You may have high regard for Apple’s attention to detail, and place a lot of trust in them through your use of their products and services — your iPhone, iPad, Mac and beyond. Apple are generally very good at protecting their customers, but we have discovered a blind spot in their internet services. We are highlighting deficiencies, exemplified by the results Apple presents in their search engine.

When using Siri or the Search button on Apple devices, Apple Spotlight returns results including web links. The result quality is poor compared with Google Search, and incorrect and malicious results are often returned.

In the first example, a search for “popcorn action”, we see a strange URL and title in the first and third results. User-generated websites hosted on "netlify·app" and Google’s "web·app" are third-party developer creations and sandboxes, and should not be trusted, especially not for a simple query like “popcorn action”.

example 1

Searching for “ChaseNet”, we don’t get a JPMorgan result as we would expect. The first result is a link to a parked domain. A parked domain ostensibly means the domain was recently purchased by someone who has parked it until they develop a website. Parked websites should not be trusted: if the domain is genuinely parked, a user can do nothing useful with it, and if it is malicious, phishing pages can be hidden behind it.

Apple should not publish search results for parked websites.

example 2

example 3

Searching for “BBL”, intending the British Basketball League, the correct result is returned first. Unfortunately, a bad listing is shown for result three. If we ignore the relevance of this query to Cricket Australia, the more pressing issue is that raw tags, including PHP server source code, are being returned. This could be an issue with the Cricket Australia website but Apple should not include this result for an end user. It looks spammy and risky to a user.

example 4

The first result here has a truncated, poor-quality title.

example 5

Searching for “Society for the Propagation of the Gospel”, it returns results for United Society Partners in the Gospel. The rich result is correct overall, but the links are incorrect. In the “Links” section, appearing before Siri Suggested Websites, there is a link to the supposed official website of United Society Partners in the Gospel — stated as "weareus·org·uk". When clicking on this, you get a parked website with paid adverts. In the Siri Suggested Websites section, the first result has the correct official website — "uspg·org·uk". It looks like they moved their domain.

For knowledge gathering, Apple uses a combination of Wikipedia (and Wikidata) and web crawling with Applebot. It appears that the link listed as the official website is related to the Wikipedia result — so Wikipedia’s official website reference is out of date.

For the end user, it is not clear that the “official website” is sourced from the Wikipedia article (or its Wikidata item). Even so, many people trust Wikipedia, so many would trust the link too. But it is easy to assume that Apple itself is stating that this is the official website. This is a dangerous scenario because users tend to place a lot of trust in Apple products and services. Apple needs to cross-reference their knowledge sources and make sure results are correct and official.

example 6

example 7

example 8

example 9

Blackpool Illuminations is an annual event in Blackpool and does not have a standalone official website. When searching for “illuminations” in Apple Spotlight, you get a rich result. Listed as the “official website” is "blackpool-illuminations·net", which is an ad-laden unofficial site providing little useful information. It is a site set up by someone for ad revenue generation, masquerading as a genuine information source.

In the Siri Suggested Websites section, the second result backs up this supposed official website listing, providing a link to the same website — "blackpool-illuminations·net". The third result goes to the official website for the Illuminations, on Visit Blackpool — "visitblackpool·com".

Even when searching “Blackpool Illuminations”, the unofficial result comes before the official result.

Another salient point: the issue with a rich result, followed with a link to the “official website”, is that the rich result, with a “hero” photo and introduction, builds trust for what follows. But this trust is misplaced.

Wikipedia and Apple have unofficial websites listed as official and trusted. To fix trust on the web, this needs to be addressed.

example 10

example 11

example 12

example 13

example 14

Golden Goose is an Italian sneaker and fashion retailer. Searching for the brand in Apple Spotlight, the official website is correctly returned and listed first — "goldengoose·com". But this should be the only result. The two other results are malicious.

Golden Goose would not use "golden-gooses·com" — a domain with a plural ending and a hyphen — completely against their brand identity. They would also not host a website on "goldengoose-outlet·us·com", which is on a pseudo country-code top-level domain (not an ICANN TLD), run by a company that purchased the "us·com" domain and opened up registration so that organisations can purchase subdomains. It is not a particularly trusted TLD. The ICANN official TLD for the United States is ·us, although most US companies use ·com.

Regarding search results and their ordering, users tend to trust the first result and click it more than anything else, but when other results, in close proximity, promote supposed discounts and offers of 70% off through an apparent outlet store, this will tempt users to go to a malicious site. It is human nature to want to save money and get a good deal, so this social engineering will convince a range of users. These social engineering attacks are inadvertently endorsed (Siri Suggested) by Apple, putting their trust and reputation behind results like these.
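As an added example (not Apple’s code, and not a description of how Spotlight actually ranks results), the following Python script applies the checks this section and the first example describe to a result URL before it is shown: is the host on a shared developer sandbox such as netlify.app or web.app, is it under a privately run pseudo country-code suffix such as us.com, and does it imitate the brand’s official domain through hyphenation, pluralisation, a brand label placed in a subdomain, or a one- or two-character typo. The suffix lists, the `OFFICIAL_DOMAINS` registry and all function names are assumptions constructed for this example; only goldengoose.com, netlify.app, web.app and us.com come from the page.

```python
"""Hygiene checks for third-party web results before an aggregator surfaces them.
Added example; suffix lists and the brand registry are constructed, not Apple's."""
from __future__ import annotations

from urllib.parse import urlsplit

# Platforms where any developer can publish under their own subdomain
# (constructed, partial list; netlify.app and web.app are the two the page names).
SHARED_SANDBOX_SUFFIXES = ("netlify.app", "web.app", "github.io", "pages.dev")

# Privately run "pseudo country-code" domains that sell subdomains as if they
# were TLDs (constructed, partial list; us.com is the one the page discusses).
PSEUDO_CCTLD_SUFFIXES = ("us.com", "uk.com", "eu.com", "de.com")

# A real deployment would load the Public Suffix List here instead.
KNOWN_SUFFIXES = SHARED_SANDBOX_SUFFIXES + PSEUDO_CCTLD_SUFFIXES

# Brand query -> its one official registrable domain (constructed registry).
OFFICIAL_DOMAINS = {"golden goose": "goldengoose.com"}


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, without scheme, port, path or trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def _matching_suffix(host: str, suffixes: tuple[str, ...]) -> str | None:
    """Return the first suffix that host equals or sits under, else None."""
    for suffix in suffixes:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def split_host(host: str) -> tuple[list[str], str]:
    """(labels left of the public suffix, public suffix); sandbox hosts and
    pseudo-ccTLDs count as suffixes, so 'x.us.com' -> (['x'], 'us.com')."""
    suffix = _matching_suffix(host, KNOWN_SUFFIXES) or host.rsplit(".", 1)[-1]
    remainder = host[: -len(suffix) - 1] if host != suffix else ""
    return (remainder.split(".") if remainder else []), suffix


def normalise_label(label: str) -> str:
    """Collapse the cosmetic variations squatters rely on: hyphens and a plural 's'."""
    label = label.replace("-", "")
    return label[:-1] if label.endswith("s") and len(label) > 3 else label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(candidate: str, target: str) -> bool:
    """True when a normalised label imitates the normalised brand label."""
    if candidate == target or target in candidate:
        return True
    # Edit distance only for brands long enough that two edits are not a coincidence.
    return len(target) >= 6 and edit_distance(candidate, target) <= 2


def assess_result(url: str, brand: str | None = None) -> dict:
    """Classify one result URL for a brand query. Flags:
      shared-sandbox-host  lives on a platform where anyone can publish
      pseudo-cctld         uses a privately run us.com-style suffix
      brand-lookalike      imitates the brand but is not its official domain"""
    host = host_of(url)
    labels, suffix = split_host(host)
    official = OFFICIAL_DOMAINS.get(brand) if brand else None
    registrable = f"{labels[-1]}.{suffix}" if labels else suffix  # eTLD+1
    if official and registrable == official:
        return {"host": host, "official": True, "flags": []}
    flags = []
    if _matching_suffix(host, SHARED_SANDBOX_SUFFIXES):
        flags.append("shared-sandbox-host")
    if _matching_suffix(host, PSEUDO_CCTLD_SUFFIXES):
        flags.append("pseudo-cctld")
    if official:
        target = normalise_label(split_host(official)[0][-1])
        if any(looks_like(normalise_label(label), target) for label in labels):
            flags.append("brand-lookalike")
    return {"host": host, "official": False, "flags": flags}


if __name__ == "__main__":
    # Constructed sample: the three Golden Goose results the page describes.
    for url in ("https://www.goldengoose.com/", "https://golden-gooses.com/sale",
                "https://goldengoose-outlet.us.com/"):
        print(url, assess_result(url, "golden goose"))
```

Run against the three Golden Goose hosts, the official one comes back clean, "golden-gooses.com" is flagged as a brand lookalike, and "goldengoose-outlet.us.com" is flagged both for the pseudo-ccTLD and as a lookalike; a result on netlify.app or web.app is flagged as a shared sandbox host regardless of query. Only structural checks are made here: detecting a parked domain, as in the ChaseNet and Eurodec examples, needs the page content and is out of scope for this script.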

example 15

Searching for “Eurodec” in Apple Spotlight, a bad result appears in position three, with the domain "websiterz·com". This site hosts a parking page, but the title of the Apple Spotlight result is mysterious — it looks like a Baidu search result URL. Baidu is the number one search engine in China and the second-largest search engine globally. The "websiterz·com" site could be hosting ad-stuffed revenue-generating search pages that look like Baidu, hosting phishing campaigns, or masquerading as Baidu to host malicious content. It could do this temporarily or under any number of subdomains, hiding its activities while keeping the main domain parked so it looks innocuous. There are many possibilities, but it is not an official or good result to show.

example 16

example 17

Apple needs to urgently review and fix their ranking and trust algorithms to rid their results of malicious websites, and help make the internet safe.