safari security flaw

Safari browser on iOS can be sending your browsing data to China’s Tencent – Here is why you should be worried and How to stop it!

By William Gallagher

Apple’s protection against malicious websites has long sent data to Google Safe Browsing, but now it appears some can also be sent to Chinese firm Tencent.

Apple uses Safe Browsing systems from Google and now also China’s Tencent firm to protect against phishing

Apple has been sending browsing data to Chinese technology firm Tencent as part of its anti-phishing systems, and now may be expanding how much it uses the firm. From iOS 11 in 2017, Apple has stated on devices bought in China that it uses Tencent, but at some point that same privacy notice has appeared on US iPhones and iPads too.

The information is contained with a privacy notice that is reached via Settings, Safari, About Safari Search & Privacy. It’s not clear when this detail was added, but users on Twitter claim to have seen it from iOS 12.2. It is now on all iOS 13 devices.

Apple uses the service as part of its anti-phishing features, and specifically the iOS Fraudulent Website Warning. This is the service that detects when a site may be masquerading as another one, or may contain malware.

Previously, Apple was solely sending this data to Google to leverage that firm’s Safe Browsing facility. Now it’s also using Tencent’s similar system.

It’s not known what data is sent to Tencent, nor under what conditions a user’s data will be sent to that firm instead or, or in addition to, Google. It’s still most likely that it is Safari on China-bought iOS devices whose data is sent to Tencent.

The Safari privacy notice that now includes mention of Tencent

The Safari privacy notice that now includes mention of Tencent

Apple’s privacy notice does describe the overall process for both firms.

“Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent,” it says.

Significantly, it also cautions that the website address may not be the only data that these companies receive.

“These safe browsing providers may also log your IP address,” it adds.

The presence of Tencent in the privacy information does not mean that data is being sent to the firm, only that Apple may use it for this feature when needed. The possible logging of IP addresses by either Google or Tencent may be necessary for their phishing prevention systems.

However, Apple did not announce the use of this second company in what is a significant area of its privacy work. And the Fraudulent Website Warning feature is turned on by default.

To turn it off, go to Settings, Safari and toggle Fraudulent Website Warning. Note, however, that you will then lose the protection against malicious sites.

Spread the love

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: