
Apple Is Sending URLs to Tencent? - mathieutd
https://twitter.com/matthew_d_green/status/1183391221861027841
======
amanzi
The author of the tweet goes into more depth in a blog post:
[https://blog.cryptographyengineering.com/2019/10/13/dear-
app...](https://blog.cryptographyengineering.com/2019/10/13/dear-apple-safe-
browsing-might-not-be-that-safe/)

------
saagarjha
Took a quick look, and this appears to be enabled if
[NSLocale.currentLocale.countryCode isEqualToString:@"CN"]:

    
    
      char ____ZN7Backend6Google12SSBUtilities24shouldConsultWithTencentEv_block_invoke_2(void * _block) {
          rax = [NSLocale currentLocale];
          rax = [rax retain];
          r14 = [[rax countryCode] retain];
          [rax release];
          rbx = [r14 isEqualToString:@"CN"] != 0x0 ? 0x1 : 0x0;
          [r14 release];
          rax = rbx;
          return rax;
      }
    

Update: the code for Tencent Safe Browsing seems to be _very_ similar to that
which talks to Google, down to it being under a "Google" namespace, the API
endpoints being named the same, and performing hashing which seems to match
the "Update API" here: [https://developers.google.com/safe-browsing/v4/update-
api](https://developers.google.com/safe-browsing/v4/update-api). I think this
is just "whatever Google could see before, Tencent can see now, if you're in
China". I'm no expert, so I have no idea if that's k-anonymous or whatever if
Tencent/Google decide they want to track you, but in either case it's just
shifting who's getting your hashes.

~~~
eastendguy
> if [NSLocale.currentLocale.countryCode isEqualToString:@"CN"]:

So even for US and EU based users the data is send to Tencent just because
they enabled Chinese language support? Who programmed that?

~~~
Gaelan
iOS has separate region and language settings. Quick look at Apple docs
suggests that this is the former.

~~~
gowld
No, it's the latter.

In NSLocale, "region" is a subtype of language, as in a regional dialect, not
an independent dimension.

[https://developer.apple.com/documentation/foundation/nslocal...](https://developer.apple.com/documentation/foundation/nslocale/1643060-countrycode?language=objc)

[https://developer.apple.com/library/archive/documentation/Ma...](https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPInternational/LanguageandLocaleIDs/LanguageandLocaleIDs.html#//apple_ref/doc/uid/10000171i-CH15-SW9)

~~~
dchest
Nope, [[NSLocale currentLocale] countryCode] returns Region country code from
settings. The same code is also used for language region, so you can end up
with something like zh_US.

------
yorwba
This is really a "damned if you do, damned if you don't" kind of situation.

They can either use Tencent's Safe Browsing API as a drop-in replacement for
Google's API, relying on k-anonymity to leak as little information as
possible. That leaves them open to accusations that they allow Tencent (or,
for that matter, Google) to track the browsing history of Safari users.

Or they can essentially turn off Safe Browsing in China. (Google's API is
collateral damage of the Great Firewall.) That leaves their users unprotected
against all kinds of malware and scams.

I think they made the right call here by protecting users against the most
common threat (most people are not dissidents), while giving advanced users
with a different threat model the opportunity to opt out.

~~~
rsync
"Or they can essentially turn off Safe Browsing in China."

The OP as well as the associated blog post[1] as well as the Apple-provided
fine-print language do not make it clear to me that this "feature" is
exclusively enabled for Chinese users (or, perhaps Chinese IPs).

Could someone point to a source that confirms a US person, in the US, with a
US-purchased iphone, would not have their browsing history transformed and
sent away for analysis to tencent ?

[1] [https://blog.cryptographyengineering.com/2019/10/13/dear-
app...](https://blog.cryptographyengineering.com/2019/10/13/dear-apple-safe-
browsing-might-not-be-that-safe/)

~~~
kevinday
If this source is to be believed, it's either going to Google or Tencent, but
never both:

[https://twitter.com/eromang/status/1183422784082530304/photo...](https://twitter.com/eromang/status/1183422784082530304/photo/1)

You can try yourself by going to one of the IOS Safe Browsing test pages on
your phone, and when the warning pops up click "Show Details". It'll either
say Google or Tencent on the warning message, which should let you know which
one got chosen for you.

[https://testsafebrowsing.appspot.com](https://testsafebrowsing.appspot.com)

I just tried it, and it says Google for me in the US.

~~~
jstsch
Great. I disabled safe browsing probably back when it first appeared on my
iPhone 3G or 4 and this test confirms I’m still not sending urls to anyone
whilst surfing on my iPhone 11. Nice job preserving these settings over
countless device upgrades.

~~~
mrgalaxy
For anyone else wanting to disable it (or at least learn more about it), the
feature is labeled in iOS settings under Safari > Fraudlent Website Warning.

------
larkeith
I'm curious if, as @thefalken brought up [0], this is illegal under the GDPR,
given that it's a hidden opt out and should apply to EU citizenry with browser
language set to Chinese.

