Connect with us

Hi, what are you looking for?


Mobile & Wireless

iOS 10’s Safari Doesn’t Keep Private Browsing Private

The Safari browser in iOS 10 no longer offers the same level of privacy as before when it comes to Private Browsing, a researcher has discovered.

The Safari browser in iOS 10 no longer offers the same level of privacy as before when it comes to Private Browsing, a researcher has discovered.

Unlike in the previous operating system versions, Safari now saves the URLs accessed while in Private Browsing in a database, meaning that they are retrievable even after the session has been closed, Stacey Jury, IntaForensics, Digital Forensic Analyst, explains. Commercially available tools can be used to retrieve the accessed pages even after they have been deleted, she says.

It all comes down to the ability to recover “Suspend State” from iOS 10 devices, within both private browser and normal browser. Suspend State was designed to create a list within the web browser to allow easy switching back and forward between the recently accessed pages in the currently opened tabs. The feature would make web browsing much faster when the user decides to go backwards or forwards to recently accessed pages.

Previously, Suspend State was stored in a manner that would prevent information recovery, but iOS 10 changes that, making it possible to recover deleted records. Until now, Safari would store the information in a PList, meaning that the web page entry would be removed from the PList as soon as the tab was closed, which prevented the recovery of closed on deleted tabs.

In iOS 10, Suspend State is stored in a database, thus allowing for the recovery of deleted records, the researcher explains. Jury carried out an experiment on an iPhone 5S running iOS 10.0.1, where she successfully managed to extract web pages from a private browsing session, using a commercially available tool.

Then, she tried to extract web pages that were accessed in Private Mode and then closed, and which were no longer present in the BrowserState.db database on the phone. The attempt was successful, proving that the new approach for storing Suspend State is no longer keeping user’s browsing private.

“So what could Apple do to ensure that the data is more ‘private’? There is a setting called Pragma Secure Delete within the database which overwrites any deleted content with zeros. If Apple enabled this setting on the database, the deleted data would be irretrievable,” Jury explains.

Advertisement. Scroll to continue reading.

However, she also notes that some would argue that this feature could make Safari slower than before, thus hurting the browsing experience. “So I guess Apple chose user experience over user privacy,” she notes.

Over the past few weeks, researchers have discovered other issues that lower the overall security offered by iOS 10 when compared to previous releases. Local backups on a PC or Mac made with the help of iTunes are easier to brute-force than before, allowing an attacker to try a total of 6,000,000 passwords per second compared to only 2,400 passwords per second for iOS 9 backups.

Last week, Apple’s iMessage service was revealed to send home information on who a user messages with or attempts to message, along with date and time and their IP, and Apple confirmed that it sometimes shares such information with law enforcement agencies when required. Earlier this week, the URL preview feature in iMessage was found to leak information about the user with the linked website.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...


Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.