This article originally appeared in Threatpost on June 4, 2019.
The login scheme promises it won’t share data — and will be required for all developers using third-party sign-ins.
Apple’s “Sign in with Apple” feature promises to protect user privacy – and while many are looking at that claim as more of a marketing move than anything else, authentication experts say it has the potential to have an enormous impact on the data privacy ecosystem.
The giant from Cupertino took the wraps off the feature at its Worldwide Developers’ Conference (WWDC) on Monday. Now in limited beta for app developers, the feature will allow users to sign into third-party websites and apps using their Apple ID. Apple claims that “Sign in with Apple” is far more privacy-aware than similar methods, like Log in with Facebook.
Apple is undoubtedly hoping that this will be a competitive mic-drop; it’s a golden opportunity to brand itself as a “privacy” company against the backdrop of all the bad press that others have gotten on that front.
“Apple are just competing with Facebook and the rest of the crew and protecting the shareholders,” Colin Bastable, CEO of Lucy Security, told Threatpost. “This is more about who is less untrustworthy.”
But OAuth’s Aaron Parecki, who manages https://oauth.net, told Threatpost that the claim has a legitimate technical foundation (Sign In with Apple works with OAuth on Chrome and Android).
“The way most ‘sign in with [blank]’ systems work is that the app you’re signing in to will get your username on that service and likely also your email address,” he explained. “These apps can sell your email address to advertisers, or correlate your activity between unrelated applications by matching your username.”
In contrast, “Apple’s sign-in feature provides neither an email address nor an identifiable user ID. The unique user ID returned is just an opaque string like 001473.fe6f33bf4b8e4590aacbabdcb8598bd0.2039, and they will return a proxy email address instead of your real email,” he said.
Thus, it becomes impossible for apps to gain any useful information about the person who’s signing in.
“Sign in with Apple is purely a way for an app to authenticate you across your devices or when you want to sign into the app’s website after making an account from the phone,” Parecki said.
Of course, this leaves app developers with very little incentive to actually implement the feature – which Apple is addressing by requiring them to use it in order for their apps to be accepted into the App Store. Using the API will be mandatory for any app that offers third-party sign-in — which some see as a strong-arm move. Unsurprisingly, it has sparked some early controversy.
“Apple’s strategy here is to gather more users into their ecosystem whether they use Apple hardware or not, along with the promise that they’ll do a better job of protecting user privacy than some of their competitors,” Sam Bakken, senior product marketing manager at authentication specialist OneSpan, told Threatpost. “Will consumers embrace that? I’m not sure. If they don’t, developers won’t be thrilled with the requirement. Until we see whether consumers are convinced, it’s hard to say how developers will respond.”
Parecki noted, “You can look at this two ways. On one hand, Apple is using their position as gatekeepers of the App Store to get quick adoption of their new sign-in feature into apps. On the other hand, this does actually improve users’ privacy and will ultimately be a far better user experience once apps start using it.”
Much is still unknown about Sign in with Apple, including whether Apple will gain access to user data or be able to collect insights on app usage via the login mechanism; and it hasn’t mentioned how it will handle that data if it does harvest it. But there are also other security dimensions worth noting in Apple’s scheme, according to Will LaSala, director of security services and security evangelist at OneSpan.
“Apple is going one step further than traditional single sign-on, they are forcing their users to use stronger authentication, such as Apple’s FaceID and TouchID,” he said, noting that Sign in with Apple will ask mobile app users to use the biometrics functions. “The use of adaptive authentication is what should be celebrated – the ability to prevent login tracking or protect a user’s information is a secondary benefit. Any way that we can get users to move to adaptive authentication, that is easy and portable across many sites and platforms, is a security win for the internet.”
A Blow to Data Harvesters?
As a corollary to the privacy protections, some have noted that requiring developers to use Sign in with Apple has the potential to cause real disruption to an internet economy that’s built on collecting and selling user data.
“The data ecosystem has grown at the expense of consumer privacy,” Chris Olson, CEO of The Media Trust, told Threatpost. “Every company that has a digital presence has, knowingly or not, contributed to this dynamic. This isn’t only Facebook’s or Google’s fault. The software and devices we use, the companies we engage with all collect and make money from our information, frequently unbeknownst to us. This digital tracking of individuals, including our children, is not only pervasive, it’s constant.”
With regulatory moves like the GDPR and various consumer privacy laws reshaping the data environment and forcing companies to change how they operate, moves like this by Apple may become more common, he added.
“In a way, [this is] forcing companies to go back to the basics of treating customers right,” Olson said. “Companies that fail to meet consumers’ growing demand for privacy, transparency and accountability will simply fall by the wayside.”