August 8, 2019
Do you recall those Facebook and Google buttons that allow you to sign in to almost any app nowadays? Well, soon they won’t be the only option available to you and your app users. At the latest annual Worldwide Developers Conference, held on June 3-7 in Silicon Valley, Apple announced their game-changing “Sign in with Apple,” a privacy-focused login system for iOS.
Given that other social login systems have been affected by massive security and privacy concerns and violations in the past, this new system seems to be quite a big deal.
What kind of issues are we talking about?
Well, global companies like Google, Facebook, Amazon, Microsoft etc. collect users’ data and metadata which they later use to create personalized ads and content. This wouldn’t be the worst thing in the world as targeted ads already exist on various platforms, but these players sell datasets to third parties without users’ consent.
And some of them have already paid the price (literally). In July 2019, Facebook was hit with a $5bn fine, which has already been called the biggest financial punishment imposed on anyone for violating consumers' privacy.
Apple Sign In might become a trigger for change in companies' attitude to data privacy. But what exactly does this new system change for existing app owners or people considering building new applications? Today, I’ll be taking you through the potential changes, outlining what, why, and when. You’ll see how Apple’s new sign-in is going to impact your app and how to prepare for the official release of iOS 13 in the fall of 2019.
Sign In with Apple makes it easy for users to sign in to your app or website using their Apple ID and start using the app right away. An Apple user doesn’t have to fill out any forms, verify email addresses or choose new passwords anymore. As a result, Apple is able to successfully log the user in while transferring only a minimum amount of data (name, email address) to third parties.
Notably, accounts are automatically protected with two-factor authentication for superior security. Generally, two-factor authentication vastly improves the security of the Apple ID and all the personal information stored with Apple. On Apple devices, users are persistently signed in and can re-authenticate anytime with Face ID or Touch ID.
On non-Apple devices, besides the user providing their password, Apple sends a six-digit verification code to a trusted device or phone number.
An integral part of the whole Sign In with Apple idea is the additional protection afforded to sensitive personal data, as data collection is limited to just the email address and the user’s name. Additionally, if a user requests it, Apple will generate a random email address to use for registration and then route the email traffic the app wants to send to that address, leaving the app without knowledge of the user’s primary email.
The default option is to use the real email associated with the Apple ID, leaving the user to choose whether to use the real or anonymized email address (as pictured below). Also, Apple will not track user activity in your app or website.
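The data minimization described above, sketched with Apple's AuthenticationServices framework as an added example (not code from the original article or from Apple). The `LoginViewController` class, the `Account` struct and the in-memory `accounts` store are hypothetical; the point is that the app can request only name and email, and should key accounts on the stable `user` identifier because the email may be a relay address.

```swift
import AuthenticationServices
import UIKit

// Hypothetical account record and view controller; the names are assumptions.
struct Account { var email: String?; var displayName: String?; var usesRelay = false }

final class LoginViewController: UIViewController,
        ASAuthorizationControllerDelegate,
        ASAuthorizationControllerPresentationContextProviding {

    private var accounts: [String: Account] = [:]   // stand-in for a real backend

    @objc func startSignInWithApple() {
        let request = ASAuthorizationAppleIDProvider().createRequest()
        // Name and email are the only scopes an app can ask for.
        request.requestedScopes = [.fullName, .email]
        let controller = ASAuthorizationController(authorizationRequests: [request])
        controller.delegate = self
        controller.presentationContextProvider = self
        controller.performRequests()
    }

    func presentationAnchor(for controller: ASAuthorizationController) -> ASPresentationAnchor {
        return view.window!
    }

    func authorizationController(controller: ASAuthorizationController,
                                 didCompleteWithAuthorization authorization: ASAuthorization) {
        guard let credential = authorization.credential as? ASAuthorizationAppleIDCredential else { return }
        // Key the account on the stable user identifier, never on the email:
        // the address may be an Apple-generated relay address.
        var account = accounts[credential.user] ?? Account()
        // Name and email arrive on the first authorization only, so keep
        // earlier values when they come back nil on later sign-ins.
        if let email = credential.email {
            account.email = email
            account.usesRelay = email.hasSuffix("@privaterelay.appleid.com")
        }
        if let name = credential.fullName {
            account.displayName = PersonNameComponentsFormatter().string(from: name)
        }
        accounts[credential.user] = account
    }

    func authorizationController(controller: ASAuthorizationController,
                                 didCompleteWithError error: Error) {
        // Cancelled or failed: existing accounts stay untouched.
        print("Sign in with Apple did not complete: \(error.localizedDescription)")
    }
}
```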
Craig Federighi introduces Sign In with Apple at WWDC 2019. Source: Apple
Sign In with Apple will work natively on iOS, macOS, tvOS, and watchOS. It will also work in any browser via email and password with two-factor authentication, which means you can deploy it on your website and in versions of your apps running on other platforms.
What about non-iOS devices?
If a user signs up for an app on their Apple device, e.g. their iPhone, then wants to use the app on a non-Apple device, like their Android tablet, they’re sent to a Web view that allows them to authenticate their Apple ID via email and password with two-factor authentication.
The advantages offered by this new sign-in system include:
Working against Apple in this particular instance are the company’s strict app review guidelines, but on the other hand, from a user perspective, those guidelines are what makes all App Store apps look consistent and work great.
Sign In with Apple allows the user to show or hide their email. Source: Apple
At the WWDC keynote, Apple claimed that their focus on privacy and their minimalist approach to sharing user profile data, as well as storing and sharing with third parties, is what set them apart from their key competitors, like Facebook, Google, etc.
Sign In with Apple is obligatory only if an app allows third party login. If there's no such choice available, then it's optional. The third party doesn’t have to be a social platform, though; it could be any other site.
So basically, if your app allows login via anything external rather than just the standard in-app email+password, you must allow Sign in with Apple. This includes all social media, SSO platforms, and any other service that offers an external sign-in feature. Think Facebook or Google, but also Twitter, Instagram, Snapchat, etc. Moreover, Apple has strong design guidelines for the authentication flow and the visual side of the sign-in button.
If you already have an app, the migration to Sign In with Apple is left up to developers, who should always offer a way for users to stop using their social login or allow using email instead.
If you’re thinking about building an app soon, this change will apply to your software from the very beginning and will be built into your software, just like any other feature.
Apple launched a public beta of Sign In with Apple in July 2019, while the official release will be bundled with the latest iteration of iOS, expected in the fall of 2019.
As Apple itself compiled a comprehensive information package on their latest privacy-focused feature, I’ll only be mentioning a handful of general guidelines concerning Sign In with Apple development.
AuthenticationServices for iOS developers:
So far, there’s no working library for integrating Sign In with Apple with React Native. For now, RN devs would need to figure out themselves how to implement the authentication flow using native frameworks. But a dedicated library will probably be released in the wake of the release of iOS 13.
I found one library under construction that’s worth bringing up:
In a web browser, we can authenticate with Apple ID using the email+password form with two-factor authentication (as described previously).