Following a report that Apple is sending information to Chinese company Tencent for its Safe Browsing, the Cupertino firm has issued a statement assuring users that website URLs are not shared with Tencent or its other “Safe Browsing” partner Google.
The feature sends data to both Google Safe Browsing and Tencent to cross-reference URLs against blacklists to protect users against malware and phishing schemes. While it has long been known that data was being sent to Google, no one is certain when Apple began also sending data to Tencent.
Users were concerned that data from outside China was being shared with Tencent, including user IP addresses. However, Apple says that is not what is happening, and that Tencent is used only for devices that have their region code set to mainland China. Users outside of China do not have their web browsing checked against Tencent’s safe browsing list.
Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning, a security feature that flags websites known to be malicious in nature. When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing.
To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off.
From time to time, Safari receives a list of hash prefixes of URLs known to be malicious from Google or Tencent, selecting between the two according to the device’s region setting. Hash prefixes are the same across multiple URLs, which means the hash prefix received by Safari does not uniquely identify a URL.
When the Fraudulent Website Warning is enabled, prior to loading a site, Safari checks whether the URL’s hash prefix matches one of the hash prefixes of malicious sites. If a match is found, Safari sends the hash prefix to the safe browsing provider and then requests the full list of URLs having a hash prefix that matches the suspicious one.
Once Safari receives the list of URLs, it checks the original suspicious URL against the list, and if there is a match, Safari displays a warning suggesting users stay away from the site. The checking process happens on the user’s device, and the URL itself is not shared with the safe browsing provider. However, the providers do receive device IP addresses.
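The lookup flow described above can be modelled in a few lines. This is an added example, not Apple's, Google's or Tencent's code; SHA-256, the 2-byte prefix length (kept short so a colliding URL can be found quickly), the class and function names and the sample URLs are all assumptions, and URL canonicalization is omitted.

```python
import hashlib
from itertools import count

PREFIX_LEN = 2  # bytes; assumption, kept short so a collision is quick to find

def prefix(url: str) -> bytes:
    """Hash prefix of a URL (SHA-256 is an assumption; the page names no hash)."""
    return hashlib.sha256(url.encode()).digest()[:PREFIX_LEN]

class Provider:
    """Stand-in for the safe browsing provider; records what it is sent."""
    def __init__(self, bad_urls):
        self.bad_urls = set(bad_urls)
        self.seen = []  # everything the provider learns from lookups

    def prefix_list(self):
        # Periodic download to the browser: prefixes only, no URLs.
        return {prefix(u) for u in self.bad_urls}

    def urls_for(self, p: bytes):
        self.seen.append(p)
        return [u for u in self.bad_urls if prefix(u) == p]

class Browser:
    def __init__(self, provider):
        self.provider = provider
        self.local = provider.prefix_list()

    def is_fraudulent(self, url: str) -> bool:
        p = prefix(url)
        if p not in self.local:
            return False  # no local match: nothing leaves the device
        candidates = self.provider.urls_for(p)  # only the prefix is sent
        return url in candidates  # final comparison happens on the device

def colliding_url(target: str) -> str:
    """Find a constructed benign URL that shares the target's hash prefix."""
    want = prefix(target)
    for i in count():
        u = f"https://benign.example/page{i}"
        if prefix(u) == want:
            return u

BAD = "https://phish.example/login"  # constructed sample entry
provider = Provider([BAD])
browser = Browser(provider)
```

A benign URL returned by `colliding_url(BAD)` triggers the same provider request as the listed URL, which is why the prefix alone does not tell the provider which page was visited.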
Users can turn off the feature by going to “Settings” -> “Safari” and toggling off “Fraudulent Website Warning.” Take note that protection against malicious sites is then lost.