Published: Tue, October 15, 2019

Safari in iOS sends some Safe Browsing data to Tencent


"Before visiting a website, Safari may send information calculated from website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent", the fine print reads.

But it was recently discovered that, in addition to Google, Apple is also sending similar information to the Chinese company Tencent, a name that has also been linked with censorship and questionable collaboration with the Beijing government.

Previously, in the US, Apple relied on Google and its Safe Browsing service for this purpose.

While Safari has always sent safe browsing data to Google's servers for its Fraudulent Website Warning system, which protects users from accidentally going to phishing websites, data being sent to Tencent is a much bigger deal to most users.

Apple said in a statement that the feature protects user privacy and safeguards people's data. And it will do so unless the on-by-default "Fraudulent Website Warning" is disabled using the appropriate iOS or macOS settings menu.

The Tencent disclosure is contained in the Safari settings for iOS 12 and 13 devices.


In the event of a match (and there may be several, given that hash prefixes aren't necessarily unique), Safari asks the API provider, Google or Tencent, for all the URLs that match the hash prefix.

"While they may be just as trustworthy, we deserve to be informed about this kind of change and to make choices about it". "Users should learn about these changes before Apple pushes the feature into production, and thus asks millions of their customers to trust them", cryptographer Matthew Green, who is also a professor at Johns Hopkins University, wrote in a blog post.

Tencent is one of China's largest internet and gaming companies, but it also has a notorious reputation for helping the country's government censor the internet and even jail users for making controversial comments on its WeChat social messaging app.

Apple is pushing back. Quite the opposite, at least in intent: when an iOS user visits a website, the URL and, in some cases, their IP address are sent off to be cross-checked against known fraudulent websites.

The latter, in contrast, allows browsers to download encrypted versions of the Safe Browsing lists for local, client-side checks of URLs, meaning the safe browsing server never knows the actual URLs queried by Safari. This may also explain why Apple is relying on a Chinese company's blacklist of malicious websites.
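The local prefix check and the follow-up request on a match, both described above, as an added Python sketch (not code from Apple, Google or Tencent). It assumes SHA-256 hashes with truncated prefixes, skips URL canonicalization, and has the provider answer with full hashes for a prefix; the class names, IP address and list entries are constructed.

```python
import hashlib
from itertools import count


def full_hash(url_expr: str) -> bytes:
    """SHA-256 of an already-canonicalized URL expression (host + path)."""
    return hashlib.sha256(url_expr.encode()).digest()


class Provider:
    """Stand-in for the list provider (Google or Tencent in the article)."""

    def __init__(self, bad_exprs, prefix_len=4):
        self.prefix_len = prefix_len
        self._hashes = {full_hash(e) for e in bad_exprs}
        self.seen = []  # (client IP, prefix) pairs: all the provider learns

    def prefix_list(self):
        """The list a client downloads for local checks."""
        return {h[:self.prefix_len] for h in self._hashes}

    def full_hashes_for(self, prefix, client_ip):
        self.seen.append((client_ip, prefix.hex()))
        return {h for h in self._hashes if h.startswith(prefix)}


class Client:
    def __init__(self, provider, ip):
        self.provider, self.ip = provider, ip
        self.prefixes = provider.prefix_list()

    def is_fraudulent(self, url_expr):
        h = full_hash(url_expr)
        prefix = h[:self.provider.prefix_len]
        if prefix not in self.prefixes:
            return False  # decided locally; nothing is sent
        # Prefix hit, possibly a collision: confirm against full hashes.
        return h in self.provider.full_hashes_for(prefix, self.ip)


def colliding_benign_expr(client):
    """Find a constructed, unlisted expression whose prefix is on the list."""
    n = client.provider.prefix_len
    for i in count():
        expr = f"benign-{i}.example/"
        if full_hash(expr)[:n] in client.prefixes:
            return expr


if __name__ == "__main__":
    # Constructed sample list; 2-byte prefixes keep the collision search quick.
    provider = Provider(["phish.example/login", "malware.example/"], prefix_len=2)
    client = Client(provider, ip="203.0.113.7")
    for expr in ("news.example/", "phish.example/login", colliding_benign_expr(client)):
        print(expr, client.is_fraudulent(expr))
    print("provider saw:", provider.seen)
```

In this sketch the colliding benign expression is never flagged, yet the provider still records the client's IP address and hash prefix for it.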

While it's not yet clear whose and what information is sent to Tencent, Apple does reveal in the privacy policy that Safari submits browsing data to the Chinese firm. Apple will likely clarify this in a future version of iOS.
