Yesterday at Apple’s annual Developer Conference, a new feature called Sign In With Apple was announced for the upcoming iOS 13, which is to be launched to the general public this coming Fall 2019. We’ve had a number of questions from people asking what our cyber security opinion is about this feature. Bottom line: we are very much in favor of this new feature and highly recommend using it wherever possible over the single sign-on services provided by companies like Google and Facebook. Here is why:
Apple’s Proactive Approach With Your Information vs. Google’s and Facebook’s Reactive Approach
Apple has made it a priority to keep their customers’ personal information safe and secure wherever legally possible. From a technical standpoint, they have built encryption into their products at the hardware level to make it practically impossible for even their own software developers to access your data without your permission. They have taken a lot of heat from a lot of directions for this, especially in the investigation of the 2015 San Bernardino, CA shooting, in which then-FBI Director James Comey tried to compel Apple in the courts to produce technology that would break the security of their products in order to gain access to one of the shooters’ iPhones to gather evidence. Put simply, Apple has gone a long way to fight to maintain the privacy of the customers who use their products, and has more often than not taken a proactive approach to the protection of privacy.
Meanwhile, companies such as Google and Facebook make the majority of their revenue from targeted advertising dollars by allowing third-party software developers and advertisers to access demographic and behavioral information about their users. Put another way, both of these companies make their money by selling your information to other people. Never has this been more obvious than with the Cambridge Analytica scandal in 2018, in which Cambridge Analytica harvested the personal data of millions of Facebook users without their permission for the purposes of political advertising. While it is nothing new for political and non-political advertisers alike to target their advertising based on demographic data, the real scandal was that Facebook sought to make this data available to advertisers willing to pay for it without giving Facebook users the chance to disallow that. Only after the scandal came to light has Facebook begun putting protections in place for users, thus taking a reactive approach.
Apple Is Putting Control In The Hands Of Their Customers, Not In The Hands Of Developers
There are presently over 20 million developers registered on the Apple App Store. The vast majority are honest developers trying to make a living selling their apps to the public. But as with any group of that size, there are those who will sell your personal information to third parties without your permission. Sometimes it is as simple as your email address, so that advertisers can bombard your email inbox with endless advertisements. Sometimes it is to track how you are using their software and other software on your device, without your permission, as Facebook did earlier this year.
Part of how Apple is combatting this issue is by not giving your email address to app developers the way Facebook’s and Google’s sign-on systems do. Every time you sign into an app or a web site through Facebook or Google, you are giving those developers the email address associated with your respective Facebook or Google account. With Apple’s system, developers will be given a single-use email address that the user has control over. So if an app developer uses the email address in a way that the user doesn’t like, the user will be able to cut off ties with that developer permanently, including by disabling the temporary email address that was provided to the developer.
Apple Is Only Verifying Who You Are For Developers, Not Telling Them Your Birthday, Your Hobbies, Where You Live, Etc.
Another downside to using Google and Facebook to sign on to apps and websites is the variety of information that is provided to developers and that can also be sold. Think of every piece of information in your Facebook account: your birthday, where you were born, where you went to school, your hobbies and interests, your religious or political views. All of this is information that developers who use Facebook and Google single sign-on services could have access to and could then sell to a third party. Or worse, if the developer or the third party they sell the information to is criminally minded, they could use that information to access other accounts such as bank accounts or personal email accounts.
Apple’s system is much simpler in that all it provides to developers is the assurance that you are who you say you are. This provides increased security from two directions. First, the developer gains the advantage of Apple’s cyber security protections to make sure that it is ONLY you accessing your account with that developer. Second, the developer will never be given information by Apple that you do not give explicit approval for.