Security

Sysadmins Rage Over Apple's 'Nightmarish' SSL/TLS Cert Lifespan Cuts (theregister.com) 293

The Register's Jessica Lyons reports: Apple wants to shorten SSL/TLS security certificates' lifespans, down from 398 days now to just 45 days by 2027, and sysadmins have some very strong feelings about this "nightmarish" plan. As one of the hundreds that took to Reddit to lament the proposal said: "This will suck. My least favorite vendor manages something like 10 websites for us, and we have to provide the certs manually every time. Between live and test this is gonna suck."

The Apple proposal, a draft ballot measure that will likely go up for a vote among Certification Authority Browser Forum (CA/B Forum) members in the upcoming months, was unveiled by the iThings maker during the Forum's fall meeting. If approved, it will affect all Safari certificates, which follows a similar push by Google, which plans to reduce the max-validity period on Chrome for these digital trust files down to 90 days.

... [W]hile it's generally agreed that shorter lifespans improve internet security overall -- longer certificate terms mean criminals have more time to exploit vulnerabilities and old website certificates -- the burden of managing these expired certs will fall squarely on the shoulders of systems administrators. [...] Even certificate provider Sectigo, which sponsored the Apple proposal, admitted that the shortened lifespans "will no doubt prove a headache for busy IT security teams, juggling with lots of certificates expiring at different times."

While automation is often touted as the solution to this problem, sysadmins were quick to point out that some SSL certs can't be automated. "This is somewhat nightmarish," said one sysadmin. "I have about 20 appliance-like services that have no support for automation. Almost everything in my environment is automated to the extent that is practical. SSL renewal is the lone Achilles heel that I have to deal with once every 365 days."
Programming

'Running Clang in the Browser Using WebAssembly' (wasmer.io) 56

This week (MIT-licensed) WebAssembly runtime Wasmer announced "a major milestone in making any software run with WebAssembly."

The announcement's headline? Running Clang in the browser using WebAssembly... Thanks to the newest release of Wasmer (4.4) and the Wasmer JS SDK (0.8.0) you can now run [compiler front-end] clang anywhere Wasmer runs! This allows compiling C programs from virtually anywhere. Including Javascript and your preferred browser! (we tested Chrome, Safari and Firefox and everything is working like a charm)...

- You can compile C code to WebAssembly easily just using the Wasmer CLI: no toolchains or complex installations needed, install Wasmer and you are ready to go...!

- You can compile C projects directly from JavaScript...!

- We expect online IDEs to start adopting the SDK to allow their users to compile and run C programs in the browser....

Do you want to use clang in your Javascript project? Thanks to our newly released Wasmer JS SDK you can do it easily, in both the browser and Node.js/Bun etc... Wasmer's clang can even optimize the file for you automatically using wasm-opt under the hood (Clang automatically detects if wasm-opt is used, and it will be automatically called when optimizing the file). Imagine using Emscripten without needing its toolchain installed — or even better, imagine running Emscripten in the browser.

The announcement looks to a future of compiling native Python libraries, when "any project depending on LLVM can now be easily compiled to WebAssembly..."

"This is the beginning of an awesome journey, we can't wait to see what you create next with this."
Government

California Governor Vetoes Bill Requiring Opt-Out Signals For Sale of User Data (arstechnica.com) 51

An anonymous reader quotes a report from Ars Technica: California Gov. Gavin Newsom vetoed a bill that would have required makers of web browsers and mobile operating systems to let consumers send opt-out preference signals that could limit businesses' use of personal information. The bill approved by the State Legislature last month would have required an opt-out signal "that communicates the consumer's choice to opt out of the sale and sharing of the consumer's personal information or to limit the use of the consumer's sensitive personal information." It would have made it illegal for a business to offer a web browser or mobile operating system without a setting that lets consumers "send an opt-out preference signal to businesses with which the consumer interacts."

