I have been responsible for creating and maintaining an app generation system. Among other things, it taught me that App Store Connect has many sharp edges showing how easy it is to abuse the kind of power you've correctly pointed out Apple has.
It's perhaps less evil than the kind of wholesale data-farming the other big tech companies are engaged in, but it still doesn't make me like the idea of Apple ascendant.
And I was raised on Macs, giving Apple a heavy nostalgia bonus that they burned years ago.
You find that you're being strongarmed. As a consumer, I could not care less. Hell, I am thrilled that developers are being strongarmed when it comes to user privacy and security.
I am concerned with things like Apple's terms of service saying "If you put an app in the store, we reserve the right to copy it and ban yours."
They don't spell it out quite that clearly, but sections 14.4 and 11.2 of the developer guidelines make it clear.
Yes, there are more charitable interpretations possible, but Apple does have some history of cloning and killing off third party software, so I see no reason to apply the more charitable interpretation.
Who said the Windows/Android model is the morally correct one anyway?
As a customer I'm glad that Apple is providing a truly different alternative.
I'm not scared of this anonymous signin feature, per se.
I'm scared of the sheer amount of power Apple has, and that they can abuse it to force third parties into compliance with what they think software should be.
That's what I was saying I found terrifying.
I'm not sure how this is manipulating to get me to purchase a new phone.
That's disingenuous. Apple has a recycling program, where they take apart every component to be reused or recycled into new materials.
7.8 million "Apple devices" in 2018 is a lot, but an average iPhone is far more likely to end up on a landfill. If it were easy to extract the battery, that wouldn't be such a problem.
 They group them all together and I can't find any other metric: https://www.apple.com/newsroom/2019/04/apple-expands-global-...
And this effect is massive: last week I offered two of my old laptops to a friend's child, a wannabe hacker. He quickly considered a 2012 HP for parts, then he kept on thanking me for a working-state 2002 PPC iBook.
PS: To be honest he might be ranting about it in a few days, I’ve played around with it a little and that 2002 iBook BIOS is a mostly undocumented nightmare!
The battery glue is like a 3M command strip, you're supposed to remove it by applying tension to the side. You need the heat source if the strip breaks and gets trapped underneath, but I used dental floss instead.
1. Services have little incentive to support mailinator, and indeed may deliberately choose not to if they feel it is leading to signups they don’t like. On the other hand it would be hard to argue with an incentive like the App Store requiring you to support Apple’s service.
2. Because the service is built in to Apple’s systems there seems to be an implicit contract that Apple won’t let it be abused for the purposes that many sites claim mailinator is used for (because it isn’t useful to Apple customers if sites don’t trust it and it). So they might be more willing to accept these email addresses.
I guess neither of these help services like mailinator gain credibility.
"In order to send email messages through the relay service to the users’ personal inboxes, you will need to register your outbound email domains. All registered domains must create Sender Policy Framework (SPF) DNS TXT records in order to transit Apple's private mail relay. You can register up to 10 domains and communication emails."
The attacker wouldn't even be able to send e-mail messages to the users. He'd also need to compromise the registered domain's mailservers, or their DNS servers (to modify the SPF records), or their Apple dev account to add their own registered domain.
And, they have the money to do it.
For as long as Android has google ownership... they will never, ever be able to compete on the level of privacy that Apple is now buying into.
That's something I really dislike. Perhaps it's a necessary evil.
The goal is to explain the concept ahead of the pricing as I think it’s quite novel to most users.
I think it’s great, and use it a lot. Just wonder how you got to that price vs like $10/year.
That and people pay 4 bucks for a coke these days so it’s not really much. Also cPanel is most definitely an expert tool.
I might make it paid only soon and reduce the price but at present there’s not much option to get real feedback and user traction.
$4 is not very much, you’re right, but that doesn’t mean that it should be spent unwisely otherwise it adds up quickly. It seems unlikely that this would need a full time dev to operate and seems more like a “4 hour workweek” type business once it’s set up that would have pretty minimal maintenance, or a super bored developer waiting around for a bug to patch.
