iOS 14.5 routes Safari traffic through Apple proxies before sending to Google's 'Safe...

Cal Jeffrey

Posts: 3,268   +894
Staff member
TL;DR: As we already know, Apple is upping security in iOS 14 with a new feature that requires apps to ask for permission before collecting data from users. Testers using the iOS 14.5 beta have discovered another security measure that Apple never mentioned. It seems that Safari will now use Apple servers as a proxy while accessing Google's "Safe Browsing" feature.

If you have used the Safari web browser enough, you have likely encountered its "Fraudulent Website Warning" at least once. It is a security measure employed to help keep users from accidentally stumbling on phishing websites. It is powered by Google Safe Browsing, which is also used for the same purpose in Chrome and Firefox.

The mechanics are relatively straightforward. Google has an API that Apple and others use to run traffic through a database of websites Google believes are suspicious. If it gets a hit, the warning is triggered. The URLs are fully encrypted using a 32-bit hash prefix when using this API, so Google's servers cannot see what sites users are visiting. However, the servers can snag their IP address or other information.

To prevent this, Safari will route traffic through Apple proxy servers before accessing the Safe Browsing database. Apple's Head of WebKit confirmed the measure via Twitter, saying it was "to limit the risk of information leak."

The feature is one of several we have seen since Apple unleashed the iOS14.5 beta to the public. It brings with it the ability to unlock your iPhone when wearing a mask, provided you have a paired Apple Watch running the latest version of watchOS. Users will also be allowed to set their favorite music app to the default instead of using Apple Music.

Image credit: Wachiwit

Permalink to story.

 

Adorerai

Posts: 95   +57
I’m confused, the server can snag your IP address and other information along with a 32 bit hash. How is it determined if the site/url is malicious or not if google has no idea what the site is? Wouldn’t the hash at some point reference a site or url?
 

trparky

Posts: 988   +1,083
I’m confused, the server can snag your IP address and other information along with a 32 bit hash. How is it determined if the site/url is malicious or not if google has no idea what the site is? Wouldn’t the hash at some point reference a site or url?
Google would get the URL, except it would be like as if Apple requested the lookup on the URL thus, they are acting like a go-between. Google thrives on data mining, if all of the URL Safe Browsing URL lookups come from one place, their data mining is useless.

Remember, we're trying to show Google that their business model is not compatible with those of us who want our privacy and don't want our private data mined for everything that it's worth.
 

0dium

Posts: 301   +349
Google would get the URL, except it would be like as if Apple requested the lookup on the URL thus, they are acting like a go-between. Google thrives on data mining, if all of the URL Safe Browsing URL lookups come from one place, their data mining is useless.

Remember, we're trying to show Google that their business model is not compatible with those of us who want our privacy and don't want our private data mined for everything that it's worth.
I think you misunderstood what he said. Question is why can't google see the url you are requesting.