To many, it sounded like a good idea when Apple announced its Sign In with Apple service at WWDC 2019 last month: a privacy-focused login feature that will let macOS Catalina and iOS 13 users sign into third-party apps and websites using their Apple IDs.
It’s a service that’s designed to rival those of the data-gobbling behemoths, Google, Twitter and Facebook, each of which have their own no-no-how-about-you-sign-in-with-ME authentication services. All of these services allow you to use your ID for a quick, one-click sign up or sign on, no password required, as long as you’re signed into whatever tech bigwig’s service that you’re using.
But on 27 June 2019, Apple’s implementation of a sign-in service that doesn’t send personal information to app and website developers was critiqued by the OpenID Foundation (OIDF), the standard-setting organization behind the OpenID open standard and decentralized authentication protocol. The non-profit organization includes tech heavyweights such as Google, Microsoft, PayPal, and others.
The OIDF published an open letter to Apple software chief Craig Federighi, lauding the company for having “largely adopted” OpenID Connect into Sign In with Apple. OpenID Connect is a standardized protocol used by many existing sign-in platforms that lets developers authenticate users across websites and apps without them having to use separate passwords.
However, things are not all hunky dory with Apple’s implementation of OpenID Connect, according to Nat Sakimura, OpenID Foundation Chairman. From his letter:
The current set of differences between OpenID Connect and Sign In with Apple reduces the places where users can use Sign In with Apple and exposes them to greater security and privacy risks. It also places an unnecessary burden on developers of both OpenID Connect and Sign In with Apple.
Parting of the ways
The OIDF published this list of ways in which Sign In with Apple differs from OpenID Connect and what security and/or privacy risks those deviations entail.
For example, Apple’s tweaks to OpenID means that the protocol can’t thwart Cross Site Request Forgery (CSRF) attacks.
We saw an example of what that could lead to in February when a researcher discovered that Facebook had a CSRF flaw that could have allowed an attacker to hijack accounts in multiple ways. As we said at the time, CSRF flaws enable attackers to trick users into making unintended actions on websites they may be logged into but aren’t using (imagine clicking a link on a malicious website and it triggering a bank transfer at the bank website you forgot to log out of).
Another one of Apple’s spec violations enables attackers to pull off code injection attacks. This type of vulnerability can prove disastrous: for example, it allows computer worms to propagate.
Apple’s deviations from OpenID protocol could also lead to privacy problems, given that users’ ID Token and Authorization Code – and, hence, personal data – could potentially leak… personal data that could be used for a code insertion attack, the OpenID Foundation says.
Which is ironic, given that Sign In with Apple is supposed to present a privacy-conscious alternative to the services offered by Facebook and Google. The whole idea behind Sign In with Apple is to make signing in – and signing up – to websites as simple as possible, without having to provide any personal information.
Those are just some of Apple’s spec violations, but there’s an even longer list of “peculiarities” in Sign In with Apple, Sakimura wrote – weirdnesses that include, for example, forcing developers to read through the Apple docs to find out about endpoints, scopes, signing algorithms, authentication methods and more, since Apple apparently didn’t publish a Discovery document at its OpenID configuration page.
Cut a developer some slack, would ya?
The OIDF asked Apple to fix the situation by doing these things:
- Address the gaps between Sign In with Apple and OpenID Connect based on the feedback.
- Use the OpenID Connect Self Certification Test Suite to improve the interoperability and security of Sign In with Apple.
- Publicly state that Sign In with Apple is compatible and interoperable with widely-available OpenID Connect Relying Party software.
- Join the OpenID Foundation.
From the letter:
By closing the current gaps, Apple would be interoperable with widely available OpenID Connect Relying Party software.
Apple’s updated Human Interface Guidelines are also asking app developers to place its authentication feature above other rival third-party sign-in options wherever they appear.
Apple hadn’t responded to the OIDF’s letter as of Friday.
5 comments on “Privacy and security risks as Sign In with Apple tweaks Open ID protocol”
Steve would have given the finger to the letter as well and would have hired new developers with the drive.
I agree that this will weaken Apple’s grip on sign-in dominated security… the ease of use does not always bring advantages… can also open you up to credential hacks on phishing fake sites etc… it’s not new and a quick search will show it’s been done before with the quick auto sign in with Facebook, instagram, Pinterest. or social media sites… but you sometimes you may not always be signing in on legit social media sites but a fake one collecting you creds… I’m surprised at Apple for joining this band wagon…. maybe create a separate cred for this sort of thing but not link it to your major Apple account containing your financial info etc…..
sooo, apple service security is “almost” good.
kinda like, “dinner was almost good” just doesn’t make me want it…..
Apple’s gargantuan ego (inherited from Jobs, natch) continues with the ‘not built here’ mentality to the continued detriment to their users.
Not fully implementing OpenID will also make it harder for developers as most of them rely on some OpenID libraries to add social login buttons like Facebook, Google, Twitter, etc.