The Safari browser in Apple's iOS 6 platform has a potentially serious JavaScript bug that could have major security and privacy implications.
The new "Smart App Banner" feature in iOS 6 is designed to let developers promote App Store software within Safari. The Smart App Banner detects whether a user has a specific application installed, and invites them to view the software on the App Store or open it on their iOS device.
But for users who choose to turn off JavaScript in the Safari Web browser, the appearance of a Smart App Banner on a website will automatically and permanently turn JavaScript back on without notifying the user.
iOS device owners can test this issue, first discovered by AppleInsider reader James, by opening the Settings application and choosing Safari, then turning off JavaScript. Then simply launch the Safari browser and visit a website with a Smart App Banner, such as the test page we've set up at appleinsider.com/smart-banner.html (this will turn on JavaScript to demonstrate the issue).
Users can then go back into the Settings application to verify that the JavaScript setting switch has been flipped back to the "on" position without warning. Accordingly, JavaScript features on websites will begin working again.
The issue has reportedly existed since the release of iOS 6 months ago, though it has not been widely reported. Michael Stockwell, founder of FizzPow Games, helped confirm for AppleInsider that the issue applies to all builds of iOS 6 on all devices: iPhone, iPad and iPod touch. In addition, people familiar with the latest beta of iOS 6.1 said the problem also remains in Apple's pre-release test software on the iPhone.
A potentially 'serious' issue?
Peter Eckersley, technology products director with digital rights advocacy group the Electronic Frontier Foundation, said he would characterize such an issue as a "serious privacy and security vulnerability."
Neither Eckersley nor the EFF had heard of the bug in iOS 6, nor had they independently tested to confirm that they were able to replicate the issue. But Eckersley said that if the problem is in fact real, it's something that Apple should work to address as quickly as possible.
"It is a security issue, it is a privacy issue, and it is a trust issue," Eckersley said. "Can you trust the UI to do what you told it to do? It's certainly a bug that needs to be fixed urgently."
But Lysa Myers, a virus hunter at security firm Intego, said she doesn't see the bug as a major concern for the vast majority of iOS device owners.
"While this issue is certainly not an ideal situation, by itself it actually isn't that large a problem," Myers told AppleInsider. "At the moment it doesn't pose a threat, but we'll continue to monitor it to make sure it doesn't become more exploitable. There's also the fact that few people actually disable JavaScript completely as it can partially, or totally, disable the majority of websites."
Eckersley acknowledged that most users would not feel compelled to dive into a browser's settings and turn off JavaScript. But for those who view security as a paramount concern, disabling JavaScript in a browser is one of the first actions typically taken.
"It's not necessarily directly and immediately a security vulnerability, but it's the kind of thing that would enable some other vulnerability to be exploited," he said.
Why disable JavaScript?
While JavaScript enables developers to create rich Web experiences and is required by most websites, it can also be used to help track and provide a "digital fingerprint" of a user's Web browser. With JavaScript, a website can potentially track information such as how much time a user spends on a page, what parts of the page they look at, what characters they type into entry fields on the page, and what link they click to leave.
The EFF's Panopticlick project showcases how personal and trackable a user's browser can be. The foundation recommends that users disable JavaScript to defend against browser fingerprinting.
Thanks to JavaScript, each browser is a "beautiful and unique snowflake," Eckersley said. Our one-of-a-kind browsing history can tell advertisers and others information about ourselves that is potentially personal and valuable.
"The only way you can really reduce that in practice is to disable JavaScript," Eckersley said.
Highlighting less flexibility with mobile browsers
For Eckersley, any issue with JavaScript in iOS 6 would only further establish his view that current mobile browsers are woefully underpowered when compared to their desktop counterparts. He noted that with more full-featured browsers on platforms like OS X and Windows, users can install custom plugins or add-ons that can enhance features and improve security if users choose.
For example, a popular choice among the privacy conscious is "NoScript," an open source plugin that blocks JavaScript, Java and Flash for Firefox users. Because Apple's mobile version of Safari does not support third-party plugins, there are no such enhancements available for iOS.
Eckersley feels the design ideology of modern smartphone platforms is to make everything as simple as possible, a strategy that he called "hostile to privacy."
"At this point, our advice for browsing the mobile web in private is: Don't do it," he said. "If you need privacy while you browse, use a desktop browser."
26 Comments
That must be why Android users never show up in web usage stats, they're worried about the privacy issue.
1. Some dude from the EFF screaming about a 'bug' he hasn't verified. Classy.
2. Are we sure it is a bug and not a part of the feature? JavaScript could be required for the banner to actually function. Yes, it would be nice if folks were told it was being switched on. Or even that it needs to be and force them to go do it themselves, but does the lack really make it a full court press issue?
3. It is not 'permanent' when I can switch it back just fine. Permanent implies the switch is grayed out for life or some such.
AppleInsider wrote: "The EFF's Panopticlick project showcases how personal and trackable a user's browser can be. The foundation recommends that users disable JavaScript to defend against browser fingerprinting."
I've been on that site before. They can't prove that any actual private information is taken without anyone's consent with their 'test' and I found it amusing that it doesn't really work when you have JavaScript off. Which might provoke many folks into turning on JavaScript to see actual results.
Can't most of this tracking info, search field logging etc be done by the web server logging IP info?
Just tested my ip5 running 6.0.2 and this reported bug is pure bs. I have JS turned off and when I attempt to launch anything that needs JS I get a message the JS is off and must be turned on to view. There is NO automatic JS turnon, at least not in 6.0.2.