In a veto message (PDF) sent to the Legislature Friday, Newsom said he would not sign the bill. Newsom wrote that he shares the "desire to enhance consumer privacy," noting that he previously signed a bill "requir[ing] the California Privacy Protection Agency to establish an accessible deletion mechanism allowing consumers to request that data brokers delete all of their personal information." But Newsom said he is opposed to the new bill's mandate on operating systems. "I am concerned, however, about placing a mandate on operating system (OS) developers at this time," the governor wrote. "No major mobile OS incorporates an option for an opt-out signal. By contrast, most Internet browsers either include such an option or, if users choose, they can download a plug-in with the same functionality. To ensure the ongoing usability of mobile devices, it's best if design questions are first addressed by developers, rather than by regulators. For this reason, I cannot sign this bill." Vetoes can be overridden with a two-thirds vote in each chamber. The bill was approved 59-12 in the Assembly and 31-7 in the Senate. But the State Legislature hasn't overridden a veto in decades.
"It's troubling the power that companies such as Google appear to have over the governor's office," said Justin Kloczko, tech and privacy advocate for Consumer Watchdog, a nonprofit group in California. "What the governor didn't mention is that Google Chrome, Apple Safari and Microsoft Edge don't offer a global opt-out and they make up for nearly 90 percent of the browser market share. That's what matters. And people don't want to install plug-ins. Safari, which is the default browser on iPhones, doesn't even accept a plug-in."
Security

Russian Government Hackers Found Using Exploits Made By Spyware Companies NSO and Intellexa (techcrunch.com) 44

Google says it has evidence that Russian government hackers are using exploits that are "identical or strikingly similar" to those previously made by spyware makers Intellexa and NSO Group. From a report: In a blog post on Thursday, Google said it is not sure how the Russian government acquired the exploits, but said this is an example of how exploits developed by spyware makers can end up in the hands of "dangerous threat actors." In this case, Google says the threat actors are APT29, a group of hackers widely attributed to Russia's Foreign Intelligence Service, or the SVR. APT29 is a highly capable group of hackers, known for its long-running and persistent campaigns aimed at conducting espionage and data theft against a range of targets, including tech giants Microsoft and SolarWinds, as well as foreign governments.

Google said it found the hidden exploit code embedded on Mongolian government websites between November 2023 and July 2024. During this time, anyone who visited these sites using an iPhone or Android device could have had their phone hacked and data stolen, including passwords, in what is known as a "watering hole" attack. The exploits took advantage of vulnerabilities in the iPhone's Safari browser and Google Chrome on Android that had already been fixed at the time of the suspected Russian campaign. Still, those exploits nevertheless could be effective in compromising unpatched devices.

EU

Apple Will Allow EU Users To Delete Safari, Messages and App Store Apps (yahoo.com) 47

Apple will change how users choose browser options in the European Union, add a dedicated section for changing default apps, and make more apps deletable, the company said on Thursday. From a report: The iPhone maker came under pressure from regulators to make changes after the EU's sweeping Digital Markets Act took effect on March 7, forcing it to offer mobile users the ability to select from a list of available web browsers on a "choice screen" the first time they open Safari. In an update later this year, Apple users will be able to select a default browser directly from the choice screen after going through a mandatory list of options.

A randomly ordered list of 12 browsers per EU country will be shown to the user with short descriptions, and the chosen one will be automatically downloaded, Apple said. The choice screen will also be available on iPads through an update later this year. Apple released a previous update in response to the new rules in March, but browser companies criticized the design of its choice screen, and the Commission opened an investigation on March 25 saying it suspected that the measures fell short of effective compliance. [...] Users will also be able to delete certain Apple-made apps such as App Store, Messages, Camera, Photos and Safari.

Mozilla

Mozilla Wants You To Love Firefox Again (fastcompany.com) 142

Mozilla's interim CEO Laura Chambers "says the company is reinvesting in Firefox after letting it languish in recent years," reports Fast Company, "hoping to reestablish the browser as an independent alternative to the likes of Google's Chrome and Apple's Safari.

