Sign In with Apple

2019-07-01 2 min read

    Apple recently made the announcement that apps that provide third party login will also be required to offer a Sign in with Apple option. Apple will then, in turn, anonymize the email address and thus anomyze the user. The idea here being that the app will only have access to the random email generated by Apple and all email will have to be proxied through the email address generated by Apple.

    It’s a noble idea and Apple is clearly leaning into their privacy positioning hard. They’ve been positioning themselves as the anti-Google and this is an example of leveraging their market dominance to protect the customer.

    I suspect it’s more marketing than truth. This will help but the critical piece of tracking information, IDFA, is still tied to the device and can be accessed easily by the various tracking companies. The app itself may not have access to the de-anonymized user information but having access to IDFA doesn’t block or stop any of the tracking. I also suspect that there’s some sketchy service or product somewhere that allows companies to get access to email address from an IDFA.

    The one real benefit is that compromised accounts stay isolated and the risk that one account compromises others is significantly lowered. Right now if an app is compromised and the attacker has access to the email address and some sort of password (plaintext, hashed, encrypted) it’s possible to crack that password. And since most people reuse their password and email addresses across multiple sites the attacker will have a much easier time breaking into them. Having a different email address will make it significantly more difficult, if not impossible, to access the user’s other accounts.

    So while I think there’s a fair amount of spin on this and it’s not going to be as impactful as many believe there’s still value here and I’m curious to see how it manifests itself.