Apple took a swipe at Facebook at its Worldwide Developers’ Conference (WWDC) on Monday, unveiling fresh privacy features for the upcoming version of its iOS operating system for iPhone and iPad (iOS 13).
Most notably, it took the wraps off of an authentication mechanism that will allow users to sign into third-party websites and apps using their Apple ID. This is similar to the near-ubiquitous “Log in with Facebook” function (Google has something similar) that lets people avoid creating new credentials for every website by using “trusted” social-media logins instead – except that Apple claims that “Sign in with Apple” is far more privacy-aware.
“Now, [Log in with Facebook] can be convenient, but it also can come at the cost of your privacy, your personal information sometimes get shared behind the scenes and these logins can be used to track you,” said Apple software engineering chief Craig Federighi from the stage of the annual event.
In contrast, Apple’s sign-in mechanism allows users to opt out of revealing their real e-mail address to the site they’re signing into, by automatically creating a unique dummy address that will act as a masked relay.
“That’s good news because we get each a unique random address, and this means you can disable any one of them and anytime when you’re tired of hearing from that app,” noted Federighi.
Is Apple likely to actually be more privacy-conscious than the rest? Chris Morales, head of security analytics at Vectra, told Threatpost that the jury is out.
“It feels the exact same as what we already have but with a promise from Apple that they will be nice. Google once had the slogan ‘don’t be evil,’” he said. “It is all big companies trying to be the central point of authentication. I’m sure it works great, however, I think the privacy angle is more marketing than anything else.”
Apple’s positioning is undoubtedly savvy given the ongoing litany of Facebook privacy snafus — like when it recently confirmed that it had harvested the email contact lists for 1.5 million people, in an ongoing effort since May 2016. It was also recently revealed that the social network was using personal data as leverage with some of its partners. And, a security researcher earlier in April noticed Facebook was asking some – not all, curiously – new users to provide their email passwords when they signed up for a Facebook account, if they used certain email platforms, like Yandex or GMX.
And, of course, Facebook isn’t the only one in the privacy dog house of late.
“After witnessing Netflix customers and Amazon partners having their accounts hacked, this new feature from Apple is a much needed step in the right direction toward safer web commerce,” Shlomi Gian, CEO at CybeReady, told Threatpost. “One area that would still remain vulnerable has to do with consumer behavior toward phishing, as there are still too many instances where consumers literally give away their credentials to hackers unintentionally. Increased awareness might be the only way to reduce risk in the foreseeable future.”
Developers can build the Sign in with Apple feature into macOS, iOS and other apps using the Sign in with Apple API; users can also log in using Face ID or Touch ID. Federighi said that a one-click button will allow sign-in, “without revealing any new personal information.”
Location, Location, Location
Also on the privacy front, Apple unveiled location-tracking mitigations. In iOS 13, users who opt to share their location with an app will only be able to do so on a one-time basis; if a session ends and an app wants to access the user’s location again, the user will have to give approval again.
Apple further said that apps will no longer be able to triangulate a user’s location using Wi-Fi and Bluetooth information; indeed, they won’t be able to capture information about those connections at all. Finally, Apple said that iOS 13 makes it much more transparent to the user what information apps are collecting in the background.
“We believe privacy is a fundamental human right, and we engineer it into everything we do,” Federighi said. “This experience is meant to let you have control over your data.”