Seems a bit petty to me. As a developer I empathize with the possible lack of documentation (I don’t know, I never tried to integrate Sign In with Apple) but as a user I actually am super happy with it. Nowadays any iOS app that doesn’t support logging in with Apple makes me think twice about whether I really need the app.
Protest is an important form of participation in a democracy, it's not petty at all. Forcing developers to add Apple ID as a sign-in method is the petty thing. The developers have no power unless they unionize in some form which seems absolutely impossible. So it seems to me that it's all a developer can really do to make a statement and I think it's brave.
Nobody is forced to add Apple ID login if they don't have any other social logins. Personally I stick to direct signup but if I were forced to do social login, Sign in with Apple would be my first preference as it's the most privacy-preserving compared to Google, Facebook, Twitter, etc.
I wonder what it would take to "force" me into doing a social login? It would have to be something drastic, like a website that provides me with needed oxygen.
Anything else that would ‘force’ you to Have an Account somewhere, combined with that somewhere happening to outsource their identity framework to “social” of any kind. Or: the same things that would ‘force’ you to have a social network account to start with, potentially.
To get on my hobbyhorse some: what about a platform that your employer uses to distribute relevant documents and updates which you need for your job, which has become sufficiently well-known and implicitly available that hesitating about the dependency is perceived as bizarre?
Note that the response of “don't deal with them then” runs into market information and churn amplification¹ issues when it is a social assumption that picking up a ‘tool’ (which is actually a relationship with a third party, but where this is close to invisible in the steady state) is essentially a free action which requires no consideration, because the information about “does this employer require me to use this tool” neither propagates efficiently nor stays stable.
Past source: wound up changing the email address on one of my Google accounts recently for exactly that reason. They actually asked me up-front whether I had a GMail account they could use instead, which turned out to be because they use restricted Google Docs for critical material. Not naming them, but in a broad sense, this is one of the more ethical companies I've ever dealt with, by the way.
Future source: I should probably be considering digging into LinkedIn soon despite their past abusive behaviors, because as it turns out, if I want to dig myself out of this hole…
¹ I assume there's a ‘real’ term for what I'm thinking of, but I don't know what it is, so I cobbled that one together out of the most relevant-seeming bits.
Apple is extremely restrictive to developers. As a developer, I hate it. As a consumer, I love it.
Apple has never shown me hostility. On the contrary, I found Apple to offer reasons why they do things and how to work around them. Have they sometimes forced me to do things I don't want (and felt were worse)? Yes. But it was obvious what I needed to do to comply.
For example, this whole forcing devs to use "sign in with Apple" is not about imposing restrictions as you can decide to not use a third party sign in (on a new app).
Apple is saying "hey if your users can sign in with Facebook they should be able to sign in with Apple, we want a piece of the pie". Some iOS users are happy about the privacy aspect of this but fundamentally (IMO) this is not about privacy or restrictions, it's about making users and devs more dependent on the Apple ecosystem.
What's the "pie"? FB makes money off their data. Apple seems to be providing me the service I paid for.
If they made it optional, a large percentage of apps would force you to use Google/FB to login. That's not acceptable to me.
One of the major reasons I give Apple money is because they can stand up against the privacy invading FB/Google and I, as an individual, cannot. So they are very much doing what I want in this instance.
If a dev uses a Facebook login on an app then it will never be able to remove it again as users won't be able to log in. Similarly, if it uses Facebook comments, these cannot be removed from a website as the content would be lost.
Apple does the same thing. As a dev once you open the door to using Apple you're forever stuck with that. As a user, it entrenches you further into the Apple ecosystem which is ultimately the whole Apple product strategy.
I don't really think lock in is Apple's primary goal. I think they are opposed to Google/FB spying on us, and therefore there has to be an alternative. You don't have to implement Apple SSO, you just cannot use any other SSO without adding it as an alternative.
Again, the point that you as a developer are missing is that your behavior is at least as, if not more abusive towards your end user than Apple are being. Why should your user have to use an anti-privacy 3rd party like Facebook to use your app or service? Where is the user's choice other than to not use your product?
I have to be honest here and say that I am amazed, but sadly not surprised by the level of entitlement on display from a very small but extremely vocal set of developers.
It is not "petty", it is a way to ensure all users get access to a privacy-conscious method of logging in without giving up your privacy to Google or Facebook.
Being this angry at having to give users the option of better privacy really isn't a great look.
That is definitely not true for every app. There was never any clause in the App Store guidelines that you must provide traditional email signup. At least this way, the social-only apps will be forced to provide you a more privacy-preserving alternative, and for ones that don't use social logins anyway, nothing changes.
Of course, my comment was related to the app of the post Groups specifically
Which used to offer both social sign-up (FB and Google) and a traditional email sign-up option
You probably don't know that in this case, Groups was also forced to include AppleID or risk being removed from the App Store
Removing all social logins from this point to ensure compliance would have definitely affected all users who had originally signed in with FB/Google, way before AppleID ever existed
>Removing all social logins from this point to ensure compliance would have definitely affected all users who had originally signed in with FB/Google, way before AppleID ever existed
Yet it would have been more consistent! What is the point of going to war against Apple while embracing the private-data-broker model at the same time?
Just send a warning e-mail requiring password change because you decided to remove all social login as a protest.
And provide a password reset mechanism for formerly social-login users that haven't defined a password in time.
But Apple is forcing devs to include Apple ID and that's what's wrong here. They could have made it optional. Given how Apple users can be it likely would have ended up being in demand and devs would have included it out of their free will
There is basically no benefit to app developer in including it. It is more work, and you may get only an anonymised address. However, there is massive benefit to actual users.
Apple decided to prioritise users over developers here.
Trust me, I say this as a developer, if there is any indication that I am losing out on users because I don't have Apple ID, I will make sure to add it asap. That is pretty much the reason why I first included FB and Google. I first only had Google, then some people asked for FB. The natural course would have been that then some other guys ask for Apple and I add it. But Apple decided to abuse its position and force it on us developers
Yes. It is important that more developers stand up to this kind of bullying. Apple needs to respect developers more and, if it wants them to integrate Apple services they should instead offer incentives rather than threats to them. As both a developer and an Apple user, I don't care about Apple ID and so why would I wish to waste my precious time adding features I am not interested in? (I use Apple products but I never use Apple ID anywhere because I believe it weakens my privacy - why would I want to share more personal data with Apple, a company that was part of PRISM and used to sell user data to the government?)
Equally, developers need to respect their users. I don't want to have to have a Facebook or Google account to use your product. Why should I be interested in your app if you force me to use either of those options? They were also involved in PRISM and both have far worse track records with privacy than Apple. More importantly, why should I trust you with PII?
Having your email address boils down to password recovery. For instance, I only ever send 3 types of emails:
1 - Activation email with activation code to ensure the person actually owns the email address (non-OAUTH sign-up)
2 - Password recovery for when they have forgotten their password. Yes, a user doesn't need this with OAUTH but sometimes they will have forgotten that they used OAUTH to start with and need to sign in with email & pss
3 - When push is turned off and someone has messaged you
I don't think this is beyond reasonable but I'm willing to take criticism
> Having your email address boils down to password recovery. For instance, I only ever send 3 types of emails
I don't care. I don't trust you. I don't trust any of modern devs, I see every other new shiny crap on the internet only as an attempt to extort me of data and/or money (subscription) now. Before Apple introduced that feature I was using email aliases in my Fastmail. Need to register in new service - go to Fastmail, generate an alias for some weird domain they've got, setup filter for it to go to "dodgy" folder and then register.
Now I don't need to do that anymore, Apple automated that for me.
And thanks, Apple, it also forced guys like you to allow me to use that automation. At least on their platform.
For same reason the only way I buy a subscription is through an in-app-purchase - because I can just go to App Store and cancel it and don't need to deal with people like you. I remember like a year ago I was waiting for a refund for a cancelled subscription and my emails were ignored and the only way to get the attention was to open a dispute in PayPal. Yet another supplier-hostile but consumer-friendly company. Thank god they exist.
I think some smaller-time devs don't appreciate that if they "win" against Apple and make them significantly loosen restrictions, users' wallets will tighten, especially for small developers and companies that no-one's heard of. Keeping the App Store low-friction, low-risk, and UX consistent, is a huge benefit for those kinds of devs (the ones selling software or subscriptions, anyway).
The messages sent to the "anonymous" Apple id mail are just forwarded to the user's inbox, aren't they? How is that any different from any other email address.
There is an email origin restriction- that's how they keep devs from selling them, emails can only come from the right domain. That still shouldn't be a problem though.
It isn't. My problem with AppleID is nothing more than that they forced AppleID on me. I would have voluntarily added it otherwise. But now because of this, I really really dislike it to the point that I will refuse to implement it in other platforms where it is not mandatory
And I think Apple's behavior should change so I am making this public
Asking an honest question: if Apple didn’t force this, would you really add this voluntarily?
Because this response tells me you’re willing to compromise your user’s experience because of your personal issues with Apple.
As a user, this does not give me confidence in your decision making.
It’s somewhat understandable to be annoyed, even angry at Apple. But the moment you decide to pass that on to your users is the moment you’ve forgotten the most important humans in this story.
Of course, it’s your right to do what you want, and if that means taking a stance against Apple ranks higher than your user base, I suppose that’s your prerogative.
But that definitely would make me hesitate to use the app.
I don't even hold a grudge against Apple. This is just me trying to make the world a better place. It's in everyone's interest that Apple doesn't gain authority to force us to do things (don't forget, devs also are Apple customers)
On the other hand, I absolutely trust Apple - my relationship with them spans over a decade and countless products/experiences.
I’m happy that they’re forcing devs to offer Apple Sign On as an option when other social logins are also offered. As a user, I trust Apple far more than any 3rd party dev.
I pay a premium to Apple because of their platform and the types of things they enforce.
I want you to understand that as a user, this is exactly what I want Apple to do and I pay extra for it.
But what you're telling me is that your opinion about Apple here supersedes my own wishes/wants/goals as an end-user.
This reads like "I know what's best, despite what Apple users say they want, and I'm going to make the world a better place by ignoring my users and telling them what they want is actually bad for them", despite the fact that this is actually a beneficial feature to users, even if it could be construed as a benefit to Apple as well (arguments can certainly be made).
> It's in everyone's interest that Apple doesn't gain authority to force us to do things
The rulebook to participate in this ecosystem is a mile thick. Why is this the issue that you choose to make a fuss over? There are a myriad of other rules that are even more heavy handed, that actually are to the detriment of end users to protect Apple's walled-garden.
Picking a feature that arguably makes users' lives better seems tone deaf at best, and actively harmful to a broader message about openness at worst.
The thing is, Apple only 'force' you to add their option if you have an app on the store and offer another form of public federated identity provider. If you don't want to offer Apple as an option, then don't offer anyone else. Look at the context of why they have enforced it. Privacy is hard. The concern is that the majority identity providers/brokers in use are Facebook and Google. I'll happily listen to the 'competition' argument as it does have a little merit. However, when weighed up against the notion that these two are the only real choice for a significant volume of apps, it is extremely worrisome from a privacy point of view. Neither have a reason to respect end users, or your privacy as a developer, because that's how they make money.
Petulance does not become a developer. The last time I saw a tantrum thrown this much was when my kid was 5 and had a major meltdown over a lack of chocolate ice-cream.
He didn't get any ice-cream for a week, a response that taught him meltdowns don't work.
You can judge my post as a tantrum, and I won't even take offense, friend
Now I ask you this: how far are you willing to go to further a good cause? Watching from the sides feels more comfortable, but we are being decimated and doing nothing won't change a thing. We need to act now, or watch our profession/hobby/passion be used to fatten the already morbidly overweight big tech companies
> how far are you willing to go to further a good cause?
But what, exactly is the "good cause" here? Is the good cause to force Apple to stop delivering an experience that we've already established throughout this thread is an experience Apple users want?
There are so many problems and battles to be fought in tech, so much abusive behavior, so many dark patterns. This is not that. If this is the cause you're fighting, I fear you've missed the forest through the trees.
Unless you had something else in mind, in which case I'm genuinely curious.
What is the “good cause” here? You’re just being user hostile and fighting a feature that is highly beneficial for users! If anything, it is Apple that’s fighting a good cause here.
Does something being beneficial for users justify anything?
Enslaving the entire Uber driver or deliveroo poor sod population is arguably beneficial for users. But, is it right? Plenty of jurisdictions have already spoken that these workers have rights. Nobody has made a ruling regarding developers yet
The "iMentality" can't possibly extend to wishing that Apple treats other human beings like **. Can it? If so, we may have gone back in time to even before the 1860s
You're underestimating email. People reuse their email address, so it's not as benign as you think.
Just googling someone's email is a start. But worse actors can find your email on a combolist or figure out what other services you use. Just knowing someone's email is the first step to social engineering a customer service backdoor, for example.
AppleID specifically helps users avoid all this with trivial per-app email address generation, and that's something our tools should have given us a decade ago.
Yes, developers need to respect users too. But that should be between the developers and the user. If a user asks me to add Apple Id as an option in an app I make, that is something that I would seriously consider as I care about my users. Why should a developer care about something no user has requested but Apple is forcing them to use?
Apple could be considered a genuine neutral arbitrator if it didn't take money from both the developers and its users. What it has done instead is to force itself between the user and the developer, and exploiting both in the name of the users (developers lose money to Apple's extortion, and the money it extorts from the developers is ultimately passed to the user, and thus they end up exploited too).
The bizarre thing is the ignorance here that this whole thing is a matter of choice! I am glad that there are developers who recognize that they do not have to accept unfair, and even unethical, practices from corporates. And are willing to speak about it and fight it.
Like minded developers are not just fighting Apple, but the whole attempt by "big tech" to move to the business model of exploiting developers by controlling distribution of software, and dictating terms that favour them. This ends up harming both developers, as they earn less, and users, as ultimately it is the user who ends up paying the share of profits that Apple (and others) extort from the developers.
It doesn't work like that. Users can't ask about options they don't know about.
And even if they do, too many developers couldn't give two shits. Great example is how users overwhelmingly opt-out of tracking when the OS warns them about it (because "developers thinking about users" never even considered not tracking)
I'm the opposite.
I NEVER use a third party login, may it be Apple, Google, Facebook or whatnot.
If your website/app doesn't offer their own independent login, I don't even think once whether I really need it.
Agreed. I find the mere sight of the Facebook or Google logo off-putting and resent the implication that it is a higher-priority login mechanism than email, a sort of act of fealty of the app/web developer to the big platform middlemen.
I run my own mail server so it's easy for me to implement vendor-specific email addresses that cannot be correlated with other vendors', but more and more companies are offering that as a service nowadays, DuckDuckGo most recently:
I use them as a developer to offer it to users, not Apple though and not for apps.
But I wouldn't want any of those companies know which services I use. I am fine with using Auth0 or other third party providers, but only if I have to.
You don't even need to verify the mail in my cases, you could even use a completely fictitious one. Clean, easy, anonymous.
Not really sure about smartphone hell, but most identity providers offer up the mail of the user anyway. Maybe that is different in phoneland though.
I think preferring to use the website/app's own login makes initial sense, but distributing your personal information around opens you up to more opportunities to get tracked/pwned/leaked/whatever.
I used to prioritize the domain's own login, but now I'm starting to mix in some logins with Apple... I just prefer to have _less_ people have my personally identifiable information.
Agreed, it screams two things to me. First that the company is supremely interested in collecting my personal information beyond what I would normally expect to provide. Second that they’re just too lazy to implement their own user system.
To the average user, social login is about convenience. I see a large number of responses in this thread that seem to have forgotten about the most important person in this whole conversation: the end-user.
Users want
- Easy access
- A familiar experience
- A consistent experience
- To avoid more passwords
They generally are not aware of the privacy tradeoffs they're making by using social login.
I'd argue that if the developer truly wants to fight the good fight, they should remove social login altogether.
I find it odd that the options they support willingly are the options that are most user-hostile from a privacy perspective while the option they begrudgingly support (while making a big fuss about it) is the one option that actually tries to protect the user.
You clearly don't understand how social logins work, nor their benefits for users and site owners. Both of your assertions are wrong, and both "bad" things are exactly the opposite.
You don't get anything beyond what you ask for AND are granted access to by the user.
FB login gives email and name AFAIK, but you can ask for lots of other stuff and be denied. Google defaults to email, not sure about name, and has separate requests and grants for any additional information. They don't have nearly as much of a profile as FB does, but can give address and some other details. Apparently Apple doesn't even provide a real email, so that seems even better for "collecting [your] personal information" than using... your personal email address!
Social login is much better than storing passwords in any form (plaintext, encrypted, hashed), and gives both the user and site owner the benefit of FAANG security.
The part where the developer puts the word 'privacy' in scare quotes is a bit of a red flag for me. Suggesting that "accept[ing] two "social logins": Google and Facebook. All was well." does not fill me with confidence that the developer respects privacy concerns.
The reason "privacy" is in quotes is that some of us have started seeing through what Apple really means every time they use the word. As the EU's Executive Vice-President Margrethe Vestager has recently said regarding their Apple probe, privacy can't be an excuse to stifle competition.
All was well because nobody was forcing me (the developer) to include anything I didn't want. Users could still use traditional email signup. You are free to choose whom you trust. If your choice is Apple, well, that is your choice
Indeed it is. And I would choose to trust Apple over some nobody on the internet with a seeming chip on their shoulder (seriously, that post is just cringe) over anyone who promoted Facebook and (to a lesser extent, obviously) Google as sign-in methods.
In. A. Heartbeat.
You claim (elsewhere) that you only send responsible-sounding emails, but the level of invective in your screed leads me to disbelieve you. Personally, I think HME seems to have been created exactly to cope with people like you - and I’m failing to see this “hype” you talk about.
HME makes the value of an email address tend to zero, gives me the ability to cut you off without your agreement (and prevents you from selling my email on afterwards), and places all the control in my domain not yours. That’s simply the truth of the matter, and it’s not hype.
I distrust anyone who tries to downplay privacy as important.
I distrust anyone who tries to brand a genuine privacy upgrade as "hype"
And, frankly, signing in (with AppleID or not) doesn't prove a thing one way or another. The OP could be simply harvesting email addresses and selling them off later[+]. (S)he could be upset that HME and SIWA are a threat to that business. Far-fetched? Sure. More far-fetched than an adult throwing the tantrum on the website? Not so sure...
Or another option along the same lines. Perhaps OP has another more-public site that (s)he doesn't want to take this stand on for PR reasons, so they're doing it here, and getting "awareness" out there by submitting to places like HN. In that case, sure, there'd be no email abuse on the <don't care about> site...
There's a few other options that are possible. None of these get around the basic premise that privacy on the net is important (at least to me, YMMV) and I don't trust those who decry it.
[+] Tesla does this, for example. All of a sudden, a couple of years after buying power walls, I'm getting emails to Tesla@<my-domain> and texts containing Tesla@<my-domain> to my phone number (which I usually obscure using google-voice) asking if they can give me mortgage offers (for example). Tesla sold my details when I stopped buying expensive stuff from them - this is why I set up a catch-all address, and used <company>@<my-domain> whenever I signed up for stuff. Now I use HME.
>I distrust anyone who tries to brand a genuine privacy upgrade as "hype"
I particularly like this Apple fanboi argument - that having a third party (Apple) needlessly involved is somehow more "private" than only just the 2 primary parties being involved.
>I'm a Brit
Well I guess that explains a lot then - you're probably one of those that also voted for brexit, but now completely denies it - right?
It's funny - it always seems those who use "fanboiz" or other collective terms akin, always seem to be projecting...
They don't seem to be able to grasp that maybe there are different viewpoints in this world. Maybe that's even a good thing, and perhaps denigrating entire swathes of people as "fanboiz" says more about the person doing it than about the people they're complaining about.
Offering Apple as a choice does not remove the customer's ability to use the two biggest names in surveillance capitalism as the "protector" of their privacy.
Only the naive and the ignorant believe that Apple cares about users' privacy. All their "privacy" features are just designed to collect more and more data about its users. Even unnecessary data. And they get away with it because of marketing that leads people like you to believe that they can be "trusted" with your data - the same data they use, and will use, to make more money. They have already restarted their advertising network again, like before. They claim they are no longer part of PRISM, a US government program that allowed big tech to sell user data to government agencies.
>“We specifically don’t collect data, even from point A to point B,” notes Cue. “We collect data — when we do it — in an anonymous fashion, in subsections of the whole, so we couldn’t even say that there is a person that went from point A to point B. We’re collecting the segments of it.
The segments that he is referring to are sliced out of any given person’s navigation session. Neither the beginning or the end of any trip is ever transmitted to Apple. Rotating identifiers, not personal information, are assigned to any data or requests sent to Apple and it augments the “ground truth” data provided by its own mapping vehicles with this “probe data” sent back from iPhones.
>An Associated Press investigation found that many Google services on Android devices and iPhones store your location data even if you’ve used a privacy setting that says it will prevent Google from doing so.
"The iPhone continues to store location data even when location services are disabled, contrary to Apple’s previous claims. The Wall Street Journal did independent testing on an iPhone and found that even after turning off location services, the device was still collecting information on nearby cell towers and Wi-Fi access points."
"The best way to keep something secret is not to capture and store it in the first place. And that’s the crux of the privacy versus convenience debate now redefining our applications and software-based services ... Yes, maybe what happens on an iPhone stays on an iPhone, but some data should not be captured in the first place. Nothing more so than the significant invasiveness of Apple’s significant locations concept—a perfect illustration of just because you can, doesn’t mean you should. This is a continually building data repository of the locations you visit, along with times and dates, detailed maps, even the mode of transport to get you there and how long it took."
“Both iOS and Google Android transmit telemetry, despite the user explicitly opting out of this,” wrote researcher Douglas Leith from Trinity College in Ireland, in a recently published academic report ... “To date, Apple have responded only with silence (we sent three emails to Apple’s director of user privacy, who declined even to acknowledge receipt of an email,” Leith wrote. Since then, Apple has made public statements critical of Leith’s research and insisting privacy and opt-out measures do exist.
"And there’s also a more fundamental issue with this technology. Its euphemistic description as a “crowdsourced” way to recover lost items belies the reality of how these items are tracked. What you won’t find highlighted in the polished marketing statements is the fact that AirTags can only work by tapping into an Apple-operated surveillance network in which millions of us are unwitting participants."
As for "anonymising" user data, Apple has enough data points on its users from various services and sources it collects its user data from to make it meaningless.
They implemented end to end encryption in iMessage to collect more data? There's a vast array of technical instances where apple has gone above and beyond to implement privacy preserving technology, even when they weren't talking about it. This is, like the OP, hysteria without any basis in fact.
Well, kind of. Apparently Messages in iCloud is still E2E encrypted, but not if you have full-device iCloud Backup enabled. Though I've often been prompted for my previous passcode to restore data from an iCloud backup, so not sure if anything has changed on that front.
Apple is a capitalistic company, they are not saints. But part of their business model selling hardware and software is partly based on at least maintaining a minimal level of decency, far above what Google and Facebook practice.
I don't agree with that view point. As both a user of Apple's products and as a worried citizen about privacy rights, to me it looks like Apple is just using a different approach to collect the same user data that Google and Facebook desire. It is just using the hindsight of how Google and Facebook went about it, and the negative PR they faced, to refine both its data collection process and PR strategy to convey they are saints. (It's a classic Apple way - they observe their competitors and their product for a while, before refining it and launching their own).
There is a lot of profit in collecting and monetising users' data - Apple's shareholders will not allow them to leave it on the table. Apple knows that as it was part of the PRISM program and earned a lot of money by supplying the US government its users' data. (Apple also dropped plan for encrypting backups after FBI complained - https://www.reuters.com/article/us-apple-fbi-icloud-exclusiv... ). And on a different note, in the early years, Google too began its spying and data collection by convincing its users that it is a "decent" company.
> Nowadays any iOS app that doesn’t support logging in with Apple makes me think twice about whether I really need the app.
I agree. I only create accounts for things reluctantly. Because 1. Why do you want my email address, or DOB, or whatever else? I don't want your marketing, and 2. I can't be bothered, I downloaded your app because I have something I want to get done.
Because Apple's SSO will not be eternal and nobody wants to have a tier as a proxy on an important account credential.
Apple SSO is ok for throwaway accounts where your account has no "sentimental value" that you can't recreate easily. But the author of this post maintains a social network: nobody wants to be locked out of a social network.
I have active accounts on websites that existed back when Apple was fighting not to die and I would have totally lost access to them if I had to sign-in to them through my Lycos account.
Sign In with Apple allows you to share your email so you are incorrect. If I decide to hide my email and be locked out - my choice. Developers and companies are greedy for data. Why do we have the expectation that emails should be shared? I constantly say don’t send me marketing and some services send. On my part I report them as spam every time so that algos start blocking them as they are breaking our contract and are malicious.
For every service I’ve built, I allow the user to create an account with email, Google, Microsoft, Apple, Twitter, Facebook and to later untie their account and move to email. Also if they ever get locked out from their oauth account they can use the email to create a password and login via the normal way.
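The account model this comment describes, as an added sketch that is not the commenter's code: login methods are stored separately from the contact address, and unlinking is refused when it would leave no way back in. The `Account` fields, function names and sample values are assumptions; `privaterelay.appleid.com` is the domain Apple uses for Hide My Email relay addresses.

```python
from dataclasses import dataclass, field
from typing import Optional

# Domain Apple uses for Hide My Email relay aliases.
APPLE_RELAY_DOMAIN = "privaterelay.appleid.com"


class UnlinkRefused(Exception):
    """Removing this login method would leave the account unreachable."""


@dataclass
class Account:
    # provider name -> stable subject id (the "sub" claim of the ID token)
    identities: dict = field(default_factory=dict)
    contact_email: Optional[str] = None
    email_verified: bool = False
    password_hash: Optional[str] = None  # set once the user creates a password


def is_private_relay(email):
    """True if the address is an Apple relay alias rather than a real inbox."""
    if not email or "@" not in email:
        return False
    return email.rsplit("@", 1)[1].lower() == APPLE_RELAY_DOMAIN


def has_independent_recovery(acct):
    """True if a reset mail reaches the user without any IdP's cooperation."""
    return (bool(acct.contact_email) and acct.email_verified
            and not is_private_relay(acct.contact_email))


def lockout_risks(acct):
    """List the ways losing one identity provider would strand this account."""
    risks = []
    if len(acct.identities) == 1 and not acct.password_hash:
        risks.append("sole_login_is_sso")
    if not has_independent_recovery(acct):
        risks.append("no_idp_independent_recovery")
    return risks


def confirm_recovery_email(acct, email):
    """Call only after the user clicked a verification link sent to `email`."""
    acct.contact_email = email
    acct.email_verified = True


def unlink(acct, provider):
    """Detach one SSO identity, refusing if nothing else can reach the user."""
    if provider not in acct.identities:
        raise KeyError(provider)
    remaining = len(acct.identities) - 1 + (1 if acct.password_hash else 0)
    if remaining == 0 and not has_independent_recovery(acct):
        raise UnlinkRefused("add a verified non-relay email or a password first")
    del acct.identities[provider]


def demo():
    """Run the flow on constructed accounts and return the observations."""
    apple_user = Account(identities={"apple": "constructed-sub-001"},
                         contact_email="abc123@privaterelay.appleid.com",
                         email_verified=True)
    google_user = Account(identities={"google": "constructed-sub-002"},
                          contact_email="user@example.com",
                          email_verified=True)
    out = {"apple_before": lockout_risks(apple_user),
           "google": lockout_risks(google_user)}
    try:
        unlink(apple_user, "apple")
        out["unlink_refused"] = False
    except UnlinkRefused:
        out["unlink_refused"] = True
    confirm_recovery_email(apple_user, "user@example.org")
    out["apple_after"] = lockout_risks(apple_user)
    unlink(apple_user, "apple")  # now allowed: email reset still reaches the user
    out["apple_identities"] = dict(apple_user.identities)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The relay-only account is the case debated in this thread: its contact address still works for verification mail, but it stops being a recovery path if the Apple ID or the alias goes away.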
> Also if they ever get locked out from their oauth account they can use the email to create a password and login via the normal way.
This is exactly my point! You can't recover your account if you don't know the mail used for registration. Even if you remembered it, no check could be made if Apple stopped proxying the mails for one or another reason.
With other providers, you could always recover an account because your email address would let you prove the ownership of the account.
You can look up any private relay email address you've had provisioned in iCloud settings. It shows what service it was used for and the email, also allowing you to disable the address. This is also available from the Apple ID manager:
Is that not the same as if Google blocks my account? I won't even be able to login to my email for a simple password reset or to verify I'm the actual owner of the email.
This is the problem with one click account vs email entering. It is a risk users should be made aware of but it is still their choice. And for some critical services I'll use my email, for others, like the app in question or most apps on the App Store, I'll use one-click install; also most of the time there is no need for me to have an account. Most data can be stored on device without the need for user authentication.
I was under the impression that the Apple email that you get is not a real email address with an inbox? Is it? How can you verify a user is the real owner of the email?
If they are locked out of the oauth account, presumably they can't check their inbox.
edit: Oh, do you mean you ask for an email address after they already flow through the oauth process - because that's the worst of all :)
The Apple-provided e-mail address forwards to their real email, so you can still use it for e-mail verification and communications. It just means the user can deactivate the alias at any time and stop further spam.
Don't forget in your threat model that Apple can cancel your account at any time for any reason whatsoever. They've even done it to security researchers using Apple's own bug bounty program. If that happens, you are stranded with those accounts effectively inaccessible to you forever.
So? Google can also cancel your account at any time for any reason whatsoever, and good luck getting it back unless you're a celebrity with connections or manage to make a big enough fuss about it on social media. Using the same logic, you should not use Gmail then.
> So? Google can also cancel your account at any time for any reason whatsoever
Right, that's why. Don't ever use "sign in with XXX" for any value of XXX, whether apple or google. Any of them can erase you off their site on a whim and you've lost all unrelated accounts where you made the mistake to "sign in with XXX".
Create accounts with your own email, control your future destiny.
> Google can also cancel your account at any time for any reason whatsoever [...] Using the same logic, you should not use Gmail then.
Actually, under that logic it's only that you shouldn't use the @gmail.com domain; it should be fine to use Gmail with your own domain, since that allows you to recover if your Google account is canceled (just change the MX to another email provider).
Another thing you can do is to never use your Google account for anything other than email; that should reduce the chances of the account being canceled for no obvious reason. For instance, it's been reported that, if you used your Google account for Youtube, and Google decided your real name was not your real name (which it wanted due to the Google Plus integration with Youtube), your whole Google account could be canceled; that risk could be avoided by just never logging into Youtube with your Google account.
Google isn’t worth the trouble.
I pay for my email, you remember paying for stuff you use, an antiquated idea, I know, but restores the balance in the equation.
Apple's SSO may not be eternal but it's also very unlikely to disappear overnight. If it is indeed going to be phased out you will have advance notice of this and a transition period.
I agree that in a perfect world you'd provide your real email address and solve this problem. But developers and companies have repeatedly proven themselves to not be trustworthy and the majority will misuse any contact details for spam which users do not want. In fact there wouldn't be a business case (nor appeal to end-users) for Sign in with Apple if this wasn't a real problem.
> Apple's SSO may not be eternal but it's also very unlikely to disappear overnight. If it is indeed going to be phased out you will have advance notice of this and a transition period.
They may well offer notice and time when they cancel the service in some future.
They won't offer any of that if they happen to erase your account just because though, as has happened to many people.
Don’t use apple SSO because apple might not exist one day?
You may as well argue not signup to anything using gmail because, heck, google might go out of business.
There is no benefit to users in giving your “real” details to service providers; the benefit is entirely on their side.
You can argue that Apple is harming the opportunities for 3rd party developers, sure, taking advantage of them? Sure.
…but let’s not try to frame this as somehow “pro consumer” to give your email away so people can spam you with notifications and offers to lift their engagement rates.
I don't think your tone is warranted and in the spirit of this community.
I don't agree with GP's fear of Apple SSO vanishing without a transition period to something else, but the general premise that this form of login is not eternal but rather short lived in the grand scheme of things is reasonable and doesn't warrant your aggressiveness.
Also you might get locked out of your Apple account for a number of reasons and will then lose access to much more than just Apple services.
It is also not really a valid argument here, given that the service we are talking about was offering Facebook and Google login options, which share the exact same issue, but with the added privacy violations of those platforms.
From what I understood from these discussions, that is not an issue with Facebook and Google logins because they reveal the true user email address, so even if they no longer exist one day, that email address could be used to recover the user accounts (using a password recovery flow through email); while Apple SSO does not reveal the true user email address, only a proxy through Apple's systems, so if it no longer exists one day, there's no way to use the email address to recover the user accounts.
Apple asks the user whether they want to reveal their email or not. If you do not receive a real email address for Sign in with Apple, it is because the user did not want to give it to you.
> Don’t use apple SSO because apple might not exist one day?
> You may as well argue not signup to anything using gmail because, heck, google might go out of business.
I assume OP's point is that Apple or Google could still exist but your accounts might not exist, maybe you get banned or just decide you don't want to use Apple/Google/FB anymore.
> Don’t use apple SSO because apple might not exist one day?
There might be a day when Apple is not _my_ cell phone platform. Even now I have an Android phone and iPad and I prefer to have access to the same services from both.
Yes, or at least not with a @gmail.com domain. Running Google Apps with a custom domain you own and Google can't snatch away is fine (well, apart from the privacy implications of giving Google free rein to read your emails, of course). That means not using Google as your registrar, obviously.
> You may as well argue not signup to anything using gmail because, heck, google might go out of business.
I personally avoid doing it, but that's not the point.
Every other third party allows account recovery by mail: if you want to stop using FB or Google's SSO, you can ask the website to send you a mail to prove the account ownership.
If Apple's SSO stopped working (because Apple stopped it, banned you, because you don't have Apple devices anymore so you are locked out of their proprietary 2FA), none of those websites could send you a recovery email.
> That is pure BS.
I don't feel like I've been insulting, so please don't be either.
> because you don't have Apple devices anymore so you are locked out of their proprietary 2FA
They have SMS as a fallback. I know it's insecure and I'd rather they support TOTP, but let's not pretend having an Apple device is the only way to receive 2FA codes for your Apple ID.
> Don’t use apple SSO because apple might not exist one day?
Yes. And more to the point, because that Apple service may not exist in the future. Or Apple may determine that a particular app or service can no longer use its service for whatever reason, and you as a user will not have any choice in that manner. It's all been done before.
And it makes me think: what happens to the "proxy emails" assigned to your application when Apple decides to ban your app from the App Store? Are your users still reachable? Is there any information on this?
Given an alternative storyline where Epic Games allowed users to create accounts with relayed Apple mails, wouldn't all those accounts suddenly become unusable today?
Epic actually did allow users to use SWA since they have about 5 other IdPs they allow. Apple didn't suspend their access to SWA at any point, though there were stories about it at the time.
Then your issue isn't with Apple's SSO, it is with all SSO providers. Facebook/Google login are not eternal. The only difference is the proxy, which can be disabled.
Any website offering SSO options would have a sunset period to move it over if a provider went under...and if they don't, they are likely defunct at that point anyways...
Apple may not be eternal, but probably will still be around for many decades after your app is completely forgotten. I still have the same IBM and Oracle accounts from the 90's. Big enterprises tend to stick around for a friggin long time.
Agreed, Sign In with Apple is a fantastic feature from a user point of view and I also think twice about signing up for an app which does not support it
Before Apple introduced Apple ID, there was an annoying tendency of applications offering only third-party authentication from either Google or Facebook.
Compared to Google or Facebook, Apple is definitely the lesser evil and an acceptable compromise between trusting Google or Facebook and the inconvenience of creating a login for every app.
Forcing the implementation of Apple ID on applications that use other providers is actually increasing customer choice for me.
There's a market for being anti-Apple that's not always based on reasonable ideas. It's popular especially among Web technologists, so maybe if your product targets them it could be a growth hack to "take revenge" and attack the Goliath, then create a literature around that "brave endeavour" that promotes your product.
Apple is the most petty entity that I have to deal with on a regular basis. They refuse to automatically capitalize the words Linux or Windows but they'll practically force you to capitalize the phrase "app store" even though they don't have a real trademark on it. They'll try to change your vocabulary from "installing" to "side loading" just to protect their business model. They'll reject your app for looking too different. They're so petty that I think there's probably another word that I should be using to describe the level of pettiness that they've reached. Machiavellian perhaps.
The autocorrect dictionary contains the name of every app on your device. It’ll learn Linux organically eventually, maybe Windows depending on how much home improvement you do….
No, not at all petty. Kudos to the developer for standing up to the bullies that Apple and Google (and other tech companies) often are. Apple really needs to be reminded harshly that it is the developers that add value to their platform. And to share another perspective, I never use login from another service as it means you are sharing more data with them, and you become hostage to their whims and fancies they call their "terms and conditions". So if one day they don't like the app / service you have been using for whatever reason, they can bar you from logging into it without giving you any choice for it.
I like the angle of "Sorry, Apple ID only works on Apple devices." The rest of the popup seems unprofessional and would make me reconsider using the software, out of fear for what other unprofessional things may end up happening.
But the bit I highlight is a nice jab at Apple and something I think you can get away with professionally in a web app. It mars their login brand a bit by showing that it isn't useful everywhere.
Yep, but that should be made clear and not just implied, because at the end of the day, their users who sign up with Apple will be unable to use their web app because of the developer's choice not to implement it (which is definitely their right not to do so, they can handle the support), and not Apple not giving them the APIs.
Yeah, this is the part that makes the developer not just petty, but actually quite disingenuous and actively hostile to their own users.
It's one thing to argue against the policy and there's nothing wrong with that. But it's unacceptable and close to outright lying to imply that the policy decision makes the user's account only usable with Apple devices.
The really puzzling thing about all of this is that the developer's primary issue - he believes Apple is being hostile to developers - is exactly what he's doing to his end users.
Apple took away his choice, so he's taking away his users' choice to use the feature as they desire.
For a more professional notice, I'd try something more like "Apple required us to choose between either supporting Sign-in with Apple in the iOS app, or disabling the logins of all existing users who had signed in with Google and Facebook. In protest of these abusive requirements, sign-in with Apple will not be supported online."
Judging by the language used in the post (e.g. "prisoner" or "Give them your money, your will, your worship") it seems like a reasonable assumption that this developer doesn't care about Apple customers.
That's not true, I care about them at a personal level. I would probably have heated discussions about the benevolence of Apple with (some) of them, but it would be in a similar spirit to that of a discussion about football
I keep regular correspondence with many of my iOS users and I consider them to be my friends. They've helped me shape Groups' current form in many ways. I am thankful
Apple is making it impossible to have real customers and real businesses. They're turning us into serfs of their unfair ecosystem.
It's one thing to build interconnected products, but to grow the pie so large that all commerce and communication with 50% of Americans goes through their polished gates, to be stripped, taxed, and even cloned, is an abuse of power and position. It's a strip mining of our industry. An over fishing that has greatly decreased the probability of success for small, independent players.
Until the DOJ forces them to open up (or break up), we're stuck in this war zone.
I'm going to follow in your footsteps. Hopefully many more do as well.
Thanks mate, I will gladly join you in being downvoted and add that in the long term it would really help if us developers got more organized. We need collective action. I have a few thoughts on this, anyone who wishes to join forces in carrying this baby can get in touch at javierantonf@hotmail.com
Do not mistake the sentiment here for Apple boot licking. It is possible to be both critical of Apple's policies while also recognizing the value they provide to users.
What exactly is "the good fight" here, and how is forcing this fight onto an app's user base something that should be applauded?
I'm no Apple fanboy, but I do think they've managed to implement features that are genuinely helpful to users. Whether that's benevolent or self-serving is not necessarily as relevant as the net benefit to end-users.
Personally, I find it refreshing when a policy like this actually results in better privacy for the user and not worse. If the developer truly has such philosophical issues with Apple, they should remove all social login options as the transgressions of the other two are arguably and demonstrably worse for users than Apple Sign In.
The author's revenge seems to be against his users who opted to use Sign In with Apple, since they will be the ones suffering because they trusted to use the particular app.
I can find merit in complaining about apple's restriction in accessing payments. But SignIn with Apple, as a user I will always opt for that given my email won't be available with a third party forever for them to spam or sell.
I have integrated SignIn with Apple both in an app and backend. I never felt it was particularly difficult or under-documented.
Apple forced Groups to choose between having AppleID, or losing Sign in with Google/FB. That would have been equally bad for existing users who had chosen Google/FB before Apple ID was even a thing. Perhaps Groups would have happily adopted Apple ID if it hadn't been forced on it
At the end of the day Groups is a passion project. So it can be used to contribute to a world where developers aren't taken for granted
Apple ID was buggy as hell when it first came out.
Apple users will have to understand that Apple's policies can have an impact on what they get from developers. Apple only cares about $ and PR, wish it weren't this way.
From your post I get that you don’t particularly care about the users who use your app as you are not offering any way to transition users.
I think Apple cares about their users and platform, they just care about your passion project and I can understand how that triggers you. But the users belong to the Apple ecosystem. You are essentially a guest there and more importantly the user has a choice to privacy. Most of my friends buy iPhone because of ApplePay, Sign in, and now throwaway emails. Apple just caters to them and forces all developers to respect that.
As an engineer I never experienced any issues when integrating with Sign in. I’ve used it in 3 apps already in the past 2 years. There was also a very long grace period.
I do care about my users. That's pretty much all I think of all day. Send me a support request? You will have my undivided attention, for free!
But please tell me, how else can I push back on Apple's bad behavior? In war, there are collateral victims. And I, a dude who's almost a nobody, am willing to take on Apple by any means necessary when they do this kind of stuff.
Respect is earned, and it is high time Apple learns to respect developers. We should all be doing this kind of thing. I'd go as far as supporting a general app strike where services become unavailable. That's pretty much how workers have gained any rights and we desperately need rights
If you think that random deflection and taunting is going to distract me, or anyone else here, from the fact that you failed to support your argument, you are mistaken.
You have to clear your mind, they don't care about you, they care about your money only. This is why they want you to be captive but they pretend that it is for your own good. And you buy it...
From what I've seen and experienced that is not true. Apple support is great and helps me always, Apple store is great and I always get treated nicely. So I guess they care about me and my experience which translates into the platform they have built for ME - the user. I doubt they built a platform for the sake of building something.
As for Apple owning the user - elaborate pls. I don't see how they try to even own me. I made an educated decision to use that software and hardware BECAUSE of things like ApplePay, SignIn, App Store, etc.
More like a prisoner, rather. As an Apple user, I would like to be treated as the owner of a device I have paid for - not like a "guest" or as a "prisoner".
A trillion dollar publicly traded company sure cares about money and PR.
I understand being a developer who does a passion project or an app. But I can't buy into, Apple forcing any developer to make a decision in a very short term.
Almost all new guidelines come with a 3-month interval before being enforced. And most times the deadlines get extended: https://developer.apple.com/news/?id=03262020b
Apple waits a year or more before removing the apps that don't follow a newly enforced guideline. The restriction is a problem with app submissions that come in after a deadline.
I am fucking happy that Apple didn't allow you to force the choice between Google/Facebook or annoying account creating down the throats of your users.
That's exactly the reason I pay more for Apple hardware: UX consistency.
If I didn't want it, I would be saving money using Android and Windows for equivalent hardware.
> The best way to convince Apple prisoners is to tell them what they need. Trust must only belong to Apple. Give them your money, your will, your worship, your everything. Apple will keep you safe
> Perhaps Apple customers deserve the luxury of "choice" (between different Apple devices, of course)
I don't understand the tone. Do these people actually not understand that different people have different preferences and priorities? Or is it a pose of some kind? I mean, it's 2021, Apple has been on fire pretty much continuously since 2007, they're making a killing everywhere they go and they're, as we speak, pulling off the biggest and smoothest on-the-fly architecture transition ever.
Is it still not clear to some people that Apple users genuinely enjoy using Apple devices and that the company clearly does something right?
Your second quote conveniently chops out the main point of the article, which is that Apple abuse their dominance to force developers into having no choice.
Because dev experience isn't what my post was about. I don't agree with some of the ways Apple treats developers, but I mostly agree with how they treat users and I genuinely like (MacBook) or at least understand and respect (iPhone) their products.
What happens when Apple stops being on fire, and you are trapped in their ecosystem and can't get out? I won't argue that Apple makes the nicest and most comfortable golden cuffs, but in the end they're still chains.
> What happens when Apple stops being on fire, and you are trapped in their ecosystem and can't get out? I won't argue that Apple makes the nicest and most comfortable golden cuffs, but in the end they're still chains.
What are the options in the smartphone landscape? Please elaborate in a way that my elderly mother could use without 24h tech support from family members.
Android? And have instead of golden handcuffs a straight-out chain to serve the ads landlord? Yeah there's only a "choice" between the comfortable golden cuff of Apple and the being actively exploited by google. I know what to choose.
Obs. For anyone suggesting giving a de-googled lineage phone to my mother, just, please, don't.
> For anyone suggesting giving a de-googled lineage phone to anybody who isn’t a technologist or doesn’t have days and days to spend tweaking a poorly-supported-outside-certain-jurisdictions device, just, please, don't.
ftfy. I get a bit fed up with seeing these things promoted. I’m from New Zealand, not the US or Europe. Where do I get one? Who fixes it when it buggers up? Why does it cost so dang much? Why is it such a slow piece of crap compared to my iPhone 11? etc.
You are the one to judge what’s right for you. Now your grandmother would probably be fine with a Pixel phone, you are the one opposing it on principle. Same as how Chromebooks work well if basic tasks are your bread and butter.
To me Apple stopped being on fire for a while now, in particular as we switched from broken keyboard laptops to wonderful ARM laptops only available in small sizes with 2 usb ports. Also on principle Apple barring third party browser engines and game streaming are two huge no-go, in continuation to the selective ban on interpreted code which almost kills the editor ecosystem. Those handcuffs are not that golden, really.
I think I could easily pull all my data out. Files are, well, files; contacts and calendars can be exported in standard formats; photos are stored as JPEG or raw; music is MPEG-4; e-books are epubs; whatever.
Sure, I'll lose some features, but that's because other platforms don't offer those features, not because Apple is heinously putting extra effort into locking up my data.
Not sure actually, I realised I have never bought a book from Apple. The books I have in Apple Books are all epubs though. So, the program can deal with that format, but not sure what format purchased books have.
That's an easy one. To answer your question you need to do two things.
- Try to export your photos from Google Photos
- Try to export your photos from Apple Photos
Let us compare those two, shall we?
Google Photos:
- stored in cloud
- no _synchronisation option_
- export exists but you lose metadata unless you do it through API so third-party sync is not possible as well
Options to get your data back:
- Manually select all the photos in web ui and click download.
- Use google takeout option.
Apple Photos:
- Synchronisation. Go to settings and click checkbox "download everything to this Mac". Same for iPhone. Offline ready, your data is on your device.
- Export - just go to the menu and click "Export originals". It will conveniently organise your photos into files and folders. No internet connection required because the data _is already on your computer under your control_.
So, to answer your question. If Apple stops being on fire, I export my data in a single click and move it somewhere else if there's any option. But it will be a sad day because I'm afraid that there will be no option, besides Apple the market is filled with liquid shit that treats users as cattle.
P.S.
The example of photos works for everything else - my music library is synchronised and downloaded locally on multiple machines. If you've got an Apple Music subscription you can drop anything in there and it'll upload it. Basically Dropbox with UI of iTunes and Spotify on a side.
Same for iCloud Drive - it is downloaded locally.
Heck, everything is downloaded locally, stored on my Macs and backed up with Time Machine. My data is under _my_ control when I go with Apple.
I don’t see the abuse here. Sign In with Apple is only required if you already support Facebook or Google or another third-party social sign in. If you support only email and password, that’s fine. If you do support social sign in, presumably you do so because then you don’t have to worry about passwords and stuff. Well, this is exactly the same. I don’t see why it makes a difference.
The abuse is that Facebook won't refuse updates to your customers' devices if you choose not to opt into their SSO, but Apple most certainly will.
The problem is not the social sign in aspect, but the fact that Apple forces you to implement it if you use their competitors' service.
Had Sign in with Apple not been mandatory, but merely something customers would ask developers for, then I'd consider the framework to be fair game. This simply isn't that.
The rule seems somewhat orthogonal to developers getting emails. Developers can still request login by the old school email-and-password with (or without) sign-up verification by email. On the other hand, some third-party logins don't give developers their users' contact information (just a token to verify that they're on their platform with no authentication permissions, or a dev can request that this be so else the third-party will inform the user that the dev is requesting their contact info).
They are using their app store monopoly to gain a foothold in the single sign-on business. You could try to claim that there's no business there but look at how Microsoft got spanked for giving away a free browser. Now that Apple has over half the phones in the United States, I'm looking forward to them getting spanked very soon hopefully.
Oh? Microsoft got in trouble for using the Windows monopoly to 1.) gain market share for their free browser and 2.) forcing OEMs to not sell alternative operating systems so they could keep their Windows monopoly. You can read all about that here [0]
That's exactly the kind of behavior that Apple is exhibiting here.
It's pretty easy to come along and say that I'm "ignoring the basic facts of the case" though without presenting any facts of your own to back that up. So let's hear your take now.
They got in trouble for lock in. Their integration of Internet Explorer practically made it the de facto implementation and made Windows the de facto operating system on machines.
But again, Sign In with Apple sits in addition to the other offerings, it doesn’t replace them, and in no case are developers expected to be unable to offer regular sign in with email.
To my mind, you’re not wrong, but making a rather different argument.
If Apple is perfectly happy with other sign on, then privacy is certainly off the table. Otherwise, they wouldn't allow apps in their store offering any other sign on (extreme analogy would be apps with viruses in them). Then why force developers to add Apple sign on even if they don't want to, instead of just encouraging? They can easily do so by telling developers that "apps with no Apple sign on are allowed, but are placed in a low priority queue so the review process will take longer".
It is pretty standard "embrace, extend, and extinguish" strategy. Similar to what's happening in the browser market. They are waiting for majority of the apps to have their sign on and majority of users use Apple sign on, then update the policy to disallow other methods.
I mean I don't have any issue with Apple doing these in their own ecosystem, but at least don't be so hypocritical or naive when defending them.
> Why then should Apple have monopoly on harvesting emails?
They don't, and aren't trying to. They are trying to disrupt the Google/Facebook duopoly in the SSO space. Devs are free to require new accounts that they have the email for, just not outsource it to FB/Google.
I would have agreed with you if Apple had <10% of the market share they enjoy today. The reliance society and businesses have on smartphone apps combined with Apple's closing off of APIs, their market share, and their anti-competitive behavior, make things like this extra problematic in ways they wouldn't be under freer market conditions for users and developers.
> they're, as we speak, pulling off the biggest and smoothest on-the-fly architecture transition ever.
I think Microsoft's architecture transitions between OSes were far smoother, in terms of ensuring backwards compatibility and giving developers far more advance notice. Of course, they stayed within the same chip family (well, except increasing the N in N-bit), so it was a smaller transition, but it worked well.
So the creator/developer of "The King of Organigrams and Family Trees" (that's the title of the app's website (https://www.groupsapp.online)) is complaining that Apple is giving its users the ability to hide their email information, am I right? So isn't this a good thing? For me, it is. I don't want to give away my actual email address. I get too much spam already. So I thank Apple for this feature.
And of course, it's terrible Apple doesn't allow their login button image to be altered so that an average user could quickly identify it as "oh yes, this is Apple". However, I don't see why this could be not good. Also, as an end-user, I don't care if the Apple button is black, the Facebook button is blue, etc.
The guy complains about those login buttons but the app is very much possibly the worst design I may have ever seen when I looked on his site. It harkens back to bad knockoff Metro UI text designs where the designer failed to read any form of typographic guidelines.
The author seems a little in need of therapy and to walk away from this for a little while with just how angry, sarcastic, and tonedeaf it all reads and to be clear, I'm in therapy, it's great and helps.
Honestly, I don't know why he is offering social login on an app that advertises E2E chat anyways, you are just giving them all the Keys to the Kingdom.
Frankly, I couldn't care less about whether you trust the app or not
The fact is, I send 0 emails and privacy and security are top priorities. I am passionate about E2E encryption so I have integrated loads of that in the app too
The only purpose an email address serves is password recovery. Period
TBH I am a bit tired of people trusting big tech so much. They are businesses, meant to make money. I make no money and don't intend to cash out because I am passionate about what I do. It's so frustrating to see how people blindly favor big tech
I feel like you’re getting personally offended here. And I get it, you’re likely a responsible person who will be respectful with my information.
However… when looking at apps and signing up for them, can you tell me how I would differentiate someone like you (who I can probably trust) with someone who will sell my information, or send me a ton of emails?
Even with good developers, some will make mistakes and lose data. Some will get sold and the new owner will do different things. As a user, not only can I not pick out the bad from the good, but I don’t know that the good will be good forever.
(I say this as someone who has been burned a few times. Always using a different email address when signing up allows me to track who is doing bad things. It happens far too often)
If you want to make sure, check who is behind the app before you sign up and make an informed decision from there
Of course it is easier when you can relate the app to a physical person (as in my case). How can you make sure the physical person has good morals? That is a lot harder
I did dislike implementing AppleID purely because I was told to do it and even how to make it look which went against the design I'd already nailed for the app. It just put me off. I just wish Apple treated developers with more respect but it seems even Apple users are happy that they mistreat us. It seems Apple users enjoy the "power" Apple has over us. I think that this is just evil. It's like enjoying the "power" Uber has over the taxi market, or the "power" Deliveroo has over the miserable sods that do the deliveries. I don't know what the solution is, but Apple needs to change this behavior and the only way might be to "convince" their users somehow. Strikes are never a pretty sight
Again, I guess you could draw an analogy with Uber. We used to depend on our luck to find a clean/respectful/honest taxi driver and now we rely on Uber to manage this for us (with reviews etc). But Uber never really had their drivers in mind, and it took collective action for Uber to start respecting them a bit. I think that something similar needs to happen in the app space. We need rights
"It seems Apple users enjoy the "power" Apple has over us." --> Absolutely yes. But it just goes back to my main point - I am unable to vet app developers. And even if I do, there is no way to ensure data is handled well long-term. What if Facebook makes you an offer you can't resist?
Basically, I have had many experiences with developers abusing my information. Now I have someone fighting back for me (don't get me wrong, I'm not an idiot. I know they are doing it because I pay them an obscene amount of money).
The way to convince people is for developers, as a whole, to behave responsibly. If developers had never abused my information, I'd likely have no issues ever giving them some of my information.
Edit: I'd just like to say again that I am in no way saying that you are doing anything bad. You seem like a good fellow. And perhaps the curse of being one of the few good people in a room of bad people.
I also noticed that you created your HN user to post just this, and the telegra.ph link doesn't allow comments (nor show who you are). Given that you've decided to publish this without asking first if it's correct, I'd appreciate that you either make a reference to this item on HN or amend the specific points I mentioned.
I noticed some E2E error messages coming from the trace which means that you (I assume it was you) have been tinkering with it/trying to break it. This is fine, and if you manage to do that, power to you. But if you fail to compromise the encryption then please also consider being a bit less harsh in your conclusion (considering what I've told you)
Finally, I am happy to let you have a peek at the source code if you want to know more about it. I want to OS it but can't get around my paranoia of doing so. You'd just have to make your identity known and offer an email address or similar
First of all, thank you for taking your time to do this. I still wish you'd told me before so that I could help you understand a few points before publishing, but I totally get it, good effort. A bit unfortunate that your post got flagged and taken down
A few comments:
> chat keys are ever changed or when (forward secrecy)
Yes, this can be done anytime by any user. Chats -> Settings -> Renew RSA Keys
The Windows client doesn't include any chat capability, it's not just that it isn't E2EE, you simply can't send/receive messages on it. I plan on replacing the Windows client entirely with a web version, it's only there for some few users who really need it
>it's legal to have a directory of all registered users and email addresses accessible to all users
This is not the case. Users can only see other people's contact details when they are in the same "Group". Otherwise, both email address and name is hidden
>On Android, the standard `Random` is not entirely[5] based on current system time, but it does not seem like Codename One uses that. The documentation says it's purely time-based.
I think you may have missed that every message is encrypted with the ChatKey but also with a different IV each time. This ensures each message originates from a different seed
Don't know if you can update your post with this info? Anyway, thanks again and happy to discuss! I might have missed some points. Tbh the E2EE chat isn't really used by loads of people and in retrospect I should have made it non-E2E since most users use the app for its organigrams and not for secure comms. I just did it this way for fun
Edit: One last note
>If you're going to use a closed-source E2EE chat application, you might as well use WhatsApp
The problem with Whatsapp is backups. They kind of make E2E pointless
Edit 2: feel free to reply directly to javierantonf@hotmail.com I can't guarantee I will see your msg here
Edit 3: Isn't 2048 valid until 2023 and possibly beyond?
I am going to assume you haven't read/understood everything I wrote
I don't force users to use Google/FB. They can use traditional email signup just fine
Emails could be masked before Apple ID came along. Namely, gmail addresses let you do this. So it's not anything new or revolutionary. Users could use that to sign up for Groups before
I would have probably ended up implementing Apple ID, but the fact that they forced it in a most discourteous manner frankly p**d me off. When someone does this kind of stuff you need to remember and try to curb their behavior where possible. That's what I'm doing
Gmail has the `+` trick and ignores any `.`s in the name area. E.g. `foo@gmail.com`, `foo+bar@gmail.com` and `f.o.o@gmail.com` will all deliver to the same gmail inbox.
It's not nothing (I tend to use it to track how my email address is being sold), but not a real level of masking, since anyone in the know could regenerate the "standard" address easily.
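The aliasing described in the comment above, as an added example that is not part of the original thread: a short Python sketch showing why `+` tags and dots give no real masking, since every variant collapses to one mailbox. The function names, the sample addresses and the treatment of `googlemail.com` as equivalent to `gmail.com` are assumptions of this example.

```python
from collections import defaultdict

# Domains treated as Gmail consumer mailboxes (assumption of this example).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

# Constructed sample sign-up addresses, not real accounts.
SAMPLE_SIGNUPS = [
    "foo@gmail.com",
    "foo+bar@gmail.com",
    "f.o.o@gmail.com",
    "F.O.O+shop@GoogleMail.com",
    "a.b+c@example.org",       # non-Gmail: '+' and '.' may be significant
    "x7k2q9@relay.example",    # opaque per-app alias: nothing to strip
]


def canonical_mailbox(address: str) -> str:
    """Return the mailbox an address delivers to under the Gmail rules above."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain not in GMAIL_DOMAINS:
        # Other providers decide for themselves how '+' and '.' are handled,
        # so the address is left exactly as given (domain lowercased only).
        return f"{local}@{domain}"
    # Gmail: case-insensitive, everything after the first '+' is a tag,
    # and dots in the local part are ignored.
    local = local.lower().split("+", 1)[0].replace(".", "")
    if not local:
        raise ValueError(f"empty mailbox name: {address!r}")
    return f"{local}@gmail.com"


def group_by_mailbox(addresses):
    """Map each canonical mailbox to the list of variants that reach it."""
    groups = defaultdict(list)
    for address in addresses:
        groups[canonical_mailbox(address)].append(address)
    return dict(groups)


def aliased_groups(addresses):
    """Return only the mailboxes that were reached through several variants."""
    return {box: variants
            for box, variants in group_by_mailbox(addresses).items()
            if len(variants) > 1}


if __name__ == "__main__":
    for box, variants in group_by_mailbox(SAMPLE_SIGNUPS).items():
        print(f"{box:24} <- {variants}")
```

The opaque alias at the end of the sample stays distinct because the real address cannot be derived from it, which is the difference from plus-tagging that the comment points out.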
The author is writing as if the two players in the game are developers and Apple; but there are three players in the game: developers, users, and Apple. Most of the readers of this piece are users, because developers are users just as much as they're developers.
Privacy-preserving federated login options are a good thing. Knowing that the app, which may or may not have security or data protection, has less access to my information is good. I don't necessarily like Facebook, Google, or Apple having access to my information, but if they're the only ones, it's still better than having the app developer have it. Moreover, Apple's login is presented to the user as a user-positive feature: I can obfuscate my personal information conveniently. I like that.
If an app didn't have federated login, I'd make a judgment call about whether or not I want to create an account. Maybe I would, maybe I wouldn't. But if it does have a federated login option, I'd like them to support a variety of options, including Apple.
I'm not sure Apple should mandate it in the way they do, I can appreciate that the developer feels strongarmed... in the same way that I'm sure credit card processors engage in shady strongarming behavior of retailers. But I'd still rather go to stores that take credit in addition to (or instead of) cash, and I don't find it noble that the developer is writing that being forced to do something that his users would benefit from is bad for him.
I then read the second post the author wrote about getting his app removed from the Play store for not including a link to the privacy policy and it kinda comes off the same way. I don't necessarily like Google arbitrarily removing stuff with no notice, but I do like that Google has decided that a privacy policy should be a requirement of an app, and I sort of resent the guy complaining that he shouldn't have to follow that rule, which benefits me. He characterizes this as a "bad experience for users". I don't really agree.
I agree with pretty much everything you said. My only concern is that by forcing devs to support Apple ID, Apple has effectively eliminated all incentive they have to make it a compelling experience for users and developers. Whatever Apple decides to do with Apple ID from here, everyone else just has to deal with it.
I really like the idea that an SSO can also serve as the single point of trust for personal information like an email address. I just wish Apple let that feature speak for itself. I wish they put in the effort to make Apple ID a popular auth solution because both devs and users actually want it - not because they're forced to have it.
Similar to how in-app purchase/subscription fees of 30% just _does not work_ for certain kinds of business with certain kinds of margin, Sign in with Apple has limitations far beyond other social sign-in systems that mean it is a complete non-starter for certain businesses.
Like us. We have Facebook sign in (appropriate for our market), but couldn't integrate Sign in with Apple because the email private relay limits how you can send email to it so much, and we use the email address as a fraud signal for some payment providers.
It comes down to the fact that we share email addresses and Apple have stopped that from working. They see it as stopping advertising and spam, but in our case they're preventing certain payment options, delivery notifications, refund notifications, all the sorts of emails that users tell us again and again are very important to them. We're not sharing emails without consent, we're doing it where users know what's being shared and why, and want these features.
> we use the email address as a fraud signal for some payment providers
This is not in the interest of the user. As a user I do not want yet another company getting my details and assembling a profile on me under the excuse of fraud prevention, especially when my bank offers 3D-Secure which shifts all fraud liability back to the bank.
> all the sorts of emails that users tell us again and again are very important to them
According to every company every single one of their spams is important. It's not up to you to decide. If the users want your notifications they will find a way to receive them (as far as I know the Apple relay email address does just forward emails, so unless you're breaking a - presumably reasonable - rate limit it shouldn't be a problem).
> As a user I do not want yet another company getting my details and assembling a profile on me under the excuse of fraud prevention
This is only done after an explicit opt-in when using just that payment method. It's actually done as part of a credit check and those have to be very explicit.
That’s when you explicitly ask the user for their real email address. This is not difficult unless you want to make it so for the purpose of raging at apple.
There are unfortunately a lot of problems with this – some that matter for the user and some that are more business concerns, but it's sadly not this easy.
- Do users understand the fact that they have not given us their email address? Our email turns up in their inbox after all. Our customers are not necessarily tech-savvy or even that comfortable with email.
- Do users know, months after signing up, that they didn't give us their email address?
- Many users don't actually read information longer than ~5 words unless they're seeking out FAQs or something. They mostly pattern-match to things they know and/or expect.
- Interrupting a checkout flow to explain all of this and capture a real email address will significantly reduce conversion. Is it overall better accounting for the hopeful improvement from Sign in with Apple? Very hard to say, even with testing, and we've tested things like this in the past.
- Will Apple allow it? Open question, they don't explicitly say either way but there's plenty of evidence to suggest they don't want it being done.
> This is not difficult unless you want to make it so for the purpose of raging at apple
There's a difference between raging and critique. I'm critical of what I see as poorly designed systems and policies, particularly where it seems like there are industries/business models that are blind spots to Apple, intentional or otherwise.
Saying that I'm raging at Apple is funny to me because I lead our project to introduce an iOS app at my current company, I've worked at an indie Mac software company, I have used macOS for many years. Hell, I even liked Objective-C. In many ways I'm just yet another Apple fanboy.
Constructive criticism is important in moving platforms forward. Right now, Apple SSO doesn't work for us for well defined UX and business reasons. If those are solved then it will likely align well with how we want to treat our users and we'll likely introduce it.
If the user already has to manually opt-in to it, could you throw in an extra “we need your real email” step for Apple ID users? Then users still get privacy-by-default and you still get the email needed for this feature.
> we use the email address as a fraud signal for some payment providers.
I'm sorry, I understand that that is not your point, but an email address is a terrible fraud signal.
Also, if anything, having the email go through an Apple relay means that the user has an iCloud account, which seems no more risky than a random Gmail account.
I'm over-simplifying "fraud signal" here, but it's a component of one of our payment provider's signal, mostly around "friendly fraud" where people might just have lots of overdue payments or not be responding to payment requests. It's less about signal about addresses and more about the same address being re-used on multiple stores.
Edit: being super clear...
The payment method is a pay-later service, it's literally a loan. The email is used to look up to see if the person has paid their loan balances off late before and other factors like that. "Fraud" was probably the wrong term to use here.
I agree. If you use an email address as a fraud signal, you need to seriously reevaluate your decisions. I've met a site that blocked my Gmail address as "spam" once, but another Gmail address works just fine.
In my case it was just a nickname, but using an email as fraud signal also feeds into racism. People who don't have an average white American-looking name will suddenly be flagged for fraud.
Can you present your users with explanation that "increased privacy provided by Apple" comes with a price in the form of degraded customer experience? Sorry, but you can't both have your cake and eat it, too?
I might believe your intentions are noble, but for one of you there are hundreds if not thousands of bad apples, so to speak, and the controls Apple is giving me as the user help mitigate it somewhat. And there are initially good apples that turn bad after a while — as their authors are desperately seeking ways to get into black, or just sell their apps to some unscrupulous businesses.
But you can still ask the user to provide the email address (and I think I've seen this already in some apps), even if the user signs in with Apple w/ hidden email, right? Since you say you are already asking for permission to share the email address, why would this be a problem? You now have to ask for the email and the permission to share it. A negative answer from the user would mean you are not allowed to share it anyway, so why have the email address in the first place then?
> So here is my small revenge: I am refusing to port Apple ID to the web version. Apple users who logged into Groups via the app with Apple ID will need to create a second account. Am I hurting myself? Am I shooting myself in the foot? Probably. But this is war
So in the headline you call it "revenge on Apple". Apple is hurting, supposedly.
In the content you say the above thing. You're hurting supposedly.
The only option that's missing is the correct one. You're not hurting Apple, and you're not hurting yourself. You're hurting your users.
As an iPhone/Mac user, we don't need developers who lead these confusing, petty ideological battles with Apple at our expense.
Wanna win your tiny, tiny "war"? Good, remove your app from the AppStore, we need less garbage in there, and if Apple did their job right they'd have done this for you already.
> So here is my small revenge: I am refusing to port Apple ID to the web version. Apple users who logged into Groups via the app with Apple ID will need to create a second account. Am I hurting myself? Am I shooting myself in the foot? Probably. But this is war
So, help me understand here -- the revenge is punishing their users that signed up with Apple ID? In what way is this revenge against Apple?
> The best way to convince Apple prisoners is to tell them what they need. Trust must only belong to Apple. Give them your money, your will, your worship, your everything. Apple will keep you safe
While I firmly believe anyone's data can be breached, and Apple ain't no exception, it's more likely for a Joe Random Developer to make his unauthenticated document-based database listen on a public IP address than Apple. I say that even taking into account my firm opinion that Apple is very inept at clouds among their peers, evidenced by the atrocious quality of practically all their network-based offerings.
> But Apple developers must be told, threatened, shut down if necessary.
All developers, not only Apple's! At least Apple has some leverage over its paying developers. I wish it started harassing them over unreasonable memory/CPU usage too, but it's hard to do if your own platform is guilty as charged.
> Am I hurting myself? Am I shooting myself in the foot? Probably. But this is war
Petty and reminds me of scaring a hedgehog with a naked butt.
As someone who owns multiple Apple devices and is generally pretty happy with their hardware and services, I agree. I wish there was at least a third option, if not more competition in this space.
RIP Windows Phone, WebOS, Meego, Firefox OS, et al
Competition is no longer possible these days, as banks, towns, etc. start to require an _unrooted_ Android/iOS device for basic operations (e.g. authorization of credit card operations, paying taxes and fines, COVID stuff, etc.).
Agreed. I tried to get a hardware-based TAN generator from my bank because that's the official alternative, but they indicated as long as I don't do 10k transactions a day I "don't need one". But I did need one, lacking an up-to-date smartphone and a Windows/Mac PC.
They were also baffled that I wanted more than 5 digits as login PIN (without username) for the banking app.
At least here in Germany, there are many banks that work fine on rooted devices. And outside of banking and Google Pay, I haven’t seen anything that won’t work on rooted devices.
Up until a couple weeks ago, my French bank's program worked on rooted devices. No longer. Same thing happened with my previous bank a year or so ago. They removed SMS 2FA as an alternative at the same time.
FfOS would have been a great alternative. I kinda still hope that a similar software setup (boot to browser, sandbox all the things to there) will one day be flashable to any generic handheld device, like older Android phones or the Pinephone.
In fact I use it daily in my 3310, buttons and all, as a replacement for my <model forgotten> FFOs phone from a few years back.
From that experience I can tell you it has nothing in common from the user point of view.
Actually Windows Phone was pretty much killed by Microsoft's lack of marketing, developer incentives and general incompetence, the OSes (7 and 8 mainly, 10 was weird) were incredibly smooth, fast and well designed. For a short while (in between most popular apps gaining WP support and then dropping it) it was IMO the best mobile experience available. You could get a dirt-cheap low-end phone like the Lumia 520 and it just worked. Then there were the AMOLED Lumias (Windows Phone was almost all black!), good cameras, the future looked really promising. Well. Good times were had.
Never forget how MS decided to prop up their WP app store numbers by running classes that ended up in the projects being submitted (and approved) to the store.
The amount of utter shit in the WP store was astounding. It was like if every single 0 star GitHub project had been submitted to a store for everyone to download.
My father wanted a smartphone but didn't want to pay Apple premiums, so I told him to get a Windows Phone because they guaranteed software updates, unlike Android's dismal situation.
He was very happy with it, then it was EOL-ed and WhatsApp stopped working on it (I consider that a feature, not a bug, but for some odd reason he disagrees). So I set him up with a LineageOS Pocophone F1. He still misses the simplicity of the Windows Phone UI, though.
I don't remember any WP8 phones actually being a good experience. The high end Lumias had good cameras...once the camera app eventually launched. The low end Lumias were absolutely terrible in every respect. They were dirt cheap because they were garbage. The App Store was a joke and what little software it had was awful.
The Metro/Modern/Whatever UI looked good in screen shots. In actual use the tiles just ate up a lot of screen real estate and rarely refreshed their content when expected. The UI inside apps was equally brain dead with touch elements often lacking borders. So you'd have to hope you aimed your finger perfectly on an icon. Because the UI could become unresponsive for unexpected reasons, especially on garbage phones, even if you hit an element it wasn't clear if the app was actually responding.
Windows Phone 8 and up was a dumpster fire. The highest end phones were just okay and didn't really hold a candle to the Apple and Android flagships of the time.
And they trashed themselves. Microsoft was late to the party, but Windows Phone 7 was genuinely innovative and good. Unfortunately, when WP7 started to get some traction, they reset the entire ecosystem with Windows Phone 8, which could not be installed on existing Windows Phone devices. And Windows Phone 8 applications could not be installed on Windows Phone 7.
That is still one of the most mind boggling decisions I've seen. You launch a new smartphone platform to compete with two rivals that already have a head start, and then you intentionally wipe away all your progress so you can start even further behind again. Any interest in it evaporated overnight
On the contrary. Starting from the release of the original iPhone SDK in 2008, developers gained more capabilities and app entitlements than they lost.
There are lots of open mobile distros. I'd say postmarketOS is the best option for installing on random devices. Or for devices with preinstalled OSes, PinePhone or Librem 5.
This is a perfect example of why Sign in with Apple is so great: it hides my e-mail and real name from people like the author who are clearly intent on using this information to sell me stuff I don't want.
To this date, I have sent 0 marketing emails trying to sell stuff. Heck, I don't even try to sell anything, I develop out of love and passion. The only reason email is needed is for password recovery
But yes, Apple is great. Again, Apple is great. Apple good, good good good
>To this date, I have sent 0 marketing emails trying to sell stuff. Heck, I don't even try to sell anything, I develop out of love and passion. The only reason email is needed is for password recovery
And your other reply in the thread:
>Frankly, I couldn't care less about whether you trust the app or not
>The fact is, I send 0 emails and privacy and security are top priorities.
>[...] TBH I am a bit tired of people trusting big tech so much.
Some constructive criticism about your replies... You come across as tone deaf.
Trust is not granted to you just because _you_ self-report that you're honest. Your comments will be perceived as another variation of, "Hey trust me, I'm an honest guy! Really!"
If you're tired of people "trusting big tech" so much, why would that have anything to do with you being "small tech" (e.g. Javier Antons's small company Collaborative Groups)?
The implicit cognitive consumer heuristic is not "He's a small unknown company -- therefore I trust him _more_ with my email address than a big company like Apple Inc."
You're focused more on your needs from a perspective of a developer instead of a perspective of an untrusting user.
That said, you definitely should remove Apple as an option if they make life as a developer not worth the time.
EDIT to add a link that may help your public relations strategy:
To be fair, Apple users only care about privacy when it suits them - 5-6 years ago, it was not a priority of any Apple user and many mocked non-Apple people for caring about it. If Apple's handing it to you, it must be important, or so the thinking seems to go
Apple has cared about user privacy a lot longer than 5 or 6 years. I've had Apple equipment for over 20 years and at no time have they sold my info to a third party or forced invasive 3rd party software to be installed on a new machine.
> Privacy means people know what they’re signing up for, in plain English, and repeatedly. That’s what it means. I’m an optimist, I believe people are smart. And some people want to share more data than other people do. Ask them. Ask them every time. Make them tell you to stop asking them if they get tired of your asking them. Let them know precisely what you’re going to do with their data. That’s what we think.
Some Apple users may not have cared as much about privacy until Cambridge Analytica and related issues, but it’s always been talked about at Apple.
> I have sent 0 marketing emails trying to sell stuff.
"I", "I", "I". It's not you. It's me. I don't care what you say you're going to do with it. I don't want to give you my email address to store in another database. I'm sure you're very nice, but sorry not sorry.
> The only reason email is needed is for password recovery
You don't need my email at all if I can use Apple ID.
The fourth sentence on the page says "sending personalized emails" as if it's no big deal. I don't care what you think the purpose or value of your emails is. I don't want emails from any app unless it's a support response to an email I sent first.
And in support of this comment, Apple ID users DO have the option of sharing their email addresses if they want to. So, from the receiving end, if you see somerandomstring@appleid.apple.com as the email address, it should be pretty clear what your users want.
Now you CAN choose to say, "I don't want those users", if they do not fit into your grand plan of things.
Apple does forward emails, so you can even contact those users for your password recovery use case you mentioned in other comments. I think your problem is not the fact that you do not have an email ID, your problem is, your users have the option of pulling the carpet from under you.
Not objecting. I don't need email addresses for the case of AppleID users. 100% true
I do need them for everyone else who comes from traditional signup
However, you seem to have missed the point. My problem is not AppleID, my problem is that Apple forced it on my app and threatened to shut me down if I didn't include it
You don't want to understand. Apple users are happy that they forced you. They like the AppleID experience and nobody would care to implement it if they didn't force developers.
I know it's frustrating for you, but this is the core of why Apple users stick to Apple. They decided to trust and share their data with one single company (Apple) instead of an overwhelming amount of small companies.
And it's not just about data; Apple users trust Apple to design a competitive device and a refined user experience and they don't have to do the work for themselves. They just buy the next Apple device and they trust Apple to do the work for them.
I know it's not for everyone, but if a subset of people like it and they decide to buy into it.... why are people getting mad?
Apple is the result of what Apple users want. If you don't like them you can develop your app for Android users or whatever else you like.
> As an Apple user I'm not happy they forced this.
As an Apple user I'm quite happy that they keep devs on their toes. The industry as a whole went super user-hostile. Forced updates in Docker unless you pay, other apps doing bait-and-switch all the time.
Apple is like an island with cool shade from trees in the ocean filled with hungry sharks.
As an Apple user I'm not happy they forced this. It's manipulative forcing even more platform lock-in for the average joe which empowers other anti-trust practices too.
Your argument that an Apple user is happy at the point of use doesn't justify anti-trust behaviour which is to the overall detriment of people.
Apple seem to get away with far too much just because they're 'Apple'.
Imagine the mess we would be in if every auth provider had the same policy.
Your position would make sense if besides forcing the implementation of Apple Id, Apple forbade the use of any other authentication method.
This is not the case. You can even offer google authentication in your app. You can also move to android and authenticate to the same app still using apple id, the developer can also offer the chance to link this existing account with another credential. So, there's absolutely no lock-in.
And indeed most apple users are happy with that, as it gave me the choice not to have to keep using google or facebook authentication.
I understand your anti-trust point and I agree to some extent.
But this is not something you can blame on Apple. You need to go to your politicians. You can't expect a company to self-regulate its dominance position.
In general I believe a much better way of dealing with this form of dominance is taxing the dominant companies aggressively and using that money to fund open source competition.
Isn't this how it works though...?
Company 'X' abuses the trust it's given to self regulate its dominant position and forces 'Y' application on all its 'Z' platform users.
X, Y, Z could be Apple, AppleID, and iPhone or Microsoft, Internet Explorer, and Windows.
Microsoft received a $611 fine in the EU for abusing its monopoly of control with Windows back in 2004 but it took many years to get there.
> Apple users are happy that they forced you. They like the AppleID experience and nobody would care to implement it if they didn't force developers.
Are there any statistics on this? Apple never asked me if I wanted or liked the AppleID experience.
When AppleID came out, I thought it only worked on Apple devices so my use was limited to non-cross platform applications. With developers removing AppleID from Android applications, my initial misperception turned out to be justified.
I don't have any and it's my opinion.
It's more a general consideration and AppleID is just one specific instance.
I would still be happy they tried even if something like AppleID would turn out to be a bad idea, provided enough of these efforts turn into something valuable to me.
They're not forcing you to use it. They're only forcing developers to give you the option. For you as a user there are only positives and no negatives.
>However, you seem to have missed the point. My problem is not AppleID, my problem is that Apple forced it on my app and threatened to shut me down if I didn't include it
My understanding is that Apple only force you to include this if you provide other third-party login options.
This is a consumer-friendly feature that Apple is forcing you to implement so that your users on Apple platforms can choose to use your app's one-click third party login functionality whilst still retaining control about what personal data they share with you.
Apple's platforms require a variety of consumer- and privacy-friendly features from developers who choose to release apps on them, and you could make your same argument against any of them (e.g. not tracking the user without their permission)
That Apple does this and holds third-party developers to standards for privacy and consumer-friendliness is why I (and many others) use their platforms.
Yes, it keeps app developers from forcing you to use google or facebook, giving you at least the option to use Apple Id, which frankly, for all practical purposes, is definitely a lesser evil.
Right, except that your “problem” is also the relationship Apple has with its customers. You did nothing to build the trust and loyalty that you mock in your snarky write-up. Apple did, to the point that their users would prefer to trust them with their personal information over someone else (you).
The tone of your whole piece is sophomoric- you essentially suggest that all of Apple’s customers are uninformed and lacking agency (unlike you).
All of this because you could no longer automatically glom some people’s emails for whatever future use you dream up? I hope you realize how you’re coming off.
Frankly, I wouldn’t be keen on you having my email. You might accuse me of “sitting on my butt” or worse if you decide I’m not a good customer or whatever.
For what it's worth I'd like to apologize to anyone who identifies as an Apple user and has been offended by my tone. I intended to add a bit of humor but I know that perspective can make things feel a lot different
Please replace every mention of "Apple user" with "Apple". It really is the only wrong party here
Nah, I just feel sorry for any Apple user out there that was offended by my words. It happens everywhere. I generally don't place a lot of importance on these things, but it's rude to make fun of people's (core) beliefs
I don't dispute that it is a good thing. I object to the method of implementing it by force
I am an Apple customer as much as an iPhone user is. But Apple chooses to treat me as an employee, after having charged me (and paid me nothing). Do I have the right to be upset? Could they not have sweetened AppleID by encouraging users to ask devs to implement it or even by reducing our dev annual fee by some $? I think it would also have worked
You can remove the other third-party login options and offer only email+password.
Part of the reason people pay the Apple premium (which is definitely a fact) is because of platform consistency. We are paying more so things are consistent, I expect to not be forced to use a google or facebook account, I expect to have a single place to manage my subscriptions.
If I didn't like that, why in hell would I pay more to be in the apple ecosystem???
Here there is a conflict of interest. Who gets to choose to "expect" more? Arguably, I pay more $ to Apple than you (on top of the value I add). Let's see:
1 dev subscription
4 iPhones to test
2 iPads to test
2 macs to develop
Why do you get to "expect" things from me, and why does Apple get to force me to serve you in a certain way that keeps changing over time and then threatens to hide my work if I don't comply?
I don't know, it just doesn't seem fair. I am happy to work for free because I like what I do, but then being told to do things or risk being banned is just too much for my taste
I think I will just leave the App Store when my web version is finished. Too much trouble for nothing
You don't understand, do you?
The average apple customer values the consistency of experience in the platform far more than your application.
In the grand scheme of things, I am pretty sure you removing your application from the apple store would be an objective loss for customers, but that loss pales in the sight of the benefit of not being compelled to use google or facebook as the only way to login into an application as it is so common in android.
The average apple customer values consistency and is far less tolerant of deviations from that than the average microsoft or google customer. The whole point in paying more for apple is because we value order, predictability and consistency.
Windows customers are not used to that. Windows Hello may be a good thing for them, but they don't expect the same degree of consistency, if your windows Application doesn't use it, they don't complain, this is life.
But apple customers, like it or not, expect iOS features to be widely available on iOS applications. We literally pay for that, and as there are vastly more consumers like me, than developers like you, it doesn't matter if we bought half the hardware you buy, because as a customer class, end users absolutely dwarf developers.
I completely understand your personal frustration. But this is on you, your choices of providing your work for free deliberately.
Most customers don't want to be back in the situation where you either choose between facebook login or tedious manual account creation, just because it will inconvenience some developers. The whole, raw point is exactly that. It may sound cruel, but we WANT you to be forced to implement stuff that is consistent with iOS guidelines, best practices or even features. Customers can be cruel like that.
Password recovery is for all other authentication methods. Although there is a case where it still would be valid there: if a user signs up with AppleID but chooses to use an unmasked email address, and then logs out, and tries to log in again but this time forgets that they used AppleID and they try using normal sign-in, then Password reset would also work to reset their "password" (the definition of an AppleID user's password is a bit tricky here and don't want to write something that's too long)
The point is that many developers would prefer to have a “real” email address. If you’re using Google or Facebook ads the email data point allows them to track you across apps and target advertising that data goes back into your personalized profiles.
Apple's solution of an anonymous email breaks this personalized tracking which is good for privacy concerned users but potentially “harmful” for app developers, particularly those that are ad supported.
There are many who wouldn’t see the value in adding Apple Auth and may actually see it as harmful to their business model and choose not to implement it which would deprive users of that choice.
This isn’t about a large section of app developers who just use social auth in a benign way, like the author, to ease app sign ups it’s about those that use social auth more insidiously to track users, frequently without their knowledge.
There’s not a feasible way for Apple to enforce this selectively so they used a heavy hand. I feel for the author with respect to the button guidelines but as a privacy minded user I’m glad he’s being forced to add the option.
Thank you! That makes sense. A malicious dev would be okay with implementing Google's and Facebook's SSO solution because it allows them to continue accessing the user's email.
However, Apple's policy gives malicious devs an obvious way out: just don't support any SSO solutions. So this policy doesn't really do anything to stop malicious devs at the end of the day. It stops them from taking advantage of alternative SSOs, but I wouldn't expect that to have much effect.
I guess maybe the policy is intended to mitigate the potential damage caused by negligent devs? As in devs who are not malicious, but risk allowing malicious actors to access user data through negligent design? That feels more like a stretch to me, though.
That is because the motivation is different. Google and Facebook allow you to profile your users and get their real identity. Apple only has upsides for users, not developers.
That's my point, though. mikeryan argued that if Apple didn't force devs to support their auth solution, devs would just ignore it. But both Google and Facebook have created similar solutions and have been very successful without forcing devs to support them. If you make something good that users want, devs will typically support it of their own accord.
And to be clear, Apple's policy does not require all apps to support Apple ID - only those which support another SSO solution like Google's or Facebook's. A malicious dev who wants to collect user data has no incentive to support SSOs in the first place. By not supporting SSOs, they can still collect user emails and abuse them however they'd like.
I wish there were more established patterns around progressive disclosure of personal information. I want to use an app for a while before I start inviting them into my inbox and text messages.
Android (from v10 I think?) does that - deferring the request for permission X until it's actually used.
No more giving Camera permission to an app just because it supports sharing photos, which you know you never want to do, or whatever.
(Yes, this was possible beforehand by manually refusing specific permissions after granting all, or vice versa. But it could be unpredictable and cause app crashes etc.)
> ...people like the author who are clearly intent on using this information to sell me stuff I don't want.
Where was that made clear? My best guess is when the author said:
> We are denied customer interaction, freedom to offer any non-Apple payment methods, etc. For example, I am absolutely sure that Groups would have had loads of more IAPs had I been allowed to offer Paypal on top of Apple Pay and what not.
Offering a non-Apple payment method is selling you stuff you don't want?
The post appears to be a thinly veiled attempt to cajole people into giving app developers access to their email inboxes as a general rule by throwing insults at Apple for daring to hide email addresses from app developers. Even if this person never tries to sell me things, that rule is clearly meant to enable other people to do so.
It frames "sending personalized emails" as though:
1) The only reason to send personalized emails is for "offering alternative payment methods".
I don't get that impression at all. The author is annoyed at being strong armed into using Apple ID, on Apple's terms.
They speculate about why Apple are so keen on people to adopt Apple ID - not say they actually want to do those things. I think they're probably correct about why Apple wants more control by sucking tech into its ecosystem.
Caught me. I thought I was close to getting away with this, but alas, you've found that I am a saboteur from the International Brigades of Devious Developers and all I am hoping for is for public opinion to change so I can get my fellow criminals more email addresses
Now seriously, I have said time and time again that I have no issues with Apple ID. I have a problem with how Apple forced it on me. Not nice
> I have a problem with how Apple forced it on me. Not nice
Every single point you bring up is about you and not your users. All of your complaints in your post and in your comments in this thread ignore the fact that what Apple is doing is better for the humans on the other side from you.
And your stinger at the end?
> Apple users who logged into Groups via the app with Apple ID will need to create a second account. Am I hurting myself? Am I shooting myself in the foot? Probably. But this is war.
You're not hurting Apple. At best you're hurting your users, but you're so focused on your own petty brigade that you don't see it or care. The war that you've just started is not against Apple but against the human users using Apple devices. They're the ones who would suffer from your decisions.
Making the button uniform across domains so that it's instantly recognizable is user-positive.
Offering Apple ID as a sign-up option instead of making me give you my email address is user-positive.
If you don't care about being user-positive, if you're going to vociferously argue against it, why should users trust you?
Well, what can I say, I am sorry. I am sorry for having to do this and wish things were different
But it is the only way I can shed light on Apple's behavior. I promise to add a transition mechanism, happy? I will still make sure users get to read some "Apple bad" message to highlight the reason behind Apple ID not being straightforward on the web
> But it is the only way I can shed light on Apple's behavior.
It still sounds like Apple's behavior is 100% good for users and your behavior is not. You wanting to circumvent things that are positive for users makes you as a developer look extremely bad (user-hostile). I don't know what else I can say if you don't want to hear it.
Sure, I don't expect you to empathize with me as a developer. The point is, if you let this go unchecked for developers, it will spread to as many areas as they can get away with, in the name of what is "good for users". The EU's anti-trust probe is already looking into this. Have a good day
> I'm a user and I wouldn't touch "signin with Apple" with a 10 foot pole.
For Apple device owners there's significant upside and little-to-no downside. You not wanting to use it doesn't mean that it isn't 100% good for Apple device users.
> That's waaaay too much lock-in.
If the app developer cared, they'd give you a way to migrate your credentials.
Anyway, you don't have to use it if you don't want to. Apple just makes it so that you have the _option_ to. But you should at least recognize that it's the only given option that allows people to use the service without giving away their email address to random app developers. That's a huge privacy win for users.
> Anyway, you don't have to use it if you don't want to.
As a developer? Oh yes I do! That's exactly what we're talking about.
And it's not going to fly for very long because Apple has over half of the smart phone users in the United States. This is the reason we have anti-trust laws. They're going to be knocked down a few notches soon in my opinion.
That I can't build an app business in the United States without going through Apple is a problem.
This comment is pointlessly accusatory and misses the whole point.
The problem wasn't that the author couldn't access your precious email. The problem was that Apple used their power to force their auth solution onto the author, which means Apple has no incentive to make their solution good. It caused this developer enough grief that they intentionally removed support for Apple ID on other platforms as a small protest.
Please do not accuse people of malicious intent without evidence. You can discuss the merits of Apple ID without being a jerk.
This seems a bit trashy and tone deaf. Apple does have plenty of problems, and shouldn't be as rich as it is, but that doesn't justify ignoring the legitimate complaints that led to Apple's work to hide email addresses and personal information from vendors.
I might want to use app Foo, I might even want to have an account on app Foo for syncing purposes, but that doesn't mean I want marketing emails, and spam, and all sorts of other crap from the makers of app Foo.
Or, just as often, anyone that has picked up my address from lists originally obtained via a hack of some sort because one of those entities has had lax security.
Yeah, shame on Apple for protecting their users’ privacy. So evil of them to not allow 3rd party developers to harvest users’ e-mail addresses for no reason whatsoever.
At the end of the day you've made your choice. You believe the reason Apple does this is to protect your privacy. You can't see that they want to close you in and make sure they are the only contact you ever have with anyone. This is to get your $. You're in fact paying a premium because they artificially inflate the price of every software you buy (think fees)
I don't "harvest" (fancy word) emails for anything other than basic password recovery, but just so you know, spam filters are pretty good these days
You can keep trumpeting this, but as long as Sign in With Apple still works for password recovery (it does), then this is a straw man.
I don’t know you personally. Maybe you had a bad day, maybe you were still pissed about Google removing your app (wonder what that was about), maybe you just really love email addresses.
I don’t know why you did this, but your choice to punish apple users, to mislead them with that pop-up (it implies that it can’t be done, not that you chose not to implement 5 lines of code for personal reasons), and then chose to write a completely tone-deaf blog post about it, all tell me you are likely one of those devs I can’t trust. So I won’t.
This is the pettiness I'd feel embarrassed about if I'd ever let it come to fruition.
Restricting Apple ID to the mobile app seems more than enough, the snarky popup goes too far. As a user, I don't care about your personal beef with Apple. Simply explaining that the button was added because of Apple's restrictions in the first place and that you never wished to support it in the first place should suffice.
I appreciate your willingness to lose customers to make a point against Apple. A little more... nuance would probably make it a lot easier to gather support from others.
>3 Weeks ago Google temporarily removed Groups from their Google Play store with no warning. This has led me to start working on a "web" version that will withstand the whims of big tech. So here is my small revenge: I am refusing to port Apple ID to the web version. Apple users who logged into Groups via the app with Apple ID will need to create a second account.
I think he took his revenge from the wrong company...
You put those 2 sentences together but they actually belong in separate paragraphs. The latter is a closing statement to the entire post. And the former says that a web version is in the works
But never mind, it sounds more funny the way you put it
Time to admit, tech giants don't want any further important players in the field than those large ones existing today. Probably will never see a Netflix or Facebook banned from different ecosystems/app stores but if you are a medium/smaller or even a larger one you are seen as a threat.
None of this makes any sense. All players, big and small, are required to follow App Store rules. Those rules say that if you offer third-party sign in, you have to also offer Sign in with Apple. Nothing to do with how big or small you are, and nothing to do with being seen as a threat.
This is also something that happens to Apple Music. My friend recently got family and he had extra logins so I join his group with my iPhone but my wife has Android. Lo and behold they actually have an Apple Music app on Android. Try as I may I cannot get her logged into it. What I had to do is use another iPhone, sign in and accept the Apple Music sub on the iPhone before it would work on the Android. Luckily I still have a collection of iPhones or no Apple Music for Android ppl.
I had to integrate Apple sign-in and it was pretty straightforward implementation. I don’t know what’s so difficult and why the author has opted to create a sub par experience for the users of his product…
Does "sign in with X" not lock you into X's ecosystem? That is, if I lose my Apple account or my Google account due to their judgement of my actions, have I lost access to the services I authed via those accounts? That is, if I change my email, most services allow that data to migrate to the new username. Do the "sign in with X" allow the same capabilities? (I ask from ignorance, not from sarcasm, I really don't know.)
Theoretically a service could allow you to convert an externally authenticated account to one protected by a password. In practice, I haven't found any services that allow it. I've found plenty that support conversion in the other direction.
Anyone who puts privacy in quotes has totally lost the plot.
Is it really so inconceivable to some two-bit developer that I absolutely do trust Apple more than I trust them?
Hell, I trust Apple more than I trust Facebook and Google. Apple ID is my go-to SSO these days. Is Apple perfect? No. But this is a game of lesser of evils.
It’s really adorable to watch people embarrass themselves by not reading/comprehending the entire comment.
As I said: lesser of evils. I don’t care if Apple truly cares about privacy. I just care whether they will trample on it less than the others will, which I do believe, not because they care but because it might be profitable for them.
Imagine thinking that a whole 3 lines of comment are anything to ponder over very deeply.
We get it. Love Apple, trust Apple! There's not much else there.
Clearly the greater evil though is to enshrine one corporation to rule them all in the digital landscape. If we don't know that, then we haven't thought about the problem at all because we're trading short term security for long term insecurity. Read some Orwell or Huxley. Or just look at human history and how this plays out... what do we know about that? Anything?
Enjoy that! (Got 'em!)
Oh but we can go to Android! Gee, but we're talking about developers… You don't build a successful app business in the United States without going through Apple because they have over half the customers here.
To be clear: I'm fine with Apple signin existing. I am not fine with Apple being able to force every developer to dance to their tune just to be able to get at over half the smart phone users. There's a reason we have antitrust laws for this and not laws against two bit developers gaining your email and that's because one of them is the greater evil, but it's not the one you think it is...
You don't need to choose between Apple, FB, or Google. You can sign up with your email address, which means these companies get no analytics on your behavior
The reason "privacy" is in quotes is that some of us have started seeing through what Apple really means every time they use the word. As the EU's Executive Vice-President Margrethe Vestager has recently said regarding their Apple probe, privacy can't be an excuse to stifle competition.
You’re still missing it - we don’t trust YOU with our email address.
Before today we didn’t know who you are or what you stand for, and we didn’t trust you with our email address. After today, I’m sure I wouldn’t trust you with my private relay address, as you clearly care very little about your users.
On the contrary, I care very much about my users. Precisely because of this I am campaigning against Apple because they seek to extend their powers beyond reasonable measure. It is in everyone's interest, mine and the interest of my users, that Apple doesn't get to dictate to us what we can and cannot do on their platform. But even worse is that Apple gets to dictate to us what we MUST do, which is the case in contention and a serious fault in my view
I get it, you trust Apple. But are you Apple? If not, then why do you defend what is clearly very unreasonable and anti-competitive behavior?
Please, just listen, because you’re clearly not getting it. Nobody knows you or trusts you. Many people, including myself, trust Apple far more than we trust you. This is because Apple has tens of billions of dollars in revenue from hardware sales. Selling some email addresses is going to bring a relatively paltry amount. I can’t say for certain they wouldn’t do it, but it would be really dumb. You on the other hand are much more likely to violate your users’ privacy because you don’t have another revenue stream at risk.
Wow. Artificially creating a limitation, specifically to get revenge against users that chose Sign In With Apple, is a really, really @ick move.
For those who don’t know, SIWA is fully supported for web logins, and its implementation is pretty easy.
As the author seems to be active here, let me add my voice to those who are saying I will never choose to use an app written by someone with this level of disdain for me.
I liked the part where the author says Google and Facebook are good, but Apple is bad, and then two paragraphs later says Google betrayed him, but still prefers to make war on Apple.
I don't think Apple will notice or care. No one is going to drop their iPhone for "Groups".
Revenge against Apple users, not Apple. Apple users who are also users of his product.
If he actually wants to help users, he can let users click through via Apple login on his site, then ask those users to also authenticate via one of the other methods (e-mail, Google or Facebook) and link the two. That way, he would be able to let his users still log in to their accounts via e-mail if Apple tries to shut him down (like Google did temporarily).
I think his focus should be on limiting potential damage to his users, not exacting revenge against large companies.
I wouldn't obsess over the design of Apple's "Sign up with Apple" button, if the default darkmode just applies an inverted filter (inverting Google's and Facebook's logo in addition to the UI), and paddings and margins are all over the place.
Someone else was complaining about Apple rejecting their app, over the Sign In With Apple feature. They cast it as “kafkaesque.”
They showed a screengrab of their app, and they had altered the design of the button, by filling it with gray (I agree that Apple’s choices are fugly). The writer couldn’t understand why Apple kept rejecting their app, and Apple’s rejection reason was not helpful at all (we often need to read tea leaves to figure out why our apps were rejected. It’s because they have a limited selection of canned responses).
Recoloring a branding element will definitely trigger a rejection. The Apple Brand is the most valuable brand in the world, and they won’t brook having it reinterpreted. No corporation would allow this, if they had a choice.
I remember Facebook doing the same if you wanted their stuff on your website. You can't make the Facebook button the same color as all of your other buttons.
The rejection reason was that the option did not exist. It was the very first option. Calling that Kafkaesque is fine, and there is no reason for you to act so smug.
I'm not smug. I'm battle-scarred. I'll lay odds that I've had a lot more rejections than you have, and probably gotten a lot more pissed off at Apple.
Being an experienced Apple developer (since 1986), means that I have been incandescent with rage at Apple -many times. All of us have. Apple can be a real pain to work with.
I still develop for Apple, but I am not a "fanboi."
BTW: The rejection reason says that, because it's canned. It covers a lot of areas. I have received many such vaguely-worded rejections, and had to figure out why they bounced the app. In a couple of cases, I have been able to get people on the horn (PROTIP: Don't be calling them "smug," and be polite, even though you want to throttle them), where they have explained the issue.
[EDIT]: Also, branding is something that a lot of geeks don't understand, but it is very important (and valuable). Many of the seemingly insane moves by Apple are because they are building and/or protecting their brand. That "smugness" is actually a deliberate part of their brand. I don't think that it's a good idea for their fans to reflect it.
In terms of branding, a corrupted branding element is exactly the same as no branding element (except it's legally actionable).
Speaking of which, did anyone see this week's John Oliver show? I get the feeling that HBO is a bit peeved with Disney.
> In a couple of cases, I have been able to get people on the horn (PROTIP: Don't be calling them "smug," and be polite, even though you want to throttle them), where they have explained the issue.
> That "smugness" is actually a deliberate part of their brand.
I wasn't calling Apple smug, though?
I was calling your comment smug, because of 1. implying it's unreasonable to say "kafkaesque" despite Apple setting up a system where you need to "read tea leaves" instead of believing what they tell you, and 2. phrasing it as that they "couldn't understand" the problem.
Your advice, as far as saying they use canned messages that merely resemble the actual problem, is very useful. But don't be mean to someone that doesn't know that. It's a major failing on Apple's part.
Then I'd gently suggest doing a bit of research on what type of person I am, before immediately assuming that I am being mean. I'm a pretty decent chap.
I understand that you are one of the most senior members of this community, and I certainly appreciate the work that y'all have done, trying to keep this from turning into an ugly community.
I really (truly) appreciate the decorum here, and sincerely do my best to respect that. It is my goal to be a positive, contributing member here. I may be mistaken, but I do believe that I have some contributions to make, here.
I may come across as a stuffy old fart, but that is a deliberate departure from my earlier days, when I was ... not that way.
Off-topic: We use only SMS. Our family owns a grocery chain in Northeast India. Last I built an ecommerce app where the only login method is through SMS (OTP). Initially we thought this would be very bad. But now we have a significant amount of revenue coming from the app (native and web). In India most of the govt and private apps use only SMS as a login method.
But it is the only method that people understand and use. And social engineering / account takeover from MNOs is something that is non-existent in many countries.
I just wish we'd move on, skip the next 10 years of this and end up where this will likely go, an "open" standard of sorts where you have a unified ID system that allows you to connect your different accounts with different providers.
Working in academia where OAuth2 is now (finally) being pushed heavily by certain converts who look up to "big tech" as having all the answers. It's annoyingly obvious to the people having to work on this, however, that big tech in this case is way behind where they could be in this regard.
It's not "simple"; there's always money and power, which the article alludes to, but as a user, I just want my account of "me" where I can use secure tokens issued from each authority once they've accepted that I'm probably me.
Until this is all resolved and unified a lot of this song and dance just reminds me I'm more and more the paying product for most systems.
Not saying I don't see where you are coming from, but will echo what other people have said here and can say the message sounds a bit unprofessional. I would also encourage you to look at this from a user's point of view. They generally care about none of this stuff. They don't want to know about your "war" with Apple, and just want to use what you built. It is a bad look.
Edit: It seems that 2 weeks ago you had a beef with Google as well. Maybe this blog is your way of venting the sorts of frustrations that come with developing your app. To offer some unsolicited advice: take the time to learn and fully understand how the social logins work, and focus on providing the best experience possible. Badmouthing Google and Apple (and is Facebook next?) is not the way to get traction.
Honestly the whole app could probably use a UI overhaul. The button looking different than other social logins isn’t the problem; the app looking completely alien to any version of iOS released in the last 10 years is the problem.
Unbelievably unprofessional. If I was a user, even if I was unaffected, I wouldn’t be using any of your software anymore. Treating your users with contempt because of your personal feelings towards a company is bizarre.
Do you guys not understand that Apple doesn’t really care about developers? You all are just a replaceable means to an end. Everything they do is either for the benefit of Apple or its users. Stop whining about it.
While I agree that Apple is evil and all, war would be convincing others to quit Apple or to stop developing for it and make a significant dent in their XXXbn. A small message and loss of users probably won't do it.
Maybe make your app a Progressive Web App, make it with Flutter and available everywhere besides iOS, stop (or don't if you haven't yet) buying any Apple devices, sell the ones you can't root and put Linux on the ones where it's possible, start or join an anti-Apple group that pushes against it spreading, etc. Maybe that'll be more effective.
There are plenty of reasons to be unhappy with Apple's policies, or lack of documentation, or undocumented API changes, or even the dismissive tone they can take when talking about 3rd party developers (especially when defending against various anti-trust inquiries), but that's a very weird thing to be angry about.
Apple mandates changes all the time, and mandating Apple ID if you already use 3rd party logins is about the least controversial thing I can think of, and the most uncontroversially pro-privacy, pro-user, with incredibly small drawbacks and requirements feature I can think of. iCloud Private Relay comes a close second on real user benefits (there are certainly way more drawbacks for the web at large).
At least it's decently documented (try HomeKit documentation for a counterpoint), it's really not a huge job to implement, and there's a clearly stated purpose: force developers to give a "social" sign-up that won't harvest their data.
That's exactly the kind of leaning on devs that's a 100% win for end users and that I, as a user and dev, expect and want to see from them. Less unannounced/undocumented screen saver API changes please, though, but I wouldn't cry a tear either on a ban on 3rd party "SDKs" that harvest any data.
Personally, I think adding a Facebook login to an app is a terrible thing to do, and the excuses of "just because it's convenient for users/will increase my signups" just don't fly with me, but that's just my strongly biased opinion.
Ranting (so inaccurately) to your users like that though? I think we can come to a broad consensus that it won't achieve a thing and won't exactly fill your users with confidence about what you do with their data?
I want to thank you on behalf of Google, Facebook and all third party ad aggregators you selling client tracking and data (including emails). The more app developers will be hostile to their clients, the more profits we can squeeze from our platforms keeping it old new norm. Keep the classy work, don’t forget, it is your app, your rules! Fck users! Fck them hard!
Something that I haven’t seen mentioned anywhere else in this thread is what to me is the killer feature of Signin with Apple: I now don’t need to remember which of the (sometimes >6) SSOs I used to log into an app. If SSO is present, it’s Apple, if it’s not, it’s in my pw manager.
Privacy is a nice plus but for me, the best part is precisely what is pissing this guy off.
Dude, apps small and large still send personalized emails. If you want your users’ names so bad, just ask. It seems like you would just prefer to do name = google_data_json.name rather than ask your users for their name and let them decide if they want to give it to you. This is exactly why I love that Apple introduced Sign In with Apple; it gives the user more control over what they want to give out since it’s their data.
Also your revenge is not on Apple. They’re a behemoth and won’t notice. You pointed this out in your post so you are obviously aware of it but the only people you are hurting are yourself and your users. If you know this and willingly charge along, all I can say is that says a lot more about you than it does about Apple. Good luck.
I stopped reading here, at "who cares!” That was where I started to agree. Most of the language and tone is so negative I lost interest during the first paragraph. I’ve probably already read a constructive version elsewhere, but if I haven’t so be it.
I'm perfectly happy with Apple helping me keep my email address out of the author's hands. If he wants it that badly, it's probably not anything that's in my best interest.
Interesting the comments here, rather than addressing the issue of "is it okay for Apple to force implementation of their own services in addition to others" the discussion is more "well, nobody's _forcing_ you to do this".
When does it stop then? If Spotify releases their app to the store, do they have to include Apple music functionality in their app? If I have an app with a "listen to this on spotify" button, do I also have to have a "listen to this on Apple music" button?
The tech community has loved operating system flamewars since at least the usenet days. This blog post serves as pretty good bait to draw in contestants so I assume that people wanting to engage have upvoted it.
TIL that login through Apple ID shields my data from the service that I’m logging in. Idk about the dev side, but as a user I like it. I may start using this feature after all.
I think what the author is missing here is context. Some (many it would seem) prefer the curated walled garden approach that the Apple ecosystem has. Not for hype, not because we're brainwashed, but rather because we enjoy the consistency and overall experience more than the "Linux Desktop on my phone" experience you get with other platforms.
There appear to be multiple threads to the backstory explaining some of the bitterness that the developer is clearly feeling, and I can understand the frustration at the ever-changing table stakes required to get a seat at the mobile app table, but this is an appalling attitude to what is an entirely valid and useful privacy feature.
But it isn't a privacy feature. A privacy feature would be to create an account with a password without mail validation.
If you use Apple ID, Apple gets the info about which services you are using. The service might request additional info about your person. Most people will always confirm that in reality. This way many services will end up with more user information. Many people will just share everything but might think about it if they needed to provide this info manually.
It is maybe a privacy feature because Apple might be better than Google or Facebook. Well...
Privacy, like security, has its own “threat models” and compromises depending on who you’re trying to get privacy from. So this is absolutely a privacy feature and it astonishes me the amount of people who don’t get this and try a No True Scotsman.
My mail provider would need to parse my mails to get info about what services I use. Identity providers have those apps registered and grant tokens for specific services. They know exactly when a user is logging in to specific services. This data doesn't even need to be evaluated further, Apple would have a neat list of the services you use.
Still, the usual mail registration offers more flexibility and gives the user more control. So, email registration is a privacy feature if you argue like this.
Security-wise it is a decent solution, but also a single point of failure. It is hard to argue this to be a privacy feature. It is only one if you trust Apple more than the other services and different forms of auth aren't possible.
While the grudge against Apple is real and has been discussed time and time again, the revenge described here is a joke: no-one will seriously use a web version when an app is available, the experience is really not as good, the findability is not there and for many apps device-features will be missing.
When given the possibility, I always use the web version over a native app. I want to install as little software as possible on my device, and (at least for the time being) the security model of the browser is well-known and customizable (to an extent).
I used to agree with this. That was before I developed the web version and was able to compare real performance. Web (WASM) beats both Android and iOS native apps. Only downside is initial data transfer (1.2MB). A bit funny since the iOS app is 20MB and the Android one is 5MB
I'm confused about the "revenge" aspect of this. Seems like you're doing what Apple is asking you to do -- implementing Apple Sign-In -- and then going the extra mile to make sure your users have a worse experience than they should otherwise have. How is that revenge on Apple?
This is one of the reasons why I tend to avoid public-facing mobile app development, the developer ecosystem just feels so restrictive. The alternative here is that I forego publishing on the app store, drastically reducing the audience outreach.
Looks more like a revenge on the users to me. If he put it on the app why not put it in the web version too? I'm not a fan of Apple's guidelines, but this won't change a thing on the guidelines.
I'm usually exposing my email address while using Apple ID. When I'm logging from non Apple devices I want to be able to log using Facebook or Google and recover my account for this very reason.
This guy is taking revenge on his users not Apple. I trust Apple with my login details and I like their option to let me hide my real email. I’m not logging in with Facebook or Google.
I don’t get these kinds of posts. Apple ID is mandated for a reason. If OP can declare war the least they can do is provide technical reasons about why they are declaring war, instead of a couple UI buttons and a lot of anti-Apple prose. I was looking for at least a link to the technical reasons.
Wow. What an ideologically loaded article. I distrust right away anyone who writes like this. You just lack any credibility to build a structured and constructive discourse.
> "Hate to break it to you, your app is already ugly, the thin black border around the Apple sign in doesn’t change the fact the rest of the app looks awful. Also you’re not getting “revenge” on Apple, you are just fucking over your users who use Apple."
What's going on with this entire awful thread? A bunch of Apple fanboys crucifying the developer for refusing to play by Apple's rules? The developer has every right to do what they did, they don't owe you or Apple a thing. Stop acting so entitled and just fuck off.
> What's going on with this entire awful thread? A bunch of Apple fanboys crucifying the developer for refusing to play by Apple's rules?
I mean they are playing by Apple's rules (they support Apple ID on iOS), all they are "refusing" is refusing to allow users to log in to their Groups account using Apple ID on a different platform that supports it. That's their prerogative but they aren't sticking it to Apple, they are sticking it to their users all while pretending they are standing up to "the man".
> The developer has every right to do what they did, they don't owe you or Apple a thing.
This is true, but that doesn't mean they are immune from criticism for their decision, especially a decision they took the time to blog about and post to HN.
> Stop acting so entitled and just fuck off.
There is nothing entitled in the comment you are responding to, just facts about what they are doing to their own users.
The app is genuinely ugly and inconsistent though - I don’t think it’s really a matter of opinion. It is what it is - awfully designed.
Not only that, the E2EE that’s advertised is awful - he’s literally using Java’s standard random function. A second year CS student would know not to do that.
I did not call their app ugly out of the blue, they are the ones who brought that up on their own. This small thing called context might be lost on you.
This isn't cleverly anti-Apple, it's just petty. I have plenty of gripes against some things Apple does, but the piece here makes net zero good points.
It is hilarious how for a site which is populated by "educated" and "experienced" people, when the subject becomes Apple and how they are not perfect, the very same ones become a herd where they protect their shepherd.
I would be most happy if Apple was the only one out of Big Tech to get regulated.
Let them have their Microsoft moment, and for the wolf to lose its fangs.