Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //

Compliance

6/12/2019
06:30 PM
50%
50%

Apple Pledges Privacy, Beefs Up Security

The company hits back at the data economy - and fellow tech giants Facebook and Google - by announcing its own single sign-on service. A host of other iterative security improvements are on their way as well.

Whether it's from Apple fans, embedded marketing people, or actual developers, applause is an oft-heard feature of any keynote at Apple's Worldwide Developers conference. 

Yet the loudest applause at this year's conference came not for some shiny feature, but for a seemingly insignificant, geeky detail: providing users with randomized e-mail addresses. As part of its coming "Sign in with Apple" feature, the company said it will provide users with the ability to use a random e-mail address for each app, holding out the possibility that consumers could, once again, have some small control over the informational transactions with application makers.

The applause for that small detail was both raucous and sustained

"A lot of love for random addresses here," said Craig Federighi, senior vice president of software engineering at Apple, before the WWDC 2019 crowd last week. "And that's good news because we give each app a unique random address. This means that you can disable any one of them at anytime when you are tired of hearing from that app."

Among a host of announcements, the "Sign in with Apple" offering stood out. It promised to treat people as valued customers rather than digital horseflesh to trade on the open market, taking aim squarely at two technology giants of whom consumers — and governments — have increasingly become wary: Google and Facebook. And it gave Apple some measure of cover in the US government's investigation of whether its own business should be considered a monopoly that needs to be broken up. A bifurcated Apple, after all, may not be able to offer privacy as a selling point.

"This gives them a chance to improve the privacy of, at least, Apple users,"  says Jacob Hoffman-Andrews, senior staff technologist at the Electronic Frontier Foundation. "They also show a world is possible where companies are not snarfing up all your data to make money."

The announcement placed the focus at the WWDC 2019 on privacy, but in smaller venues speaking to a more technical crowd, Apple focused on security as well.

The company announced it had made app notarization — a process that runs automated security checks against developers' release candidates — mandatory as of June 1, 2019. Not to be confused with the App Review process, notarization involves sending a release candidate to Apple, which scans the code and checks it for common errors and security problems, as well as creates a certificate that validates the software. In return, developers are prevented from inadvertently shipping malicious code, gain the benefits of Apple's hardened runtimes, and are provided an audit trail of their developer account's activity, Garret Jacobsson, CoreOS security engineer at Apple, told developers at the conference.

"Users are more likely to download and try new software knowing that Apple has scanned it for known security issues," he said.

The next version of the Mac OS, dubbed Catalina, will also have more extensive security checks. Apple has applied defense-in-depth principles to a greater extent in the coming version of the Mac OS. Gatekeeper, a program that originally blocked specific malicious software programs from running on Macs, has evolved into a much more comprehensive tool that scans for malicious content but also validates the signature provided by as part of the notarization process. 

While the current version of the Mac OS, Mojave, blocks apps from accessing certain types of data without explicit user permission — including contacts, calendar appointments, reminders, and photos — almost all user data will be included in the permission-based model in the coming version. Applications that try to access files on the desktop, in the user's Documents folder, or in any type of storage will require either explicit or inferred permission. 

Unsurprisingly, considering its recent privacy-focused advertisements, Apple spent a great deal of time on showcasing its pro-privacy technologies. Any app that offers the capability of single sign-in with Facebook or Google will have to offer the user the "Sign-in with Apple" capability, Federighi said. In addition, the company will give users the ability to share location only a single time, requiring applications to request permission for each new time they want to use location data. 

"At Apple, we believe that privacy is a fundamental human right, and we engineer it into everything we do," he said.

Apple moves, along with the regulatory pressure from the European Union's General Data Protection Regulation (GDPR) and antitrust investigations, will likely put pressure on Google and Facebook to change how much control they give users.

"I think there is a lot of pressure on the data companies from a lot of different directions," says Omer Tene, vice president and chief knowledge officer at the International Association of Privacy Professionals. "Apple will continue to be the most aggressive proponent of privacy as it provides them a competitive advantage."

Yet, whether technology companies that provide services for free can wean themselves off of data remains to be seen, the EFF's Hoffman-Andrews says.

"Apple's particular corner of the market is sustainable because they are one of the richest companies on the planets," he says. "But can others follow in their footsteps? Probably not."

Related Content

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Now this is the worst micromanagment I've seen.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17210
PUBLISHED: 2019-07-20
An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
CVE-2019-12934
PUBLISHED: 2019-07-20
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
CVE-2019-9229
PUBLISHED: 2019-07-20
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address 169.254.254.253 allows attackers in the local network to access multiple quagga VTYs. Attackers can...
CVE-2019-12815
PUBLISHED: 2019-07-19
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
CVE-2019-13569
PUBLISHED: 2019-07-19
A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.