The Truth About Safari’s Privacy: Tracked even in Incognito Mode


While Safari is generally considered a secure browser for iOS users, a recent discovery by iOS developer Mysk raises concerns about potential user tracking. This article delves into the technical aspects of the vulnerability, its implications for user privacy, and potential mitigation strategies.

A Vulnerability in Safari: Tracking iOS Devices Even in Incognito Mode

The URI Scheme Vulnerability

The core of the issue lies in a specific URI scheme used by Safari. URI (Uniform Resource Identifier) schemes define how a resource should be accessed. In this case, the scheme allows alternative app stores to be installed directly from a website. The flaw, however, is not the scheme itself but how Safari handles it.

Even when a website is not a legitimate app store, Safari attempts to process the URI scheme. This unintended behavior creates an opportunity for malicious websites to exploit the vulnerability for tracking purposes.

Client ID Exposure and Tracking Mechanisms

Mysk’s demonstration, captured in a video, showcases how a website with just ten lines of code can trigger this vulnerability. When a user visits such a website, Safari initiates a download attempt to install a non-existent app store.

While this download fails due to an authorization error, the process exposes a unique identifier associated with the user’s device – the Client-ID. This identifier can potentially be used to track the user’s device across different websites.

The concern intensifies when additional website features like “adpURL” and “storeAccountName” come into play. If these features are compatible, they can potentially facilitate the sharing of the Client-ID between websites, further consolidating a user’s online footprint.

Bypassing Incognito Mode: A Broken Security Guarantee

One of the most concerning aspects of this vulnerability is that it circumvents the privacy protections offered by Safari’s incognito mode. Typically, incognito mode prevents the browser from storing browsing history, theoretically hindering user tracking.

However, this vulnerability can still expose the Client-ID and allow it to be used for tracking, even when browsing in incognito mode. This effectively breaks the security guarantee associated with incognito browsing.

Geographical Scope and Mitigation Strategies

There is a geographical limitation to this vulnerability. It currently affects only iOS devices in the European Union (EU) region. This is because Apple is obligated to allow alternative app stores within the EU, necessitating the implementation of the specific URI scheme in Safari for that region. Users in other regions currently do not experience any impact.

The most straightforward mitigation strategy for EU users is to consider using a different browser besides Safari. Many alternative browsers for iOS, such as Firefox or Chrome, are known for implementing stronger tracking prevention mechanisms. These browsers can block attempts to access the vulnerable URI scheme and prevent the exposure of the Client-ID.

While switching browsers offers immediate protection, it’s equally important to raise awareness about this vulnerability and encourage Apple to address it with a software update. A patch that modifies Safari’s behavior to only process the URI scheme for legitimate app store installations would effectively close this vulnerability.

Beyond Mitigation: Considerations for User Privacy

The discovery of this vulnerability highlights the ongoing struggle for user privacy in the digital age. Even with established security measures like incognito mode, vulnerabilities can exist.

Users should be aware of these potential shortcomings and exercise caution when browsing the internet. Here are some additional considerations for user privacy:

  • Being Selective About Visited Websites: It’s crucial to be cautious about the websites you visit, especially those with unfamiliar or untrustworthy content. Refrain from clicking on suspicious links or downloading content from unknown sources.
  • Utilizing Privacy Extensions: Several privacy extensions are available for iOS browsers that offer additional tracking prevention features. These extensions can further bolster user privacy by blocking tracking scripts and cookies.
  • Staying Informed About Updates: Regularly updating your iOS device and installed browsers allows you to benefit from the latest security patches and vulnerability fixes released by Apple and browser developers.


Technical Deep Dive: Understanding the URI Scheme Vulnerability

  • URI Scheme Mechanics: A URI (Uniform Resource Identifier) acts like an address that tells your device how to access a specific resource. It consists of various components, including the scheme (e.g., http, https), domain name, and path. In this case, the vulnerable scheme enables the installation of app stores directly through a website.

  • Safari’s Overzealous Processing: The vulnerability arises because Safari attempts to process the app store installation scheme even when the website itself is not a legitimate app store. Malicious actors can exploit this behavior to trigger the download attempt and expose the Client-ID.

  • Client-ID Demystified: The Client-ID is a unique identifier assigned to each device by Apple. While it can serve legitimate purposes within the Apple ecosystem, its exposure in this context allows for potential cross-site tracking.

  • “adpURL” and “storeAccountName”: These additional website features, if compatible, can potentially facilitate the sharing of the Client-ID between websites. “adpURL” might be used to pass information related to advertisements displayed on the website, while “storeAccountName” could be linked to a specific app store account. When combined with the Client-ID, this information could be used to build a more comprehensive profile of a user’s online activity.

  • Incognito Mode Bypass: The Technical Explanation: Incognito mode typically achieves privacy by preventing the storage of browsing history and cookies. However, in this case, the Client-ID exposure occurs at the network layer, before traditional browser history is even created. This bypasses the intended privacy protections of incognito mode.
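
For defenders, the points above suggest a simple audit check. The following JavaScript is an added example (not code from this article or from Mysk's demonstration) that a web proxy or site-audit tool could use to flag page markup containing a non-web URI that carries the “adpURL” or “storeAccountName” names. It assumes those names appear as query parameters of the custom-scheme URL; the scheme name "example-scheme", the hosts and all function names are constructed placeholders.

```javascript
// Added example, not code from the article or from Mysk's demonstration.
// Assumption: the two names appear as query parameters of a custom-scheme URL.
const FLAGGED_PARAMS = ['adpURL', 'storeAccountName'];
const WEB_SCHEMES = new Set(['http', 'https', 'ws', 'wss', 'ftp']);

// Undo entity encoding that hides '&' separators inside HTML attributes.
function decodeEntities(text) {
  return text.replace(/&amp;|&#0*38;|&#x0*26;/gi, '&');
}

// Split a raw query string by hand; custom-scheme URLs need no valid web origin.
function parseQuery(query) {
  const params = new Map();
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    let value = eq === -1 ? '' : pair.slice(eq + 1);
    try { value = decodeURIComponent(value); } catch (_) { /* keep raw value */ }
    params.set(key, value);
  }
  return params;
}

// Return one finding per non-web URI in the markup that carries a flagged parameter.
function findSchemeInvocations(html) {
  const findings = [];
  const uriPattern = /\b([a-z][a-z0-9+.-]*):\/\/[^\s"'<>`]+/gi;
  for (const match of decodeEntities(html).matchAll(uriPattern)) {
    const scheme = match[1].toLowerCase();
    if (WEB_SCHEMES.has(scheme)) continue;
    const qIndex = match[0].indexOf('?');
    if (qIndex === -1) continue;
    const params = parseQuery(match[0].slice(qIndex + 1).split('#')[0]);
    const hits = FLAGGED_PARAMS.filter((name) => params.has(name));
    if (hits.length === 0) continue;
    let backendHost = null; // host named in adpURL, if that value is a URL
    try { backendHost = new URL(params.get('adpURL')).hostname; } catch (_) { /* absent or not a URL */ }
    findings.push({ scheme, params: hits, backendHost });
  }
  return findings;
}

// Constructed sample markup; "example-scheme" and the hosts are placeholders.
const SAMPLE_PAGE = `
<a href="https://news.example/story?adpURL=x">ordinary web link, ignored</a>
<a href="example-scheme://install?adpURL=https%3A%2F%2Fbackend.example%2Fpkg&amp;storeAccountName=demo">flagged</a>`;

console.log(findSchemeInvocations(SAMPLE_PAGE));
```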


The exposed vulnerability in Safari underscores the importance of continuous vigilance in protecting user privacy. While mitigation strategies exist, a permanent solution requires Apple to address the vulnerability with a software update.

By understanding the technical aspects of the vulnerability and adopting a comprehensive approach to online privacy, users can minimize the risks associated with online tracking and protect their devices.

This incident also serves as a reminder for developers and technology companies to prioritize robust security measures and implement them with meticulous attention to detail. By working together, users, developers, and tech companies can strive towards a more secure and privacy-conscious digital environment.