"But some of those investments, which also include forays into generative AI, may further upset the community that's been sticking with Firefox all these years..." Chambers acknowledges that Mozilla lost sight of Firefox in recent years as it chased opportunities outside the browser, such as VPN service and email masking. When she replaced Mitchell Baker as CEO in February, the company scaled back those other efforts and made Firefox a priority again. "Yes, Mozilla is refocusing on Firefox," she says. "Obviously, it's our core product, so it's an important piece of the business for us, but we think it's also really an important part of the internet."

Some of that focus involves adding features that have become table-stakes in other browsers. In June, Mozilla added vertical tab support in Firefox's experimental branch, echoing a feature that Microsoft's Edge browser helped popularize three years ago. It's also working on tab grouping features and an easier way to switch between user profiles. Mozilla is even revisiting the concept of web apps, in which users can install websites as freestanding desktop applications. Mozilla abandoned work on Progressive Web Apps in Firefox a few years ago to the dismay of many power users, but now it's talking with community members about a potential path forward.

"We haven't always prioritized those features as highly as we should have," Chambers says. "That's been a real shift that's been very felt in the community, that the things they're asking for . . . are really being prioritized and brought to life."

Firefox was criticized for testing a more private alternative to tracking cookies which could make summaries of aggregated data available to advertisers. (Though it was only tested on a few sites, "Privacy-Preserving Attribution" was enabled by default.) But EFF staff technologist Lena Cohen tells Fast Company that approach was "much more privacy-preserving" than Google's proposal for a "Privacy Sandbox." And according to the article, "Mozilla's system only measures the success rate of ads — it doesn't help companies target those ads in the first place — and it's less susceptible to abuse due to limits on how much data is stored and which parties are allowed to access it." In June, Mozilla also announced its acquisition of Anonym, a startup led by former Meta executives that has its own privacy-focused ad measurement system. While Mozilla has no plans to integrate Anonym's tech in Firefox, the move led to even more anxiety about the kind of company Mozilla was becoming. The tension around Firefox stems in part from Mozilla's precarious financial position, which is heavily dependent on royalty payments from Google. In 2022, nearly 86% of Mozilla's revenue came from Google, which paid $510 million to be Firefox's default search engine. Its attempts to diversify, through VPN service and other subscriptions, haven't gained much traction.

Chambers says that becoming less dependent on Google is "absolutely a priority," and acknowledges that building an ad-tech business is one way of doing that. Mozilla is hoping that emerging privacy regulations and wider adoption of anti-tracking tools in web browsers will increase demand for services like Anonym and for systems like Firefox's privacy-preserving ad measurements. Other revenue-generating ideas are forthcoming. Chambers says Mozilla plans to launch new products outside of Firefox under a "design sprint" model, aimed at quickly figuring out what works and what doesn't. It's also making forays into generative AI in Firefox, starting with a chatbot sidebar in the browser's experimental branch.

Chambers "says to expect a bigger marketing push for Firefox in the United States soon, echoing a 'Challenge the default' ad campaign that was successful in Germany last summer. Mozilla's nonprofit ownership structure, and the idea that it's not beholden to corporate interests, figures heavily into those plans."
Apple

Apple Thinks Bing is Pretty Bad (theverge.com) 86

U.S. Judge Amit Mehta released a 286-page ruling Monday in the Google search antitrust case, revealing key details of the tech giant's business practices. The document is packed with factual findings and legal conclusions and some amazing comments. Here's one, for instance: Google pays Apple billions of dollars a year to be the default search engine in Safari. But according to Eddy Cue, Apple's senior vice president of services, there's no other meaningful alternative. During the trial, he said that "there's no price that Microsoft could ever offer" to Apple to get the company to preload Bing in Safari. "I don't believe there's a price in the world that Microsoft could offer us," Cue said at another point. "They offered to give us Bing for free. They could give us the whole company."

For Google, this is a sign that they've earned their default status (which, incidentally, they pay Apple gobs of money to maintain). Judge Mehta says that this is an indication that the "market reality is that Google is the only real choice as the default GSE [general search engine]." (Of course, Cue's opinion doesn't mean Bing is objectively bad. Elsewhere, the opinion notes that Bing's search quality is comparable to Google's on desktop, though it falls behind on mobile.)

