It is now possible to recover data from past Private Browsing sessions using off-the-shelf forensics tools

Oct 6, 2016 14:35 GMT  ·  By
It is now possible to recover some Private Browsing data from iOS 10
2 photos
   It is now possible to recover some Private Browsing data from iOS 10

Besides crippling the password system for iTunes backups, it appears that Apple has also weakened Safari's Private Browsing mode, according to Stacey Jury, Digital Forensic Analyst for IntaForensics.

The problem she discovered is related to how Safari stores data about Private Browsing sessions, and more particularly about "suspended state" URLs.

These are URLs for tabs the user has closed but the browser still keeps around in case they want to navigate back and forth in their public or private browsing session.

Safari now saves Private Browsing links inside a database file

Jury explains that, in previous iOS versions, Safari kept this list of Private Browsing "suspended state" URLs inside a Plist file. As soon as the user closed the Private Browsing session, iOS would clear those links from the Plist file.

Things changed in iOS 10, released last month. Jury says that Safari started using a database to store information on the Private Browsing "suspended state" URLs.

The IntaForensics expert says that, while Apple does its due diligence and removes the "suspended state" URLs from the database, it does not overwrite the DB entries with random data, as a precautionary safety measure.

Forensics tools can recover links from previous Private Browsing sessions

This allows an attacker with access to the device to use forensics or database recovery tools to salvage the deleted database entries. This would have been technically impossible if Safari continued to use Plist files.

"XRY [data recovery software] recovered those closed web pages," Jury says. "So whether you’re browsing the web in private mode or not, Safari web history can be recovered regardless using the latest forensics tools!"

This latest discovery is just another page in the pile of complaints stacking up at Apple's headquarters regarding iOS 10. Besides poor performance, iOS 10 seems to have opened a few security and privacy holes in one of Apple's most beloved products.

Security researchers have previously discovered that the iOS iTunes backup system uses an alternative password system that's 2,500 times easier to crack, and also that the link preview functionality added in the iMessage app exposes some of their personal details.

Private Browsing data recovered from an iPhone running iOS 10.0.1
Private Browsing data recovered from an iPhone running iOS 10.0.1

Photo Gallery (2 Images)

It is now possible to recover some Private Browsing data from iOS 10
Private Browsing data recovered from an iPhone running iOS 10.0.1
Open gallery