Whenever an Apple iOS device, whether it’s an iPhone, iPad, or iPod Touch, connects to a Wi-Fi network, it makes a request to an Apple URL (http://www.apple.com/library/test/success.html). The URL looks harmless, and no personal identifying information is sent to this site. It’s not exactly a privacy issue, but it opens the door for potentially scary scenarios.
We have a name for software that calls the mothership without our being aware of it: spyware.
Security expert Robert Graham of Errata Security downplayed concerns, pointing out that the URL request actually served a useful function. The Apple devices hit the test site to determine if there is a “captive portal” on the Wi-Fi network. This refers to networks that require users to login or accept the Terms of Service before allowing the user to get online, such as free Wi-Fi at the library or a paid hotspot service.
Users using a Web browser on these networks are forced to a login or ToS page, before being redirected to the page they were trying to access. Users trying to get online by other means, such as syncing e-mail, can’t get online and don’t see a prompt indicating they need to open the browser first.
When the mobile device gets on the network for the first time, it tries to access the test site. If it can’t get a response from Apple’s servers confirming the connection is up, the operating system launches a dialog box. The user can log in without opening up the Web browser, and when it’s time to access the e-mail sync, everything works fine.
However, since this is just a simple HTTP request, it can easily be redirected to somewhere less wholesome, and potentially damaging. Even if it’s trying to be helpful, we have some issues with something we bought accessing sites without our say-so.