Mozilla

The Biggest Loser in Google Search Ruling Could Be Mozilla and Firefox (fortune.com) 111

Mozilla, the non-profit behind the Firefox browser, faces an uncertain future following Monday's landmark antitrust ruling against Google. The decision, which found Google illegally maintained its search monopoly, puts Mozilla's primary funding source at risk. In 2021-2022, Mozilla received $510 million from Google out of $593 million total revenue, according to its latest financial report. Fortune adds: You can be sure that critics of the judge's ruling will highlight the potentially devastating impact on Mozilla to make the case that the antitrust ruling will have unintended consequences on smaller tech industry players. Others might argue that Mozilla hasn't done enough with those spoils to differentiate its Firefox browser, or that it could cut a deal with another search engine like Bing if its Google deal goes away completely. Either way, Google will appeal the suit so a long battle may ensue. And there's another big domino to fall: the judge will rule on the remedy or remedies -- essentially, the business-model penalties -- that Google will face. Apple also stands to lose more than $20 billion a year that Google pays the iPhone-maker to be the default search engine on Safari. But as Fortune notes, "Apple is a large, diversified company with many sources of revenue."
Safari

Apple Debuts New 'Distraction Control' Feature For Safari (9to5mac.com) 31

Apple has introduced a new feature for Safari that allows users to block distracting elements on web pages, such as sign-in popups, some autoplay videos and even ads (temporarily). The feature is called "Distraction Control" and is rolling out today in iOS 18 beta 5. 9to5Mac reports: Distraction Control is accessible via the same Page Menu interface in Safari as Reader and Viewer. Here, users will find a new "Hide Distracting Items" option to enable Distraction Control. Users will then be prompted to select different elements on a webpage that they feel are distracting. Users will have to manually choose each item on a webpage that they wish to hide. Distraction Control will persist through page refreshes and reloads, assuming that the hidden item does not change. Apple says that nothing is proactively hidden with this feature; only items that a user manually selects are hidden.

Apple also emphasizes that this feature is not meant to serve as an ad blocker. While a user can technically use Distraction Control to hide an ad on a website temporarily, that ad will re-appear when the page is refreshed or otherwise reloaded. In fact, the first time a user activates Distraction Control, Safari will display a pop-up that emphasizes the feature will not permanently remove ads or other areas of a website that frequently change. If a user chooses to hide something like a GDPR banner or a cookies request pop-up, Distraction Control behaves in the same way as if the user manually clicked to dismiss that pop-up. This means Distraction Control will serve as neither an "Accept" nor "Decline" for that cookies request. Finally, if a user wishes to unhide an item, they can click back into the Page Menu interface in Safari and choose "Show Hidden Items."

Safari

When It Comes to Privacy, Safari Is Only the Fourth-Best Browser (yahoo.com) 36

Apple's elaborate new ad campaign promises that Safari is "a browser that protects your privacy." And the Washington Post says Apple "deserves credit for making many privacy protections automatic with Safari..."

"But Albert Fox Cahn, executive director of the Surveillance Technology Oversight Project, said Safari is no better than the fourth-best web browser for your privacy." "If browser privacy were a sport at the Olympics, Apple isn't getting on the medal stand," Cahn said. (Apple did not comment about this.)

Safari stops third-party cookies anywhere you go on the web. So do Mozilla's Firefox and the Brave browser... Chrome allows third-party cookies in most cases unless you turn them off... Even without cookies, a website can pull information like the resolution of your computer screen, the fonts you have installed, add-on software you use and other technical details that in aggregate can help identify your device and what you're doing on it. The measures, typically called "fingerprinting," are privacy-eroding tracking by another name. Nick Doty with the Center for Democracy & Technology said there's generally not much you can do about fingerprinting. Usually you don't know you're being tracked that way. Apple says it defends against common fingerprinting techniques but Cahn said Firefox, Brave and the Tor Browser all are better at protecting you from digital surveillance. That's why he said Safari is no better than the fourth-best browser for privacy.

