UPDATE: An iPhone developer has turned this into an awesome little SBSettings add-on. You'll still need a jailbroken phone but can install it via Cydia.
My previous experiments in killing the Evercookie in Safari sparked similar posts describing how to do the same for Chrome and Firefox. However, my second most frequent browsing platform is my iPhone, so I thought I would investigate how Apple iOS, MobileSafari and embedded WebKit fare. They do much worse. There are two problems. The first is that any app which embeds MobileWebKit has its own stores for normal cookies, browser cache and HTML5 storage. Even if you go to your Safari settings (Settings -> Safari -> Clear {Cookies|Cache} and Settings -> Safari -> Databases -> Edit -> (delete all present)) and delete everything, you haven't cleared the cookies, caches and stores in the other apps (e.g. even a simple cookie set for singe.za.net in Twitter.app's embedded browser will still exist). The second problem is that, in MobileSafari, even if you do clear your MobileSafari store, the HTML5 localStorage mechanism isn't properly cleared and the evercookie reloads itself.
To hard clear all the WebKit datastores, including normal cookies, I put the following quick script together (you'll need a jailbroken iPhone). It will iterate through all WebKit databases, including MobileSafari's, and clear out the evercookie. You'll need to close (not suspend) all apps running WebKit for this to be effective (the evercookie reloads itself in seconds if they're open). Note that it produces ugly output and prompts before you delete files, but I wanted some visibility into who is storing what where. The first run deleted over 30 cookies in various places.
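#!/bin/bash
# Hard-clears WebKit cookies, HTML5 databases and localStorage for every app.
# rm -ri prompts before each deletion; close all WebKit apps before running.
echo "Deleting evercookie locations Safari missed (see samy.pl/evercookie)"
# Per-app WebKit directories (each app embedding WebKit keeps its own stores)
for DIRNAME in $(find /var/mobile/Applications -maxdepth 3 -type d -print|grep WebKit); do
  #Delete HTML5 SQLite DB
  ls "$DIRNAME"/Databases/*
  rm -ri "$DIRNAME"/Databases/*
  #Delete HTML5 local storage
  ls "$DIRNAME"/LocalStorage/*
  rm -ri "$DIRNAME"/LocalStorage/*
  #Delete normal cookies
  ls "$DIRNAME"/Cookies/*
  rm -ri "$DIRNAME"/Cookies/*
done
# Shared store under /var/mobile/Library/WebKit: cleared once, outside the loop,
# so it is also cleared when no app has a WebKit directory of its own
rm -ri /var/mobile/Library/WebKit/Databases/*
rm -ri /var/mobile/Library/WebKit/LocalStorage/*
rm -ri /var/mobile/Library/WebKit/Cookies/*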
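A read-only companion to the script above, added here as an example and not part of the original post: it reports which WebKit directories hold files in each store, without deleting anything. The function name `webkit_inventory`, its `ROOT` argument, the tab-separated output and the use of `-name WebKit` in place of `grep WebKit` are choices of this example.

```bash
#!/bin/bash
# Added example: read-only inventory of WebKit stores. Nothing is deleted.
# webkit_inventory, its output format and the ROOT argument are assumptions
# of this example; the default paths are the ones used by the script above.

# webkit_inventory ROOT
# Prints "<WebKit dir><TAB><store><TAB><file count>" for each non-empty store.
webkit_inventory() {
  local root="$1" dir store count
  # Matches directories named exactly WebKit (the script above uses grep WebKit).
  find "$root" -maxdepth 3 -type d -name WebKit -print |
  while IFS= read -r dir; do
    for store in Databases LocalStorage Cookies; do
      [ -d "$dir/$store" ] || continue
      count=$(find "$dir/$store" -type f | wc -l | tr -d ' ')
      [ "$count" -gt 0 ] || continue
      printf '%s\t%s\t%s\n' "$dir" "$store" "$count"
    done
  done
}

# Per-app stores first, then the shared store the deletion script also clears.
for ROOT in "${1:-/var/mobile/Applications}" /var/mobile/Library; do
  if [ -d "$ROOT" ]; then
    webkit_inventory "$ROOT"
  fi
done
```

Running it before and after the deletion script, with all WebKit apps closed, shows whether any store still holds files.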
I know this and my previous entry are scorched earth tactics. I'm okay with that for initial work and for browsers I don't use as my primary, due to limited privacy controls. Eventually these controls will need to be built into browsers (control to prevent, visibility into what is set when allowed, and an ability to delete). That is something I can see all browsers (possibly except Chrome, because Google wouldn't be able to make money monetising your personal details then) doing.
In short, what does Apple need to do to fix this? They first need to update the MobileSafari preferences to properly clear HTML5 local storage. Currently, there is no way to do this without jailbreaking. Second, they need to add the ability to clear the history/cache/cookies/HTML5 storage for all apps with an embedded WebKit browser. How they do it is up to them, but a central option to clear all would be a good start.
Update: Clarified what the two separate problems are, and added a section on what Apple should do to fix them. Also, hello to all the Slashdot and ThreatPost readers :)