Apple was broadly praised for its security prowess at WWDC 2019, especially the newly announced “Sign in with Apple” feature, which provides the functionality of a universal log-in without the privacy issues that have been associated with Facebook and Google log-ins.
However, it may have security flaws: the OpenID Foundation has claimed, in an open letter to Apple SVP of software engineering Craig Federighi, that the tech giant could leave users open to attack.
Apple is using a version of the OpenID Connect specification to make its secure login tech possible, but the OpenID Foundation has claimed that because Apple has adopted only certain parts of the specification, it is leaving users open to malicious attacks.
“The current set of differences between OpenID Connect and Sign In with Apple reduces the places where users can use Sign In with Apple and exposes them to greater security and privacy risks,” says the letter from the OpenID Foundation. “It also places an unnecessary burden on developers of both OpenID Connect and Sign In with Apple. By closing the current gaps, Apple would be interoperable with widely-available OpenID Connect Relying Party software.”
To ensure the safety of Apple customers, the OpenID Foundation is suggesting that Apple adopt all parts of the specification.
It’s worth mentioning that the OpenID Foundation wants full specifications to be adopted; that’s kind of their gig. They also want Apple to sign up as a full member of the OpenID Foundation and make Sign In with Apple work with other OpenID Connect partners, but Apple has spent a long time in a walled garden of its own making, so the chance that it will want to play nice with third-party associations is low.
Regardless of whether there are any real security concerns, apps will have to play ball with Apple, too. A full release is due to accompany iOS 13’s launch in the fall, and at that stage every iOS 13 app that supports third-party logins will also need to offer Sign In with Apple. Testing of the feature starts this summer.