Safari does offer extra privacy protections in its "private" mode, the article points out. "When you use this option, Apple says it does more to block use of 'advanced' fingerprinting techniques. It also steps up defenses against tracking that adds bits of identifying information to the web links you click."

The article concludes that Safari users can "feel reasonably good about the privacy (and security) protections, but you can probably do better — either by tweaking your Apple settings or using a web browser that's even more private than Safari."
Google

Google Struggles to Lessen Reliance on Apple Safari (theinformation.com) 20

Google is intensifying efforts to decrease its dependency on Apple's Safari browser, as a U.S. antitrust lawsuit threatens its default search engine status on iPhones. The tech giant has been trying to shift more iPhone searches to its own apps, with the percentage rising from 25% five years ago to the low 30s recently, The Information reported Friday.

Progress has stalled in recent months, however. To attract users, Google has run advertising campaigns showcasing unique features like Lens image search. The company recently hired former Instagram executive Robby Stein to lead this initiative, potentially leveraging AI to enhance its apps' appeal. Google paid Apple over $20 billion last year for default status on Safari. Reducing this dependency could protect Google's mobile search advertising revenue if the antitrust ruling goes against it. The report adds: Google executives considered having its new AI Overviews feature, which shows AI-generated responses to search queries, appear on its mobile apps but not on Safari, people who have worked on the product said. But Google ultimately decided against that move.
Security

10-Year-Old Open Source Flaw Could Affect 'Almost Every Apple Device' (thecyberexpress.com) 23

storagedude shares a report from the Cyber Express: Some of the most widely used web and social media applications could be vulnerable to three newly discovered CocoaPods vulnerabilities -- including potentially millions of Apple devices, according to a report by The Cyber Express, the news service of threat intelligence vendor Cyble Inc. E.V.A Information Security researchers reported three vulnerabilities in the open source CocoaPods dependency manager that could allow malicious actors to take over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and MacOS applications, potentially affecting "almost every Apple device." The researchers found vulnerable code in applications provided by Meta (Facebook, Whatsapp), Apple (Safari, AppleTV, Xcode), and Microsoft (Teams); as well as in TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, Zynga, and many more.

The vulnerabilities have been patched, yet the researchers still found 685 Pods "that had an explicit dependency using an orphaned Pod; doubtless there are hundreds or thousands more in proprietary codebases." The newly discovered vulnerabilities -- one of which (CVE-2024-38366) received a 10 out of 10 criticality score -- actually date from a May 2014 CocoaPods migration to a new 'Trunk' server, which left 1,866 orphaned pods that owners never reclaimed. While the vulnerabilities have been patched, the work for developers and DevOps teams that used CocoaPods before October 2023 is just getting started. "Developers and DevOps teams that have used CocoaPods in recent years should verify the integrity of open source dependencies used in their application code," the E.V.A researchers said. "The vulnerabilities we discovered could be used to control the dependency manager itself, and any published package." [...] "Dependency managers are an often-overlooked aspect of software supply chain security," the researchers wrote. "Security leaders should explore ways to increase governance and oversight over the use of these tools."

"While there is no direct evidence of any of these vulnerabilities being exploited in the wild, evidence of absence is not absence of evidence," the EVA researchers wrote. "Potential code changes could affect millions of Apple devices around the world across iPhone, Mac, AppleTV, and AppleWatch devices."

While no action is required by app developers or users, the EVA researchers recommend several ways to protect against these vulnerabilities. To ensure secure and consistent use of CocoaPods, synchronize the podfile.lock file with all developers, perform CRC validation for internally developed Pods, and conduct thorough security reviews of third-party code and dependencies. Furthermore, regularly review and verify the maintenance status and ownership of CocoaPods dependencies, perform periodic security scans, and be cautious of widely used dependencies as potential attack targets.
Programming

Apple Geofences Third-Party Browser Engine Work for EU Devices (theregister.com) 81

Apple's grudging accommodation of European law -- allowing third-party browser engines on its mobile devices -- apparently comes with a restriction that makes it difficult to develop and support third-party browser engines for the region. From a report: The Register has learned from those involved in the browser trade that Apple has limited the development and testing of third-party browser engines to devices physically located in the EU. That requirement adds an additional barrier to anyone planning to develop and support a browser with an alternative engine in the EU.