[0]
[https://mobile.twitter.com/thefalken/status/1183445477645312...](https://mobile.twitter.com/thefalken/status/1183445477645312002?p=v)

~~~
33degrees
The code is checking the region part of the locale, which is CN for china. The
language code for chinese is zh.

~~~
jakear
“en_US” is “American English”, not “English on a Phone in america”. The
alternative “zh-*” codes are SG, TW, or HK. It’s checking if the user has
their region set to “Mainland Chinese”, not That their phone is “Chinese on a
phone in China”.

~~~
33degrees
Actually, american english is "en-US", "en_US" means english with the region
set to the US, at least on iOS. But yes, it is checking that their region is
set to mainland china.

[https://developer.apple.com/library/archive/documentation/Ma...](https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPInternational/LanguageandLocaleIDs/LanguageandLocaleIDs.html#//apple_ref/doc/uid/10000171i-CH15-SW9)

------
leoh
Link to code in question
[https://github.com/Igalia/webkit/blob/9777baa3db09cad7ed5b2c...](https://github.com/Igalia/webkit/blob/9777baa3db09cad7ed5b2ca8ddf5188e7a841aa8/Source/WebKit/UIProcess/Cocoa/SafeBrowsingWarningCocoa.mm#L39)

~~~
saagarjha
Would you mind linking to the upstream repository instead? GitHub doesn’t let
you search in forks.

~~~
fireattack
[https://github.com/WebKit/webkit/blob/master/Source/WebKit/U...](https://github.com/WebKit/webkit/blob/master/Source/WebKit/UIProcess/Cocoa/SafeBrowsingWarningCocoa.mm#L40)

(For some reason "search in this repo" doesn't work for keyword
`malwareDetailsBase` [1], but it's there)

[1]
[https://github.com/WebKit/webkit/search?q=malwareDetailsBase...](https://github.com/WebKit/webkit/search?q=malwareDetailsBase&unscoped_q=malwareDetailsBase)

~~~
sqs
URL to same code search on Sourcegraph (which works):
[https://sourcegraph.com/search?q=repo%3Awebkit%2Fwebkit+malw...](https://sourcegraph.com/search?q=repo%3Awebkit%2Fwebkit+malwareDetailsBase)

(Disclaimer: I am the Sourcegraph CEO.)

~~~
fireattack
It shows

Search timed out Try narrowing your query, or specifying a longer "timeout:"
in your query.

right now.

~~~
sqs
Sorry about that. There must’ve been a brief blip during a moment of intense
load or a redeploy. Is it working for you now?

------
dhdhebsb
It literally says it’s going to send links to Google Safe Browsing and Tencent
Safe Browsing in the Safari setting page under “Safari and Privacy”

~~~
saagarjha
That’s not what it says.

~~~
newshorts
Which one of these comments is right? You both can’t be.

~~~
saagarjha
> Before visiting a website, Safari may send information calculated from the
> website address to Google Safe Browsing and Tencent Safe Browsing to check
> if the website is fraudulent. These safe browsing providers may also log
> your IP address.

This is quite different from sending links.

------
awinter-py
every form of software phone-home is sleazy

we should be linting code to say whether it phones home or not, and what it
uploads when it does. plain language privacy policies and ever-changing
browser settings are leaving huge gaps.

when the US government bought chinese drones they hired a consultant to prove
that the drones never call home.

~~~
OJFord
> we should be linting code to say whether it phones home or not

Is that possible? How do you diffentiate it from expected API calls?

(Not convinced black/white-listing strings is any different from code review
in this case - it'll just be changed on demand if if prevents adding what was
tried to be added.)

~~~
awinter-py
it's theoretically possible. I don't know of any tools that do it (which could
be a comment on my research skills rather than the state of the art).

in theory you can do dataflow analysis on all external inputs to the program
(geo, filesystem, text) and monitor where that goes in the program. For
something more complicated like a browser, you might want to do the analysis
per component (URL bar in this case).

wouldn't be perfect, but it's a starting point.

linting is tougher on closed-source software than open-source, but if a
company certified a linter output and was found to be lying I'm comfortable
with using the law to resolve that.

~~~
UncleMeat
Except you'd never have a good enough dataflow analysis to work on arbitrary
code without burying people with false positives. _Especially_ in C++ code,
where things like function pointers just destroy call graph precision (and
therefore taint analysis precision).

Linting doesn't even give you this much. All it'd be able to tell you is
"where in the program are calls to networking APIs being made" and maybe
determining parameters if they are defined in the same function as the call.

~~~
awinter-py
Trial use case: a small FOSS codebase in a pointer-less language. The goal
isn't perfect safety, it's to be safer than we are now.

