silversurfer

Apple is sending some browsing history of iOS 13 Safari users to Tencent Holdings Limited, a Chinese multinational conglomerate. The data shared is tied to the Safari Safe Browsing technology. Revelations of the relationship have drawn criticism from security and privacy experts.

Apple’s Safari Browser on iOS has a “Fraudulent Website Warning” feature set as a default that has used Google Safe Browsing technology as a back-end. But Safari users noticed recently information provided by Apple about this feature on iOS that acknowledges the company sends “information calculated from a website address” not only to Google Safe Browsing, but also to “safe browsing” technology from Tencent.

Moreover, Apple—“as is standard for this sort of news”—has divulged very little about the privacy implications of shifting Safe Browsing to use Tencent’s servers, which is troubling at best, and could be a privacy disaster, at worst, said Matthew Green, a cryptographer and professor at Johns Hopkins University, in an analysis posted on Sunday.

“The changes probably affect only Chinese-localized users … although it’s difficult to know for certain,” he wrote. “However, it’s notable that Apple’s warning appears on U.S.-registered iPhones.”

There are a slew of problems with this scenario, not the least of which is that Tencent has close ties to the Chinese government, observed Tom Parker from Reclaim the Net in a blog post.
 

Threadripper

Apple responds to reports that it sends user traffic to China's Tencent
Nowadays, most safe browsing mechanisms, such as those managed by Google and Tencent, work by sending a copy of the database to a user's browser and letting the browser check the URL against this local database.

According to Apple, this is also how Apple developers have implemented Safari's safe browsing mechanism -- to never send the user's internet browsing traffic to safe browsing providers.
Furthermore, as several developers have also pointed out over the weekend, Tencent is not the default safe browsing provider. Tencent is only used on devices where the Chinese locale is enabled.

The reasoning behind supporting Tencent is quite simple -- the Chinese government bans Google domains inside China; hence, Safari users in China wouldn't be able to receive Google's database of malicious links and subsequent updates.

Apple added support for Tencent as an alternative safe browsing provider specifically for Chinese users. It did so in order to keep its Chinese userbase safe, similar to everyone else, and show alerts whenever one of them might end up wandering off and landing on a bad site.
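
The local-database check described in the post above, as an added example that is not part of the thread and is not Apple's, Google's or Tencent's code. It assumes the hash-prefix scheme of Google's publicly documented Safe Browsing Update API (SHA-256 of URL expressions, 4-byte prefixes in the local list, full-hash confirmation on a local hit); URL canonicalization is simplified and all hostnames are constructed.

```python
import hashlib

PREFIX_LEN = 4  # bytes; assumption: 32-bit prefixes in the local list


def expressions(url):
    """Host-suffix/path-prefix combinations for a URL (simplified canonicalization)."""
    rest = url.split("://", 1)[-1].split("#", 1)[0]
    host, _, path = rest.partition("/")
    path = "/" + path.split("?", 1)[0]
    labels = host.lower().split(".")
    # Full host plus parent domains, never going below two labels.
    hosts = [".".join(labels[i:]) for i in range(max(1, len(labels) - 1))]
    segs = [s for s in path.split("/") if s]
    paths = ["/"] + ["/" + "/".join(segs[:i]) + "/" for i in range(1, len(segs))]
    if segs:
        paths.append(path)
    return [h + p for h in hosts for p in paths]


def prefix(expr):
    return hashlib.sha256(expr.encode()).digest()[:PREFIX_LEN]


def build_local_db(bad_expressions):
    """What the provider ships to the browser: hash prefixes only, no URLs."""
    return {prefix(e) for e in bad_expressions}


def check(url, local_db):
    """Return (verdict, sent); `sent` is the URL-derived data that leaves the device."""
    hits = sorted({prefix(e) for e in expressions(url)} & local_db)
    if not hits:
        return "no-local-match", []  # lookup stays entirely on the device
    # A local hit is only a candidate: the prefixes go to the provider,
    # which answers with full hashes for the final comparison.
    return "needs-full-hash-check", [h.hex() for h in hits]


def confirm(url, full_hashes):
    """Final step, done locally against the provider's full-hash reply."""
    return any(hashlib.sha256(e.encode()).digest() in full_hashes
               for e in expressions(url))


if __name__ == "__main__":
    db = build_local_db(["bad.example.test/login/"])  # constructed entry
    print(check("https://news.example.org/story", db))
    print(check("http://bad.example.test/login/index.html?x=1", db))
```

In this model the provider sees a hash prefix only when a visited URL matches the local list, and it sees that request arrive from the client's IP address.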