Do you think you’ll drop the price once you no longer need a dev?
With Idbloc (and apple sign in) the address is completely random and untraceable, and it’s impossible to tell which addresses belong to which users.
Except it’s not real time until a support person is notified and responds minutes or sometimes hours later. Chat pop ups feel like a lame trick these days every time I try to use them; they pretend like they’re going to be fast and then make you waste your own time waiting. The last one I used the other day made me wait more than 10 minutes, so I did something else, and when the support person responded and asked a follow up question and I didn’t answer in 5 seconds, they closed the support ticket, making me start over. I’d rather use email.
I usually email them after, too. "I actually clicked through your instagram ad, looked at some clothes that looked nice, and didn't buy anything because I was on my phone and didn't want to make a new account and add credentials to my password manager. Have you considered adding apple pay support to your shopify account?"
I have no idea if i'm helping or not.
One of the reasons I get lunch from Panera and Pei Wei is because I can check out on my phone as a guest when I order ahead.
Heck, even fleaBay lets you do a guest check out now. That was what made me consider using it again.
Look, I use three email domains for online accounts, in addition to a unique address for each account — one domain that links to my actual identity (my public-facing, professional domain), one domain that’s somewhat anonymous, and one domain reserved for highly sensitive accounts, e.g. online banking, PayPal, AppleID, etc. And PayPal sharing my email address with third parties breaks the model, making my sensitive domain less secure.
i don’t care who processes the payment, i just like being able to buy physical goods without making a new account, and ideally without any more friction than faceID while impulse-buying nonsense while i’m on the toilet :)
Password management is a big problem for non-technical users. Even for people who don’t know/care about security and reuse the same password everywhere, it presents a huge issue when their preferred password doesn’t meet the website’s requirements. They are then forced to make one up which they’ll never remember so it’s gonna be a headache down the line when they need to sign in again.
When they learn that the magic “Sign in with Apple” button allows them to avoid all that, they’ll want it even if they don’t care about privacy.
So far it's only happened once, actually, when Keen.io got bought by a PE firm, I got a bunch of spam, so they clearly sold off my email address.
It's a system that would be hard to operate as a "normal" person, so this is a great step.
Mailinator can be pretty hard to use, since so many sites can detect the addresses and block their use.
I've pretty much given up on it, and use Fastmail's very easy aliasing features with my domain. It's not quite as private, but it's a lot more reliable.
The truly clever programmer could open an SMTP session to the mail exchangers specified in your email address, and reject you because they point to mailinator. I know of 0 programmers in the world that have written this code. I think you could ask the vast majority of programmers that work with email addresses and dark patterns to do this, and they wouldn't even know how. So you're probably pretty safe.
I use mailinator all the time and I have never had a problem, however, which is why I don't even have the MX records to host my own anymore.
While I'm sure that works, the main reason I'd use mailinator is for privacy (i.e. not exposing anything associated to me). If I have to use my domain, rather than their free ones, I'm still identifying my domain, so I might as well use my own aliases with my own mail system.
Domains are cheap, and mailinator really ought to register and discard a bunch of $1 specials on a regular basis.
My comment meant: "Bye bye " for me. As in: I'm not using it anymore.
I don't get you man.
(not to take away from this announcement at all; just to provide some context. it's an often overlooked feature which people here might appreciate.)
As someone who changed their name but had to keep their Google account with the old one because of how much Google account data/purchases can't be moved to a new account, this felt positively revolutionary. Google accounts can only have one Gmail address for their entire lifetime.
Apple can get way ahead of the competition by combining about 3 things.
1) Ephemeral email addresses
2) OAuth or Apple's equivalent tokens
3) Keychain autogenerate and auto-populate
If all those products are integrated correctly, this becomes the SINGLE sign on of single sign ons. If a service supports Apple OAuth, your name is hidden, and you only have one Apple password to remember. If the service doesn't support Apple Tokens, then Apple fills in a private email address and a random password, and abstracts away the fact that the service doesn't support Apple Tokens. The user experience is nearly the same regardless. Tokens and randomly generated passwords should be managed from the same interface, allowing you to either revoke access (token) or cycle the key (both.)
