A safe browsing feature intended to increase online security in Apple’s Safari app has instead raised privacy concerns, following the recent discovery that the app is sending user browsing data to a company headquartered in China.
According to The Next Web, the feature in question is known as “Fraudulent Website Warning,” and it reviews the websites a user visits to see if they are “fraudulent and malware-infested.” The feature works by checking a website’s URL against “a blacklist service provided by safe browsing providers such as Google and Tencent.” (If the feature detects that a given website is fraudulent or contains malware, Safari will display a warning about the website to notify the user.) This particular feature is available in both the iOS and Mac versions of Safari.
The privacy issue surrounding this feature and Tencent’s involvement with it was first spotted by Reclaim The Net. In a post published on Thursday, October 10, Reclaim The Net cited screenshots of the iOS version of Safari which show that Apple had admitted to sending user IP addresses to safe browsing providers, including Google and Tencent. The screenshots show the “About Safari & Privacy” section of the app’s settings, which includes the following explanation of the “Fraudulent Website Warning” feature:
“Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent. These safe browsing providers may also log your IP address.”
Reclaim The Net also noted that the “Fraudulent Website Warning” feature is apparently turned on by default on iOS devices, which means iOS device users who also use the Safari app may have already had their IP addresses logged by either Tencent or Google. While iOS users can turn the feature off, doing so leaves them “vulnerable to accessing fraudulent websites.”
As The Next Web notes, it is still unclear whether Tencent is in fact logging IP addresses from Safari users who don’t live in China, especially since Tencent’s related services may be limited to China (because the other safe browsing provider of record, Google, is blocked in China).
But the logging of IP addresses is still worrying since, as Reclaim The Net notes, such information can be used to “reveal user locations” and even identify iOS device owners by “searching for instances of the IP address across Tencent’s other services.”