Normally I'd just post an update as a comment in one of the existing threads, but I think this development is important enough to justify a new thread. This is the first time I've seen Single Sign...
Normally I'd just post an update as a comment in one of the existing threads, but I think this development is important enough to justify a new thread.
This is the first time I've seen Single Sign On (SSO) disabled for a political reason. Even with their current pissing match, I wasn't expecting Apple to cross this line. While it does of course hurt Epic, it also hurts Apple.
Websites and services that were considering adding a "Sign in with Apple" button now have a very good reason to reconsider. Apple has shown they're willing to break site logins for users and force developers to scramble to implement a workaround.
I'm not at all a fan of the precedent they're setting. This may even hurt faith in SSO beyond just Apple logins, as now we've seen how easily it can be disrupted.
I mean, to be fair, Apple still forces you to support "Sign in with Apple" on any iOS app that supports other OAuth solutions, so many platforms still don't have a choice. OAuth2 support for...
Websites and services that were considering adding a "Sign in with Apple" button now have a very good reason to reconsider.
I mean, to be fair, Apple still forces you to support "Sign in with Apple" on any iOS app that supports other OAuth solutions, so many platforms still don't have a choice. OAuth2 support for different providers (Google, Facebook, Github... Apple) is not particularly difficult after you've decided to support OAuth, so I unfortunately don't expect much to change.
"Sign in with Apple" is only valuable to end users if third party apps are forced to support it. The whole point of it is to provide an alternative to Facebook or Google oauth that actually...
"Sign in with Apple" is only valuable to end users if third party apps are forced to support it. The whole point of it is to provide an alternative to Facebook or Google oauth that actually protects your personal details from the app developer. If app devs had a choice, they would never bother with it because it limits their ability to collect email addresses and other personal information normally acquired through oauth.
If this kills faith in SSO in general, then that is a net positive in my opinion. It was a cool idea, but it ultimately just gets used to harvest user data. I've actively avoided a number of services purely because they require me to sign in with Google or Facebook. Just recently threw away all my Nest equipment and bought Ecobee stuff because Nest now requires a Google account.
Your points are valid but also I would rather let google handle my authentication than random website #78058. I get sign in alerts, session listings and invalidation, 2fa, etc instead of ......
Your points are valid but also I would rather let google handle my authentication than random website #78058. I get sign in alerts, session listings and invalidation, 2fa, etc instead of ... Probably plaintext passwords.
If my oauth token gets compromised that is easier to deal with.
That's why I prefer keeping Sign in With Apple around (and mandatory on iOS), because it maintains my privacy while still delegating my authentication to someone who knows what they're doing.
That's why I prefer keeping Sign in With Apple around (and mandatory on iOS), because it maintains my privacy while still delegating my authentication to someone who knows what they're doing.
When a user clicks "Sign in with Apple", they are asked which information they are willing to share with the developer. If, for example, they choose not to give them their email address, then...
When a user clicks "Sign in with Apple", they are asked which information they are willing to share with the developer. If, for example, they choose not to give them their email address, then Apple gives the developer a "fake" iCloud email address unique to them that forwards to the real email. This makes it easy for the user to shut off spam from that company or any "partners" they "shared" that email address with.
Interesting, is this only limited to Apple's SSO? I tend to not use them in general as I thought it makes me more restricted to a single ecosystem, e.g. Apple or Google.
Interesting, is this only limited to Apple's SSO? I tend to not use them in general as I thought it makes me more restricted to a single ecosystem, e.g. Apple or Google.
So, I’m not 100% confident, but based on the past record of Epic/Tencent in this kerfuffle, it looks like Epic may have been full of shit. This Verge article indicates that Epic is now saying...
So, I’m not 100% confident, but based on the past record of Epic/Tencent in this kerfuffle, it looks like Epic may have been full of shit. This Verge article indicates that Epic is now saying Apple is giving them an extension. I can’t find any official announcement from Apple saying they were revoking Apple SSO for Epic, nor that they reverted this. I think this may be Epic/Tencent trying to sow FUD. I’ve seen a lot of credulous people take it on its face that Apple would do this. If Apple did threaten this and revert it, that would look really bad, but it’s not clear that Apple ever threatened this action in the first place, and the Verge is claiming Apple told them as much. The waters have been muddied on this now, and whether Apple did anything worthy of outrage, Epic sure has made a lot of people who never liked Apple to begin like them even less. It’ll be interesting to see if Epic fabricated all this, if it’ll have any bearing on the lawsuit or countersuit.
