Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //


06:30 PM

Apple Pledges Privacy, Beefs Up Security

The company hits back at the data economy - and fellow tech giants Facebook and Google - by announcing its own single sign-on service. A host of other iterative security improvements are on their way as well.

Whether it's from Apple fans, embedded marketing people, or actual developers, applause is an oft-heard feature of any keynote at Apple's Worldwide Developers conference. 

Yet the loudest applause at this year's conference came not for some shiny feature, but for a seemingly insignificant, geeky detail: providing users with randomized e-mail addresses. As part of its coming "Sign in with Apple" feature, the company said it will provide users with the ability to use a random e-mail address for each app, holding out the possibility that consumers could, once again, have some small control over the informational transactions with application makers.

The applause for that small detail was both raucous and sustained

"A lot of love for random addresses here," said Craig Federighi, senior vice president of software engineering at Apple, before the WWDC 2019 crowd last week. "And that's good news because we give each app a unique random address. This means that you can disable any one of them at anytime when you are tired of hearing from that app."

Among a host of announcements, the "Sign in with Apple" offering stood out. It promised to treat people as valued customers rather than digital horseflesh to trade on the open market, taking aim squarely at two technology giants of whom consumers — and governments — have increasingly become wary: Google and Facebook. And it gave Apple some measure of cover in the US government's investigation of whether its own business should be considered a monopoly that needs to be broken up. A bifurcated Apple, after all, may not be able to offer privacy as a selling point.

"This gives them a chance to improve the privacy of, at least, Apple users,"  says Jacob Hoffman-Andrews, senior staff technologist at the Electronic Frontier Foundation. "They also show a world is possible where companies are not snarfing up all your data to make money."

The announcement placed the focus at the WWDC 2019 on privacy, but in smaller venues speaking to a more technical crowd, Apple focused on security as well.

The company announced it had made app notarization — a process that runs automated security checks against developers' release candidates — mandatory as of June 1, 2019. Not to be confused with the App Review process, notarization involves sending a release candidate to Apple, which scans the code and checks it for common errors and security problems, as well as creates a certificate that validates the software. In return, developers are prevented from inadvertently shipping malicious code, gain the benefits of Apple's hardened runtimes, and are provided an audit trail of their developer account's activity, Garret Jacobsson, CoreOS security engineer at Apple, told developers at the conference.

"Users are more likely to download and try new software knowing that Apple has scanned it for known security issues," he said.

The next version of the Mac OS, dubbed Catalina, will also have more extensive security checks. Apple has applied defense-in-depth principles to a greater extent in the coming version of the Mac OS. Gatekeeper, a program that originally blocked specific malicious software programs from running on Macs, has evolved into a much more comprehensive tool that scans for malicious content but also validates the signature provided by as part of the notarization process. 

While the current version of the Mac OS, Mojave, blocks apps from accessing certain types of data without explicit user permission — including contacts, calendar appointments, reminders, and photos — almost all user data will be included in the permission-based model in the coming version. Applications that try to access files on the desktop, in the user's Documents folder, or in any type of storage will require either explicit or inferred permission. 

Unsurprisingly, considering its recent privacy-focused advertisements, Apple spent a great deal of time on showcasing its pro-privacy technologies. Any app that offers the capability of single sign-in with Facebook or Google will have to offer the user the "Sign-in with Apple" capability, Federighi said. In addition, the company will give users the ability to share location only a single time, requiring applications to request permission for each new time they want to use location data. 

"At Apple, we believe that privacy is a fundamental human right, and we engineer it into everything we do," he said.

Apple moves, along with the regulatory pressure from the European Union's General Data Protection Regulation (GDPR) and antitrust investigations, will likely put pressure on Google and Facebook to change how much control they give users.

"I think there is a lot of pressure on the data companies from a lot of different directions," says Omer Tene, vice president and chief knowledge officer at the International Association of Privacy Professionals. "Apple will continue to be the most aggressive proponent of privacy as it provides them a competitive advantage."

Yet, whether technology companies that provide services for free can wean themselves off of data remains to be seen, the EFF's Hoffman-Andrews says.

"Apple's particular corner of the market is sustainable because they are one of the richest companies on the planets," he says. "But can others follow in their footsteps? Probably not."

Related Content

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter.
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to conduct persistent XSS attacks by leveraging administrative privileges to set a crafted server name.
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to denial-of-service the device via long input values.
PUBLISHED: 2020-08-07
DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.