While Safari is generally considered a secure browser for iOS users, a recent discovery by iOS developer Mysk has raised concerns about potential user tracking. This article examines the technical aspects of the vulnerability, its implications for user privacy, and potential mitigation strategies.

Vulnerability in Safari: Track iOS devices even in incognito mode

Source: Slashgear

URI Scheme Vulnerability

The core of the problem lies in a specific URI scheme used by Safari. URI (Uniform Resource Identifier) schemes define how a resource should be accessed. In this case, the scheme allows alternative app stores to be installed directly from a website. However, the vulnerability lies in Safari’s behavior.

Even when the website is not a legitimate app store, Safari tries to handle the URI scheme. This unwanted behavior creates an opportunity for malicious websites to exploit the vulnerability for tracking purposes.

Client-ID disclosure and tracking mechanisms

Mysk’s video demonstration shows how a website with just ten lines of code can trigger this vulnerability. When a user visits such a website, Safari initiates a download attempt to install a non-existent app store.

Although this download fails due to an authorization error, the process reveals a unique identifier associated with the user’s device – the Client-ID. This identifier can potentially be used to track the user’s device across websites.

The concern is heightened when additional website features such as “adpURL” and “storeAccountName” are used. If these features are compatible, they can potentially facilitate the sharing of Client-IDs between websites, further consolidating a user’s online footprint.

Bypassing Incognito Mode: Breached Security Guarantee

One of the most concerning aspects of this vulnerability is that it bypasses the privacy protections offered by Safari’s incognito mode. Typically, incognito mode does not allow the browser to store browsing history, which theoretically prevents user tracking.

However, this vulnerability can still reveal the Client-ID and allow it to be used for tracking even when browsing in incognito mode. This effectively violates the security guarantee associated with incognito browsing.

Geographic scope and mitigation strategies

This vulnerability is geographically restricted. It currently affects only iOS devices in the European Union (EU) region. This is because Apple is required to allow alternative app stores within the EU, which requires the implementation of the specific URI scheme in Safari for that region. Users in other regions are currently not affected.

The simplest mitigation strategy for EU users is to consider using a browser other than Safari. Many alternative browsers for iOS, such as Firefox or Chrome, are known to implement stronger anti-tracking mechanisms. These browsers can block attempts to access the vulnerable URI scheme and prevent the disclosure of the Client-ID.

While switching browsers offers immediate protection, it is equally important to raise awareness of this vulnerability and encourage Apple to address it through a software update. A patch that changes Safari’s behavior to only handle the URI scheme for legitimate app store installations will effectively close this vulnerability.

Beyond mitigation: Consumer privacy considerations

The discovery of this vulnerability highlights the ongoing struggle for consumer privacy in the digital age. Even with established security measures, such as incognito mode, vulnerabilities can exist.

Users should be aware of these potential drawbacks and exercise caution when surfing the Internet. Here are some additional user privacy considerations:

  • Be selective about the websites you visit: It is crucial to be careful about the websites you visit, especially those with unknown or untrustworthy content. Refrain from clicking on suspicious links or downloading content from unknown sources.
  • Use privacy extensions: Several privacy extensions are available for iOS browsers that offer additional anti-tracking features. These extensions can further improve user privacy by blocking tracking scripts and cookies.
  • Stay up to date: Regularly updating your iOS device and installed browsers allows you to take advantage of the latest security patches and vulnerability fixes released by Apple and browser developers.

Deep Technical Dive: Understanding the URI Scheme Vulnerability

  • URI Scheme Mechanics: A URI (Uniform Resource Identifier) acts as an address that tells your device how to access a particular resource. It consists of various components, including a scheme (e.g. http, https), a domain name, and a path. In this case, the vulnerable scheme allows the installation of app stores directly through a website.

  • Safari overprocessing: The vulnerability occurs because Safari attempts to process the app store installation scheme even when the website itself is not a legitimate app store. Malicious actors can take advantage of this behavior to trigger the download attempt and reveal the Client-ID.

  • Client-ID Demystified: The Client-ID is a unique identifier assigned to each device by Apple. While it may serve legitimate purposes within the Apple ecosystem, its exposure in this context allows for potential cross-site tracking.

  • “adpURL” and “storeAccountName”: These additional website features, if compatible, could potentially facilitate the sharing of Client-ID between websites. “adpURL” can be used to pass information related to ads displayed on the website, while “storeAccountName” can be associated with a specific app store account. When combined with the Client-ID, this information can be used to build a more comprehensive profile of the user’s online activity.

  • Incognito Bypass: Technical Explanation: Incognito mode generally achieves privacy by preventing browsing history and cookies from being stored. In this case, however, Client-ID exposure occurs at the network layer before the traditional browser history is even created. This bypasses the intended privacy protection of incognito mode.
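
The origin check that the proposed patch implies, sketched as an added example (not code from Mysk, Apple, or the original article): a scanner that finds installer-scheme URIs in page source and allows them only from approved marketplace origins. The scheme name is a placeholder, the sample pages and allowlist are constructed, and treating “adpURL” and “storeAccountName” as query parameters of the URI is an assumption.

```javascript
// Added example: audit page source for an app-store installer URI scheme and
// allow it only when the page's origin is an approved marketplace.
// ASSUMPTIONS: the scheme name is a placeholder (the article does not name it);
// adpURL / storeAccountName are treated as query parameters of the URI.
const INSTALL_SCHEME = "example-store-install";
const SHARING_PARAMS = ["adpURL", "storeAccountName"];

// Constructed sample pages (not real sites).
const SAMPLE_UNTRUSTED =
  '<a href="example-store-install://install?adpURL=https%3A%2F%2Ftracker.example%2Fadp' +
  '&amp;storeAccountName=t1">Continue</a>';
const SAMPLE_STORE =
  '<a href="example-store-install://install?adpURL=https%3A%2F%2Fstore.example%2Fadp">Install</a>';

// Return every installer-scheme URI found in raw HTML or script text.
function findInstallUris(source) {
  const re = new RegExp(INSTALL_SCHEME + ":\\/\\/[^\\s\"'<>`)]+", "gi");
  return source.match(re) || [];
}

// One finding per URI: whether the origin may invoke the scheme, and which
// sharing-related parameters ride along with the request.
function auditPage(pageUrl, source, approvedOrigins) {
  const origin = new URL(pageUrl).origin;
  const approved = approvedOrigins.includes(origin);
  return findInstallUris(source).map((raw) => {
    let params = [];
    try {
      const uri = new URL(raw.replace(/&amp;/g, "&")); // undo HTML entity encoding
      params = SHARING_PARAMS.filter((p) => uri.searchParams.has(p));
    } catch (_) {
      // Malformed URI: still reported, with no parameters listed.
    }
    return { origin, uri: raw, params, verdict: approved ? "allow" : "block" };
  });
}

const APPROVED = ["https://store.example"]; // constructed allowlist
for (const [url, html] of [
  ["https://tracker.example/page", SAMPLE_UNTRUSTED],
  ["https://store.example/get", SAMPLE_STORE],
]) {
  for (const f of auditPage(url, html, APPROVED)) {
    console.log(f.verdict, f.origin, f.params.join(","));
  }
}
```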

Conclusion

The disclosed vulnerability in Safari underscores the importance of constant vigilance in protecting user privacy. Although mitigation strategies exist, a permanent solution requires Apple to fix the vulnerability with a software update.

By understanding the technical aspects of the vulnerability and taking a holistic approach to online privacy, users can minimize the risks associated with online tracking and protect their devices.

This incident also serves as a reminder for developers and technology companies to prioritize robust security measures and implement them with meticulous attention to detail. By working together, users, developers and technology companies can strive for a more secure and privacy-friendly digital environment.
