A bug that lets users circumvent Apple's Screen Time parental controls, and corporate web blacklists, was discovered in 2020, but Apple has refused to fix it -- until now.
Screen Time's website blocking can be circumvented
This is not the same Screen Time bug that meant children could use their iPhone or iPad for longer than their parents set. Apple acknowledged that problem in 2023, and it's mostly been fixed.
What definitely has not been fixed -- but reportedly will be in the next update to iOS -- is a way to circumvent restrictions on what websites children can access through Safari. According to The Wall Street Journal, researchers spotted in 2020 that it was possible to prefix the address of a blocked site with a certain sequence of characters, and gain access.
That sequence of characters has not been revealed. The original researchers say the same sequence also defeats corporate web blacklisting on phones, plus device management apps on computers.
Vienna-based security researcher Andreas Jagersberger and colleague Ro Achterberg tested their discovery and then reported it to Apple's security team in March 2021. Apple reportedly claimed that it wasn't a security issue per se, and asked them to file a general report via the company's feedback tool.
That feedback was ignored, so in August 2021, the two again reported it as a security issue. This time Apple specifically stated that "we do not see any actual security implications."
"They rejected without knowing implications or severity or anything," said Achterberg, "which is frustrating to us."
Overall, the two spent three years filing reports with Apple, at one point including a suggested fix. After failing to get Apple to respond, they contacted Joanna Stern of the Wall Street Journal.
She confirmed the bug, contacted Apple, and received a more promising response.
"[Apple is] aware of an issue with an underlying web technology protocol for developers, which allows for a user to bypass web content restrictions," said a spokesperson for the company. "[A] fix has been planned for the next software update."
A separate Apple spokesperson repeated the earlier claim that this does not constitute a security vulnerability, but rather is a software issue. The distinction is important to Apple -- only people discovering security vulnerabilities are eligible for a reward from Apple's controversial bounty program.
Not Screen Time's only failing
Alongside this bug, Stern took the opportunity to ask Apple about multiple other issues she's found with Screen Time. They include how she may or may not get the request to approve more YouTube time for her son, and how she may or may not be asked to approve an app download.
Apple says that problems regarding usage tracking and app limits were addressed over the last several software updates, and in particular iOS 17.5.
"We take reports of issues regarding Screen Time very seriously and have been consistently making improvements to ensure users have the best experience," said the Apple spokeswoman. "Our work is not done and we will continue to make updates in upcoming software releases."
Apple is expected to announce iOS 18 at WWDC on June 10, 2024.