It effectively geofences the development team. Browser-makers whose dev teams are located in the US will only be able to work on simulators. While some testing can be done in a simulator, there's no substitute for testing on device -- which means developers will have to work within Apple's prescribed geographical boundary. Prior to iOS 17.4, Apple required all web browsers on iOS or iPadOS to use Apple's WebKit rendering engine. Alternatives like Gecko (used by Mozilla Firefox) or Blink (used by Google and other Chromium-based browsers) were not permitted. Whatever brand of browser you thought you were using on your iPhone, under the hood it was basically Safari. Browser makers have objected to this for years, because it limits competitive differentiation and reduces the incentive for Apple owners to use non-Safari browsers.

Google

Google Defends 'Better' Search Product as Antitrust Trial Concludes (ft.com) 31

Google is making its last attempt to fight back against a historic effort by the US Department of Justice to break the tech giant's grip on online search, as the most significant antitrust trial in 25 years comes to a close in Washington. From a report: A federal court in Washington began hearing closing arguments on Thursday after a 10-week trial in which the DoJ accused Alphabet, the parent company of Google, of suppressing search rivals by paying tens of billions annually for anti-competitive agreements with wireless carriers, browser developers and device manufacturers. During the hearing on Thursday, John Schmidtlein, a lawyer from Williams & Connolly representing Google, sought to push back on claims that it had hindered rivals' efforts to gain a foothold in online search, and argued that users had plenty of alternatives.

Unsealed court documents revealed this week that Alphabet paid Apple $20bn in 2022 alone to be the default search engine for its iPhone and Safari browser on its other devices. "Google winning agreements because it has a better product is not a harm to the competitive process, even if it gives it scale to improve its product," Schmidtlein told the court. A lawyer for the government, Kenneth Dintzer, told the court that Google's "anti-competitive conduct harms competition and is self perpetuating." Defaults "are a powerful way to drive searches, otherwise Google wouldn't pay billions of dollars for them," he added.

Amit Mehta, the judge hearing the case, noted that search "today looks a lot different than it did" 10 to 15 years ago. He pushed back on the DoJ's contention that the quality of search had suffered due to the lack of competition, although he also noted that only two "substantial competitors" had entered the search market in the past decade. "Doesn't that tell us all we need to know in terms of barriers of entry," he asked.

Google

Google's Payments To Apple Reached $20 Billion in 2022, Antitrust Court Documents Show (yahoo.com) 27

Alphabet paid Apple $20 billion in 2022 for Google to be the default search engine in the Safari browser, according to newly unsealed court documents in the Justice Department's antitrust lawsuit against Google. From a report: The deal between the two tech giants is at the heart of the landmark case, in which antitrust enforcers allege Google has illegally monopolized the market for online search and related advertising. The Justice Department and Google will offer closing arguments in the case Thursday and Friday, with a decision expected later this year.

Google and Apple had hoped to shield the payment amount from public disclosure. At the trial last fall, Apple executives testified that Google paid "billions," without specifying a number. A Google witness later accidentally disclosed that Google pays 36% of the revenue it earns from search ads to Apple. Court documents filed late Tuesday ahead of the closing arguments mark the first public confirmation of the figures by Apple's senior vice president of services, Eddy Cue. Such numbers aren't disclosed by either company in their securities filings. The documents also revealed the importance of the payments to Apple's bottom line. For instance, in 2020, Google's payments to Apple constituted 17.5% of the iPhone maker's operating income.

