When the "Sign in with Apple" functionality to appear as part of iOS 13 was announced at the Worldwide Developers Conference (WWDC) back on June 3, it was met with broad approval from Apple users. After all, what's not to like about having an alternative to signing in to applications and services via your Facebook, Google, or Twitter account? It turns out, truth be told, quite a lot. Just how much depends upon whom you are talking to, of course.
The OpenID Foundation (OIDF), whose own OpenID Connect platform shares much in common with the proposed Apple solution and counts Google, Microsoft and PayPal amongst its members, is edging towards the not so keen side of the fence. Moreover, it's not alone either.
In a June 27 open letter addressed to Craig Federighi, senior vice-president of software engineering at Apple, Nat Sakimura, OIDF chairman, begins with some faint praise regarding Apple's "efforts to allow users to log in to third-party mobile and Web applications with their Apple ID using OpenID Connect." It very quickly goes downhill from there, however.
After explaining how OpenID Connect has been developed by a broad range of companies, along with experts from within the OIDF itself, the letter points out how it has become a widely-adopted protocol built on OAuth 2.0 to enable third-party logins in a secure and standard manner. The differences between OpenID Connect and Sign in with Apple, the letter continues, expose users "to greater security and privacy risks."
It then goes on to insist that developers will be unnecessarily burdened by having to work on both as Apple will insist they offer it alongside the others, whereas by "closing the current gaps," the OIDF argues, "Apple would be interoperable with widely-available OpenID Connect Relying Party software."
So what seems to be the real problem here? The Apple system gets around having to pass your email to the third-party developer by creating a disposable one-off email address just for that purpose, assuming you choose to hide your real email address. By doing so, you also avoid the data aggregation problem that these sign-on platforms enable by seeing the various apps and services you use, which could build an accurate, and valuable, marketing profile. Opting out of emails can be done by deactivating individual service addresses, and Apple knows the apps you are using anyway so, assuming you trust it with that information, then the Sign in with Apple platform adds no new privacy concerns.
Why, then, is it being painted as such a security and privacy risk by the OIDF?
The answer comes mainly in the form of those "differences" mentioned earlier. These include failure to use the Proof Key for Code Exchange (PKCE) system that mitigates code injection and code replay attack threats. A document listing the differences was updated July 3 to acknowledge fixes that had been made since the open letter was sent.
That document can be found here and is worth reading as it also describes the specific attack and privacy problems that remain as a result of the protocol differences. These include Cross-Site Request Forgery (CSRF) attacks and potential leakage of the ID Token, which contains a set of personal data and Authorization Code, which could be used in the aforementioned code injection attack. According to this latest information, only the Apple documentation regarding the exchange of authorization codes has been fixed to date.
Sean Wright, an application security specialist, understands only too well how the problem with many open protocols is that at times organizations modify the protocol or standard just a little bit. "This causes potential compatibility issues when other organizations try to integrate," Wright says, "so I can see why OpenID is so interested in trying to ensure that Apple sticks to the standard." As for the security issues, these potentially stick their collective heads above the development parapet only because it will be a modification of a protocol and so open to newly introduced vulnerabilities.
I ran a very quick poll of information security professionals on Twitter earlier today, which saw 60% thinking OIDF was right to call Apple out on these issues. The remaining 40% being evenly split between thinking OIDF was wrong, and it not mattering as both options improve security and privacy anyway.
"Any extra layer of security or privacy support added to accounts is a bonus in my book," says Jake Moore, a security specialist at ESET, who continues, "but admittedly it appears this could still be even more secure by today's standards." Moore told me that because Apple is dealing with millions of accounts, sadly this means if it were to make signing in too tricky for the average user, then there's a risk that customers could be lost. "Albeit a bold move," he concludes, "I like seeing accounts that force users to make their accounts more secure with strong password policies and Multi-Function Authentication as default."
Neira Jones is a partner at the Global Cyber Alliance and an internationally renowned cyber risk and information security speaker. Jones tells me that she thinks that while there will undoubtedly be teething problems, as with anything new, Sign in with Apple remains a good thing. "I do not doubt that Apple will address the security issues," Jones says, "but whether Apple will fix the interoperability issues mentioned by OpenID remains to be seen as a number of factors are at play." After all, Apple has traditionally been in the business of remaining a closed ecosystem, and Jones isn't sure that will change any time soon.
Not that it's impossible given that Facebook has announced the Libra cryptocurrency and in amongst the white paper documentation there's a paragraph that states: "An additional goal of the association is to develop and promote an open identity standard. We believe that decentralized and portable digital identity is a prerequisite to financial inclusion and competition."
With more than 3 billion users, Facebook is potentially hoping for a big play in the identity space, according to Jones. They may or may not succeed, but Facebook does have a trust issue. "Apple haven't," Jones concludes, "or certainly not to the extent of Facebook's trust issues."