I've felt it for a while, but the banking industry needs to arrive at something similar. Chase, BoA, WF, and Citi should turn Zelle into a banking OAuth Identity Service.
>For people who lack the expertise or will to roll their own infra then they can use something like Apple ID.
So 99.9% of the population. It's a nice sentiment, but for what Apple is doing to work (random username generation, and identity obfuscation) the only way for it to work is strength in numbers, that the Apple userbase of people who will only use frictionless sign in, becomes too big to ignore, and too tempting to be left uncourted.
>It seems like it would be _safer_
I'm not sure I would say safer. Depending on millions of people to keep their software up to date hasn't historically worked super well for Windows and WordPress. One central authority patching all its services and 24/7 devops sounds a lot safer than trusting millions of self hosted OAuth servers to be up to date and not compromised. What percent of people who have non-self-updating home routers, do you think go in regularly and press the update firmware button?
I'm sure there's logging or other AD property (think something like sidHistory) to keep track of this.
Companies don't like being liable for not being able to provide data under order[s].
 - https://docs.microsoft.com/en-us/windows/desktop/ADSchema/a-...
In a choice between strictly maintaining your privacy and fines/jail time, most - if not all - companies will sell you down the river (if given a feasible chance that it doesn't entirely ruin them, say for example, if they weren't purely in the privacy trade) to save their own hide[s] (e.g.: see the whole PRISM scandal and its fall-out).
 - https://www.reuters.com/article/us-facebook-brazil-idUSKCN0W...
I also like how you can set it so only a specific email can login. That way if your alias is compromised, your account won’t be.
"Sign In with Apple will be available for beta testing this summer. It will be required as an option for users in apps that support third-party sign-in when it is commercially available later this year."
Someone at Apple deserves a raise.
Quite the gambit.
(Data is mostly correct though)
I have switched almost exclusively to Apple Pay, and frequent only one chain of gas station because they rolled out NFC at all of their pumps last year. After the introduction of chip readers gas pump mag stripe readers became the main vector for card skimming in my area and even with the security stickers all of the gas stations have been putting on their pumps I don't trust any mag reader anymore.
At locations that don't have an Apple Pay logo on their card readers, like my local movie theater, I have spied the NFC logo and given it a try and it works.
Except for Amazon, almost all of my online shopping is now done through Apple Pay. I have a shirt out for delivery today from a small retailer I had never heard of before that I purchased with one click and a fingerprint via Apple Pay.
It has not only changed how I buy things, but how I dress. Instead of my George Costanza wallet I only carry an ID and two cards in a slim front pocket wallet, relying on Apple Pay for almost everything and walking out of a store if they are cash-only or don't support chip/NFC.
Regardless of your chosen NFC platform, I recommend that everyone use it and shun points of sale that don't have it.
Personally I used it only once (although I am not in US market)
Fortunately, most payment terminals in London already supported NFC payments thanks to NFC debit and credit cards long being prevalent here, and Apple Pay is just tokenised NFC payments.
Same is true of literally every iPhone owner I know, and usage simply increased as payment limits went from £20 to £30 to unlimited (unlimited on Apple Pay, but still limited to £30 on NFC cards or when using older payment terminals).
Plus I got to ditch my oyster card and just use weekly fare capping after a while too. Good times.
Even the existing Sign In with Facebook is implemented terribly by many apps, e.g. requiring me to enter my password in app instead of calling out to the Facebook app like maybe 50 of apps support properly.
I think honestly this comes from apps that are built with cross platform frameworks but it's still frustrating.
Furthermore it drives me crazy new apps (and websites) released this year focused on mobile (e.g. pay for fuel at a fuel station with your phone) and I can't even auto complete the credit card or name using the new keyboard extensions because they somehow labelled the forms in a way Apple can't figure out.
