Safari, the inevitable iOS browser?
For a third-party browser, it is hard to compete with Apple's Safari on iOS:
- Unlike Android, iOS does not allow third-party browsers to ship their own rendering engine. The App Store Review Guidelines, section 2.5.6, state: "Apps that browse the web must use the appropriate WebKit framework and WebKit Javascript".
- Apple long reserved the latest version of WebKit for Safari; other browsers were forced onto an outdated, slow and unstable version (based on the UIWebView class).
- Again because of the WebKit requirement, iOS does not let third-party browsers offer their own extension catalogue. On Android I can install Firefox extensions such as uBlock Origin.
- Safari extensions such as content blockers are not available to other browsers.
- Before iOS 14, it was not possible to change the default browser.
As a result, there was little point in using another browser. Apple is gradually loosening up, though: since iOS 8, third-party browsers can use WebKit's current rendering engine, and since iOS 14 you can change the default browser. Third-party browsers can therefore compete with Safari more seriously, particularly when it comes to protecting your privacy.
No matter your browser, you already have WebKit's protection
Third-party browsers are required to use Apple's rendering engine, WebKit. Technically this means using the WKWebView class, which since iOS 14 includes Intelligent Tracking Prevention (ITP), Apple's anti-tracking mechanism, by default (previously it was only available in Safari).
![]()
Yes, Chrome on iOS protects you against cross-site tracking, by default! The WebKit requirement forces Google to protect your privacy better than it does elsewhere.
Intelligent Tracking Prevention contains numerous mechanisms against cross-site tracking, including:
- Blocking all third-party cookies (which Chrome only plans to do in 2022).
- Capping the lifetime of cookies set via JavaScript (first-party cookies, but ones a third-party script can create) at 7 days.
- Capping the lifetime of cookies set through CNAME-cloaked domains (again first-party cookies, but placed by a third party) at 7 days.
ITP's protections are not limited to cookies; for an exhaustive list, read Safari's page on the Cookie Status site.
While these protections combat the worst of advertising (cross-site tracking), they do not prevent marketing companies from measuring each of your interactions on each site, nor from serving advertising. Meanwhile, marketing companies keep working to circumvent Apple's restrictions (via server-side tagging, or third-party identifiers disguised as first-party, for example).
If you want to be better protected, what are your options?
The browser, a first vector of surveillance
Before even analysing how browsers protect you from tracking while you surf, a prior question: have the browsers set up their own monitoring? To find out, I observed what happens when each browser is first launched. Note that Brave recently published a similar analysis. Here are the steps followed:
- Download the browser to test.
- Disable NextDNS.
- Close the other running applications.
- Launch Charles Proxy and start recording.
- Launch the browser, then search from the address bar (no private browsing).
- Export the Charles session to my computer for analysis.
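To make the last step reproducible, here is an added example (mine, not the author's tooling or any browser vendor's code) that scans an exported session for identifier-like values and reports which hosts receive them. It reads the HTTP Archive (.har) format, which Charles can export a session as. Everything in the sample capture is constructed: the `.example` hosts, the `browser-vendor.example` vendor domain, the field names and the values are placeholders standing in for the kinds of calls described in the sections that follow. The registrable-domain helper is a simplification (last two labels) that a real audit should replace with a Public Suffix List lookup.

```python
"""Scan a HAR export for identifier-like values leaving the device, and who
receives them. Added example; sample data below is constructed."""
import json
import re
from urllib.parse import urlparse, parse_qsl

# Field names that conventionally carry a stable identifier (deviceId,
# clientId, userId, uuid, persistent_ios_uuid, ...) ...
ID_NAME_RE = re.compile(r"(device|client|user|install|uu?)id$|^id$", re.IGNORECASE)
# ... and values that look like one: a UUID, or a long opaque token.
ID_VALUE_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
    r"|^[A-Za-z0-9_-]{20,}$",
    re.IGNORECASE,
)


def registrable_domain(host):
    """Last two labels of a hostname. Fine for .com/.fr/.example; use the
    Public Suffix List for co.uk-style suffixes."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def _fields(request):
    """Yield (location, name, value) from the query string, the request
    cookies and a JSON body: the three places identifiers usually travel."""
    for name, value in parse_qsl(urlparse(request["url"]).query):
        yield "query", name, value
    for cookie in request.get("cookies", []):
        yield "cookie", cookie["name"], cookie["value"]
    post = request.get("postData", {})
    if post.get("mimeType", "").startswith("application/json") and post.get("text"):
        try:
            body = json.loads(post["text"])
        except ValueError:
            return
        if isinstance(body, dict):
            for name, value in body.items():
                if isinstance(value, (str, int)):
                    yield "body", name, str(value)


def looks_like_identifier(name, value):
    return bool(ID_NAME_RE.search(name) or ID_VALUE_RE.match(value))


def identifier_leaks(har, vendor_domain):
    """Map each host that received an identifier-like field to
    {"third_party": bool, "fields": sorted "location:name" strings}.
    third_party is True when the host is outside the browser vendor's domain."""
    report = {}
    for entry in har["log"]["entries"]:
        request = entry["request"]
        host = urlparse(request["url"]).hostname or ""
        for location, name, value in _fields(request):
            if looks_like_identifier(name, value):
                rec = report.setdefault(
                    host, {"third_party": registrable_domain(host) != vendor_domain,
                           "fields": set()})
                rec["fields"].add(f"{location}:{name}")
    return {h: {"third_party": r["third_party"], "fields": sorted(r["fields"])}
            for h, r in report.items()}


# Constructed sample standing in for a real first-launch capture: the vendor's
# own telemetry, a marketing partner, and a search-suggestion endpoint.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "POST",
                 "url": "https://incoming.telemetry.browser-vendor.example/submit/ping",
                 "cookies": [],
                 "postData": {"mimeType": "application/json; charset=utf-8",
                              "text": json.dumps({"clientId": "9e0f3a2c-5b1d-4c8e-9f21-0a6b7c8d9e10",
                                                  "event": "app_open"})}}},
    {"request": {"method": "GET",
                 "url": "https://api.marketing-partner.example/track"
                        "?deviceId=8f2e1d7c6b5a4f3e2d1c0b9a8f7e6d5c&userId=42&action=open",
                 "cookies": []}},
    {"request": {"method": "GET",
                 "url": "https://suggest.search-engine.example/complete?q=hel&client=ios",
                 "cookies": [{"name": "sid", "value": "A" * 48}]}},
]}}

if __name__ == "__main__":
    for host, rec in sorted(identifier_leaks(SAMPLE_HAR, "browser-vendor.example").items()):
        tag = "THIRD PARTY" if rec["third_party"] else "vendor"
        print(f"{host:45} {tag:11} {', '.join(rec['fields'])}")
```

The search query `q=hel` is not flagged (short value, non-identifier name), while the opaque 48-character cookie is flagged on its value alone; that second heuristic is what catches tracking cookies whose names mean nothing. Run it on a real export and expect false positives on version strings and hashes: the point is to shortlist what to inspect by hand in Charles, not to replace inspection.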
And here is a summary of the different browsers tested.
Safari, difficult to audit exhaustively
Safari is pre-installed, so I cannot simulate a first launch. Apple can collect telemetry from Safari if you have not turned off the switches under "Settings" > "Privacy" > "Analytics & Improvements":
![]()
I turned those switches off, so I did not see any Apple trackers specific to Safari.
When you search, the default search engine is Google, which reportedly pays Apple around $12 billion a year to be the default on all Apple devices. Safari thus sends each character typed in the search bar to Google (without an identifier) for auto-completion.
![]()
On privacy, Apple takes very good initiatives. But it lets Google's surveillance capitalism flourish, for a great deal of money.
DuckDuckGo, the good student
The American search engine (largely based on Bing results) has made privacy its hobby horse, and it is one of the search engines recommended by PrivacyTools. It also offers an iOS browser; here are the requests sent during its first launch:
![]()
Looking at the detail, it is very clean: DuckDuckGo downloads its content-blocking lists. When you type in the address bar it retrieves the characters for auto-completion (an advantage of also running the search engine), without an identifier. Telemetry is enabled, but again without an identifier.
The only constraint: the default search engine (the one behind the address bar) obviously cannot be changed. But if you are not satisfied with certain results (reminder: behind DuckDuckGo there is often Bing), you can use "bangs", aliases that run the search on another engine (Google of course, but also YouTube, Wikipedia, Twitter, etc.).
![]()
DuckDuckGo does not lack humour; here is the message shown on your first Google search (prefixing your query with !g).
Also appreciated: how easy it is to erase your data:
![]()
Just tap the flame to clear the data.
Brave protects you... and keeps its business running
The Brave browser was created by Brendan Eich, co-founder of Mozilla and creator of JavaScript. Brave takes a strong stance against trackers and advertising that does not respect privacy. Some key points:
- Brave is based on Chromium (and its Blink rendering engine), the open-source part of Google Chrome. On iOS, however, it cannot use Chromium and must use WebKit.
- Via Brave Shields, it blocks trackers and the advertisements that track you. If you opt in, it shows privacy-friendly advertisements instead (matched locally on the device, which makes Brave an advertising network). This positioning, in competition with publishers (Brave recruits advertisers), is controversial.
- Brave Rewards lets you pay the sites you visit in several ways: a monthly contribution (for example €10 shared between the sites visited, in proportion to the time spent on them), tips (micro-payments), or the advertisements served locally by Brave (for which you are also paid). Brave Rewards runs on Brave's own cryptocurrency, BAT (Basic Attention Token).
UPDATE December 15, 2020: Brave has other controversies to its name (thanks @kinux), in particular:
- Funding via affiliate links to cryptocurrency sites, a practice stopped once it was revealed.
- The inclusion of Infogalactic, a far-right Wikipedia fork, among the default search engines offered. According to this site, the practice stopped in December 2018.
On first launch, Brave lets you choose your default search engine (which also helps privacy-friendly engines such as Qwant, DuckDuckGo or Startpage find new users):
![]()
I select Startpage, a search engine based on Google results but privacy-respecting.
Let's check the requests before tapping "Save":
![]()
Some requests are not readable in Charles, so I could not check whether identifiers were leaking; note however the call to sudosecuritygroup.com. This is the company behind Guardian, which partnered with Brave to provide a VPN that also blocks trackers and ads. You can enable the VPN in Brave, but it is paid.
Second step, Brave offers to block trackers:
![]()
Obviously I accept.
Third step, Brave thinks of its own advertising network and offers to show you "private and anonymous" advertisements:
![]()
I tap Skip; auditing Brave Ads will be for another time.
Fourth step, I run a search. Brave asks whether I want to enable search suggestions:
![]()
An appreciated question; I decline.
Now let's look at the requests sent since the application was launched:
![]()
Looking at the detail, Brave has sent no additional requests since step 1 other than to Startpage, called only when I submit my search query.
Firefox, some unpleasant surprises
Firefox is my browser on the Mac. Unlike Brave, Firefox has its own rendering engine, Gecko, but on iOS it too must use WebKit. I expected Firefox for iOS to have an impeccable attitude towards privacy, because Firefox has a good reputation and markets itself on it. I was surprised:
![]()
From the very first launch, Firefox leaks my personal data to Leanplum, a marketing company that displays targeted messages. Leanplum is greedy: it collects in particular the deviceId, userId and uuid, as well as my main interactions with Firefox.
Firefox also collects my main interactions (opening the application, closing it, tapping the address bar) in real time via incoming.telemetry.mozilla.org, with a clientId identifier.
Calls to Google are no surprise: it is Firefox's default search engine, and Google is Mozilla's main source of revenue, at around 450 million dollars a year. Each character typed in the search bar is sent to Google for auto-completion (without an identifier).
Can the leak of personal data to Leanplum, and the telemetry, be disabled? Yes, by unticking the right option in the settings:
![]()
I untick "Send usage data".
One would have expected opt-in from Firefox, and no personal data flowing to a marketing company.
Chrome, Google's voracious browser
If you use Chrome for iOS, you presumably have no particular expectations about privacy. For example, it has been shown that Chrome sends a unique HTTP header (X-Client-Data) to all Google and DoubleClick domains, which is convenient for tracking you. Also read "Why I'm done with Chrome", written two years ago.
As soon as you open Chrome, Google tells you that you must accept the terms of use. First problem: sending usage statistics and crash reports is ticked by default:
![]()
So I untick the sending of usage statistics and crash reports.
Looking at the requests before tapping "Accept and continue", Chrome is already calling a lot of sites. Don't worry, it is loading the thumbnails for the default bookmarks (I imagine the most visited sites in France). Chrome also sends identifiers such as userid.
![]()
Second step, and Chrome is very greedy here: it asks to synchronise all of my browsing with my Google account. A huge capture of your personal data, which Google dresses up with the promise of also synchronising your passwords across your devices "and more".
![]()
So I tap "No, thanks".
If you want to choose which items to sync, the blue "settings" text might make you think you already have control, but it is not tappable. Note again the blue "I accept" button, very natural, compared with "No, thanks" in black: a good example of a dark pattern.
Third step, Chrome keeps up its momentum and asks for access to my precise location (to "improve my experience")!
![]()
I tap "Don't allow".
Note that on iOS I can now allow access just once (Chrome then has to ask again at the next launch), and I can also turn off "Precise Location". These options are useful against certain applications.
Last step: Chrome is up and running and I do a search, on Google of course, and land on a consent banner that the CNIL has just sanctioned:
The new information banner implemented by the companies upon arrival on the google.fr page still did not allow users residing in France to understand the purposes for which cookies are used, and did not inform them that they could refuse these cookies.
![]()
And indeed, good luck refusing cookies: you can get lost in the menus without finding the option, or without being sure that the option you chose actually refuses cookies (I won't go into detail; that deserves a dedicated article).
Here you might think: I haven't tapped "I accept" yet, so Google cannot have placed any cookies. Especially since, if we read the CNIL's latest sanction against Google (dated December 10, 2020), Google used to do exactly that but has since corrected it:
The restricted committee noted that, since an update in September 2020, the companies no longer automatically place advertising cookies as soon as the user arrives on the google.fr page.
Let's look anyway at the requests sent since step 2:
![]()
Among the many requests to the various Google services, note those to adservice.google.com and to doubleclick.net. The request to adservice.google.com carries the NID cookie; since this is a fresh install and I have not consented to anything, that cookie was necessarily set by an earlier Google response during this session. What is this cookie for? In Google's own words:
We use cookies, such as "NID" and "SID", to personalize ads on Google sites, such as Google Search. For example, we use them to remember your most recent searches, your previous interactions with an advertiser's search results or ads, and your visits to an advertiser's website. This allows us to show you personalized ads on Google.
Does the CNIL mention the NID cookie in its deliberation?
The restricted committee notes that the company GIL indicated in its letter of April 30, 2020 that four of the seven cookies placed, namely the NID, IDE, ANID and 1P_JAR cookies, pursue an advertising purpose.
So, contrary to what the CNIL recorded, Google has not stopped automatically placing certain advertising cookies on the google.fr page.
Edge does even worse than Chrome
Microsoft browsers' reputation precedes them:
![]()
Via the parody Twitter account @intrnetexp.
But no more mocking Internet Explorer's lag: Microsoft now bases its Edge browser on Chromium and its Blink rendering engine (like Brave, Opera or Vivaldi) and is investing to make it competitive. For Edge too, no Chromium on iOS because of Apple's restrictions, hence the forced use of WebKit. What about respect for your privacy?
Edge's first launch looks a lot like Chrome's, which is not a good sign. Edge suggests signing in to enable sync: bookmarks, passwords and "much more".
![]()
I tap "Skip" (note the dark pattern).
Looking at the requests sent before tapping "Skip", Edge is already greedy:
![]()
Across several requests, Edge sends identifiers such as deviceId and clientId. Note in particular the aptly named domain vortex.data.microsoft.com. Every time you interact with Edge it collects data, and this leak cannot be disabled.
Like Firefox, Edge also leaks your personal data to a third party, Adjust, a company specialising in mobile measurement and attribution. Adjust receives identifiers such as persistent_ios_uuid.
Second step, Edge is as greedy as Chrome: it wants to save my browsing history:
![]()
I tap "Not now".
Third step, it is hard to see the difference from the previous one ("Find out more" leads to the same "Windows 10 activity history and privacy" page): Edge insists, asking for data on "how you use the browser":
![]()
I tap "Not now" again.
Fourth step, I do a search (on Bing, of course); note the consent banner:
![]()
Let's check the requests (I have not interacted with the consent banner yet):
![]()
Microsoft services are everywhere, all collecting your personal data. Leboncoin is called, but only to download its logo. Edge leaks your personal data not only to Adjust but also to Comscore (via scorecardresearch.com), a marketing giant that can thus profile you better.
Bonus: Bing leaks your searches to the PagesJaunes site
Because of Bing (not Edge), I was surprised (and alarmed) to see potentially sensitive data, my query, leak directly to PagesJaunes, the French Yellow Pages (via pagesjaunes.fr):
![]()
Fortunately my "hello" search was not sensitive, but Bing leaks all of your searches (and your city) to the PagesJaunes site, in real time, whatever the device and browser used.
PagesJaunes' advertising arm is called Solocal. This is an old partnership, presumably renewed, at the expense of your privacy (reminder: I still have not interacted with the consent banner, and my Bing search leaked to PagesJaunes).
An extra gift from Bing and PagesJaunes: the domain at.pagesjaunes.fr (which sets a cookie without your consent) is a CNAME alias of the French analytics company AT Internet:
![]()
As we have already seen with Criteo, Boursorama or Lemonde.fr, these CNAME aliases are meant to bypass browser protections and ad blockers; they are also frequently the source of a significant security weakness, since the site's first-party cookies end up being sent to a server operated by the third party.
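Here is the check a practitioner would run on the first-party hosts of a capture, as an added example that is not from the article or from any browser's code: follow each hostname's CNAME chain and flag those that end in a tracker's domain. The left-hand names come from the article, but the CNAME targets, the `.example` domains and the tracker list are constructed stand-ins; a live audit gets the records from a real resolver (dnspython's `dns.resolver.resolve(name, "CNAME")`, for instance) and the list from Disconnect or DuckDuckGo Tracker Radar. The registrable-domain helper is again the last-two-labels simplification.

```python
"""Detect CNAME cloaking: a first-party-looking hostname whose CNAME chain
ends in a known tracker's domain. Added example; records are constructed."""


def registrable_domain(host):
    """Last two labels; use the Public Suffix List for co.uk-style suffixes."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


# Constructed CNAME answers standing in for a resolver. The targets are
# placeholders, not the real records of these domains.
CNAME_RECORDS = {
    "at.pagesjaunes.fr": "pagesjaunes.tracker-analytics.example.",
    "buf.lemonde.fr": "lemonde.tracker-analytics.example.",
    "metrics.lemonde.fr": "buf.lemonde.fr.",                     # two-hop chain
    "m.lemonde.fr": "www.lemonde.fr.",                           # alias within the site
    "www.pagesjaunes.fr": "pagesjaunes.cdn-provider.example.",   # CDN, not a tracker
    "loop.example.fr": "loop.example.fr.",                       # pathological zone
}
# Constructed tracker list; feed it a real domain list in practice.
TRACKER_DOMAINS = {"tracker-analytics.example"}


def resolve_cname_offline(host):
    """CNAME target for host, or None when it has none (A record only)."""
    return CNAME_RECORDS.get(host)


def follow_cnames(host, resolve=resolve_cname_offline, max_hops=8):
    """Follow the CNAME chain from host. Returns the final canonical name, or
    None when host has no CNAME. Raises ValueError on a loop or an over-long
    chain, both of which deserve a look in their own right."""
    current = host.lower().rstrip(".")
    seen = {current}
    target = None
    for _ in range(max_hops):
        nxt = resolve(current)
        if nxt is None:
            return target
        nxt = nxt.lower().rstrip(".")
        if nxt in seen:
            raise ValueError(f"CNAME loop at {nxt}")
        seen.add(nxt)
        current = target = nxt
    raise ValueError(f"CNAME chain longer than {max_hops} hops from {host}")


def classify(host, resolve=resolve_cname_offline):
    """One of: no-cname, same-site, cloaked-tracker, third-party-cname, broken-chain."""
    try:
        target = follow_cnames(host, resolve)
    except ValueError:
        return "broken-chain"
    if target is None:
        return "no-cname"
    site, target_site = registrable_domain(host), registrable_domain(target)
    if target_site == site:
        return "same-site"
    if target_site in TRACKER_DOMAINS:
        return "cloaked-tracker"
    # Off-site but not on the tracker list: a CDN, a SaaS host, or a tracker
    # the list does not know yet. Worth a manual look, not an automatic block.
    return "third-party-cname"


def audit(hosts, resolve=resolve_cname_offline):
    """Classify the first-party hosts seen in a capture."""
    return {h: classify(h, resolve) for h in hosts}


if __name__ == "__main__":
    for host, verdict in audit(sorted(CNAME_RECORDS) + ["static.lemonde.fr"]).items():
        print(f"{host:22} {verdict}")
```

Only `cloaked-tracker` is a firm finding; `third-party-cname` is the bucket to triage by hand, and it is also where a new cloaking vendor will first show up before any list catches it. Because the classification depends on what the name resolves to rather than on the name itself, it is the complement of a plain hostname-based first-party/third-party split, which will always file at.pagesjaunes.fr under first party.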
Does tapping "More options" and then disabling "non-essential" cookies stop your queries leaking to PagesJaunes and your browsing data to AT Internet?
![]()
A consent banner with no first-level option to refuse everything, a classic.
Unfortunately not; it changes nothing in Bing's behaviour: it still leaks my searches to the PagesJaunes site.
One key piece of information was still missing for Microsoft: my location! And indeed, without my browsing any further, Edge now asks for access to my location:
![]()
Conclusion: hard to believe, but with Edge and Bing, Microsoft manages to be worse than Google at respecting your privacy.
The browser as protection against site surveillance
Whether or not they respect your privacy themselves, browsers are also supposed to protect you while you surf the web. Let's see whether that is really the case by visiting two sites known for massively leaking your personal data:
- Le Bon Coin, see "The big sale of your personal data on Le Bon Coin".
- Le Monde, see "Consent: the worst user experience and surveillance with Lemonde.fr".
The protocol is the same for every browser:
- Delete cookies and other browser data.
- Disable NextDNS.
- Close the other running applications.
- Launch Charles Proxy and start recording.
- Launch the browser under test, no private browsing.
- Visit the home page of each of the 2 sites, accepting tracking via the consent banner.
The comparison cannot be perfect: it is only two home pages, and the advertisements served vary from one moment to the next. But the number of hosts contacted should give a good idea of each browser's effectiveness.
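The per-browser figures that follow (hosts contacted, requests, MB downloaded) can be produced from the exported session rather than counted by hand. This added example, which is mine and not the article's tooling, summarises a HAR capture against the domains deliberately visited and then diffs an unprotected capture against a protected one to list the third-party hosts a blocker failed to remove. The two captures are constructed, the `.example` hosts are placeholders, and the registrable-domain helper is the last-two-labels simplification.

```python
"""Summarize a HAR export into hosts / requests / MB, list the third-party
hosts, and diff two captures. Added example; captures are constructed."""
from collections import Counter
from urllib.parse import urlparse


def registrable_domain(host):
    """Last two labels of a hostname; use the Public Suffix List in production."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def response_bytes(entry):
    """Bytes received for one entry: bodySize, or content.size when the proxy
    did not record bodySize (HAR uses -1 for 'unknown')."""
    response = entry.get("response", {})
    size = response.get("bodySize", -1)
    if size < 0:
        size = response.get("content", {}).get("size", 0)
    return max(size, 0)


def summarize(har, visited_domains):
    """visited_domains: registrable domains of the sites deliberately opened;
    every other host is third party. Caveat: a CNAME-cloaked subdomain of a
    visited site (buf.lemonde.fr in the article) counts as first party here,
    because this looks only at hostnames, not at what they resolve to."""
    per_host = Counter()
    total = 0
    for entry in har["log"]["entries"]:
        host = urlparse(entry["request"]["url"]).hostname or ""
        per_host[host] += 1
        total += response_bytes(entry)
    third_party = {h: n for h, n in per_host.items()
                   if registrable_domain(h) not in visited_domains}
    return {"hosts": len(per_host), "requests": sum(per_host.values()),
            "mb": round(total / 1e6, 1), "third_party": third_party}


def surviving_third_parties(unprotected, protected):
    """Third-party hosts that a protection (content blocker, shields, ETP...)
    did not remove: those present in both summaries."""
    return sorted(set(unprotected["third_party"]) & set(protected["third_party"]))


def _entry(url, size):
    return {"request": {"url": url}, "response": {"bodySize": size}}


VISITED = {"lemonde.fr", "leboncoin.fr"}
# Constructed capture of the two home pages with no blocker.
UNPROTECTED_HAR = {"log": {"entries": [
    _entry("https://www.lemonde.fr/", 150_000),
    _entry("https://buf.lemonde.fr/collect", 500),            # cloaked: looks first party
    _entry("https://cdn.ad-network.example/ad.js", 40_000),
    _entry("https://cdn.ad-network.example/bid", 2_000),
    _entry("https://pixel.social-network.example/tr", 43),
    _entry("https://www.leboncoin.fr/", 120_000),
    _entry("https://tags.measurement.example/t.gif", 43),
]}}
# Same browsing behind a list-based blocker that knows the ad network and the
# measurement tag but not the social pixel.
BLOCKED_HAR = {"log": {"entries": [
    _entry("https://www.lemonde.fr/", 150_000),
    _entry("https://buf.lemonde.fr/collect", 500),
    _entry("https://pixel.social-network.example/tr", 43),
    _entry("https://www.leboncoin.fr/", 120_000),
]}}

if __name__ == "__main__":
    before = summarize(UNPROTECTED_HAR, VISITED)
    after = summarize(BLOCKED_HAR, VISITED)
    for label, s in (("no blocker", before), ("content blocker", after)):
        print(f"{label:16} {s['hosts']} hosts, {s['requests']} requests, {s['mb']} MB")
    print("still tracking:", surviving_third_parties(before, after))
```

Comparing captures by host set rather than by the three totals is what answers the question each section below asks after its numbers: not "how much less", but "who is still there". Two caveats carry over to the article's figures: the byte count depends on whether the proxy recorded bodies, and the first-party/third-party split is by hostname, so cloaked subdomains need the CNAME check separately.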
Safari without a content blocker, everything gets through
The baseline case: I disabled my content blocker, Firefox Focus. Condensed results:
- 94 hosts contacted.
- 338 requests.
- 9.2 MB of data downloaded.
Needless to say, the number of trackers is impressive, even if Intelligent Tracking Prevention limits the damage by stopping cross-site tracking.
Safari with a content blocker, still big gaps
Here I used Firefox Focus (whose tracker list comes from Disconnect); you can also choose other content blockers such as AdGuard. Are the results better? Noticeably:
- 45 hosts contacted (49 fewer hosts).
- 200 requests.
- 6.2 MB of data downloaded.
Does that mean the content blocker fully protected you? Looking at the detail, many third parties continue to track you, even if the most "obvious" trackers have gone:
![]()
I removed the first-party requests for clarity.
DuckDuckGo, improved protection
DuckDuckGo uses its own tracker list, Tracker Radar, built from its own web crawl. The Tracker Radar data on the various trackers can also be used by third parties (for example in Safari, to provide information on these trackers). Results:
- 39 hosts contacted.
- 226 requests.
- 6.3 MB of data downloaded.
These figures look close to Safari with a content blocker; looking at the detail:
![]()
The list of trackers is shorter: DuckDuckGo is a little more effective than Safari combined with Firefox Focus.
Brave, strong protection
Brave Shields, its tracker-blocking system, is very flexible:
- The default settings keep you well protected.
- You can change the default settings.
- You can also change the settings for specific sites.
Here are the default settings:
![]()
You can choose to block scripts, all cookies and fingerprinting, but from experience some sites then stop working properly. Results with the default settings:
- 29 hosts contacted.
- 168 requests.
- 5.4 MB of data downloaded.
Brave is therefore the most effective. Looking at the detail:
![]()
It is almost perfect (Brave blocks, for example, the AT Internet CNAME cloaking on lemonde.fr via the domain buf.lemonde.fr), but Brave notably misses Facebook and Twitter.
Firefox protects you relatively poorly by default
While Firefox is a very good option on my Mac, it has a severe limitation on iOS: like every other iOS browser, it cannot install extensions. And Firefox without extensions unfortunately protects you much less well. Results with the default settings:
- 111 hosts contacted.
- 454 requests.
- 11.9 MB of data downloaded.
So you are widely tracked. Still, not everything is bleak; if you go into the settings:
![]()
In the "Privacy" section, tap "Tracking Protection".
You can see that by default Firefox applies Enhanced Tracking Protection (ETP) in its "Standard" mode:
![]()
Tapping the "i" tells you that Firefox protects you against social media trackers (indeed, Facebook and Twitter were blocked), cross-site trackers (nothing new here, ITP already does that), cryptominers and fingerprinters.
![]()
If you enable "Strict" protection, Firefox also blocks "tracking content" (the protection of most interest to us):
![]()
Are you better protected? New results:
- 42 hosts contacted.
- 225 requests.
- 6.7 MB of data downloaded.
Much better, then. Looking at the detail:
![]()
We find the same trackers as with the Safari and Firefox Focus setup: the two Mozilla applications use the same Disconnect-provided list to block trackers.
Chrome, the browser without protection
With Chrome it is very simple: you have no protection by default, and no setting that lets you add any. Chrome is not entirely idle: its teams are working on the Privacy Sandbox project, with the mission:
The Privacy Sandbox project's mission is to "Create a thriving web ecosystem that is respectful of users and private by default."
In detail, "a thriving web ecosystem" means supporting current advertising use cases: conversion measurement, behavioural advertising, retargeting, etc. "Private by default" means no longer letting trackers follow users individually (Chrome plans to block third-party cookies in 2022).
Measurement and targeting would instead be done on "cohorts" of users (sufficiently large groups), through decisions taken in the browser itself, with mechanisms to prevent data cross-referencing, and so on.
Obviously Google is less affected by Chrome's changes than an average website: it will go on tracking the vast majority of users through their Google accounts.
Results of the browsing test on Chrome:
- 100 hosts contacted.
- 370 requests.
- 11.3 MB of data downloaded.
No surprise: you are not protected at all.
Edge, well-hidden protections
Edge came dead last in the first-launch test. What about protection while surfing? Results with the default configuration:
- 96 hosts contacted.
- 368 requests.
- 10.2 MB of data downloaded.
Edge is comparable to Chrome, which is not a compliment. But Edge has some interesting hidden options. Under "Settings" > "Content blockers" you will find a "native" integration of the Adblock Plus blocker:
![]()
So I enable "Block ads".
Yes, Edge has built Adblock Plus into the browser. However, Adblock Plus is also an advertising company, paid large sums by marketing giants (including Microsoft, but also Google, Amazon, Criteo, Taboola and Outbrain) to let certain advertisements through, a great hypocrisy. To block all advertisements you must therefore go further, into the "Advanced settings" of "Content blockers":
![]()
I disable "Acceptable Ads".
But you are not done yet! Another useful option lives in "Settings" > "Privacy and security", and in the Security section (!) you will find "Tracking prevention" (apparently already "Enabled"):
![]()
Here you need to tap "Tracking prevention".
You then reach a new screen:
![]()
The "Balanced (recommended)" level is selected by default, so Edge would already be blocking "trackers from sites you haven't visited" as well as "known harmful trackers". In practice one wonders what Edge actually blocks: every tracker is invited to the party (Criteo, Google, DoubleClick, Weborama, Facebook, Amazon, etc.).
Microsoft says it relies on Disconnect to block trackers from the "Balanced" level of Tracking Prevention up; judging by the results, that is mostly an announcement effect (Firefox also relies on Disconnect, yet blocks many trackers).
Does switching to "Strict" tracking prevention, enabling Adblock Plus and disabling "Acceptable Ads" protect you against all trackers? Given the effort involved, one would hope so. Results:
- 41 hosts contacted.
- 200 requests.
- 6.8 MB of data downloaded.
Edge climbs to the level of Safari with Firefox Focus (the least one would expect with both Adblock Plus and Disconnect active). Looking at the detail:
![]()
Edge clearly still has progress to make.
NextDNS, in support of the browser
To conclude, the choice of browser is personal, but some iOS browsers provide a good first level of protection; I am thinking in particular of DuckDuckGo. NextDNS can be used on top.
I usually use the Safari + Firefox Focus combination (although DuckDuckGo and Brave are tempting); NextDNS blocks the trackers that slip through. Here is the result on the same combined LeBonCoin and Lemonde.fr test:
![]()
Trackers the Safari + Firefox Focus combination could not block were blocked by NextDNS.
In short, your choice of browser and of additional protections can make a big difference!