
iOS 6 bug reenables JavaScript in Safari without user consent

post #1 of 26
Thread Starter 
The Safari browser in Apple's iOS 6 platform has a potentially serious JavaScript bug that could have major security and privacy implications.

The new "Smart App Banner" feature in iOS 6 is designed to allow developers the ability to promote App Store software within Safari. The Smart App Banner detects whether a user has a specific application installed, and invites them to view the software on the App Store or open it on their iOS device.

But for users who choose to turn off JavaScript in the Safari Web browser, the appearance of a Smart App Banner on a website will automatically and permanently turn JavaScript back on without notifying the user.

iOS device owners can test this issue, first discovered by AppleInsider reader James, by opening the Settings application and choosing Safari, then turning off JavaScript. Then simply launch the Safari browser and visit a website with a Smart App Banner, such as the test page we've set up at appleinsider.com/smart-banner.html (this will turn on JavaScript to demonstrate the issue).

Users can then go back into the Settings application to verify that the JavaScript setting switch has been flipped back to the "on" position without warning. Accordingly, JavaScript features on websites will begin working again.

The issue has reportedly existed since the release of iOS 6 months ago, though it has not been widely reported. Michael Stockwell, founder of FizzPow Games, helped confirm for AppleInsider that the issue applies to all builds of iOS 6 on all devices: iPhone, iPad and iPod touch. In addition, people familiar with the latest beta of iOS 6.1 said the problem also remains in Apple's pre-release test software on the iPhone.

A potentially 'serious' issue?

Peter Eckersley, technology products director with digital rights advocacy group the Electronic Frontier Foundation, said he would characterize such an issue as a "serious privacy and security vulnerability."

Neither Eckersley nor the EFF had heard of the bug in iOS 6, nor had they independently tested to confirm that they were able to replicate the issue. But Eckersley said that if the problem is in fact real, it's something that Apple should work to address as quickly as possible.

"It is a security issue, it is a privacy issue, and it is a trust issue," Eckersley said. "Can you trust the UI to do what you told it to do? It's certainly a bug that needs to be fixed urgently."

But Lysa Myers, a virus hunter at security firm Intego, said she doesn't see the bug as a major concern for the vast majority of iOS device owners.

"While this issue is certainly not an ideal situation, by itself it actually isn't that large a problem," Myers told AppleInsider. "At the moment it doesn't pose a threat, but we'll continue to monitor it to make sure it doesn't become more exploitable. There's also the fact that few people actually disable JavaScript completely as it can partially, or totally, disable the majority of websites."

Eckersley acknowledged that most users would not feel compelled to dive into a browser's settings and turn off JavaScript. But for those who view security as a paramount concern, disabling JavaScript in a browser is one of the first actions typically taken.

"It's not necessarily directly and immediately a security vulnerability, but it's the kind of thing that would enable some other vulnerability to be exploited," he said.

Why disable JavaScript?

While JavaScript enables developers to create rich Web experiences and is required by most websites, it can also be used to help track and provide a "digital fingerprint" of a user's Web browser. With JavaScript, a website can potentially track information such as how much time a user spends on a page, what parts of the page they look at, what characters they type into entry fields on the page, and what link they click to leave.

The EFF's Panopticlick project showcases how personal and trackable a user's browser can be. The foundation recommends that users disable JavaScript to defend against browser fingerprinting.

Thanks to JavaScript, each browser is a "beautiful and unique snowflake," Eckersley said. Our one-of-a-kind browsing history can tell advertisers and others information about ourselves that is potentially personal and valuable.

"The only way you can really reduce that in practice is to disable JavaScript," Eckersley said.

Highlighting less flexibility with mobile browsers

For Eckersley, any issue with JavaScript in iOS 6 would only further establish his view that current mobile browsers are woefully underpowered when compared to their desktop counterparts. He noted that with more full-featured browsers on platforms like OS X and Windows, users can install custom plugins or add-ons that can enhance features and improve security if users choose.

For example, a popular choice among the privacy conscious is "NoScript," an open source plugin that blocks JavaScript, Java and Flash for Firefox users. Because Apple's mobile version of Safari does not support third-party plugins, there are no such enhancements available for iOS.

Eckersley feels the design ideology of modern smartphone platforms is to make everything as simple as possible, a strategy that he called "hostile to privacy."

"At this point, our advice for browsing the mobile web in private is: Don't do it," he said. "If you need privacy while you browse, use a desktop browser."
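
Added example, not part of the article or of any poster's reply: a Python check that reports whether a saved HTML page declares a Smart App Banner, the condition the article says triggers the setting change. It assumes the banner is declared with Apple's documented `<meta name="apple-itunes-app">` tag; the sample pages, app ID and URL are constructed placeholders.

```python
from html.parser import HTMLParser

# Keys Apple documents for the banner's content attribute.
KNOWN_KEYS = ("app-id", "affiliate-data", "app-argument")


def parse_banner_content(content):
    """Split 'app-id=..., app-argument=...' into a dict.

    app-argument is a URL and may itself contain ',' or '=', so a piece that
    does not start with a known key is glued back onto the previous value.
    """
    fields, last = {}, None
    for piece in content.split(","):
        key, sep, value = piece.partition("=")
        key = key.strip().lower()
        if sep and key in KNOWN_KEYS:
            fields[key] = value.strip()
            last = key
        elif last is not None:
            fields[last] += "," + piece
    return fields


class SmartBannerFinder(HTMLParser):
    """Collects every <meta name="apple-itunes-app"> tag in a document."""

    def __init__(self):
        super().__init__()
        self.banners = []

    def handle_starttag(self, tag, attrs):
        attr = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and attr.get("name", "").strip().lower() == "apple-itunes-app":
            self.banners.append(parse_banner_content(attr.get("content", "")))


def find_smart_banners(html):
    """Return one dict per banner tag; an empty list means no banner declared."""
    finder = SmartBannerFinder()
    finder.feed(html)
    finder.close()
    return finder.banners


# Constructed sample pages. The second one only mentions the tag inside a
# comment and a script string, so it must not be reported.
PAGE_WITH_BANNER = """<html><head>
<meta name="Apple-iTunes-App"
      content="app-id=000000000, app-argument=https://example.com/open?a=1,b=2">
</head><body>article text</body></html>"""
PAGE_WITHOUT_BANNER = """<html><head>
<!-- <meta name="apple-itunes-app" content="app-id=000000000"> -->
<script>var s = '<meta name="apple-itunes-app" content="app-id=1">';</script>
</head><body>article text</body></html>"""
```
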
post #2 of 26

That must be why Android users never show up in web usage stats, they're worried about the privacy issue.

post #3 of 26
1. Some dude from the EFF screaming about a 'bug' he hasn't verified. Classy.
2. Are we sure it is a bug and not a part of the feature? JavaScript could be required for the banner to actually function. Yes, it would be nice if folks were told it was being switched on. Or even that it needs to be and force them to go do it themselves, but does the lack really make it a full court press issue?
3. It's not 'permanent' when I can switch it back just fine. Permanent implies the switch is grayed out for life or some such.

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)

post #4 of 26
Quote:
Originally Posted by AppleInsider


The EFF's Panopticlick project showcases how personal and trackable a user's browser can be. The foundation recommends that users disable JavaScript to defend against browser fingerprinting.

I've been on that site before. They can't prove that any actual private information is taken without anyone's consent with their 'test' and I found it amusing that it doesn't really work when you have JavaScript off. Which might provoke many folks into turning on JavaScript to see actual results.

post #5 of 26
Can't most of this tracking info, search field logging etc be done by the web server logging IP info?
post #6 of 26
Just tested my ip5 running 6.0.2 and this reported bug is pure bs. I have JS turned off and when I attempt to launch anything that needs JS I get a message the JS is off and must be turned on to view. There is NO automatic JS turnon, at least not in 6.0.2.
post #7 of 26
Why would anybody ever turn off JavaScript? All that does is break the web. Who cares if you get more targeted ads? How is that a bad thing? It's still anonymous.

This is way overblown.
post #8 of 26

iOS 6.1 beta 4 doesn't exhibit this issue.  

post #9 of 26
Who turns off JavaScript? I mean, if you want to browse the web like it's 1993...

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
post #10 of 26
Quote:
Originally Posted by dtidmore

Just tested my ip5 running 6.0.2 and this reported bug is pure bs. I have JS turned off and when I attempt to launch anything that needs JS I get a message the JS is off and must be turned on to view. There is NO automatic JS turnon, at least not in 6.0.2.

 

Not just any page with JavaScript will turn it back on... only those with a Smart App Banner do. Clearly the underlying system that detects whether a Banner needs to be displayed also re-enables JavaScript in order to do so, but forgets to disable it again after the banner has been displayed. It could be that if JavaScript were disabled, the banner wouldn't function. Catch-22.

 

But this is really not a serious bug... probably 99% of people don't even disable JavaScript, and as another poster said, it's easy to disable again.

post #11 of 26

The test page set up by AppleInsider does indeed re-enable JavaScript. Note that you need to reload the Safari Settings page to see the changed state of the toggle switch.

post #12 of 26

Seriously, who turns off JS? I am sorry, no JS, no service for you. 

 

JS is PART of the web standards and if you want dynamic webpages, you must have JS enabled. Otherwise you'll get nothing. 

post #13 of 26
Quote:
Originally Posted by netrox

Seriously, who turns off JS? I am sorry, no JS, no service for you. 

 

JS is PART of the web standards and if you want dynamic webpages, you must have JS enabled. Otherwise you'll get nothing. 

 

I just turned off JavaScript and reloaded this AI page after restarting Safari. Everything works. The only meaningful change is the removal of the custom hover states that Huddler has applied to every button. You know, the ones that break the desktop site when on the iPad. I'm worried that I'm about to call it an improvement.

Originally posted by Marvin

Even if [the 5.5” iPhone exists], it doesn’t deserve to.
post #14 of 26
"The only way you can really reduce that in practice is to disable JavaScript," Eckersley said.

 

Or, once in a while, you can launch Settings, tap to the Safari page, and tap Clear Cookies and Data.

And tap Clear History while you're at it.

 

Better yet, slide the Private Browsing switch to ON.

Sent from my iPhone Simulator

post #15 of 26

Java is scary. JavaScript is not. Yes, this is a bug that should be fixed, and yes desktop browsers have better anti-tracking controls, but treating this as a security concern is overblown. If JavaScript has a security flaw, then THAT is a BIG issue. If it doesn’t, then enabling it (like 99.99% of people need anyway) then this is a small one.

 

http://www.ehow.com/how_2049858_make-tinfoil-hat.html

post #16 of 26
"Seriously, who turns off JS? " This site is funny at times. Real people do.
post #17 of 26
Insane piece of 'info'.
If someone tells you to turn JavaScript off, don't listen.
JavaScript is entirely different from Java and Flash. The latter two are bug ridden and can be seen as one big security hole, the former is part of the Internet standard and essential for viewing the web.
Being able to install plugins is the cause of most security breaches not the solution for it.
So browsing on iOS is safe compared to a desktop OS, even more so because iOS has restricted multitasking (so Safari stops working if you switch apps and you cannot install a background process) and very strict sandboxing.
So all in all it's insane and factually wrong to advise people not to browse on iOS because it's unsafe.

J.
Edited by jnjnjn - 12/21/12 at 12:00pm
post #18 of 26
Quote:
Originally Posted by aBeliefSystem

"Seriously, who turns off JS? " This site is funny at times. Real people do.


I know, it's like watching people live in a bubble and they have no clue that there are like 8 billion other people in the world. 

post #19 of 26
Originally Posted by zippy2shoes
I know, it's like watching people live in a bubble and they have no clue that there are like 8 billion other people in the world. 

 

7 billion is like 8 billion at times. Usually when 1 billion just wants to be alone with 1 billion but no, then half billion has to step in and say something embarrassing that makes 1 billion flush.

post #20 of 26
Yes it is true, yet I want JavaScript on. I tested multiple sites with JavaScript on/off. I thought that somewhere I heard the Smart App Banner uses JavaScript, do you think it might run off it, has this been recorded on other websites that don't have an ask for smart app banner.
post #21 of 26
"The latter two are bug ridden and can be seen as one big security hole," You, well not you, someone will find that all operating systems are far more bug ridden than feature apps. Best abandon them all? People turn JS on and off for many reasons. It's just a tool, so use it. But whatever you do, best not to do what some tool tells you.
post #22 of 26
Quote:
Originally Posted by SockRolid

Or, once in a while, you can launch Settings, tap to the Safari page, and tap Clear Cookies and Data.
And tap Clear History while you're at it.

Better yet, slide the Private Browsing switch to ON.

No. JavaScript can allow for immediate tracking. That is, JavaScript can send details of your browsing immediately back to the server. Clearing cookies and history does nothing if a script has already sent a whole bunch of information back to the server. Yes, it will be harder to find you again without a cookie, but the stuff they wanted from you they've probably already got as soon as you're on their site.
post #23 of 26
After the previous furore about JavaScript I turned it off on my Mac. Went to my favourite forum to submit a post and the clickable links to allow me to contribute had disappeared. I was all ready to notify them of the 'bug' that had appeared on their website when I realised that disabling Java had removed the functionality of the site! It's all very well being secure but if you can no longer interact with web pages it's pretty pointless going online!
post #24 of 26
Quote:
Originally Posted by aBeliefSystem

"The latter two are bug ridden and can be seen as one big security hole," You, well not you, someone will find that all operating systems are far more bug ridden than feature apps. Best abandon them all? People turn JS on and off for many reasons. It's just a tool, so use it. But whatever you do, best not to do what some tool tells you.

Hey, aBeliefSystem, if you have a real argument, just say it.
Calling someone a 'tool' (and thinking you're clever about it) isn't very nice and absolutely wrong in this case.
As you should know if you read this forum all my comments are based on real knowledge and experience (and mostly right I might add), as this one was.
So the 'tool', is you.

J.
post #25 of 26
Quote:
Originally Posted by nagromme

Java is scary. JavaScript is not. Yes, this is a bug that should be fixed, and yes desktop browsers have better anti-tracking controls, but treating this as a security concern is overblown. If JavaScript has a security flaw, then THAT is a BIG issue. If it doesn’t, then enabling it (like 99.99% of people need anyway) then this is a small one.

http://www.ehow.com/how_2049858_make-tinfoil-hat.html
Agreed, nice 3D icon by the way!

J.
post #26 of 26
I'm James, the one who reported this bug to AppleInsider. I'd like to address some of the comments in this thread, especially those stating that this is a non-issue.

Firstly, as the article states, this is not a security vulnerability in itself; it is a trust issue.

I typically disable JavaScript for normal browsing and only enable it when required for specific sessions, say, when shopping online or playing a game.

However, starting about a week ago I noticed a bunch of ads and pop-up boxes with all sorts of blinky and animated crap that I normally don't see in the sites I typically visit. When I checked my JavaScript settings, I discovered to my surprise that it was enabled!

Sure, I could turn it back off, and indeed I did; but that's not the point. The point is that my browser settings were changed without my knowledge or consent. Moreover, the change was acted upon request from an external source in the Internet. Wouldn't that concern any of you?

It is thus a trust issue: If JavaScript settings are magically changed without my knowledge, what else can a web site cause my device to do without my permission?

Secondly, the fact that JavaScript is automatically enabled is not in and of itself a vulnerability. However, it has the potential of being exploited. If external sources can trigger a change in the browser settings, it could also trigger additional changes. It also invalidates any confidence a user could have visiting dubious sites thinking that his JavaScript option is disabled.

Lastly, as to why would anybody turn off JavaScript? Well, for one thing, to avoid most advertisements. Another is to prevent web tracking to some degree. Disabling JavaScript offers a modicum of privacy and peace of mind, and prevents the display of intrusive ads in every page. You'll be surprised how many sites work perfectly well without JavaScript (including this very one). I don't need the blinky and interactive widgets, the text content is fine for me.

At the end of the day, it doesn't matter if you agree with me or not, what matters is trust and personal control. At most, this is a potential security vulnerability, and violates a user's explicit configurations. At the very least, it's a user experience nuisance. I'm sure you'd be annoyed if your browser decided to turn its JavaScript settings "off" on its whim, and forced you to have a "1993 experience" while browsing the web. Why should you have to put up with that?

Thanks for reading.

-dZ.