The change is this: last year Apple introduced something called Sign in With Apple, inevitably abbreviated to SiWA. You’ve probably seen it in action: it sits alongside other so-called social logins from Google, Facebook and others, allowing users to sign up for services and apps with their account at one of those services, meaning they don’t have to enter lots more information, and remember a new password.
Google and Facebook have been in this game since around 2011, and Apple is a little late to the party. They only introduced the option last September, and said that developers only needed to add the option to apps on their platform if the only existing choice was another social login.
So before we get in the weeds here, let’s just take a couple of steps back. What is the benefit to companies like Google, Facebook, Amazon, LinkedIn, Twitter and Apple to offer this log-in service? Surely it’s extra work for them to wire another company’s plumbing, so to speak?
Well, no. As you might have guessed, there’s a significant advantage for the likes of Facebook and Google — they get to track you to yet another corner of the web, while the host service saves money on setting up, managing and securing passwords etc. Yes, you might say, that is true of those companies that make money out of your data, but Apple don’t do that, right? Why would they be interested in doing this?
Here is where it’s a bit murkier. Apple’s argument, as I understand it, is essentially this: We want to help keep our users’ data secure, and so if we offer this service — where users don’t need to set up a new password, they just use their existing Apple account — we help limit their exposure to crooks and bad guys. As if to prove that point, they offer an extra layer onto their SiWA: you can make yourself partly anonymous to the service you’re signing up for via a layer of throwaway email addresses, all of which Apple handles and which can’t be tracked back to you.
So no question: if you’re an Apple user and you want to use one of these services, then Apple is the way to go. So far, so good. Until March, that is. On March 4 Apple quietly removed a word — “exclusively” — from its terms for developers to post their apps on the App Store. Developers can’t get their apps onto your iPhone or iPad unless they get approval of the App Store police, and so this word turns out to be quite an important one.
Previously the sentence read: Apps must include the Apple SiWA option if they “exclusively use a third-party or social login service”. When that word disappeared, it meant that now if any app offered any third-party or social login service, they must offer the Apple version as well. Otherwise their app would not be approved by, or an existing app slung from, the App Store.
So what in practice does this mean? In effect, Apple is saying that either apps remove all third-party sign-in options, or they include Apple’s as well. This might seem like no big deal, but some developers aren’t happy. One, a company called Pushbullet which (ironically) makes it easier to connect devices together, has pulled its iOS app in part because of the rule which they said would create a lot of extra work (See below). Another developer I spoke to said that after getting their app thrown out of the App Store until it complies they have decided to remove all third-party options and set up their own system, costing them $20,000 and likely some subscribers in the process. “It’s an example of Apple imposing their will as a condition for approving a minor change,” he says.
Some app developers have already baulked at the idea of social logins, realising they lose visibility into and access to their customers. While Facebook, say, will share some of the user’s profile details with the service when they use that sign-on option, many say that most people use for their social login the service they use the least: oftentimes the Facebook profile lacks a full name, or an email address. Others have found that they now have one more layer, rather than one fewer, when it comes to security. Indian top-up service Freecharge said this week it had recently removed social logins for Google and Facebook “for security reasons”. A spokesperson told me that “As part of our regular reviews, we decided to disable social login and streamline the login process with an OTP as it provides an easier user experience,” without elaborating.
And this is the thing. These social logins are popular among users, but probably for all the wrong reasons. We like them because they’re faster, less hassle and because we don’t have to remember our password. But that’s just it: we feel like we’re giving away less information, whereas we aren’t. We may use our least-used account for the sign-in, but that’s still data being passed onto two services — the app developer and the big technopoly. Some services still go ahead and create a separate account, so you’ve ended up worse off rather than better off.
There are other reasons to think this isn’t a good deal either. Security is one: All these big players have been hacked at one point or another, so just because we have put all our sign-on eggs in one big basket doesn’t mean the eggs can’t break. And if someone does hack your Facebook account, say, you’ve just made it a lot easier for them to access all the other services you’ve provided your login details to.
Mohammad Ghasemisharif of the University of Illinois, who co-wrote a paper exploring the security risks of single sign-on (the umbrella term which includes social logins) [1], told me: “I do think there is a trade-off here. On one hand, big tech companies have enough resources and talents to allocate towards securing their products. However, they are still prone to mistakes like any other company, with a caveat that their mistakes could have a much larger impact.”
And is it a good thing, asks Troy Hunt, who runs the excellent haveibeenpwned, and has been critical of social logins in the past: “I worry about the conditioning of people to enter their social credentials into a context different to the social site itself,” he told me. At the same time, he sees advantages: “I love that it reduces the footprint of the total number of credentials repositories out there. I also like that it’s a lot harder to screw up from an implementation perspective.”
Never far from the tree
And Apple? Well, Apple is right when it says it’s more in the privacy game than the data game. Friends I’ve spoken to say that having Apple offer social login means they don’t have to give their details to some random site, and yet still receive emails. They’d rather entrust their data to Apple than to someone mining it for data.
But my feeling is this: that shouldn’t really be what gives you pause. The real reason they (and Google, and Facebook, and Amazon) are doing this is because it adds another brick to the wall and a lock to the door to keep you in their walled garden. For them, as I’ve said before, more important now is not selling you more hardware — that’s assured, even if you’re not maybe upgrading as much as you did before — but to get you locked into more services that are exclusive to Apple. An Apple SiWA fits the bill perfectly.
What happens, for example, if you swap your iPhone for an Android phone? How are you going to use your Apple SiWA now? (The answer is, you can, but it’s a kludge, and Apple has no incentive to make it any easier.)
Of course, this is also why Facebook, Google, LinkedIn (Microsoft), Twitter and Amazon are in this game. It’s a game of overlapping territories, a grand canvas upon which the great technopolistic game is played. No-one player dominates the whole map, but Apple has belatedly realised that this is a theatre they need to be playing in. Being a technopoly is always about controlling the gates, because as gatekeeper you can decide what goes through and what doesn’t, and what price has to be paid. Being a gatekeeper you can change the rules, as Apple did with no fanfare or explanation on March 4. They can shut things down.
The idea is always to make it easier to move around within the walled garden, so long as you’re not doing anything where you either go out of the walled garden, or your money does.
Does this all really matter? In itself, no. Though what I’m trying to show is how these small things end up becoming big things, but in a way that mostly flies under the radar. I couldn’t find anything in the Judiciary Committee documents about these social logins, nor in the UK Competition and Markets Authority’s recent report about the creeping battle to control the sign-up and authentication process. But it seems an obvious new battleground, and now that Apple is in it, expect it to get hotter, and sneakier, as the garden walls grow taller.
[1] O Single Sign-Off, Where Art Thou? An Empirical Analysis of Single Sign-On Account Hijacking and Session Management on the Web, https://www.usenix.org/conference/usenixsecurity18/presentation/ghasemisharif