SecurityWeek

Apple: Safari Does Not Send User Browsing History to China’s Tencent

Safari does use Tencent to ensure that users in China do not navigate to malicious websites, but it never sends the actual URL of a visited site to the Chinese company, Apple says.

The explanation was given following a series of reports that Safari is sending user data to the Chinese conglomerate, thus spurring multiple privacy concerns among users.

The tech giant, however, says it only sends bits of browsing data to Tencent, and that the URL the user attempts to access is never shared with the company, although the user’s IP address might be.

“Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent. These safe browsing providers may also log your IP address,” Apple’s About Safari & Privacy page reads.

The sharing of bits of user data with a safe browsing provider isn’t new. In fact, in the first version of Google Safe Browsing, the entire visited URL was sent to Google and checked against a list of fraudulent sites. The user IP address was also sent to the Internet giant.

To address privacy concerns, Google changed the mechanism to a safer one, where a SHA256 hash of each unsafe URL in the database is computed and truncated down to a 32-bit prefix, and then the entire database of truncated hashes is sent to the browser.

Thus, when visiting a URL, the browser can check if the site is safe by hashing it and checking if the 32-bit prefix is contained in the local database. If it is, the browser sends the prefix to Google, which delivers the list of all full 256-bit hashes of matching URLs, for the browser to find an exact match.
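The prefix exchange described above, as an added sketch that is not code from Apple, Google or Tencent: it shows which lookups stay on the device and what the provider can log when a prefix matches. The URLs, the IP address and the class names are constructed, and the URL string is hashed directly as a simplification of what a real client does before hashing.

```python
import hashlib

# Constructed sample data: placeholder URLs standing in for the provider's blocklist.
UNSAFE_URLS = ["phish.example/login", "malware.example/download.exe"]

def full_hash(url: str) -> bytes:
    # Simplification (assumption): hash the URL string directly, as the article describes.
    return hashlib.sha256(url.encode("utf-8")).digest()

class Provider:
    """Safe browsing provider: keeps full hashes, publishes 32-bit prefixes."""
    def __init__(self, unsafe_urls, extra_hashes=()):
        self.full_hashes = {full_hash(u) for u in unsafe_urls} | set(extra_hashes)
        self.log = []  # everything the provider observes per lookup

    def prefix_list(self) -> set:
        return {h[:4] for h in self.full_hashes}

    def lookup(self, prefix: bytes, client_ip: str) -> set:
        self.log.append((client_ip, prefix.hex()))
        return {h for h in self.full_hashes if h[:4] == prefix}

class Browser:
    def __init__(self, provider: Provider, ip: str):
        self.provider, self.ip = provider, ip
        self.local_prefixes = provider.prefix_list()  # downloaded database

    def is_unsafe(self, url: str) -> bool:
        h = full_hash(url)
        if h[:4] not in self.local_prefixes:
            return False  # decided locally, nothing leaves the device
        # Prefix hit: only now does the provider see a request (IP + prefix).
        return h in self.provider.lookup(h[:4], self.ip)

def demo():
    benign = "news.example/article"
    # Constructed collision: a listed hash sharing the benign URL's prefix.
    colliding = full_hash(benign)[:4] + bytes(28)
    provider = Provider(UNSAFE_URLS, extra_hashes=[colliding])
    browser = Browser(provider, ip="203.0.113.7")
    results = {u: browser.is_unsafe(u)
               for u in ["phish.example/login", "other.example/", benign]}
    return results, provider.log

if __name__ == "__main__":
    print(demo())
```

The benign URL with a colliding prefix is reported safe, yet its lookup still appears in the provider's log next to the client IP, which is the exposure the article discusses.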

Matthew Green, associate professor of computer science at the Johns Hopkins Information Security Institute, explains that, during these exchanges, Google can see the user’s IP address and other identifying information.

The issue, however, isn’t the fact that such information is exchanged with Google, but that Tencent too can tap into the user data, which raises privacy concerns.

According to Apple, however, this is actually a non-issue, as the information is shared with Tencent only in the case of Chinese users.

“Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off,” Apple says.

Basically, the company claims that the user data is only shared with a safe browsing provider if Safari Fraudulent Website Warning is enabled, which is the basic premise of the feature. However, users can disable the feature, if they feel it invades their privacy.

What isn’t clear, however, is why Apple was rather silent on using Tencent for the safe browsing feature in China. Moreover, some researchers suggest it’s not clear whether there is code that chooses which provider is used.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
