SecurityWeek

Apple: Safari Does Not Send User Browsing History to China’s Tencent

Safari does use Tencent to ensure that users in China do not navigate to malicious websites, but it never sends the actual URL of a visited site to the Chinese company, Apple says.

The explanation was given following a series of reports that Safari is sending user data to the Chinese conglomerate, thus spurring multiple privacy concerns among users.

The tech giant, however, says it only sends bits of browsing data to Tencent, and that the URL the user attempts to access is never shared with the company. The user’s IP address, though, might be.

“Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent. These safe browsing providers may also log your IP address,” Apple’s About Safari & Privacy page reads.

The sharing of bits of user data with a safe browsing provider isn’t new. In fact, in the first version of Google Safe Browsing, the entire visited URL was sent to Google and checked against a list of fraudulent sites. The user IP address was also sent to the Internet giant.

To address privacy concerns, Google changed the mechanism to a safer one, where a SHA256 hash of each unsafe URL in the database is computed and truncated down to a 32-bit prefix, and then the entire database of truncated hashes is sent to the browser.

Thus, when visiting a URL, the browser can check if the site is safe by hashing it and checking if the 32-bit prefix is contained in the local database. If it is, the browser sends the prefix to Google, which delivers the list of all full 256-bit hashes of matching URLs, for the browser to find an exact match.
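
The lookup flow described above can be sketched in a few lines of Python. This is an added example, not code from Apple, Google or Tencent: the `Provider` and `Browser` classes and the sample URLs are hypothetical, and the URL is hashed as a plain string, whereas the real protocol canonicalizes it and hashes several host and path variants.

```python
import hashlib

PREFIX_LEN = 4  # 32-bit prefix, as described in the article


def full_hash(url: str) -> bytes:
    # Simplification (assumption): hash the URL string exactly as given.
    return hashlib.sha256(url.encode("utf-8")).digest()


class Provider:
    """Stand-in for the safe browsing provider (hypothetical class)."""

    def __init__(self, unsafe_urls, prefix_len=PREFIX_LEN):
        self.prefix_len = prefix_len
        self.hashes = {full_hash(u) for u in unsafe_urls}
        self.seen = []  # everything the provider learns from lookups

    def prefix_list(self):
        # Truncated hashes shipped to every browser ahead of time.
        return {h[: self.prefix_len] for h in self.hashes}

    def full_hashes_for(self, prefix: bytes):
        # The provider sees this prefix (and, in practice, the client IP).
        self.seen.append(prefix)
        return {h for h in self.hashes if h.startswith(prefix)}


class Browser:
    def __init__(self, provider):
        self.provider = provider
        self.local_db = provider.prefix_list()

    def check(self, url: str) -> str:
        h = full_hash(url)
        prefix = h[: self.provider.prefix_len]
        if prefix not in self.local_db:
            return "safe-local"  # no network request is made at all
        # Prefix hit: fetch the full hashes and compare on the device.
        if h in self.provider.full_hashes_for(prefix):
            return "blocked"
        return "safe-after-lookup"  # prefix collided with a listed URL


# Constructed sample data, not real indicators.
provider = Provider(["http://phish.example/login", "http://malware.example/a.exe"])
browser = Browser(provider)
```

A benign URL whose prefix happens to collide with a listed one still triggers a request, so the provider learns a prefix and an IP address for some visits to sites that are not on the list.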

Matthew Green, associate professor of computer science at the Johns Hopkins Information Security Institute, explains that, during these exchanges, Google can see the user’s IP address and other identifying information.

The issue, however, isn’t the fact that such information is exchanged with Google, but that Tencent too can tap into the user data, which raises privacy concerns.

According to Apple, however, this is actually a non-issue, as the information is shared with Tencent only in the case of Chinese users.

“Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off,” Apple says.

Basically, the company claims that the user data is only shared with a safe browsing provider if Safari Fraudulent Website Warning is enabled, which is the basic premise of the feature. However, users can disable the feature, if they feel it invades their privacy.

What isn’t clear, however, is why Apple was rather silent on using Tencent for the safe browsing feature in China. Moreover, some researchers suggest it’s not clear whether there is code that supposedly chooses which provider is used.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
