I am sure many of you are not aware of this, and neither was I. Believe me, none of us would expect this from a tech company that promotes itself as a champion of consumer privacy.
Late last week, it was widely revealed that starting from at least iOS 12.2, Apple silently integrated the "Tencent Safe Browsing" service to power its "Fraudulent Website Warning" feature in the Safari web browser for both iOS and macOS.
Just like the Safe Browsing feature in Chrome and Mozilla Firefox, Safari's fraudulent website warning feature has also been designed to protect users from various online threats by simply checking every website they visit against a regularly updated list of malicious websites.
Until iOS 12.2, Apple primarily relied on the database of "blacklisted websites" provided by Google's Safe Browsing service, which obviously had a privacy drawback, i.e., Google could know what websites you visit and may also log your IP address to maintain your browsing history.
"Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent. These safe browsing providers may also log your IP address," Apple notes.
Now, with Tencent on the same list, Apple is giving the Chinese company the same privileges as Google.
Though Apple's latest implementation of this feature restricts both services from directly viewing the exact URLs you visit, it still allows Tencent and Google to log your IP address and learn a set of sites that mathematically resemble your URLs.
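The hash-prefix lookup behind the "information calculated from the website address" wording, as an added example that is not Apple's, Google's or Tencent's code. It follows the scheme Google documents for its Safe Browsing Update API (SHA-256 of host/path expressions, truncated to a 4-byte prefix), which is assumed here to be what Safari uses; canonicalization is simplified, and the hostnames, blocklist and provider corpus are constructed.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of the SHA-256 digest kept as the "hash prefix"

def prefix_of(expression):
    return hashlib.sha256(expression.encode()).digest()[:PREFIX_LEN]

def expressions(url):
    """Host-suffix/path-prefix combinations checked for one URL (simplified:
    no percent-decoding or IP-address handling)."""
    parts = urlsplit(url)
    labels = parts.hostname.lower().split(".")
    # Exact host, then suffixes of the last five labels, never the bare TLD.
    hosts = [".".join(labels)]
    hosts += [".".join(labels[i:]) for i in range(max(0, len(labels) - 5), len(labels) - 1)]
    path = parts.path or "/"
    segments = [s for s in path.split("/") if s]
    paths = [path + "?" + parts.query] if parts.query else []
    paths.append(path)
    # Root plus up to three leading directories, each with a trailing slash.
    paths += ["/" + "".join(s + "/" for s in segments[:n]) for n in range(min(len(segments), 4))]
    return list(dict.fromkeys(h + p for h in hosts for p in paths))

def client_lookup(url, local_prefixes):
    """Prefixes the browser would send to the provider; [] means no request is made."""
    return [prefix_of(e) for e in expressions(url) if prefix_of(e) in local_prefixes]

def provider_view(sent_prefix, known_urls):
    """URLs from the provider's own corpus that are consistent with a received prefix."""
    return [u for u in known_urls if sent_prefix in map(prefix_of, expressions(u))]

# Constructed sample data: a one-entry local blocklist and a tiny provider-side URL corpus.
LOCAL_PREFIXES = {prefix_of("phish.example.test/login")}
PROVIDER_CORPUS = ["http://phish.example.test/login", "http://news.example.test/"]

if __name__ == "__main__":
    for url in ("https://news.example.test/world", "http://phish.example.test/login?session=1"):
        sent = client_lookup(url, LOCAL_PREFIXES)
        print(url, "->", [p.hex() for p in sent] or "nothing sent")
        for p in sent:
            print("  provider can narrow this to:", provider_view(p, PROVIDER_CORPUS))
```

A request leaves the device only when a local prefix matches, and that request, together with the source IP address, is what the provider can correlate against URLs it already knows.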
To be honest, it's not that Tencent is evil; people are simply not comfortable sharing their data with Tencent because the company has close ties with the Beijing government and a questionable history of aiding censorship in the country.
It's also more concerning because on iOS, Apple requires every third-party app and browser, even Google Chrome, to use its own WebKit rendering engine, which contains the questionable feature, indirectly making it hard for iOS users to avoid it.
Does Apple Share Non-Chinese Users' Browsing Data with Tencent?
However, it's very likely that Tencent's list of blacklisted websites is used only in China, where Google services are banned, as an alternative for providing the fraudulent website warning feature in the country.
Apple users and privacy advocates are reacting negatively to the news, and that's because people expect "full disclosure" of such a major change to a security feature from a company that has a long history of announcing every small detail, including the addition of a few new emojis or some changes in menu options, on stage in front of hundreds of journalists.
Anyway, if this feature worries you, you can turn the Fraudulent Website Warning feature OFF in Safari. But if you want to stay vigilant against sketchy and phishing pages, I would not recommend playing with it, as disabling the feature makes you lose access to Google's service as well.
Since this feature comes enabled by default on all iPhones and iPads running iOS 13, users have to disable it by following these steps manually:
On iPhones: Go to Settings → Safari → Turn off Fraudulent Website Warning
On macOS: Head on to Safari → Preferences → Security → Uncheck Warn when visiting a fraudulent website