EU feature to download apps from websites leaves users vulnerable to being tracked... even in Incognito Mode

Search in Safari on an iPhone
(Image credit: Future)

One of the many changes Apple implemented to follow EU legislation allows users to download third-party apps directly from websites. It lets users skirt using the App Store and paying the fees related to the store. But (rather ironically), the tech that powers this feature has left EU Safari users vulnerable to being tracked across the web – even if they use Incognito mode.

The recent discovery by iOS developer Mysk turns the spotlight on a rather pesky URL scheme vulnerability. Safari on the best iPhones allows users to be tracked across the web, regardless of their browsing settings. These schemes are basically the internet’s way of directing traffic, and in this case, they should be helping users install apps from alternative web stores. However, Safari seems a bit overzealous, trying to process these schemes even from dodgy websites.

How are EU Safari users vulnerable?

This Safari bungle leads to the exposure of a unique identifier for your device: the Client-ID. This little number can then be tracked across various websites. It's exactly what the "Ask Not to Track" feature blocks. Even worse, this tracking fiesta can continue unabated even when you're browsing in incognito mode, where you'd expect your privacy to be protected.

For users in the EU, this is particularly bothersome since EU regulations require Apple to allow these alternative app stores, making them susceptible to this issue. Outside the EU, users remain unaffected.

The fix? While waiting for Apple to pull up their socks and patch this issue, switching to another browser like Firefox or Chrome might just be your best bet. These browsers have a stronger track record of not letting sneaky tracking schemes slip through the net.

Also, remember basic tips to keep your device secure. Update your devices and browsers regularly, and maybe invest in some good privacy extensions. After all, it’s better to be safe than sorry.

More from iMore

Connor Jewiss

Connor is a technology writer and editor, with a byline on multiple platforms. He has been writing for around seven years now across the web and in print too. Connor has experience on most major platforms, though does hold a place in his heart for macOS, iOS/iPadOS, electric vehicles, and smartphone tech.