Serious privacy flaw in iOS's new universal links feature

Originator: getaaron
Number: rdar://23061949
Date Originated: 10-Oct-2015 08:05 PM
Status: Open
Resolved:
Product: iOS
Product Version: iOS 9.1
Classification: Security
Reproducible: Always
 
Summary:
Safari Private Browsing mode opens Universal Links without concern for user privacy

Steps to Reproduce:

1. Install the Twitter app and log in
2. Open Safari
3. Enable Private Browsing Mode
4. Send a text to the phone (or write a note) containing “https://twitter.com/allowe/status/651284694193975296”
5. Tap the link to the off-color joke

Expected Results:
I expect the link to open in Safari’s Private Browsing Mode, since I have expressed that I don’t want to be tracked right now.

Actual Results:
The link is opened in the Twitter app, which allows the Twitter corporation to track my affinity for off-color jokes, and possibly associate me with drug use. This is because I’m logged in to the Twitter app, even though I am not logged in to Twitter in Safari’s Private Browsing mode.

(This is a basic example, but the potential for privacy violation is real and could be much more disastrous.)

Notes:
- The workaround to long-press the link and tap “Open in Safari” is unacceptable - the default behavior should be to respect the user’s privacy preferences, not ignore them
- Most users can’t see or understand the apple-app-site-association JSON file, so they will not be able to predict when tapping a link will open Safari or an app
- Suggested design improvement: tapping a link that has an apple-app-site-association match should prompt the user to select Safari or a third-party app.
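To make the matching behaviour the report refers to concrete, here is an added example (not code from the report, from Apple, or from Twitter) that reads a constructed apple-app-site-association document, decides whether a tapped URL would be claimed by the app, and models the suggested improvement of prompting in Private Browsing instead of handing the link to an app that holds its own logged-in session. The domain, team/bundle identifiers and path patterns are invented; the pattern semantics (`*` matches any run of characters, `?` one character, a `NOT ` prefix excludes, first matching pattern wins) follow the iOS 9 era documentation as I understand it and are an assumption of this model, not Apple's implementation.

```python
import fnmatch
import json
from urllib.parse import urlsplit

# Constructed apple-app-site-association document for illustration only.
# The appID and paths are made up; real files are served by the site at
# /apple-app-site-association and are normally never seen by users.
AASA_JSON = """
{
  "applinks": {
    "apps": [],
    "details": [
      {
        "appID": "EXAMPLETEAM.com.example.social",
        "paths": ["NOT /settings/*", "/*/status/*", "/i/*"]
      }
    ]
  }
}
"""


def load_aasa(text):
    """Parse the JSON and return the list of app/path entries."""
    return json.loads(text)["applinks"]["details"]


def path_matches(pattern, path):
    """Match one AASA path pattern against a URL path.

    fnmatch's '*' crosses '/' just as the AASA wildcard does, and '?'
    matches a single character, which covers the two wildcards used here.
    """
    return fnmatch.fnmatchcase(path, pattern)


def app_for_url(url, details):
    """Return the appID whose patterns claim this URL, or None if Safari keeps it.

    Patterns are evaluated in order and the first match wins, so a 'NOT '
    exclusion listed before a broader pattern takes precedence (assumed
    semantics, see lead-in).
    """
    path = urlsplit(url).path or "/"
    for entry in details:
        for pattern in entry["paths"]:
            exclude = pattern.startswith("NOT ")
            pat = pattern[4:] if exclude else pattern
            if path_matches(pat, path):
                return None if exclude else entry["appID"]
    return None


def route_link(url, details, private_browsing, prompt):
    """Decide where a tapped link goes: 'safari' or 'app'.

    Today's behaviour: an AASA match opens the app unconditionally.
    The report's suggestion: when the user is in Private Browsing, ask first,
    because the app may carry a logged-in identity that Safari's private mode
    deliberately does not share. `prompt(app_id)` stands in for that dialog
    and must return 'safari' or 'app'.
    """
    app = app_for_url(url, details)
    if app is None:
        return "safari"
    if private_browsing:
        return prompt(app)
    return "app"


if __name__ == "__main__":
    details = load_aasa(AASA_JSON)
    link = "https://social.example/allowe/status/651284694193975296"
    print(app_for_url(link, details))                       # claimed by the app
    print(route_link(link, details, False, lambda a: "app"))  # app
    # In Private Browsing the user is asked; here the stand-in chooses Safari.
    print(route_link(link, details, True, lambda a: "safari"))
```

Running the block shows the status URL being claimed by the app while `/settings/...` and unmatched paths stay in Safari; the `private_browsing` branch is the only change needed to turn the silent hand-off into a user choice.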
