‘Sign in with Apple’ Ripped Apart By Critics Who Claim It May Be a Security Risk

The new Sign in with Apple feature in iOS 13 is meant to protect users’ privacy. But a non-profit organization is concerned that the feature might do just the opposite. Here’s what you should know.

Sign in with Apple, first announced at WWDC ’19 last month, is a new sign-in option that lets users create accounts for apps and platforms with their Apple ID. It’s similar to other sign-in options from the likes of Google and Facebook, but Apple’s platform has some added privacy and cybersecurity benefits.

Benefits of Sign in with Apple

  1. For one, a user’s real email address isn’t revealed. Instead, Sign in with Apple uses an Apple relay email address which can be revoked at any time.
  2. It also relies on Touch ID and Face ID for authentication — two systems with strong security.
  3. And the feature also doesn’t allow any personal information to make its way to apps or websites.

As you might expect, reception to the feature has been pretty warm. But now, a nonprofit organization called the OpenID Foundation is raising questions about Sign in with Apple in the privacy, security and development spheres.

Questions from the OpenID Foundation

The OpenID Foundation — which includes members such as PayPal, Google and Microsoft — oversees the OpenID Connect standard, on which a number of sign-in platforms are built. OpenID Connect lets users sign in to apps and websites without creating a separate password for each one.

In an open letter to Apple SVP Craig Federighi, the OpenID Foundation applauds Apple and says that the Sign in with Apple feature has “largely adopted” OpenID Connect.

On the other hand, the Foundation notes that there are some key differences in Apple’s implementation that it says could expose users of the feature to privacy and security risks.

What’s the Issue with Sign in with Apple?

The OpenID Foundation has listed some of these differences in a document, which you can view here. The differences appear to be in how Apple has implemented the OpenID Connect protocol rather than in the protocol itself.

Just as an example, the Foundation says that Sign in with Apple does not use PKCE (Proof Key for Code Exchange) for the Authorization Code grant type, which could leave the flow open to code injection and code replay attacks.
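To show what PKCE adds to the Authorization Code grant, here is an added example (not code from Apple, the OpenID Foundation or this article): the client generates a random code_verifier, sends its S256 challenge with the authorization request, and the token endpoint only redeems the code when the presented verifier hashes to the stored challenge. The authorization server is a constructed in-memory toy; real servers also bind the code to the client, redirect URI and expiry.

```python
import base64
import hashlib
import secrets


def make_code_verifier(n_bytes: int = 32) -> str:
    # RFC 7636: 43..128 chars from the unreserved set; 32 random bytes -> 43 chars
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode()


def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class AuthorizationServer:
    """Constructed toy server: each issued code is bound to the S256 challenge
    presented on the authorization request and can be redeemed only once."""

    def __init__(self) -> None:
        self._codes: dict[str, str] = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":  # the 'plain' method gives no protection against a leaked challenge
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(24)
        self._codes[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        # pop on first use: a replay, or a failed attempt, consumes the code
        challenge = self._codes.pop(code, None)
        if challenge is None or not 43 <= len(code_verifier) <= 128:
            return False
        return secrets.compare_digest(make_code_challenge(code_verifier), challenge)


def demo() -> dict:
    srv = AuthorizationServer()
    verifier = make_code_verifier()
    code = srv.authorize(make_code_challenge(verifier))
    legit = srv.token(code, verifier)   # genuine client redeems once
    replay = srv.token(code, verifier)  # same code again: rejected
    # injection: a code captured from another session, presented without its verifier
    stolen = srv.authorize(make_code_challenge(make_code_verifier()))
    injected = srv.token(stolen, make_code_verifier())
    return {"legit": legit, "replay": replay, "injected": injected}
```

Without the verifier check, the "injected" and "replay" cases above would succeed whenever the attacker holds a valid code, which is exactly the gap the Foundation's letter points to.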

Alongside the privacy and security risks, the Foundation’s letter also says that the feature places “an unnecessary burden” on website and app developers that work with both OpenID Connect and Sign in with Apple.

The OpenID Foundation is urging Apple to address these issues and close the gap between its authentication platform and OpenID Connect.

A Caveat

It’s worth noting that the OpenID Foundation counts tech firms like Google among its members. Google is notorious for leveraging user data to target ads as part of its core business model.

That isn’t to say that there aren’t any legitimate privacy or security concerns with Sign in with Apple. But it may be worth taking any backlash against Apple’s feature with a grain of salt — particularly if the criticism is coming from a company with a financial stake in having users sign in with their own platforms.