~~~
UncleMeat
Feel free to use any of the dozens or hundreds of such tools developed by the
academic community and experience the imprecision yourself.

~~~
awinter-py
examples pls

------
aussieguy1234
This is where they need to sacrifice some computer security for physical
security. By turning this off, a few people who don't follow good security
practices might get malware. But no one will be sent to prison or
"disappeared".

------
wtmt
Apple has done a lot for privacy in its products and its public statements.
But I believe that if it has to have a better impact and be trusted, it needs
someone dedicated to privacy who will (ensure that it will) publish details of
its products, apps and activities in an honest form in an accessible place
(and updated more often than a once-a-year OS upgrade cycle). This kind of
commitment to more transparency will help the company be trusted and also held
up to questions. Said trust is already eroding with recent events. Apple
shouldn’t be complacent and stick to its old ways.

Sadly, Apple also has a history of brushing things away or ignoring
uncomfortable questions.

------
sgz
Are those Google/Tencent API requests done only when browsing with Safari, or
are they done for any SFSafariViewController? That would imply it’s also
inside Brave/Firefox/Chrome...

------
sekasi
Again I feel like I'm reaching out to be educated here.. but if Safari is
attempting to validate URLs for safe browsing using the Google API (which it
states it will do, quite openly), and Google products is quite clearly blocked
in China so it resorts to Tencents API (which it states it will do, quite
openly).. why does this seem to provoke anger?

I mean this in the most equitable way possible, I'm more trying to understand
where Apple has done anything wrong here?

~~~
brians
We can’t tell whether non-China data goes to Tencent—intentionally or by some
bug or adversarial problem.

~~~
woutr_be
The code [1] along, with this explanation [2] does seem to show that it only
happens for devices with the country code set to CN.

[1]:
[https://github.com/Igalia/webkit/blob/9777baa3db09cad7ed5b2c...](https://github.com/Igalia/webkit/blob/9777baa3db09cad7ed5b2ca8ddf5188e7a841aa8/Source/WebKit/UIProcess/Cocoa/SafeBrowsingWarningCocoa.mm#L39)
[2]:
[https://news.ycombinator.com/item?id=21242628](https://news.ycombinator.com/item?id=21242628)

------
taobility
I think the audience in HN are crazy now. Why would you prefer Google than
Tencent for same purpose of API? Should all Chinese scare that iPhone would
send back all logs to California? Should they scare Tesla sent back all their
driving data to US? If you don't trust anything from China, would you destroy
any electronics Made In China, including your smartphones, laptop, TV etc, or
even some food?

------
Jyaif
It should be noted that Apple could very well proxy those requests to Google
and Tencent to protect their customers' ip address, or even implement safe
browsing on their own all together. The fact that they don't means that either
they trust Google and Tencent, or that they don't care about privacy.

------
mulle_nat
Wait, Apple is Sending URLs to Google ?

~~~
slenk
I think a lot of browsers do for the "Safe Browsing" checks

~~~
teraflop
The Safe Browsing API is deliberately designed to avoid leaking the contents
of URLs to Google. You can read about how it works here:
[https://developers.google.com/safe-browsing/v4/update-
api](https://developers.google.com/safe-browsing/v4/update-api)

~~~
xenophonf
It's designed to avoid leaking URLs, but I'd be a lot more comfortable if Safe
Browsing worked by downloading a list of hashes to my computer and checking
locally. That way, data never leaves my device.

~~~
tialaramex
That means giving you all the hashes, which is a lot of data, and you'd need
to constantly update it because the whole point of Safe Browsing is the
dynamism.

Whereas today your browser only needs the prefix list, which is much shorter
and so can feasibly be updated more often without awful bandwidth costs. The
full hashes in a prefix are only fetched (which is where we get "Apple is
sending URLs" by squinting really hard at the facts) if you visit a URL with a
hash with a known-bad prefix.

------
chenzhekl
Probably this is the page of Tencent safe browsing:
[https://urlsec.qq.com/](https://urlsec.qq.com/) I don’t understand why you
trust Google so much. It’s as untrustworthy as Tencent for me.

------
zaphirplane
The safe browsing seems to work in private mode or am I missing something

------
thawaway1837
Why is this more controversial than Apple sending URLs to Google?

------
ycombonator
Tim Apple better have an explanation for this one.

------
ripley12
(edit: the source in question has removed the tweet, so I have too)

~~~
marcinzm
> China only.

Based on the twitter conversation, it's NOT China only. It's Chinese
localization only. Big difference. That means anyone anywhere in the world who
set their computer to Chinese has their data sent. Including Europe which is
likely a GDPR violation.

~~~
innagadadavida
The google servers apparently takes url hash prefix. Does tencent do the same?
If so is it still considered a gdpr violation? There is not much info in a url
hash prefix.

~~~
rocqua
Suppose peeps going to HN are suspect. Then anyone who often produces hash
prefixes that match HN is suspect. When you start getting sequences, you could
possible start matching how people navigate a website.

Essentially, a hash-prefix allows you to rule out / semi confirm guesses about
browsing behavior.

------
bighi
It's better than sending URLs to Google, in my view.

------
pearjuice
Remarkable when people become upset when it is explicitly stated your mobile
tracking device sends information to third party servers, but deep down we all
know the dangers are in what is not explicitly stated.

