Apple's reluctant compliance with European antitrust rules by allowing third-party app stores on iPhones has left users of its Safari browser exposed to potential tracking of web activity.

Developers Talal Haj Bakry and Tommy Mysk investigated how Apple implemented the installation process for third-party software marketplaces on iOS with Safari, and concluded that Cupertino's approach is particularly sloppy.

tl;dr: The way Apple has added support for third-party app stores means that any website, when visited by Safari on iOS at least, can ping a selected approved software market with a unique identifier per user. This means that as users move from site to site, or use a site, those sites can silently reveal that activity to a non-Apple app store — revealing the kinds of things that individual netizens find interesting. That information can be used for targeted app campaigns, ads, and so on. This appears to apply to iOS 17.4 users in the EU. Whether someone will use this in nature remains to be seen – but the potential is there.

"Our tests show that Apple shipped this feature with catastrophic security and privacy flaws," Bakry and Mysk wrote in an advisory published over the weekend.