I'm not seeing what the "catastrophic" issue is. A site can include a link to install an app from a third-party marketplace and, when the user affirmatively acts to proceed with the install, that marketplace can see which site the install request came from.
It looks like they basically created an immutable identifier that gets exposed. Sort of like a persistent third party cookie, but with fewer access controls as it isn’t domain bound.
That’s just my read of the article, I haven’t reviewed the code myself.
However, I will say that the way SV companies tend to operate is they refuse to do any compliance work until forced by circumstance, then they have to do a rush job and a bunch of stuff gets fucked up that would have been fine if they planned ahead based on statutory requirement.
So from a human/corporate behavior perspective this is exactly what I’d expect.
Likewise, Apple in particular has a holier than thou attitude, especially in regards to privacy, so I think there’s a bit of them being blinded by their own arrogance in this case.
Sweet, UE can now legitimately take 4% of Apple’s global income for uniquely identifying all users on Earth, having undeletable cookies and not having the cookie banter and thus, breaking GDPR.
Having worked in this sector for a very long time I just don’t think GDPR is an effective regulatory tool. Primarily because Ireland is a regulatory/tax haven for American companies and they have to enforce GDPR…and they refuse to.
Whereas DMA was written to totally avoid that problem; so I think a DMA action is WAY more likely as the Irish can’t block it.
Where do you get "affirmatively acts to proceed with the install"? The original advisory suggests that any website can fire off these marketplace requests in response to any user action.
According to the advisory the user can click on a button and the event handler issues the request. There isn't a link. The user has no indication of what's going to happen beyond whatever the page chooses to tell them.
Apple claims allowing users to install software from 3rd parties is a security problem, and then when forced to allow it they introduce security problems. Hmmm..
Why not choose a browser that doesn't have those things built-in in the first place, rather than choosing a browser full of things you don't want and then turning them off.
Especially as Brave, the company, has a history of being less than honest about its browser decisions.
For those who don't share that opinion the inclusion of features like the built-in wallet, the native(-ish) support for IPFS, and domain name resolution for cryptocurrency-based TLDs is valuable functionality.
The article is talking about iOS. Apple doesn't let you run Chromium on iOS. Are there any iOS Safari wrappers that can match Brave's ad-blocking abilities?
Default Firefox installs also show you random websites on the new tab page that basically amount to ads. We can quibble over whether or not the quality of the content is worse or better in one browser but it’s not fundamentally different. And in both browsers you can disable it permanently in a few clicks. I really don’t see how anyone can complain about one and not the other
* The limiting factor of this attack is that a marketplace must first be approved by Apple before it can undertake this sort of tracking. *
Seems like a Catch-22 that Apple is required to support these other marketplaces out of their control but simultaneously expected to prevent them from behaving badly.
29 comments
[ 4.8 ms ] story [ 72.3 ms ] threadThat's it?
That’s just my read of the article, I haven’t reviewed the code myself.
However, I will say that the way SV companies tend to operate is they refuse to do any compliance work until forced by circumstance, then they have to do a rush job and a bunch of stuff gets fucked up that would have been fine if they planned ahead based on statutory requirement.
So from a human/corporate behavior perspective this is exactly what I’d expect.
Likewise, Apple in particular has a holier than thou attitude, especially in regards to privacy, so I think there’s a bit of them being blinded by their own arrogance in this case.
brilliant
Whereas DMA was written to totally avoid that problem; so I think a DMA action is WAY more likely as the Irish can’t block it.
https://news.ycombinator.com/item?id=40208696
https://www.mysk.blog/2024/04/28/safari-tracking/
Brave is a crypto wallet and advertising platform that happens to come with a web browser.
- Yes crypto bad, so what? Don't use the wallet?
- Aren't ads disabled by default?
Especially as Brave, the company, has a history of being less than honest about its browser decisions.
For those who don't share that opinion the inclusion of features like the built-in wallet, the native(-ish) support for IPFS, and domain name resolution for cryptocurrency-based TLDs is valuable functionality.
I see my coworker use Brave every day and each time they open a new tab it’s some crypto ad. Why would anyone want that?
[1]: https://kagi.com/orion/
Seems like a Catch-22 that Apple is required to support these other marketplaces out of their control but simultaneously expected to prevent them from behaving badly.