For example, Slack can be (and is often) configured to use Okta or some other SSO provider. Does the Slack app have to implement some kind of support for Apple Sign In when such use cases are involved?
Not for the first half of the iPhone’s life, I’d say.
This sounds like a tremendous headache that I really don’t want to worry about. But Apple is looking to leverage their power in the app market to force me to implement a tool I may not be interested in as a merchant?
I despise being strong armed. I hope the EU crushes this.
The above scenario goes against what they are trying to achieve though
1) If you support SSO and email/password - then the email and password are still stored (and possibly not hashed and salted if the developer is incompetent) - so you are at risk of compromise if you reuse passwords
2) If you store the users actual email, you are putting them at risk of credential stuffing, as well as opening them up to tracking
The EU can always surprise, but I suspect they would actually like this because it addresses key risks to consumers of password reuse, credential stuffing, and tracking. Additionally it competes against their ideological targets, Facebook and Google.
Not saying what the EU does is good or bad, but painting it as pro free market competition seems unfounded.
Every tech related legislation doesn’t and shouldn’t need to solve every tech related problem. The EU has other, non GDPR related, mechanisms to handle monopoly issues.
So to me it seems unfounded to say EU cares about market health and is not, in fact, just picking on FB and Google.
I am honestly curious what you think are examples of EU mechanisms fostering healthy markets. Maybe the MS case but that is the same “EU picks on US tech giant” genre.
I’m not sure what kind of examples you want.
However, I wish email and sms would go away as a way to authenticate. Until it does I will be using email@example.com so that my account can’t get transferred to someone else through socially engineering a tired rep.
I personally don’t use FB login. And I use `+merchant` to keep track of bad actors. But from a merchant perspective this will likely be a chore. And Apple has decided that we don’t get to decide if it’s worth it. We can’t disable FB login because we’ve supported it for a long time and a ton of accounts only have a FB-synced profile.
To be clear, it’s not the product I have issue with. It’s the draconian ultimatum that because we are in bed with FB we have to also get in bed with Apple Sign In.
They could have just built this into their form system. It already recommends my personal email / credit card / auto generated password. Why not prepopulate / suggest an Apple-generated email? Why force the merchant to implement another standard which breaks all other SSO integrations _by design_?
I don’t have answers to those questions. If this was a consumer feature embedded into their keyboard I’d be ecstatic. Strong arming merchants to implement and bear the full cost of confused consumers who can’t seem to login to their app _even when they click the Apple button_ is inexplicable (to me).
Can confirm what parent poster is saying, we remove them on signup.
Also, if you try to mail people based on GeoIP data, you're going to have a bad time.
You could argue that a major feature of the GDPR is to legislate that just because a company can do something, doesn't mean it's allowed to do it.
The 'detail' is optional, and doesn't infer any privacy.
It's kind of like if you get mail delivered to:
nprateem, office 2, university of ycombinator
and instead they only store:
nprateem, university of ycombinator
Odds are, mail will still be delivered to you, but it might not come to office 2, and might come to office 1 instead. It's not what you wanted, but there's absolutely no impact to your privacy by them stripping away additional details.
The 'user' part is still public information, as is what it's used for. There should be no expectation of privacy for information being used per specification design.
The usability trade-off is a shame, but the solution was half-baked at best, and is primarily useful when combined with privacy-sacrificing public email providers. When you have greater control of your email, distinct 'user' parts can be used, which does provide the privacy aspect desired.
> we also don’t operate in any country requiring compliance with the GDPR
You know it's nothing to do with the country you operate in but the nationalities of your customers though don't you? You could only have a presence on the moon but if you had any EU customers you'd still be bound by the GDPR AFAIK.
Not Gmail-specific. Labels however are ;)
Once I chose to use Apple-Sign In will I be locked into the ecosystem? Will there be 'Apple-Sign In' for Android?
That said, the concept of "Apple Sign-In" for Android and other platforms is an interesting one, not likely in the short term, but possible someday!
