iOS 10’s Safari Doesn’t Keep Private Browsing Private

The Safari browser in iOS 10 no longer offers the same level of privacy as before when it comes to Private Browsing, a researcher has discovered.

Unlike in previous operating system versions, Safari now saves the URLs accessed while in Private Browsing in a database, meaning that they are retrievable even after the session has been closed, explains Stacey Jury, a digital forensic analyst at IntaForensics. Commercially available tools can be used to retrieve the accessed pages even after they have been deleted, she says.

It all comes down to the ability to recover “Suspend State” from iOS 10 devices, in both private and normal browsing. Suspend State was designed to keep a list within the web browser that allows easy switching back and forward between the recently accessed pages in the currently opened tabs. The feature makes web browsing much faster when the user goes backwards or forwards to recently accessed pages.

Previously, Suspend State was stored in a manner that prevented information recovery, but iOS 10 changes that, making it possible to recover deleted records. Until now, Safari stored the information in a PList, and the web page entry was removed from the PList as soon as the tab was closed, which prevented the recovery of closed or deleted tabs.

In iOS 10, Suspend State is stored in a database, thus allowing for the recovery of deleted records, the researcher explains. Jury carried out an experiment on an iPhone 5S running iOS 10.0.1, where she successfully managed to extract web pages from a private browsing session, using a commercially available tool.

Then, she tried to extract web pages that were accessed in Private Mode and then closed, and which were no longer present in the BrowserState.db database on the phone. The attempt was successful, proving that the new approach for storing Suspend State no longer keeps users’ browsing private.

“So what could Apple do to ensure that the data is more ‘private’? There is a setting called Pragma Secure Delete within the database which overwrites any deleted content with zeros. If Apple enabled this setting on the database, the deleted data would be irretrievable,” Jury explains.

However, she also notes that some would argue that this feature could make Safari slower than before, thus hurting the browsing experience. “So I guess Apple chose user experience over user privacy,” she notes.
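The behaviour Jury describes can be reproduced with any SQLite file and SQLite's `PRAGMA secure_delete`. The following is an added example, not code from the researcher or from Apple; the table, column names and URLs are constructed and do not reflect the real BrowserState.db schema.

```python
import os
import sqlite3
import tempfile

# Constructed sample data; the schema below is hypothetical.
CLOSED_TAB = b"https://closed-tab.example/private-page"
OPEN_TAB = b"https://open-tab.example/still-open"


def deleted_url_survives(secure_delete: bool) -> bool:
    """Delete one row, then scan the raw database file for its URL."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "state.db")
        conn = sqlite3.connect(path)
        # Set explicitly: some SQLite builds default to secure_delete=ON.
        mode = "ON" if secure_delete else "OFF"
        conn.execute(f"PRAGMA secure_delete = {mode}").fetchall()
        conn.execute("CREATE TABLE tabs (id INTEGER PRIMARY KEY, url TEXT)")
        conn.executemany(
            "INSERT INTO tabs (url) VALUES (?)",
            [(OPEN_TAB.decode(),), (CLOSED_TAB.decode(),)],
        )
        conn.commit()

        # "Close the tab": the row disappears from every SQL query.
        conn.execute("DELETE FROM tabs WHERE url = ?", (CLOSED_TAB.decode(),))
        conn.commit()
        live = [row[0] for row in conn.execute("SELECT url FROM tabs")]
        assert live == [OPEN_TAB.decode()]
        conn.close()

        # What a forensic tool reads: the file's bytes, not the SQL view.
        with open(path, "rb") as fh:
            raw = fh.read()
        assert OPEN_TAB in raw  # live data is present in both modes
        return CLOSED_TAB in raw


if __name__ == "__main__":
    print("secure_delete=OFF, deleted URL in file:", deleted_url_survives(False))
    print("secure_delete=ON,  deleted URL in file:", deleted_url_survives(True))
```

With the setting off, SQLite only marks the deleted cell's space as free, so the URL text stays in the page until it is reused; with it on, the freed bytes are zeroed when the row is deleted.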

Over the past few weeks, researchers have discovered other issues that lower the overall security offered by iOS 10 when compared to previous releases. Local backups on a PC or Mac made with the help of iTunes are easier to brute-force than before, allowing an attacker to try a total of 6,000,000 passwords per second compared to only 2,400 passwords per second for iOS 9 backups.

Last week, Apple’s iMessage service was revealed to send home information on who a user messages or attempts to message, along with the date, time and their IP address, and Apple confirmed that it sometimes shares such information with law enforcement agencies when required. Earlier this week, the URL preview feature in iMessage was found to leak information about the user to the linked website.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
