When Private Browsing Isn’t Private On iOS: HTML5 And AirPlay



Mattias Geniar, March 23, 2015

Follow me on Twitter as @mattiasgeniar

Private Browsing: the illusion of privacy.

This applies to mobile devices that use iOS (iPhone, iPad). They have a peculiar way of handling a “private” session.


Shared HTML5 Storage

It’s actually explained in the incognito FAQ, but HTML5 storage on those iOS devices has a shared state. Everything stored in HTML5 storage in Incognito Mode can be accessed in normal mode.

… regular and incognito mode tabs share HTML5 local storage in iOS devices. HTML5 websites can access their data about your visit in this storage area.

Source: Browse in private

This mostly shows when websites use the HTML5 local storage for searchbox completion or store the session state of games. In most common use cases, you won’t notice. Mainly because HTML5 Local Storage isn’t that widely adopted yet.
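The mitigation that sits with the site author, not the browser: keep per-visit data such as search-box completions out of localStorage (which the post describes as shared between regular and incognito tabs on iOS) and in sessionStorage, which is scoped to one tab and discarded when it closes. The following is an added example and not code from the original post; the key name, the function names and the in-memory Storage shim are assumptions made for the example, and the Storage object is injected so the same functions run in a browser or offline under Node.

```javascript
// Added example (not from the original post): search-box history kept in a
// per-tab storage area instead of the shared localStorage, plus an audit
// helper to see what a page has left behind.

const KEY = "searchbox-history"; // hypothetical storage key, an assumption
const MAX_ENTRIES = 10;

// Constructed minimal stand-in for the Web Storage interface, used only so the
// example runs offline; in a browser, sessionStorage is used instead.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return Array.from(this.map.keys())[i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
  clear() { this.map.clear(); }
}

// Choose where completions live: sessionStorage is per tab and dropped when
// the tab closes, so nothing leaks into another browsing mode. If it is not
// usable, fall back to memory rather than to localStorage.
function pickStorage(win) {
  try {
    if (win && win.sessionStorage) return win.sessionStorage;
  } catch (e) { /* accessing storage can throw when it is disabled */ }
  return new MemoryStorage();
}

// Read the stored list defensively: corrupt or foreign data yields [].
function readHistory(storage) {
  try {
    const raw = storage.getItem(KEY);
    const parsed = raw === null ? [] : JSON.parse(raw);
    return Array.isArray(parsed) ? parsed.filter(t => typeof t === "string") : [];
  } catch (e) {
    return [];
  }
}

// Remember a search term: most recent first, no duplicates, capped length.
function recordSearch(storage, term) {
  const cleaned = String(term).trim();
  if (cleaned === "") return readHistory(storage);
  const history = [cleaned, ...readHistory(storage).filter(t => t !== cleaned)]
    .slice(0, MAX_ENTRIES);
  storage.setItem(KEY, JSON.stringify(history));
  return history;
}

// Suggestions for the search box: case-insensitive prefix match.
function completions(storage, prefix) {
  const p = String(prefix).toLowerCase();
  return readHistory(storage).filter(t => t.toLowerCase().startsWith(p));
}

// Explicit wipe, e.g. wired to a "clear history" control or a pagehide handler.
function wipeHistory(storage) {
  storage.removeItem(KEY);
}

// Audit helper: list the keys and sizes a page has left in a storage area, so
// a developer can check that nothing sensitive sits in the shared localStorage.
function auditStorage(storage) {
  const report = [];
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    report.push({ key: k, bytes: (storage.getItem(k) || "").length });
  }
  return report;
}

// Browser wiring (skipped under Node): keep completions per tab and drop them
// when the tab goes away.
if (typeof window !== "undefined") {
  const store = pickStorage(window);
  window.addEventListener("pagehide", () => wipeHistory(store));
}
```

Running `auditStorage(window.localStorage)` in the console of a page is a quick way to see exactly which keys would survive a switch between browsing modes on such a device.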

AirPlay Cache

Apple devices have the ability to use AirPlay to stream audio and video to a remote receiver, like a stereo (Airport Express) or a TV (Apple TV).

When you start such a session in Incognito Mode, stream your audio or video and later close that session, the AirPlay cache will still hold the filename/title of the media item you most recently played.

For instance, if you play Psy’s Gangnam Style on an iOS device in Incognito Mode, close the tab and continue browsing in Regular Mode, the AirPlay info screen will still show you the filename/title of the movie last played.


This meta info of the media played is only removed after you forcefully close the browser.


Closing the tab isn’t enough. This meta info will also be broadcast to any remote device you have connected, be it an Apple TV, Airport Express or in-car entertainment that syncs with AirPlay.

It Could Be Worse

Sure, it’s not as bad as storing Incognito URLs in a plain DB file like Safari does, but it just goes to show: Incognito Mode isn’t really incognito. It’s perfect for testing websites in a fresh environment though.

Regardless of server-side user matching, man-in-the-middle proxies and network sniffers, even local devices can’t separate regular vs. incognito mode properly. Don’t use Incognito Mode for anything you don’t want people to know. Expect, one day, to see your Incognito Browsing habits made public.

Make sure you don’t have to be (too) ashamed.