A service supporting alternate identity providers via OAuth (Facebook, Twitter, Google, Github) via a flow like this shouldn't have trouble with Apple Sign In from a web page, iOS app, or Android app.
Unless I'm misunderstanding what the mandatory part is.
The option is mandatory. End users using it is optional.
Again, the tech is fine. The strong-arm is indefensible.
If you support FB login now and decided to add Google, for example, that doesn't require your existing FB users to do anything different. It should only affect new users who are creating an account and choosing to use the new provider. Wouldn't that be the same for Apple Sign In?
Note, I'm not taking a position on the strong arm tactics, just pushing back on your claim regarding existing users being affected by a new identity provider. That doesn't sound right to me.
I have to assume there will be exceptions.
obviously apple has considered this and is forging on anyway. good for them.
If it's defined as a market, then Apple will be surely in trouble but enforcing Apple ID alone doesn't make much difference from the current situation as it always has been doing similar things for web browsers, music apps, app store itself etc. So it's pretty natural to enforce this policy for Apple; no additional risks but only benefits.
Excluding other third party sign on options would be problematic if Apple were abusing a dominant position among smartphone makers, which is not the case by any objective measure.
Note that I'm not making an argument about how to classify the behavior legally, I'm arguing that calling it "competing" is pretty generous.
For instance, even if Apple decides to increase the app store fee to 50% so its app's prices as well, still consumers don't have much choice since buying a new phone is typically more expensive by order of magnitude than buying an app. This is also a part of Spotify's claim as well and Apple is trying to defend itself for this time unlike Apple v. Pepper.
Pretty much the standard.
I haven’t studied this since the late 90’s, so I may be out of date...
Apple would have long ago been cited for Antitrust if Android hadn’t had most of the market. I personally think that the definition of a trust is too narrow — one member of an oligopoly abusing its position as a platform provider and strongarming people is also pretty bad.
It's not entirely how European anti-trust law works.
If Apple was the only provider of smartphones then there would be a case for them to open up their platform to third parties.
Fun thing is, Apple themselves block firstname.lastname@example.org addresses when using their dev console. You can bet that some companies will disallow Apple’s signature private passwords similarly if they can, in the name of ‘security’ or what have you.
Or am I being too cynical? Feel free to CMV.
EDIT: best response addressing this seems to be ‘The addresses are only generated from the "Sign In With Apple" workflow that a developer has to enable in the first place’
The useful thing about Apple is that they can force people to do things they don't particularly want to do, like accept anonymous e-mail addresses or stop using Flash. (unfortunately this is also the bad thing about Apple)
Thereby, when Apple passes a XXXXXXX@privaterelay.appleid.com address back, it won't match the existing account's email address = Sorry, matching account not found ?
Of course they won't. They still want the business and as you've pointed out, these accounts will be in a different customer engagement category. They are almost certainly real people and they have a lot of value to marketers, even if you don't have all of their other personal details.
There really isn’t much choice here for us. Leave Apple / iOS? Abandon FB login and piss off thousands of people? Implement Apple Sign In regardless of its tech stack / requirements?
Do you have any plans to adopt any other login provider? I would really like to, but other than email/password, I'm not really sure what would be a good alternative, and I'd really like not having any personal information stored at all - email addresses included.
I’m not a FB fan. I post on social media maybe twice a year. As an advertiser I don’t trust the numbers they report. None of my criticisms of Apple in this decision should be interpreted as pro-FB. I just have a very strong distaste for Apple deciding that they get to decide how we run our apps.
They have to mandate usage because it’s the only way devs will do it. And it seems like a fine enough product for Apple-only hardware. But when you get to supporting multiple connected devices it falls apart. Are they going to support this for PCs? What about on the Roku? How will anyone who uses Apple Sign In on the iPhone log in anywhere else?
If Apple makes this extremely user friendly and quick to use then blocking it will cause a loss of signups.
‘Error: We love Apple and anonymity but we require a real email address to prevent fraud and to properly secure your account. Please enter your real email address.’