EU

The EU Will Force Apple To Open Up iPadOS (engadget.com) 132

As reported by Bloomberg (paywalled), Apple's iPadOS will need to abide by EU's DMA rules, as it is now designated as a gatekeeper alongside the Safari web browser, iOS operating system and the App Store. "Apple now has six months to ensure full compliance of iPadOS with the DMA obligations," reads the EU's blog post about the change. Engadget reports: What does Apple have to do to ensure iPadOS compliance? According to the DMA, gatekeepers are prohibited from favoring their own services over rivals and from locking users into the ecosystem. The software must also allow third parties to interoperate with internal services, which is why third-party app stores are becoming a thing on iPhones in Europe. The iPad, presumably, will soon follow suit. In other words, the DMA is lobbing some serious stink bombs into Apple's walled garden. In a statement published by Forbes, Apple said it "will continue to constructively engage with the European Commission" to ensure its designated services comply with the DMA, including iPadOS. "iPadOS constitutes an important gateway on which many companies rely to reach their customers," wrote Margrethe Vestager, Executive Vice-President in charge of competition policy at the European Commission. "Today's decision will ensure that fairness and contestability are preserved also on this platform."
EU

EU's New Tech Laws Are Working; Small Browsers Gain Market Share (reuters.com) 36

An anonymous reader quotes a report from Reuters: Independent browser companies in the European Union are seeing a spike in users in the first month after EU legislation forced Alphabet's Google, Microsoft and Apple to make it easier for users to switch to rivals, according to data provided to Reuters by six companies. The early results come after the EU's sweeping Digital Markets Act, which aims to remove unfair competition, took effect on March 7, forcing big tech companies to offer mobile users the ability to select from a list of available web browsers from a "choice screen." [...]

Cyprus-based Aloha Browser said users in the EU jumped 250% in March -- one of the first companies to give monthly growth numbers since the new regulations came in. Founded in 2016, Aloha, which markets itself as a privacy focused alternative to browsers owned by big tech, has 10 million monthly average users and earns money through paid subscriptions, rather than selling ads by tracking users. "Before, EU was our number four market, right now it's number two," Aloha CEO Andrew Frost Moroz said in an interview. Norway's Vivaldi, Germany's Ecosia and U.S.-based Brave have also seen user numbers rise following the new regulation. U.S.-based DuckDuckGo, which has about 100 million users, and its bigger rival, Norway-based Opera (OPRA.O), are also seeing growth in users, but said the choice screen rollout is still not complete. "We are experiencing record user numbers in the EU right now," said Jan Standal, vice president at Opera, which counts over 324 million global users.

Under the new EU rules, mobile software makers are required to show a choice screen where users can select a browser, search engine and virtual assistant as they set up their phones. Previously, tech companies such as Apple and Google loaded phones with default settings that included their preferred services, such as the voice assistant Siri for iPhones. Changing these settings required a more complicated process. Apple is now showing up to 11 browsers in addition to Safari in the choice screens curated for each of the 27 countries in the EU, and will update those screens once every year for each country. While DuckDuckGo and Opera are offered in Apple's list in all 27 countries, Aloha is in 26 countries, Ecosia is in 13 and Vivaldi in 8. Google is currently showing browser choices on devices made by the company and said new devices made by other companies running Android operating system will also display choice screen in the coming months. A Google spokesperson said they do not have data on choice screens to share yet.

Privacy

Academics Probe Apple's Privacy Settings and Get Lost and Confused (theregister.com) 24

Matthew Connatser reports via The Register: A study has concluded that Apple's privacy practices aren't particularly effective, because default apps on the iPhone and Mac have limited privacy settings and confusing configuration options. The research was conducted by Amel Bourdoucen and Janne Lindqvist of Aalto University in Finland. The pair noted that while many studies had examined privacy issues with third-party apps for Apple devices, very little literature investigates the issue in first-party apps -- like Safari and Siri. The aims of the study [PDF] were to investigate how much data Apple's own apps collect and where it's sent, and to see if users could figure out how to navigate the landscape of Apple's privacy settings.

The lengths to which Apple goes to secure its ecosystem -- as described in its Platform Security Guide [PDF] -- has earned it kudos from the information security world. Cupertino uses its hard-earned reputation as a selling point and as a bludgeon against Google. Bourdoucen and Janne Lindqvist don't dispute Apple's technical prowess, but argue that it is undermined by confusing user interfaces. "Our work shows that users may disable default apps, only to discover later that the settings do not match their initial preference," the paper states. "Our results demonstrate users are not correctly able to configure the desired privacy settings of default apps. In addition, we discovered that some default app configurations can even reduce trust in family relationships."

