


06:30 PM

Apple Pledges Privacy, Beefs Up Security

The company hits back at the data economy - and fellow tech giants Facebook and Google - by announcing its own single sign-on service. A host of other iterative security improvements are on their way as well.

Whether it's from Apple fans, embedded marketing people, or actual developers, applause is an oft-heard feature of any keynote at Apple's Worldwide Developers Conference.

Yet the loudest applause at this year's conference came not for some shiny feature, but for a seemingly insignificant, geeky detail: providing users with randomized e-mail addresses. As part of its coming "Sign in with Apple" feature, the company said it will provide users with the ability to use a random e-mail address for each app, holding out the possibility that consumers could, once again, have some small control over the informational transactions with application makers.

The applause for that small detail was both raucous and sustained.

"A lot of love for random addresses here," said Craig Federighi, senior vice president of software engineering at Apple, before the WWDC 2019 crowd last week. "And that's good news because we give each app a unique random address. This means that you can disable any one of them at any time when you are tired of hearing from that app."

Among a host of announcements, the "Sign in with Apple" offering stood out. It promised to treat people as valued customers rather than digital horseflesh to trade on the open market, taking aim squarely at two technology giants of whom consumers — and governments — have increasingly become wary: Google and Facebook. And it gave Apple some measure of cover in the US government's investigation of whether its own business should be considered a monopoly that needs to be broken up. A bifurcated Apple, after all, may not be able to offer privacy as a selling point.

"This gives them a chance to improve the privacy of, at least, Apple users," says Jacob Hoffman-Andrews, senior staff technologist at the Electronic Frontier Foundation. "They also show a world is possible where companies are not snarfing up all your data to make money."

The announcement placed the focus at the WWDC 2019 on privacy, but in smaller venues speaking to a more technical crowd, Apple focused on security as well.

The company announced it had made app notarization — a process that runs automated security checks against developers' release candidates — mandatory as of June 1, 2019. Not to be confused with the App Review process, notarization involves sending a release candidate to Apple, which scans the code, checks it for common errors and security problems, and creates a certificate that validates the software. In return, developers are prevented from inadvertently shipping malicious code, gain the benefits of Apple's hardened runtimes, and are provided an audit trail of their developer account's activity, Garret Jacobsson, CoreOS security engineer at Apple, told developers at the conference.

"Users are more likely to download and try new software knowing that Apple has scanned it for known security issues," he said.

The next version of the Mac OS, dubbed Catalina, will also have more extensive security checks. Apple has applied defense-in-depth principles to a greater extent in the coming version of the Mac OS. Gatekeeper, a program that originally blocked specific malicious software programs from running on Macs, has evolved into a much more comprehensive tool that not only scans for malicious content but also validates the signature provided as part of the notarization process.

While the current version of the Mac OS, Mojave, blocks apps from accessing certain types of data without explicit user permission — including contacts, calendar appointments, reminders, and photos — almost all user data will be included in the permission-based model in the coming version. Applications that try to access files on the desktop, in the user's Documents folder, or in any type of storage will require either explicit or inferred permission. 

Unsurprisingly, considering its recent privacy-focused advertisements, Apple spent a great deal of time on showcasing its pro-privacy technologies. Any app that offers the capability of single sign-in with Facebook or Google will have to offer the user the "Sign-in with Apple" capability, Federighi said. In addition, the company will give users the ability to share location only a single time, requiring applications to request permission for each new time they want to use location data. 

"At Apple, we believe that privacy is a fundamental human right, and we engineer it into everything we do," he said.

Apple's moves, along with the regulatory pressure from the European Union's General Data Protection Regulation (GDPR) and antitrust investigations, will likely put pressure on Google and Facebook to change how much control they give users.

"I think there is a lot of pressure on the data companies from a lot of different directions," says Omer Tene, vice president and chief knowledge officer at the International Association of Privacy Professionals. "Apple will continue to be the most aggressive proponent of privacy as it provides them a competitive advantage."

Yet, whether technology companies that provide services for free can wean themselves off of data remains to be seen, the EFF's Hoffman-Andrews says.

"Apple's particular corner of the market is sustainable because they are one of the richest companies on the planet," he says. "But can others follow in their footsteps? Probably not."


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
