Sign In With Apple Exposes Users to Security Risks, OpenID Foundation Claims

The foundation is asking Apple to make Sign In with Apple compatible and interoperable with OpenID Connect.

By Gadgets 360 Staff | Updated: 2 July 2019 14:07 IST

Sign In With Apple Exposes Users to Security Risks, OpenID Foundation Claims

Highlights

Sign In with Apple will work on apps and websites
It is natively supported on all Apple platforms
Sign In with Apple can also work in Web browsers

Apple announced its “Sign In with Apple” feature with much fanfare at WWDC last month. Meant to be a brand-new way for the Apple users to log into apps and websites without losing their privacy, the feature has now been called out by OpenID Foundation. The foundation says that although Apple has used significant parts of OpenID Connect for Sign In with Apple implementation, its code is not completely aligned with OpenID, leaving the users vulnerable to security and privacy risks.

In an open letter to Apple's Senior Vice President of Software Engineering Craig Federighi, OpenID Foundation wrote, “the current set of differences between OpenID Connect and Sign In with Apple reduces the places where users can use Sign In with Apple and exposes them to greater security and privacy risks.”

The foundation has also detailed the spec violations as well as peculiarities in Sign In with Apple implementation, at least one of which is known to enable attacks. Other violations and peculiarities mostly seem to hamper the interoperability of Apple's solution with OpenID Connect partners. It is unclear if any of them pose any security or privacy risks to Apple consumers.

The OpenID Foundation is asking Apple to address the gaps between Sign In with Apple and OpenID Connect and make it compatible and interoperable. The foundation is also asking Apple to join it.

Apple has said to have fixed one of issues pointed out by the foundation. So, the company is clearly paying attention to what OpenID Foundation is saying, but it remains to be seen whether the iPhone maker will do everything that the foundation is asking or just fix the security issues and keep its implementation independent.

To recall, with Apple ID authentication, Apple will just provide the app developers or website publishers with a random ID and keep all of users' data safe with itself. The company also said that it won't use the Apple ID authentication data to profile users or their activity.

Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.