View this article at: //
Friday, Dec 21, 2012 8:18pm
Report: iOS 6 Safari has JavaScript flaw in App Banners
The Safari browser in iOS 6 has a flaw in its handling of JavaScript that, while not presenting any serious problems thus far, could evolve into a potentially security and privacy issue if not corrected soon, reports AppleInsider. Users who have turned JavaScript off for security or other reasons on their iOS device will see it turned back on -- without notification -- if the user visits any site that uses Smart App Banners, a feature of iOS 6 that requires JavaScript to work. The flaw has so far been found in all builds and versions of iOS 6, including the in-testing v6.1 beta, though Apple has now been informed of the issue.

To clarify, the problem isn't so much that Smart App Banners turns JavaScript back on when it requires it as much as that it doesn't return the user's default (if they have set JavaScript to be off) on completion, and doesn't respect the users' choice on JavaScript in the first place. By default, JavaScript is turned on and so the issue is unlikely to be noticed by the vast majority of users. However, for those who have turned it off, there is a reasonable expectation that it will remain off in all circumstances, which means that it being reactivated by Smart App Banners could open the user up to possible security or privacy breaches, though the possibility remains remote for the time being.

Smart App Banners are used by advertisers to detect if a user has a specific app installed, and suggests they either open the app or visit the app page on the iTunes App Store. While JavaScript has had occasional security issues in the past, it is considered reasonably safe and is part and parcel of most websites, making the disabling of it something only the most security-conscious users would be likely to do -- since the lack of JavaScript can be a serious inconvenience when surfing the web. JavaScript is a scripting language that is not to be confused with Java, an independent programming API that features cross-platform compatibility and has had numerous security problems in recent years.

AI spoke with a security expert named Lysa Myers at Intego, who said the forced reactivation of JavaScript is "not ideal," but also said it can't be considered much of a problem at this point." She said Intego would continue to monitor for potential exploits using the flaw. Peter Eckersley of the Electronic Frontier Foundation, on the other hand, saw the issue as a breach of user trust that leaves the browser vulnerable to "digital fingerprinting" by advertisers, and called on Apple to fix the problem as quickly as possible.

He said the EFF advises users that if they need high levels of privacy while browsing, it is best to use a desktop browser, since security options are more extensive and customizable. Mobile browsers tend to forsake customizability and complexity in favor of easy operation, which limits options. For example, a desktop browser can be outfitted with a blocker such as NoScript, an open-source plugin that disables other plugins, or ClickToPlugin, which blocks add-ons such as Flash, Java and JavaScript, and lets users re-enable them as needed. With Mobile Safari, the option is simply to turn JavaScript "on" or "off" (Flash and Java are already disabled in iOS browsers).

Again, JavaScript is a key ingredient in most websites and is generally considered safe, but this newly-discovered flaw that overrides user choices -- particularly in service to advertising -- is seen as a bug with possibly serious consequences if left unaltered. Apple has been informed of the issue but has not responded as of yet.