Part of the point of SSO is that the you’re offloading some responsibility for who is worth trusting with login credentials to the SSO vendor. The whole pitch with sign-in with Apple was that...
Part of the point of SSO is that the you’re offloading some responsibility for who is worth trusting with login credentials to the SSO vendor. The whole pitch with sign-in with Apple was that developers are shady and can’t be trusted with your private information, so just let Apple handle it. If Epic violates Apple’s rules then they’ve implicitly violated that trust.
Take Epic out of it for a second. Suppose this was a random app that violated App Store guidelines by running through a dodgy payment processor that exposes users to risk of identity theft. Would you want Apple to continue providing supporting features for them?
Well, there’s the issue. Policing the web seems like a good thing when it’s going after spammers or malware but not when this power is used illegitimately. Just because it’s an Apple policy...
Well, there’s the issue. Policing the web seems like a good thing when it’s going after spammers or malware but not when this power is used illegitimately. Just because it’s an Apple policy doesn’t mean people are going to accept it as being for the good of users.
Of course, everything is political to some extent, but some actions are accepted as more legitimate than others.
It's up for debate how illegitimate this is. Epic violated the App Store's guidelines in some kind of "civil disobedience" effort, but their argument seems to be "We deserve to be able to run our...
Policing the web seems like a good thing when it’s going after spammers or malware but not when this power is used illegitimately.
It's up for debate how illegitimate this is. Epic violated the App Store's guidelines in some kind of "civil disobedience" effort, but their argument seems to be "We deserve to be able to run our own payment processing and customer management and want you to be a dumb pipe to connect us to people in your platform." But there's no concern for the overall health or security of the platform itself or the people in it.
We're expected to just trust Epic to be a good steward of their customer data, and that might be fine. But as far as a guideline for the whole App Store it's unclear how that's generalizable. Part of the reason the App Store has been successful at actually creating a market where people are willing to pay money for software from no-name, independent developers is largely because Apple makes a first-pass attempt at vetting them instead of letting it be an unregulated environment. Without those guidelines then maybe Epic, Microsoft, and Google tier companies could have their own independent app stores within the platform, but everyone else would be gutted because there would just be too much uncertainty and friction before trying their stuff out.
I'd put a lot more stock in that argument if Apple allowed users to run apps downloaded from outside the app store. It's less asking Apple themselves to be a dumb pipe, more asking them to at...
I'd put a lot more stock in that argument if Apple allowed users to run apps downloaded from outside the app store.
It's less asking Apple themselves to be a dumb pipe, more asking them to at least give users the choice to use the internet at large for that if they so choose. Obviously Epic's doing it from pure self interest, but that doesn't necessarily make them wrong.
The choice is the exact thing at issue. From Apple's perspective Epic is saying "People should be permitted to shoot themselves in the foot." Apple is saying "Creating an environment where people...
The choice is the exact thing at issue. From Apple's perspective Epic is saying "People should be permitted to shoot themselves in the foot." Apple is saying "Creating an environment where people often get holes blown in their feet will discourage people from using it."
Most people don't associate ecosystem effects with the things they do. It's like those parental control apps that were privacy and security nightmares for demanding way more elevated privileges than most people were expecting. Regular users aren't going to recognize the dangers they're opening themselves up to by doing this. They're just going to follow whatever instructions for installation are given to them, get burned, and just not bother doing stuff in general. Usually environments where the rule of the day is "buyer beware" what ends up doing is most potential buyers beware themselves out of wanting to bother entirely. This doesn't help users OR developers.
I'm struggling here. I do see where you're coming from, and I'm trying my hardest to consider it with an open mind, but I can't bring myself to believe that a monopoly will ever end up being a net...
I'm struggling here. I do see where you're coming from, and I'm trying my hardest to consider it with an open mind, but I can't bring myself to believe that a monopoly will ever end up being a net benefit for the consumer.
Apple's a large, amoral corporation. Even if they're more or less fine today (and I'm not even touching on whether or not they are), I don't trust them so much that I'll bet on them being fine tomorrow, and the day after, and the day after that. I don't trust any company that much, which is why I want to be the one with the final say over what happens on the hardware I bought.
