
It seems like it could be really good for users, but the fact that it's _required_ for any apps that use other 3rd-party sign-in options and that it's _required_ to be listed first among those options leaves a bad taste in my mouth.

I can't even imagine what would happen if Google did the same thing with Google Sign In and the Play store.

Disclaimer: I work for Google, not on anything related, and am speaking for myself (as always).

It's not required to be first, it's "suggested" :-/

But let's look at it another way:

* I buy an app on the App Store, and then find out that I have to use FB or Google login.

* So to use the app I have purchased I am required to allow the app and/or Google or Facebook to further their abuse of my privacy.


* An App is shown as "Free"

* I install it, and it requires FB or Google sign in.

That isn't free. Again, signing up for abuse of my privacy is not free.

>> That isn't free. Again, signing up for abuse of my privacy is not free.

Surely the logical extension of this is that no app with ads should be marked as "free". Your attention is not free. Right?

The Google Play Store will show "contains ads" under the install button. Same for "contains in app purchases". Makes it much easier to see which app is really free.

This is a good policy, and the Apple App Store has done the same thing for a while.

Not just the attention, but also the knowledge of where my attention is, shouldn't be free. Right?

However it is _required_ that you add Sign in With Apple. I'm all for privacy but I disagree with this move because apple said "You must add Apple Sign In" rather than "You must allow one form of anonymous login" which means they are forcing developers to use their tools.

Additionally, if the app only has FB or Google login and you don't use either, you can just not use the app

Developers wouldn’t add it if it wasn’t required, full stop. They want access to your social media presence and personal information.

The problem here is very basic:

Why should an app be listed as free if using it requires sacrificing my privacy to use it? That's fundamentally not free.

If the app cost me money then I've purchased an app I cannot use.

This is very simple: they're saying that you cannot require Apple's (and by extension your) users to submit to abuse of their privacy in order to use your app.

This "they're stealing my privacy!" outrage is tiresome. Someone built an app; it authenticates a certain way; if you don't like it, uninstall it. Both Google and Apple offer near immediate refunds. But really there's some due diligence required here - installing an app is not like visiting a web page, you should take a little care what you spend money on.

You're complaining that someone else is building apps in a way you don't like. That's their right; they aren't building them for you.

Why should Google know what apps I'm installing?

Why should Facebook?

Why should I have to get accounts for those services just to use your app?

Why should apple list apps that can't be used by users because they require users to create accounts with companies that are known to abuse user privacy?

The last point I think is the most reasonable: why should I, a user, be required to use some arbitrary third party just to use your app?

If you are solely using them for login support, and nothing else, then all you're doing is adding one more OAuth provider. What makes it so hard to require an Apple identity if you're already willing to accept google or facebook ones?

Besides that, I’m downloading an app from the Apple App Store. They already know which apps I’ve downloaded. They aren’t getting any more information via “Sign in with Apple”.

Why should I build an app the way you want?

You are entitled to not use my app. I am entitled to not care.

They are complaining that these app developers are misrepresenting the cost of the "free" app. What it really costs is access to data about you as a Google/FB user. Sure, build an app like that all you want, but don't lie about it.

In the common usage of the word they are totally free. If you want to redefine the word as it's used, let's start also considering your bandwidth isn't "free" and so these apps aren't free in that sense either. How about the electricity you paid to charge your phone? The calories you ingested that help you operate the phone?

The common and almost universally accepted understanding of "free" is "no exchange of money". Saying those who don't adopt an extreme viewpoint are lying is dishonest.

The common usage of the word "free" is something like "without cost" (yours doesn't work and I actually couldn't find a definition that explicitly says "money"). Placing ads in an app has various costs, just not usually monetary. I don't think you need to redefine anything or go to this odd extreme you're trying to straw-man into the argument.

"There's no such thing as a free lunch" agrees with you - things described as free often have some cost, even if not monetary

Does Apple have a feature in their app store that allows developers to mark their apps as "Monetarily free but you have to sign in with Google"? If not, how exactly do you expect developers to comply with your demands when Apple provides no way to do so?

Your "they're stealing my emails!" outrage is hard to sympathize with.

If they are developing for iOS, they are already “forced to use Apple’s tools”.

Sure, but would you agree that open source tools and being able to choose the tools we want is better? We should have that same freedom when it comes to building authentication into our applications

It’s standard OAuth. There are libraries for every language that I’m aware of that let you integrate with OAuth providers. You don’t have to use Apple’s tools to do it. You could use “sign in with Apple” from any platform.

But what good would “open source tools” do overall if you still have to integrate with Apple’s services/APIs to do anything useful - the same is true with Android/Google Play Services.

Reading and replying to this comment was not free then.....

Free in the colloquial sense means "no money required", otherwise nothing is free since there is always some cost, if not an opportunity cost. What are you going to do, complain that an app required bandwidth to download?

"Suggested" by virtue of being part of the HIG. I and I'm sure many others have experienced app review rejections by virtue of HIG violations.

I can kind of see your point regarding paid apps, but for free apps, you aren't really losing anything, besides maybe a few seconds of your time. If you don't like the authentication options the app offers, you can just uninstall it, and for 99% of the apps in the app store there's multiple alternatives that will offer a different set of options.

Unless I don’t have a google or fb account, in which case having an app listed in the store that I can’t use is hostile - and I bet it would be even more problematic if they elevated the rank of apps that supported Apple sign in over those that didn’t, even if it did reflect the value proposition for the user

Why are you then purchasing/installing the app if you think they invade your privacy? Just don't use those apps.

I think that's pretty well established that free means free with ads.

Ok, so add a "Sign In with Apple" icon to the App Store page.

I think that if "downloading apps users can't log into wastes their time" was the problem Apple was trying to solve, this would be a good (maybe better?) solution.

But the problem they're going after is bigger: how do you allow users to keep using their favorite apps (because most people aren't super privacy-conscious) while at the same time making sure those apps don't track users or sell their data? And, like it or not (and many people won't), I think forcing developers' hand is the only real way to make this happen.

I know what you're saying but I'm okay with it. In this case Apple chose users over developers. iOS developers have to do a little more work (Apple has made it very easy from what I've seen of the framework) and have a little less freedom but users signing in to apps using 3rd party auth are guaranteed the privacy protections Apple is promising. They drew a line in the sand by making their solution mandatory but I think they had to to deliver what they're promising to users (which I think is great).

That privacy seems a bit overboard though. This is fine if a user can create his account directly inside the app. But it's not very clear how to support a workflow where you have an organization with multiple users authorized by an admin to use the app. How can the admin add a user to his organization, if he doesn't know in advance the user's randomly generated email? I guess you could send an invitation code, and let the user enter that code after the apple sign in, to associate the account to the authorized user. This sounds more complex for the user than a workflow where the admin can directly authorize specific emails.
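As an added illustration (not the commenter's code and not Apple's own API), here is one way an app backend could implement the invite-code association sketched above, so that an admin can authorize a user whose relay email is unknown in advance. It assumes the client has already completed Sign in with Apple and the backend has validated the identity token, giving it the token's stable user identifier (`sub`) and whatever email Apple returned, which may be a private relay address. The in-memory stores, organization names, identifiers and codes below are constructed for the example.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

# Constructed in-memory stores standing in for the app backend's database.
ORG_MEMBERS = {}   # (org_id, apple_sub) -> member record
INVITES = {}       # sha256(invite code) -> invite record

INVITE_TTL = timedelta(days=7)   # assumed policy: invites expire after a week


def _hash_code(code: str) -> str:
    # Only a digest is stored, so a leaked table does not expose live codes.
    return hashlib.sha256(code.encode()).hexdigest()


def create_invite(org_id: str, admin_id: str, role: str, now: datetime) -> str:
    """Admin issues a single-use invite bound to one org and role.

    Returns the code to hand to the invited person out of band; the code is
    generated with secrets so it cannot be guessed or enumerated.
    """
    code = secrets.token_urlsafe(24)
    INVITES[_hash_code(code)] = {
        "org_id": org_id,
        "issued_by": admin_id,
        "role": role,
        "expires_at": now + INVITE_TTL,
        "redeemed_by": None,
    }
    return code


def redeem_invite(code: str, apple_sub: str, email: str, now: datetime) -> dict:
    """Called after the identity token has been verified server-side.

    apple_sub is the stable user identifier from that token; email is the
    address Apple returned (possibly a private relay address). The invite
    decides which org and role the account is linked to, so the admin never
    needs to know the email up front.
    """
    rec = INVITES.get(_hash_code(code))
    if rec is None:
        raise PermissionError("unknown invite")
    if rec["redeemed_by"] is not None:
        raise PermissionError("invite already used")   # no replay
    if now >= rec["expires_at"]:
        raise PermissionError("invite expired")
    rec["redeemed_by"] = apple_sub
    member = {"org_id": rec["org_id"], "apple_sub": apple_sub,
              "email": email, "role": rec["role"]}
    ORG_MEMBERS[(rec["org_id"], apple_sub)] = member
    return member


def _rejects(fn) -> bool:
    # True if the call is refused with PermissionError.
    try:
        fn()
        return False
    except PermissionError:
        return True


def demo() -> dict:
    """Constructed walk-through: issue, redeem, then attempt replay and a late redeem."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    code = create_invite("acme", "admin-1", "member", t0)
    member = redeem_invite(code, "001234.abcdef", "xyz@privaterelay.appleid.com",
                           t0 + timedelta(hours=1))
    replay_rejected = _rejects(lambda: redeem_invite(
        code, "999.other", "o@privaterelay.appleid.com", t0 + timedelta(hours=2)))
    late = create_invite("acme", "admin-1", "member", t0)
    expiry_rejected = _rejects(lambda: redeem_invite(
        late, "555.late", "l@privaterelay.appleid.com", t0 + timedelta(days=8)))
    return {"member": member, "replay_rejected": replay_rejected,
            "expiry_rejected": expiry_rejected}


if __name__ == "__main__":
    print(demo())
```

The design binds org membership to Apple's stable `sub` rather than to the email, so it keeps working whether the user shares a real address or a relay address, and whether they later change the relay. Keeping codes single-use and short-lived limits the damage if an invite is forwarded or leaked.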

Does this apply to enterprise apps distributed outside the normal App Store? I bet it doesn’t.

Also I think you’re given the choice of using your real email address instead if the anonymizes one. At least that was my understanding.

App Store guidelines have no bearing on enterprise apps.

The randomly generated email is a user choice, they can also provide their real email. The randomly generated one would not work for things like slack sso etc.

Apple knows that for most people (unlike this website's audience), the privacy concern is not as important as using That Cool New App, and if this was just another option developers could, but didn't have to implement, many apps would choose not to -- and most people would still download them. The only way to make sure that most users' email/login/usage isn't being sold or used to track them is to force developers to offer Apple's auth option, and make it as easy to use as choosing to log in with Facebook or Google.

> I can't even imagine what would happen if Google did the same thing with Google Sign In and the Play store.

If Apple made its money by mining its users' data, there would be a big uproar about this announcement, too. But Apple made it very clear that they will not be doing that with this data, and is moving more and more towards establishing itself as the privacy-focused alternative to Google... So this is by and large (and obviously there are many people with reservations, whether about Apple forcing developers' hands, or about trusting a big company in general) being seen as more of a Good Thing.

Google should just add a similar requirement in response. With this rule Apple is forcing their signup method to be taken up across all platforms (web, Android, iOS) because you can't only enable logging in with Apple on one platform.

If Google were to implement the same requirement, any cross platform app with Apple's login would also now have a Log in with Google button, making sure that Apple won't be getting any OAuth monopoly any time soon just to keep them in check.

I am very uneasy with this as well.

Apple has just leveraged their position as the iOS gatekeepers in order to obtain a huge marketshare of the SSO market.

The SSO "market" is only a market if the SSO providers are monetizing your data at the expense of your privacy. Private authentication is not a "market" almost any of us needs or wants, but rather a right that we deserve.

Not sure why you've put "market" in quotes there. Okta is literally an SSOaaS that has a $14 billion market cap.

Does anyone use Okta outside of the Enterprise? No enterprise focused app is going to allow any random third party credentials. Okta is also not by any definition a “social network”.

It's also a "market" if you happen to run one of the largest payment networks in the world (Apple Pay) and if having users signed in with your service gives you the ability to let them easily provide payment information through you to the exclusion of your competitors (Amazon Pay, Google Pay, etc).

Apple Pay is a feature of the iOS SDK and Safari browser, not a feature of the login system. Which method you used to login doesn't change the friction of paying with it.

But it easily could in the future.

My understanding is that putting SIWA first is in their Human Interface Guidelines, which (nominally) are not mandatory. Some apps have been rejected for HIG violations, however, so maybe they'd enforce that (but I doubt it). Plenty of HIG-violating apps make it into the App Store, so they definitely don't enforce all HIG violations.

To me this is a fair rule and beneficial for the end users, it will give more options to them. It simply says "if there are competitors, you must include us".

I'm not an Apple user, but I would expect Apple to provide and guarantee that you can log in any app with your Apple login. Seems fair to me.

Also, I'm pretty confident that Google offering a privacy-oriented SSO on Google Play would be appreciated by everyone. Privacy on Android is such a joke: any app can freely read the accounts present on your phone, they don't even need you to sign in to identify you

Well, maybe if Google didn’t do stuff like trick users into installing privacy invasive apps by using developer certificates that were only supposed to be used for internal apps you might have a leg to stand on....

Can you point to anyone who was tricked? I signed up for that program myself. It was very clear what I had signed up for. I wasn't tricked into it any more than a Nielsen family is tricked into getting paid to use a Nielsen box.

You’re comparing a Nielsen box with installing spyware on your phone that can intercept every piece of information you send across the internet?

Not to mention that Google knew that the certificates were meant for internal use only and agreed to the terms.

> that can intercept every piece of information you send across the internet?

Just like a Nielsen box, the app collected clearly specified data, and users were paid for it.

From the link you posted it wasn’t clear that it could intercept anything. Can a Nielsen box intercept my emails? My account details and drain my account?

> From the link you posted it wasn’t clear that it could intercept anything.

That's Apple's fault if the permission screen didn't show that. What the app actually collected was different from what it had OS permission to collect and was clearly described to the user.

The whole idea of a development certificate is that it is supposed to be used for internal use where a corporation can deploy an app to employees that can do all sorts of weirdness.

And employees should also be informed, just like Android informs them.
