Brad Hill (@hillbrad), Jun 14, 2018, thread of 10 tweets
Thread: Apple's recent policy change to forbid apps using social sign on from saving or using access tokens server-side is going to harm security, and well beyond just users of Apple devices.
Remember that passwords are the #1 source of user security and privacy harm. Social sign in is the most usable, preferred alternative in use today. Password managers just aren't as easy and useful, especially for those who use apps across multiple platforms and devices.
The biggest source of abuse against single sign on systems comes on the client side, not the server side, when tokens leak to malware, malicious browser extensions, bad redirects, XSS, and apps impersonating other apps in the app store.
The mitigation for these weaknesses is to use a "code" flow, where the authorization process on the client only returns a code, which must be combined with a server-side secret to obtain an access token. It seems Apple's new policy forbids this long established best practice.
Why does this matter? Because apps and sign on providers now need to always support direct token flows. That might be fine if it were only for iOS apps, but a server can't tell. Once you enable token flows, all that malware can now just pretend it's an iPhone over the network.
There's no way to attest that an app is actually running on iOS. Apple could implement FIDO, and that would partially solve this, though it still wouldn't protect from impostor apps in the app store (it happens) or attacks using Mobile Safari.
And Apple's new policy also forbids apps from offering only social sign in. So get ready for more passwords - because Apple still doesn't support interoperable, standards-based password alternatives - and worse privacy, since the username will almost always be an email address.
It all makes me wonder: is it a coincidence that, against the industry wave of standardization, all of Apple's work on authN in the last 5 years has been tech that just happens to make it more difficult for people to use non-Apple devices or ever switch away from their products?
And do they really care that much about privacy (hello, Chinese market!), or is it that too many apps found that being free and ad-supported was a preferred way of doing business for them and their users compared to direct payments (30% of which just happens to go to Apple?)
I guess we'll learn soon enough, if Apple starts demanding their vig on APIs like developer.apple.com/documentation/… once they've forced out other business models and put themselves in the middle of every way a developer might collect revenue from their app.
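The code flow the thread contrasts with a direct token flow, as an added illustration (not Brad Hill's code, nor any real provider's): a toy authorization server that either hands the client an access token directly or only a short-lived, single-use code that is redeemable solely with a secret held on the app's backend, so an artifact leaking on the client side is useless on its own. Client id, secret and user names are constructed.

```python
import hmac, secrets, time

# Constructed confidential-client registration; the secret lives only on the app's backend (example value).
CLIENTS = {"example-app": "backend-only-secret"}

class AuthorizationServer:
    """Toy authorization server contrasting a direct token flow with a code flow."""
    def __init__(self, code_ttl=60):
        self.code_ttl = code_ttl
        self._codes = {}    # code -> (client_id, user, issued_at)
        self._tokens = {}   # access_token -> user

    def authorize_token_flow(self, client_id, user):
        # Direct token flow: the access token itself is handed to the client.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = user
        return token

    def authorize_code_flow(self, client_id, user):
        # Code flow: the client only receives a short-lived, single-use code.
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, user, time.time())
        return code

    def token(self, code, client_id, client_secret):
        # Token endpoint: a code is worthless without the server-side secret.
        entry = self._codes.pop(code, None)  # single use, whatever the outcome
        if entry is None:
            return None
        code_client, user, issued_at = entry
        expected = CLIENTS.get(client_id)
        if (code_client != client_id or expected is None
                or not hmac.compare_digest(expected, client_secret)
                or time.time() - issued_at > self.code_ttl):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = user
        return token

    def resource(self, access_token):
        return self._tokens.get(access_token)

def stolen_artifact_works(server, flow):
    """Simulate the client-side leak the thread describes (malware, XSS, bad
    redirect) and report whether the thief reaches the resource with it alone."""
    if flow == "token":
        return server.resource(server.authorize_token_flow("example-app", "alice")) is not None
    stolen_code = server.authorize_code_flow("example-app", "alice")
    t = server.token(stolen_code, "example-app", "guess")  # thief lacks the secret
    return t is not None
```

A failed redemption also burns the code, so the legitimate app's subsequent exchange fails, which is a useful server-side signal that something intercepted the flow.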