privacy legislation and identified 445 lobbyists and lobbying firms working on behalf of Amazon, Apple, Google, Meta, and Microsoft, along with industry groups like TechNet and the State Privacy and Security Coalition.

    Continue reading
  • SEC probes Musk for not properly disclosing Twitter stake
    Meanwhile, social network's board rejects resignation of one its directors

    America's financial watchdog is investigating whether Elon Musk adequately disclosed his purchase of Twitter shares last month, just as his bid to take over the social media company hangs in the balance. 

    A letter [PDF] from the SEC addressed to the tech billionaire said he "[did] not appear" to have filed the proper form detailing his 9.2 percent stake in Twitter "required 10 days from the date of acquisition," and asked him to provide more information. Musk's shares made him one of Twitter's largest shareholders. The letter is dated April 4, and was shared this week by the regulator.

    Musk quickly moved to try and buy the whole company outright in a deal initially worth over $44 billion. Musk sold a chunk of his shares in Tesla worth $8.4 billion and bagged another $7.14 billion from investors to help finance the $21 billion he promised to put forward for the deal. The remaining $25.5 billion bill was secured via debt financing by Morgan Stanley, Bank of America, Barclays, and others. But the takeover is not going smoothly.

    Continue reading

Biting the hand that feeds IT © 1998–2022