The researchers criticize data collection by Apple apps like Safari and Siri, where that data is sent, how users can (and can't) disable that data tracking, and how Apple presents privacy options to users. The paper illustrates these issues in a discussion of Apple's Siri voice assistant. While users can ostensibly choose not to enable Siri in the initial setup on macOS-powered devices, it still collects data from other apps to provide suggestions. To fully disable Siri, Apple users must find privacy-related options across five different submenus in the Settings app. Apple's own documentation for how its privacy settings work isn't good either. It doesn't mention every privacy option, explain what is done with user data, or highlight whether settings are enabled or disabled. Also, it's written in legalese, which almost guarantees no normal user will ever read it. "We discovered that the features are not clearly documented," the paper concludes. "Specifically, we discovered that steps required to disable features of default apps are largely undocumented and the data handling practices are not completely disclosed."

EU

Apple is Working To Make It Easier To Switch From iPhone To Android Because of the EU (theverge.com) 40

Apple is preparing to allow EU-based iPhone users to uninstall its first-party Safari browser by the end of 2024 and is working on a more "user-friendly" way of transferring data "from an iPhone to a non-Apple phone" by fall 2025. From a report: That's according to a new compliance document published by the company, which outlines all the ways it's complying with the European Union's new Digital Markets Act that comes into force this week.

Other user-facing initiatives detailed in Apple's document include a "browser switching solution" to transfer data between browsers on the same device, which it plans to make available by late 2024 or early 2025. It'll also be possible to change the default navigation app on iOS by March 2025 in the EU. The document doesn't explicitly state whether any of these features will be available globally or whether they'll be exclusive to users in the EU. But many of the company's previously announced plans to comply with the DMA -- including the ability to run browser engines other than WebKit and install third-party app stores -- are only available in the bloc.

IOS

iOS 17.4 Is Here and Ready For a Whole New Europe (theverge.com) 22

Jess Weatherbed reports via The Verge: Apple's iOS 17.4 update is now available, introducing new emoji and a cryptographic security protocol for iMessage, alongside some major changes to the App Store and contactless payments for the iPhone platform in Europe. Apple is making several of these changes to comply with the EU's Digital Markets Act (DMA), a law that aims to make the digital economy fairer by removing unfair advantages that tech giants hold over businesses and end users. iOS 17.4 will allow third-party developers to offer alternative app marketplaces and app downloads to EU users from outside the iOS App Store. Developers wanting to take advantage of this will be required to go through Apple's approval process and pay Apple a "Core Technology Fee" that charges 50 euro cents per install once an app reaches 1 million downloads annually. iPhone owners in the EU will see different update notes that specifically mention new options available for app stores, web browsers, and payment options.

The approval process may take some time, but we know that at least one enterprise-focused app marketplace from Mobivention will be available on March 7th. Epic is also working on releasing the Epic Game Store on iOS in 2024, and software company MacPaw is planning to officially launch its Setapp store in April. iOS 17.4 allows people in the EU to download alternative browser engines that aren't based on Apple's WebKit, such as Chrome and Firefox, with a new choice screen in iOS Safari that will prompt users to select a default browser when opened for the first time. While no browser alternatives have been officially announced, both Google and Mozilla are currently experimenting with new iOS browsers that could eventually be released to the public.

Apple is also introducing new APIs that allow third-party developers to utilize the iPhone's NFC payment chip for contactless payment services besides Apple Pay and Apple Wallet in the European Economic Area. No alternative contactless providers have been confirmed yet, but users will find a list of apps that have requested the feature under Settings > Privacy & Security > Contactless & NFC. While Apple previously revealed it was planning to drop support for progressive web apps (PWAs) in the EU to avoid building "an entirely new integration architecture" around DMA compliance, the company now says it will "continue to offer the existing Home Screen web apps capability" for EU users. However, these homescreen apps will still run using WebKit technology, with no option to be powered by third-party browser engines.
