Date: 2024-06-05

My son’s iPad is set to restrict him from visiting most websites. And yet I was able to use it to access the most X-rated parts of the internet.

Porn, violent images, illicit drugs. I could see it all by typing a special string of characters into the Safari browser’s address bar. The parental controls I had set via Apple’s Screen Time? Useless.

Security researchers reported this particular software bug to Apple multiple times over the past three years with no luck. After I contacted Apple about the problem, the company said it would release a fix in the next software update. The bug is a bad one, allowing users to easily circumvent web restrictions, although it doesn’t appear to have been well-known or widely exploited.

Parents who read this aren’t surprised. Apple’s Screen Time has seen more bugs than a soda spill on a summer’s day. Many report that the app time restrictions they set for kids—say, one hour for YouTube—don’t work. Last year Apple told my colleague Julie Jargon that it fixed a bug where kids could use their devices even during preset Downtime hours. When my son requests to download a new app, I often don’t get a notification, and the Screen Time interface doesn’t always accurately show how much my kids or I are using our devices.

The system meant to protect Apple’s youngest users feels like an afterthought.

Apple says that isn’t the case.

“We take reports of issues regarding Screen Time very seriously and have been consistently making improvements to ensure users have the best experience,” an Apple spokeswoman said, adding that the latest iOS 17.5 software includes substantial Screen Time fixes. “Our work is not done and we will continue to make updates in upcoming software releases.”

Two researchers who reported this bug to Apple tell a different story of how seriously the company takes this.

Reporting the bug

Back in 2020, Andreas Jägersberger, a Vienna-based security researcher, was conducting some tests when he realized that typing a string of characters into the Safari address bar in any Apple software—iOS, iPadOS and MacOS—would sidestep website restrictions set by Apple’s parental controls. It was also a way around web blacklists set on company phones and laptops with device management software, he said.

Jägersberger and his colleague Ro Achterberg detailed what they believed to be a security vulnerability in a report to Apple’s security team in March 2021, according to correspondence I reviewed. Apple’s bounty program rewards people who spot and submit security or privacy vulnerabilities.

A day later Apple told them the flaw wasn’t a security issue and to submit a report via Apple’s feedback tool. The researchers did and say they never heard back.

In August 2021, they tried again. Apple’s security team was more explicit this time: “We do not see any actual security implications.” So again, the researchers submitted through Apple’s feedback channel. Nothing.

“They rejected without knowing implications or severity or anything, which is frustrating to us,” Achterberg said.

They feared that others could stumble across this trick and spread it across TikTok and YouTube, as has happened with Screen Time workarounds. They also worried about corporate security given that the same workaround could be used to circumvent employee web filters. That could open the door to malicious attacks, they said.

After three years of report submissions, which included documentation of a suggested fix, and contacting others in Apple security, Jägersberger and Achterberg felt the company wasn’t going to release a patch or pay them a bounty. So they contacted me.

Testing the bug

I tried a number of Apple devices. With Screen Time enabled on iPads and iPhones running iOS/iPadOS 15, 16 and 17, I was able to visit porn sites, watch graphic, violent news footage on YouTube and Google “how to buy cocaine.”

I was able to do the same in Safari on a MacBook Pro running the latest MacOS, Sonoma. All I had to do was type the character string—which we won’t reproduce here so it isn’t abused—plus any web address.

After I contacted Apple, a spokeswoman said that the company is “aware of an issue with an underlying web technology protocol for developers, which allows for a user to bypass web content restrictions.” She said “a fix has been planned for the next software update.”

She also said Apple is committed to improving the process by which it receives and escalates bug reports. Additionally, an Apple spokesman told me that the company values its relationship with these researchers but maintains the flaw was a software issue, not a security vulnerability. Only security holes are eligible for bounties. They typically could let an attacker gain access to a user’s data or take control of a user’s device, the spokesman said.

Beyond the bug

While few seem to have known about this bug, many others have been spotted by parents and kids. And since Apple appears to be listening to my bug reports, here are a few others the company should prioritize:

App limits. Sandra Castro, a mother of two from El Dorado Hills, Calif., has set a one-hour limit on Instagram for her daughter. When the hour is up, her daughter still has full access to the app. Castro says she has called Apple customer service repeatedly. The suggested fixes don’t work. Many others have complained about this on Apple’s community pages.

Screen usage chart. Want to see your child’s screen usage for the day? The chart is often inaccurate or just blank.

Time and app requests. Sometimes I get notifications to approve more YouTube time for my son or an app download. Sometimes I don’t. And according to this community page, plenty of others have the same issue.

Ask to Buy loophole. Adam Pletter, a child and adolescent psychologist in Maryland, has started a campaign to get Apple to fix another issue. He says when he deletes an app (paid or free) from his daughter’s phone, she can redownload it without asking permission again. The “Ask to Buy” only happens once, so there isn’t a way to take apps away from kids once they have them. (While confirming this in testing, I removed the App Store from my son’s iPad and now can’t get it back. Another bug people report!)

Apple says it has addressed many of these issues in its last several software updates. Specifically, iOS 17.5 improved app and device usage tracking, time requests and app limits. So be sure to update every device used by your family.

Still, Castro said she is so frustrated with Screen Time that she plans to buy her son an Android phone. “So much of Screen Time doesn’t work. It’s a big pile of you-know-what,” she said.

She isn’t wrong, Apple. Please fix it.