(It remains to be seen if they'll put in the legwork to actually police these things, though)
GDPR would probably want to know specifically why you need someone's real email address.
However they most likely won't for the same reason that people who are upset about Apple's 30% App Store cut still develop apps for iOS: they have their customers spend far more on average than other phone / OS users.
Critical mass might be achieved where if you don't include Apple Sign-In you might lose more users than whatever benefit you see from having more identifiable personal information.
Note: This comes from my own developer account having 3 name+addon@ accounts live, and working with things like ApplePay etc for testing.
If Apple users use Apple Sign-In en masse then any service which blocks it will face harsh negative publicity. If enough people use it then services will have no choice but to acquiesce.
No one is gonna make a group chat on iMessage where half the people aren't able to join anyway.
Apple should release iMessage for Android.
Or Mac and Android?
or Android and iPad?
Either you have an iPhone or you don't. Sure they might have an iPad and iMac and an Android phone. I suppose that's possible. But at that point, you are the exact kind of customer this business model is designed to get to switch over to the full ecosystem.
Are we really arguing if the "Sign in with Apple" button will work on websites from Chrome on Windows? If Apple wants to be an identity provider, their web SSO will work everywhere. Or are we talking about iMessage, the flagship iPhone app, not working on Android phones? Apple will lose more customers to Android, who only want an iPhone for iMessage, than they will gain.
(I really doubt the sign in with Apple button is going to be available in Android apps. If you create an account with the button, it becomes ever so harder to switch to Android. How convenient for Apple.)
I don't think continuing this discussion is helpful. Have a nice day.
The create account button might not be available on Android apps, but hopefully the sign in SSO button works. Maybe identity portability will become law someday, like cell number portability and being able to change your address at the post office.
Apple's products are not a play for anything. Their services are built for people with more money than sense.
>He works in IT at an unnamed company, and his team noticed something crazy: of the 500 employees at the company, only 8 of them chose to use an Android phone. Everyone else — all 492 of them — chose an iPhone over Android phones. It was because they didn’t want to be “green bubbles,” a reference to the fact that iMessage chats in the iPhone’s Messages app use blue bubbles while SMS chats are displayed with green bubbles. Forget all of the great advantages iPhones might offer, iMessage is the main reason all these people wanted an iPhone. 98% of the employees at this company went with Apple over Android, and for the majority of them, it was mainly because of a single service.
If people didn't "throw away the key" services like Google ID, Microsoft ID, and Facebook ID wouldn't exist. Centralized OAuth providers are here to stay, even if a lot of us on HN don't like them. You want to get into your tshirtclub account after Facebook locks your account, too bad!
>Yes they do
>It was because they didn’t want to be “green bubbles,” a reference to the fact that iMessage chats in the iPhone’s Messages app use blue bubbles while SMS chats are displayed with green bubbles
Sorry, it seems to me like the story you're relating supports the point of the post you disagree with. Surely "sensible" people don't choose a phone on the basis of what color their messages appear as on other people's phones.
(I think there are sensible reasons to choose either platform. But the reason you're talking about here certainly isn't.)
Perception has value. You can rail against society all you want, but the reality is your peers make and break you.
If Apple let me spec a physical ESC key, inverted-T arrow keys, and native 1920x1200 point screen size @2x on the existing form factor I'd be VERY happy. Assuming, of course, the keyboard is actually reliable.
As for the ESC key, I rebound my Caps Lock key to Esc & Ctrl. Works great!
It would be a huge migration for me. Everything I own is tied to one of a few Gmail accounts. My photo history, my uni work in GDrive, my contact lists, my email history, everything about my entire online identity. I'm just increasingly fed up with how Google approaches privacy.
The iFixit teardown shows that the 2019 model has done nothing to fix the issue. I highly recommend the Dell XPS over a MacBook Pro. The form factor is very similar but the hardware is much more reliable and fixing it is way way easier as most parts can be replaced separately.
I recently switched to iPhone after using Android devices for many years to get away from Google and that was actually a purchase I can recommend. The Macbook Pro, not so much.