Security researcher Stacey Jury at IntaForesincs has shared some concerns in terms of iOS 10’s privacy, in particular Apple Safari’s private browsing mode. Apparently, Apple has changed some things in the private mode in Safari and it is now less private compared to previous ones.
The issue the researcher stumbled upon stems from the way Safari stores data about Private Browsing sessions, and more precisely it’s about “suspended state” URLs.
These are URLs for tabs that are already closed are still kept in the browser. This is done in case the user wants to navigate back and forth in either a public or a private browsing session.
What Exactly Is the Issue with iOS 10’s Private Browsing?
Up until now, forensics analysts have been able to recover ‘Suspend State’ from IOS devices within the private browser and normal browser. Suspend State is a ‘back-forward’ list within the handset web browser ‘Safari’. These are links to web pages recently visited within currently open tabs, allowing for the user to easily go backwards or forwards to a specific web page.
Suspend State
The researcher also explains that Suspend State has previously been stored in a PList which means that when the user closes a tab the web page entry would be removed from the PList. Storing the data in a PList means the user can’t recover deleted or closed tabs. This way the user can be certain that when he closes the web page, it won’t be retrieved.
In iOS 10, released last month, Safari started using a database to store data on the Private Browsing Suspend State URLs. Here we get to the heart of the issue.
Even though Apple removed the suspended state URLs from the databases, it doesn’t overwrite the database entries with random data. This should be done as a precautionary measure.
The researcher did an experiment which proved the nature of the issue:
I carried out an experiment with an iPhone 5S running IOS 10.0.1. I populated the iPhone by opening new tabs within the Safari browser in private mode. Extracting the iPhone using XRY version 7.1, the web pages were present within the extraction. XRY also extracted the entries as ‘hidden’. Opening the new database ‘BrowserState.db’, it shows a column within the database which tracks if the web pages were opened in private mode.
Of course, the experiment didn’t stop there, as the web pages within private mode were closed and the phone was extracted again. At this point, the entries were gone within the database. Unfortunately, XRY, an example of data recovery software, recovered those closed web pages, the researcher says. It won’t matter whether the user is browsing the web in private mode or not, Safari web history can be easily recovered with the help of the latest forensics tools.
This discovery just adds up to other complaints in regards of iOS 10.