iPhone users in the European Union (EU) have been warned of a fault in the latest version of Apple’s Safari browser that could leave the device vulnerable to attack.
Talal Haj Bakry and Tommy Mysk have raised the alarm on “catastrophic security and privacy flaws” due to the EU antitrust rules compelling Apple to introduce alternative app stores.
The duo, specialist developers and researchers, have urged caution from iPhone users until the issue is made safe, recommending no use of any alternate app providers and to proceed with caution when browsing the internet.
Mysk experts have flagged previous flaws including a finding that the iPhone X app could be sending personal data without your consent. Inn 2022, they detailed a data leak when using VPN services on iOS 16.
Third-party marketplace apps can take advantage of the design flaw, putting posing a serious risk to the privacy and security of the user.
The source of the problem can be directly linked to the requirements of the EU’s Digital Market Act (DMA), which let iPhone owners download apps from developers’ websites and third-party stores.
To make DMA work, Apple has had to roll out a URI Scheme within the iOS 17.4 update.
Marketplace developers are then required to install an HTML button, that, when activated in the Safari app, will green-light the launch of the alternative app installation link (Marketplace Kit).
Apple claimed this procedure is a security safeguard to prevent app installations without user consent, but the Mysk researchers have said it’s clear flaw that introduces significant risk to all iPhone users in the EU.
The problem is compounded when Safari calls on the URI scheme, as it doesn’t check whether the website containing the alternate distribution link is genuine to match an actually registered marketplace.
Worse than that, the browser will accept any instruction given at this stage, leaving an open door to any bad actors who seek to compromise third-party requests.