Beware: iOS 6 Javascript Bug Could Lead to Privacy Vulnerability

You may not have even noticed the minor yet significant changes to your mobile Safari browser, but iOS 6 brought with it a useful but invasive Smart App Banner feature. App developers can offer Internet surfers the ability to download a native app or even launch the app right from Safari. The Smart App Banner makes it easy for websites to connect you to their apps. It is also an accidental invasion of privacy for users who prefer to turn off JavaScript on their iPhone or iPad.

JavaScript is basically a coding language that makes websites more dynamic. It can also be used to track users and to provide a “digital fingerprint” of a user’s Web browser, including how much time a user spends on a page, what part of the page they look at, and what letters they type into entry fields. For that reason, Apple included a function in the settings section that lets users turn off JavaScript.

The addition of Smart App Banners has affected users’ ability to keep JavaScript off. When you visit a website that features a Smart App Banner, the JavaScript switch is flipped back on and stays on, without the user being notified. For example, if you turn off JavaScript in your Settings app and then visit Yelp from your iPad’s mobile Safari browser, you’ll see the Smart App Banner with a link to either launch or download the app. If you go back to your settings section, you’ll note that the JavaScript switch is flipped back on. There is no pop-up message to let you know that this has happened.

Peter Eckersley, technology products director with digital rights advocacy group the Electronic Frontier Foundation, told AppleInsider that this bug in iOS 6 is a serious privacy and security vulnerability that should be addressed right away. “It is a security issue, it is a privacy issue, and it is a trust issue,” said Eckersley. “Can you trust the UI to do what you told it to do? It’s certainly a bug that needs to be fixed urgently.”

Lysa Myers, an associate at security firm Intego, told AppleInsider that the bug isn’t really a major concern for the vast majority of iOS device owners.

“While this issue is certainly not an ideal situation, by itself it actually isn’t that large a problem,” said Myers. “At the moment it doesn’t pose a threat, but we’ll continue to monitor it to make sure it doesn’t become more exploitable. There’s also the fact that few people actually disable JavaScript completely as it can partially, or totally, disable the majority of websites.”

However, Eckersley strongly believes that users should have the right to keep their Web browsing information private. Everything we do on the Internet can help advertisers learn how to market to us. “The only way you can really reduce that in practice is to disable JavaScript.”

Eckersley also pointed out that Apple doesn’t allow third-party plug-ins for the mobile Safari browser that might help with private browsing, so there is no good way to protect your privacy when using a mobile device.

“At this point, our advice for browsing the mobile web in private is: Don’t do it,” he said. “If you need privacy while you browse, use a desktop browser.”


About Lory: Writer of all things app related, traveler of the space-time continuum, baker of really great cookies. Follow me @appaholik