The Privacy Blog: Privacy, Security, Cryptography, and Anonymity

Feb 17, 2012

Google tricks iOS Safari into tracking you

Google and other online advertising companies, like Vibrant Media, Media Innovation Group, and PointRoll, are using a flaw in Safari on iOS to track you despite your privacy settings.

iOS Safari is set by default to reject tracking cookies from 3rd party websites. That means that unless you are directly and intentionally interacting with a site, it should not be able to cookie and track you. Specifically, that is intended to prevent tracking by advertisers displaying banner ads on websites.

The hack is that these advertisers use a script within the website to submit an invisible web form to the advertising website, which looks to Safari like you directly interacted with that site, and so Safari allows the site to send a cookie. Another flaw in Safari causes those cookies to be returned to the 3rd party sites once they have been set.
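A simplified model of the two behaviours just described, as an added example that is not from the original post and is not Safari's actual code. The hosts, the cookie value, and the `gesture` flag (whether a real user action triggered the form) are assumptions for illustration, and the hardened policy is one hypothetical fix, not the one Apple shipped.

```javascript
// Simplified model of the cookie policy (an assumption, not Safari's code).
// Hosts and cookie values are constructed. Real browsers compare registrable
// domains; this model compares full hostnames to stay short.
const host = (u) => new URL(u).hostname;
const isThirdParty = (req) => host(req.url) !== host(req.topLevelUrl);

// Policy as the post describes it: any form submission counts as interaction.
const flawedAccepts = (req) => !isThirdParty(req) || req.formSubmit;
// Hypothetical hardening: the submission must come from a real user gesture.
const hardenedAccepts = (req) =>
  !isThirdParty(req) || (req.formSubmit && req.gesture);

class CookieJar {
  constructor(accepts, replayToThirdParty) {
    this.accepts = accepts;                       // may a response set a cookie?
    this.replayToThirdParty = replayToThirdParty; // second flaw: resend stored cookies
    this.store = new Map();                       // host -> cookie
  }
  // Returns the cookie sent with the request, then applies any Set-Cookie.
  fetch(req, setCookie) {
    const maySend = !isThirdParty(req) || this.replayToThirdParty;
    const sent = maySend ? this.store.get(host(req.url)) ?? null : null;
    if (setCookie && this.accepts(req)) this.store.set(host(req.url), setCookie);
    return sent;
  }
}

// Constructed scenario: news.example embeds an ad from ads.example, then the
// same ad network is embedded on shop.example.
function simulate(jar) {
  const top = "https://news.example/story";
  const banner = { url: "https://ads.example/banner", topLevelUrl: top,
                   formSubmit: false, gesture: false };
  const autoForm = { url: "https://ads.example/submit", topLevelUrl: top,
                     formSubmit: true, gesture: false }; // submitted by script
  jar.fetch(banner, "id=123");
  const storedAfterBanner = jar.store.size;
  jar.fetch(autoForm, "id=123");
  const storedAfterForm = jar.store.size;
  const sentOnOtherSite =
    jar.fetch({ ...banner, topLevelUrl: "https://shop.example/" }, null);
  return { storedAfterBanner, storedAfterForm, sentOnOtherSite };
}

const flawed = simulate(new CookieJar(flawedAccepts, true));
const noReplay = simulate(new CookieJar(flawedAccepts, false));
const hardened = simulate(new CookieJar(hardenedAccepts, true));
console.log({ flawed, noReplay, hardened });
```

The `noReplay` run shows that cross-site tracking in this model needs both flaws: the cookie is still stored, but it is never sent back in a third-party context.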

Apple is saying that they will address the issue. Google is blaming Apple for breaking with web standards (even though almost all browsers support blocking 3rd party cookies, iOS Safari is unusual in making this the default).

My suggestion:

  1. On your iOS device (iPhone, iPad, iPod Touch) go to “Settings”, select “Safari”, scroll down and “Clear Cookies and Data”. Do this frequently.
  2. Don’t log into Google or other social media sites through the browser, only use the dedicated apps.
  3. Use those social media apps to “like” or “+1” content, rather than doing so in the browser.
  4. Protect your IP address with a tool like Anonymizer Universal so these sites can’t just use your IP address in place of cookies to track you when you are at home or work on a WiFi connection with a long term IP address.

The WSJ had the first article I saw on this, but it is paywalled.

9 to 5 Mac has a nice article on it.

John Battelle’s searchblog tries to look at this issue from both sides.

· · ·

3 comments

  • FJ · February 17, 2012 at 11:16 am

    hi Lance – considering purchasing Anonymizer but curious about a few things, and there’s no obvious way to contact the company on the site, so I’m asking here.

    We have an Android 4.0 phone, an iOS 5 iPhone 4, and a Dell laptop running Windows 7 Pro. Will the one time fee of $80 plus the ongoing renewals cover *all* of these devices? If not what is the cost of adding the iPhone and Galaxy Nexus mobile phones? How do the mobile products work?

  • Author comment by lance · February 23, 2012 at 10:00 am

    You can always reach us at support@anonymizer.com.
    The iPhone and laptop would both be covered. We are not supporting Android at this time.

  • Diablo · March 24, 2012 at 6:48 pm

    * If you wish to surf the net on your iPhone with a higher degree of privacy, you may then want to use, instead of Mobile Safari, another web browser available for the iPhone, such as the Atomic Web Browser (which is capable of clearing all your browsing history and cookies on every start) and there is also the new Ghostery web browser – which handles all those nasty advertising and tracking cookies – including Double Click and the mother of all bitches – Google Analytics.

    * If you still want to use Mobile Safari, but want to make sure it doesn’t accept third party cookies or no cookies at all, then you better use the iPhone Configuration Utility, just to make sure nothing nasty, or accidentally, turns back on cookies on Safari. Once you are there, you may also wish to disable Siri (because you never know where your voice tone may actually end up) as well as “Send Diagnostic and Usage Data to Apple” which is in my opinion the same thing as the “Carrier IQ Factory Installed Spyware” found on Android devices.
