When Private Browsing Isn’t Private On iOS: HTML5 And AirPlay



Mattias Geniar, March 23, 2015


Private Browsing: the illusion of privacy.

This applies to mobile devices running iOS (iPhone, iPad). Chrome on those devices has a peculiar way of handling a “private” session.


Shared HTML5 Storage

It’s actually explained in Chrome’s incognito FAQ: on iOS, HTML5 local storage is shared between the two modes. Everything a site stores in HTML5 local storage in Incognito Mode can be read back in normal mode, and the other way around.

… regular and incognito mode tabs share HTML5 local storage in iOS devices. HTML5 websites can access their data about your visit in this storage area.

Source: Browse in private

This shows mostly on websites that use HTML5 local storage for searchbox autocompletion or to save the state of games. A site that keeps a visitor identifier in local storage can also use it to tie your Incognito visit to your regular one. In most common use cases you won’t notice it, mainly because HTML5 local storage isn’t that widely adopted yet.
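To make the shared-storage behaviour concrete, here is an added example that is not code from the original post: a tracking snippet of the kind a site might run, which keeps a visitor ID and a search history in localStorage, plus a small simulation of an Incognito visit followed by a regular one. The key names and the in-memory Storage stand-in are assumptions made for this example; in a browser you would call getOrCreateVisitorId(window.localStorage) from each mode instead of running simulate().

```javascript
// Added example, not from the original post: how a site that keeps a
// visitor ID and a search history in HTML5 localStorage ends up linking
// an Incognito visit to a regular one when both modes share that storage.
// Runs in Node with a constructed in-memory Storage; in a browser, call
// getOrCreateVisitorId(window.localStorage) from each mode instead.

const VISITOR_KEY = 'visitor_id';       // assumed key names, chosen for
const HISTORY_KEY = 'search_history';   // this example only

// Minimal stand-in for the browser's Storage interface (constructed).
function makeMemoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    removeItem: (k) => { data.delete(k); },
    clear: () => { data.clear(); },
    key: (i) => { const keys = Array.from(data.keys()); return i < keys.length ? keys[i] : null; },
    get length() { return data.size; },
  };
}

// What a tracking snippet does on every page load: reuse the stored ID or
// mint a new one. `mint` is injectable so the simulation below can tell
// which mode created the ID.
function getOrCreateVisitorId(storage, mint) {
  let id = storage.getItem(VISITOR_KEY);
  if (id === null) {
    id = mint ? mint() : Math.random().toString(16).slice(2);
    storage.setItem(VISITOR_KEY, id);
  }
  return id;
}

// Searchbox autocompletion: the kind of feature the post says leaks.
function recordSearch(storage, query) {
  const history = JSON.parse(storage.getItem(HISTORY_KEY) || '[]');
  history.push(query);
  storage.setItem(HISTORY_KEY, JSON.stringify(history));
}

function pastSearches(storage) {
  return JSON.parse(storage.getItem(HISTORY_KEY) || '[]');
}

// One Incognito visit followed by a regular visit. With `shared = true`
// both tabs see the same storage object, as on iOS; with `shared = false`
// the private tab gets its own, as a browser that isolates private mode would.
function simulate(shared) {
  const privateTab = makeMemoryStorage();
  const regularTab = shared ? privateTab : makeMemoryStorage();

  const privateId = getOrCreateVisitorId(privateTab, () => 'id-from-private-tab');
  recordSearch(privateTab, 'constructed private query');
  // Closing the Incognito tab does not touch localStorage.

  const regularId = getOrCreateVisitorId(regularTab, () => 'id-from-regular-tab');
  return {
    linked: privateId === regularId,   // same ID => the site can join both visits
    leaked: pastSearches(regularTab),  // private queries visible to the regular tab
  };
}

// The only mitigation a site itself can offer: delete what it wrote. A page
// cannot detect which mode it runs in, so this has to be explicit (a
// "forget me" button) rather than automatic.
function forgetMe(storage) {
  storage.removeItem(VISITOR_KEY);
  storage.removeItem(HISTORY_KEY);
  return storage.getItem(VISITOR_KEY) === null && storage.getItem(HISTORY_KEY) === null;
}

if (typeof window === 'undefined') {
  console.log('shared storage:  ', simulate(true));   // linked: true
  console.log('isolated storage:', simulate(false));  // linked: false
}
```

With shared storage the regular tab receives the ID minted in the private tab and can read the private tab's search history; with isolated storage it gets a fresh ID and an empty history. Nothing in the page itself can tell the two modes apart, which is why the fix has to come from the browser rather than the site.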

AirPlay Cache

Apple devices can use AirPlay to stream audio and video to a remote receiver, like a stereo (AirPort Express) or a TV (Apple TV).

When you start such a session in Incognito Mode, stream your audio or video, and later close that tab, the AirPlay cache will still hold the filename/title of the media item you most recently played.

For instance, if you play Psy’s Gangnam Style on an iOS device in Incognito Mode, close the tab and continue browsing in regular mode, the AirPlay info screen will still show you the filename/title of the media last played.


This metadata about the media played is only removed after you force-quit the browser.


Closing the tab isn’t enough. This metadata is also broadcast to any remote device you have connected, be it an Apple TV, an AirPort Express or an in-car entertainment system that syncs with AirPlay.

It Could Be Worse

Sure, it’s not as bad as storing Incognito URLs in a plain DB file like Safari does, but it just goes to show: Incognito Mode isn’t really incognito. It’s perfect for testing websites in a fresh environment though.

Leaving aside server-side user matching, man-in-the-middle proxies and network sniffers, even the local device can’t separate regular from Incognito Mode properly. Don’t use Incognito Mode for anything you don’t want people to know. Expect, one day, to see your Incognito browsing habits made public.

Make sure you don’t have to be (too) ashamed.
