iOS 6 bug reenables JavaScript in Safari without user consent

The new "Smart App Banner" feature in iOS 6 is designed to allow developers the ability to promote App Store software within Safari. The Smart App Banner detects whether a user has a specific application installed, and invites them to view the software on the App Store or open it on their iOS device.

But for users who choose to turn off JavaScript in the Safari Web browser, the appearance of a Smart App Banner on a website will automatically and permanently turn JavaScript back on without notifying the user.

iOS device owners can test this issue, first discovered by AppleInsider reader James, by opening the Settings application and choosing Safari, then turning off JavaScript. Then simply launch the Safari browser and visit a website with a Smart App Banner, such as the test page we've set up at appleinsider.com/smart-banner.html (this will turn on JavaScript to demonstrate the issue).

Users can then go back into the Settings application to verify that the JavaScript setting switch has been flipped back to the "on" position without warning. Accordingly, JavaScript features on websites will begin working again.

The issue has reportedly existed since the release of iOS 6 months ago, though it has not been widely reported. Michael Stockwell, founder of FizzPow Games, helped confirm for AppleInsider that the issue applies to all builds of iOS 6 on all devices — iPhone, iPad and iPod touch. In addition, people familiar with the latest beta of iOS 6.1 said the problem also remains in Apple's pre-release test software on the iPhone.

A potentially 'serious' issue?

Peter Eckersley, technology products director with digital rights advocacy group the Electronic Frontier Foundation, said he would characterize such an issue as a "serious privacy and security vulnerability."

Neither Eckersley nor the EFF had heard of the bug in iOS 6, nor had they independently tested to confirm that they were able to replicate the issue. But Eckersley said that if the problem is in fact real, it's something that Apple should work to address as quickly as possible.

"It is a security issue, it is a privacy issue, and it is a trust issue," Eckersley said. "Can you trust the UI to do what you told it to do? It's certainly a bug that needs to be fixed urgently."

But Lysa Myers, a virus hunter at security firm Intego, said she doesn't see the bug as a major concern for the vast majority of iOS device owners.

“While this issue is certainly not an ideal situation, by itself it actually isn’t that large a problem," Myers told AppleInsider. "At the moment it doesn’t pose a threat, but we’ll continue to monitor it to make sure it doesn’t become more exploitable. There’s also the fact that few people actually disable JavaScript completely as it can partially, or totally, disable the majority of websites.”

Eckersley acknowledged that most users would not feel compelled to dive into a browser's settings and turn off JavaScript. But for those who view security as a paramount concern, disabling JavaScript in a browser is one of the first actions typically taken.

"It's not necessarily directly and immediately a security vulnerability, but it's the kind of thing that would enable some other vulnerability to be exploited," he said.

Why disable JavaScript?

While JavaScript enables developers to create rich Web experiences and is required by most websites, it can also be used to help track and provide a "digital fingerprint" of a user's Web browser. With JavaScript, a website can potentially track information such as how much time a user spends on a page, what parts of the page they look at, what characters they type into entry fields on the page, and what link they click to leave.

The EFF's Panopticlick project showcases how personal and trackable a user's browser can be. The foundation recommends that users disable JavaScript to defend against browser fingerprinting.

Thanks to JavaScript, each browser is a "beautiful and unique snowflake," Eckersley said. Our one-of-a-kind browsing history can tell advertisers and others information about ourselves that is potentially personal and valuable.

"The only way you can really reduce that in practice is to disable JavaScript," Eckersley said.

Highlighting less flexibility with mobile browsers

For Eckersley, any issue with JavaScript in iOS 6 would only further establish his view that current mobile browsers are woefully underpowered when compared to their desktop counterparts. He noted that with more full-featured browsers on platforms like OS X and Windows, users can install custom plugins or add-ons that can enhance features and improve security if users choose.

For example, a popular choice among the privacy conscious is "NoScript," an open source plugin that blocks JavaScript, Java and Flash for Firefox users. Because Apple's mobile version of Safari does not support third-party plugins, there are no such enhancements available for iOS.

Eckersley feels the design ideology of modern smartphone platforms is to make everything as simple as possible, a strategy that he called "hostile to privacy."

"At this point, our advice for browsing the mobile web in private is: Don't do it," he said. "If you need privacy while you browse, use a desktop browser."