Apple says it wants to help you use new apps “without revealing any new personal information” to Google, Facebook and other third-party services. And Tom Van de Wiele, Principal Security Consultant at F-Secure, thinks consumers may benefit.
A positive step, but ‘no silver bullet’
“If we take it at face value this is indeed a positive step taken by Apple to ensure that your email address doesn’t get sold off by dubious mobile app makers or the ad giants out there, including Facebook, Google and all the partners they work with,” Tom says. “But as always in security there is a trade-off to be made, and there is no silver bullet.”
If you use the new service—which Apple will require developers to prominently include in all iOS apps that use social sign-in—Facebook and Google, the two largest sellers of online advertising in the world, will get less information about the apps you use and how you use them. This should limit the impact of a breach or public leak so that data cannot simply be tied to you based on your email address.
If you still want to log in with an email, “Sign in with Apple” generates random “relay” emails that keep your email address private.
The tracking continues
And less information for the world’s largest search company could mean less profiling of your online activity—if the world’s largest search company weren’t already so expert in profiling your online activity.
“Google does keyword and other parsing on your emails to know what you are doing and knows what kind of hobbies you have based on what applications you have and what emails you receive,” Tom says. “But this is not going to change that much. Google just sees more alias email addresses coming in and will link those to your online identity within the G-suite eco-system. So as such you will not be anonymous from Google.”
What Apple gets out of offering more anonymity
Anonymity always comes with pluses and minuses, Tom warns.
“By being able to generate these aliases and using Apple as an anonymous remailer, you are locking yourself into the Apple eco-system as Apple’s services now play a critical step in you being able to log on to your mobile apps. This also means dependence; if you are in need of an email as part of something you are doing in, for example, a mobile application and Apple’s relay service is not available or loses data then you might lose control over your application. Think password resets or Apple simply ‘forgetting’ your alias.”
This should be fine for games and other social apps. But Tom notes the apps you use for communications, your doorbell and other smart home appliances could also be tied into the eco-system of the world’s first trillion-dollar company.
No matter what Apple does, app makers will likely still find ways to figure out your location or other identifiable information—though Apple also announced that it is giving users more control of how apps use GPS along with more transparency about what location data has been tracked.
“Mobile application makers might still store a lot of information on you, either entered by the end-user or collected by them with or without permission,” Tom says.
All of that information can still be compromised, even if you “Sign in with Apple.”
‘Sign In with Apple’ may be right for you
Who does Tom think can benefit most from this feature?
“Anyone that wants to take steps towards limiting the impact of a breach or leak made public as we have seen in the past, that might lead to identity theft or financial theft.”