Safari Browser Flaw Poses Serious Risks for iPhone Users in the EU

Key Takeaways

  • Security researchers say the changes Apple made to comply with the EU's Digital Markets Act have introduced significant flaws that expose users.
  • Bakry and Mysk have outlined how third-party marketplace apps can exploit the design flaw.
  • Apple has been urged to rectify the problem promptly, within the new DMA-driven distribution procedures.

A fault in the latest version of Apple’s Safari browser could leave iPhone users in the EU vulnerable to attack. 

Talal Haj Bakry and Tommy Mysk from Mysk Inc. have raised the alarm over “catastrophic security and privacy flaws” in the changes Apple made to meet EU antitrust rules compelling it to allow alternative app stores.

The researchers have urged iPhone users to be cautious until the issue is fixed: avoid alternative app providers for now and take care when browsing the web.

The Mysk researchers have flagged major flaws before, including a finding that the iPhone X app could be sending personal data without the user's consent and, in 2022, a data leak when using VPN services on iOS 16.

Third-party marketplace apps can take advantage of the design flaw, posing a serious risk to the privacy and security of the user.

The source of the problem can be traced directly to the requirements of the European Digital Markets Act (DMA), which requires that users be able to download apps from developers' websites and not solely from the Apple App Store.

To comply with the DMA, Apple rolled out a dedicated URI scheme in the iOS 17.4 update, handled by its MarketplaceKit framework.

Marketplace developers then place an HTML button on their website. When the user taps it in Safari, Safari opens the alternative-distribution link and hands the installation request to MarketplaceKit.

Apple presents this procedure as a security safeguard that prevents apps from being installed without user consent. The Mysk researchers, however, describe it as a clear flaw that introduces significant risk for every iPhone user in the EU who uses the new method.

The core problem is that when Safari handles the URI scheme, it does not check whether the website hosting the alternative-distribution link actually belongs to a registered marketplace.

Worse, the browser accepts whatever the link tells it to do at this stage, leaving the door open to bad actors who want to abuse the hand-off to third-party marketplaces.
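To make the missing check concrete, here is an added illustration written for this article; it is not code from Apple or from the Mysk researchers. It models, in JavaScript, the hand-off between a web page and a custom URI-scheme handler: a weak handler that launches whatever link it is given, alongside a hardened one that first confirms the page issuing the link is an origin registered for that marketplace. The link format (scheme "marketplace-kit" with the marketplace identifier carried as the host part), the registry contents and the page origins are constructed assumptions; the real MarketplaceKit link format is not described in this article.

```javascript
// Added illustration, not Apple's or Mysk's code. The link format below
// (scheme "marketplace-kit", marketplace id carried as the host part) and
// the registry contents are assumptions made for this example.

// Constructed registry: which web origins are registered for each marketplace.
const REGISTERED_MARKETPLACES = new Map([
  ["com.example.altstore", ["https://altstore.example"]],
]);

// Weak handler: models the behaviour the article describes. Any page that
// can get the browser to open a marketplace-kit link gets the installer
// launched, because the origin of the issuing page is never consulted.
function weakHandleLink(link, pageOrigin) {
  let u;
  try {
    u = new URL(link);
  } catch {
    return { launched: false, reason: "malformed link" };
  }
  if (u.protocol !== "marketplace-kit:") {
    return { launched: false, reason: "not a marketplace-kit link" };
  }
  return { launched: true, marketplace: u.hostname, from: pageOrigin };
}

// Hardened handler: the same hand-off, but the installer is only launched
// when the page that issued the link is an origin registered for that
// marketplace. Unknown marketplaces and malformed links are refused too.
function hardenedHandleLink(link, pageOrigin) {
  let u;
  try {
    u = new URL(link);
  } catch {
    return { launched: false, reason: "malformed link" };
  }
  if (u.protocol !== "marketplace-kit:") {
    return { launched: false, reason: "not a marketplace-kit link" };
  }
  const marketplace = u.hostname; // assumed: marketplace id in the host part
  const allowedOrigins = REGISTERED_MARKETPLACES.get(marketplace);
  if (!allowedOrigins) {
    return { launched: false, reason: "unregistered marketplace" };
  }
  if (!allowedOrigins.includes(pageOrigin)) {
    return { launched: false, reason: "origin not registered for marketplace" };
  }
  return { launched: true, marketplace, from: pageOrigin };
}

// Constructed scenario: the same link issued from the registered marketplace
// site and from an unrelated site. Returns both handlers' decisions.
function runScenario() {
  const link = "marketplace-kit://com.example.altstore/install?app=demo";
  const legit = "https://altstore.example";
  const unrelated = "https://unrelated.example";
  return {
    weakFromUnrelated: weakHandleLink(link, unrelated),
    hardenedFromUnrelated: hardenedHandleLink(link, unrelated),
    hardenedFromLegit: hardenedHandleLink(link, legit),
  };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

In the scenario, the weak handler launches the installer for the unrelated site just as readily as for the registered one, which is the gap the researchers describe; the hardened handler launches only from the registered origin. In a real browser the origin would come from the document that triggered the navigation, not from a function argument.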