Apple’s New Privacy and Security Features: A Closer Look

Usually when Apple CEO Tim Cook makes a big announcement at the company’s annual Worldwide Developers Conference, it involves a new device or a major device upgrade. This year, the big reveal was the ending of iTunes, but the more important news involved major security and privacy improvements.

Apple WWDC19 Tim Cook
Apple CEO Tim Cook addresses the crowd at WWDC 2019

Overall, privacy is something that the big tech companies have struggled with. So perhaps it isn’t surprising the security update generating the most interest is Sign In with Apple, a new feature in iOS 13.

AppSec/API Security 2022

“Apple says it can authenticate a user using Face ID on their iPhone without turning over any of their personal data to a third-party company,” reported Tech Crunch. It lets users hide their information from apps such as Facebook and Google, and if they don’t want to share their email with these apps, Apple will generate a random alias email.

Through this service, Apple can still gather the data it needs to maintain a relationship with users, contingent on if the user willingly opts-in to name and email sharing, explained Pablo Villareal, chief security officer and head of Globant’s Cybersecurity Studio.

“This is a change from how users were able to sign-in previously—given the option of logging into their Apple ID via Facebook or Google, which mined their data to then sell advertising,” Villareal noted. “With privacy limitations similar to the ones above in place, Apple proves its commitment to keeping customer’s privacy a priority—a strategy all businesses should begin to adopt as well, or fear being left behind and losing consumer’s trust.”

Will It Really Improve Privacy?

Anything designed to improve privacy is a step forward, but while this could be a game-changing technology, it may not be exactly as it seems, said Chris Morales, head of security analytics at Vectra.

The technical argument for Sign In with Apple, he explained, is that “Touch ID and Face ID are not a password and represent a hashed token, so no actual password is used in a transaction to be collected from a compromised site, the vendor or someone eavesdropping on a conversation. A side benefit is using Apple biometrics forces a user to enable multi-factor authentication, which every user should be doing anyway.”

The problem, he said, is this is a very Apple-centric technology. It only woks for logging into sites from an Apple device that happens to support Apple biometrics—or any new Apple product. For someone who likes to use multiple platforms and devices, you have to use the same password systems of the past.

Morales added that not sharing email addresses is interesting. “It isn’t something I have overly thought about or concerned myself with too much, mainly because I don’t see my email address as something that I consider private or secure,” he said. “But it could in theory reduce reselling of that information or correlating an email to a password—unless, of course, you don’t log in with an Apple device, in which case you still need to log in like every other service.”

“Apple’s move to help users prevent this tracking and interaction is a noble one; however, there are still many other sites out there that can gain access to this same information,” said Will LaSala, director of security solutions and security evangelist at OneSpan. “The use of adaptive authentication is what should be celebrated—the ability to prevent login tracking or protect a user’s information is a secondary benefit.”

Other New Security and Privacy Announcements

It’s worth noting—and what many are overlooking with these announcements—is the new technology is only partially about user privacy; the important part is the security of the technology, LaSala said. Last week’s news appeared to focus on user privacy but instead was really about a massive security update for users. Those other security updates include:

  • Apple HomeKit Secure Video, which is meant to address privacy and security concerns of how video footage from security systems is stored. Craig Federighi, Apple senior vice president of software engineering, said in a keynote address, “The video is analyzed in your home, on your resident iPad, HomePod or Apple TV, and then it’s encrypted and securely sent to iCloud where no one—not even Apple—can see it.”
  • New location-sharing capabilities. Users of iOS 13 will be able to limit how much access apps have to your location. Apps are sneaky—and nasty—about connecting to information about you that you don’t want to share, especially tapping into your GPS or other location indicators. With this new feature, users can deny permission to location detection after the initial download. It’s a small change, but it’s a move in the right direction.
  • Health data collection. All health-related data collected by Apple Watch will stay on your device or encrypted in your iCloud, but not stored on any Apple server.
  • Activation Lock features come to Mac devices. Now users can lock their computers as well as their iPhones if they are lost or stolen.

Sue Poremba

Featured eBook
The State of Cloud Native Security 2020

The State of Cloud Native Security 2020

The first annual State of Cloud Native Security report examines the practices, tools and technologies innovative companies are using to manage cloud environments and drive cloud native development. Based on a survey of 3,000 cloud architecture, InfoSec and DevOps professionals across five countries, the report surfaces insights from a proprietary set of well-analyzed data. This ... Read More
Palo Alto Networks

Sue Poremba

Sue Poremba is freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.

sue-poremba has 214 posts and counting.See all posts by sue-poremba