They don’t have a meaningful monopoly though. Their products constitute a minority of smartphone sales, not even close to 50%. There’s plenty of space for people to go elsewhere if the rules are...
They don’t have a meaningful monopoly though. Their products constitute a minority of smartphone sales, not even close to 50%. There’s plenty of space for people to go elsewhere if the rules are too onerous but, tellingly, nobody spends money on apps in any of the other app stores. Apple has almost all the profit share despite everyone else having the same 30% cut.
The reason iOS is valuable is because something about the ecosystem inclines people to spend money on software in ways that they don’t elsewhere.
To put some numbers on that, in 2019, gross revenue for the Apple's app store was apparently $14.2 billion versus $7.7 billion for Google Play. (Source) So, Apple app store users spend more money,...
To put some numbers on that, in 2019, gross revenue for the Apple's app store was apparently $14.2 billion versus $7.7 billion for Google Play. (Source)
So, Apple app store users spend more money, but it seems harder to argue that spending more money is unambiguously good. Upscale stores aren't unambiguously better than cheaper stores, they just serve different markets. Higher revenue benefits Apple and app vendors, but there is an argument that spending less money might be better for consumers, particularly if they don't have a lot of money to spend.
(Also, a duopoly isn't that much better than a monopoly.)
It’s already tenuous how sustainable the economics of app stores are for most developers. People’s unwillingness to pay for software is already a big disincentive to be in that line of work. It is...
but there is an argument that spending less money might be better for consumers
It’s already tenuous how sustainable the economics of app stores are for most developers. People’s unwillingness to pay for software is already a big disincentive to be in that line of work. It is legitimately hard to make ends meet as an independent app developer. I’m not sure arguing it’s good for consumers to have fewer things to do is going to be a compelling case for anyone involved. Even in the case of gaming, this is a recipe for even MORE exploitative, freemium business models.
There are other reasons people might not be buying apps though. Personally, Google’s apps provide most of what I need, and I try to avoid installing other apps when websites are available. Reddit...
There are other reasons people might not be buying apps though. Personally, Google’s apps provide most of what I need, and I try to avoid installing other apps when websites are available. Reddit keeps pushing their app, for example, and I just keep using their website. There are a lot of apps that have little reason to exist.
I did subscribe to DarkSky for weather, but Apple bought them and shut them down.
I see no reason to think this effect would differ significantly between the Android and iOS ecosystems.
There are other reasons people might not be buying apps though. Personally, Google’s apps provide most of what I need, and I try to avoid installing other apps when websites are available.
I see no reason to think this effect would differ significantly between the Android and iOS ecosystems.
Well, I'm an outlier so judging by my experience probably isn't going to tell us much anyway. We should look at demographics instead. There are various websites about the differences between...
Well, I'm an outlier so judging by my experience probably isn't going to tell us much anyway. We should look at demographics instead. There are various websites about the differences between Android and iPhone users. I don't know who has the best data, but their popularity varies by income, country, rural versus urban, age, gender, number of texts sent, introvert versus extrovert, and so on.
Sure, I was just making the meta-point that you (or someone) needs to actually make the argument about what Epic is doing wrong and how that relates to the policy. I haven't used Epic or really...
Sure, I was just making the meta-point that you (or someone) needs to actually make the argument about what Epic is doing wrong and how that relates to the policy. I haven't used Epic or really paid attention and I don't know why they would be considered a bad actor by some. (The dispute over money only matters to Apple and Epic, not the rest of us.)
I don't see how this hurts Epic at all. It's a really weird strategy to take. All it does is make every Apple user that experiences this less likely to ever use "sign in with Apple" ever again.
I don't see how this hurts Epic at all. It's a really weird strategy to take. All it does is make every Apple user that experiences this less likely to ever use "sign in with Apple" ever again.
Normally I'd just post an update as a comment in one of the existing threads, but I think this development is important enough to justify a new thread.
This is the first time I've seen Single Sign On (SSO) disabled for a political reason. Even with their current pissing match, I wasn't expecting Apple to cross this line. While it does of course hurt Epic, it also hurts Apple.
Websites and services that were considering adding a "Sign in with Apple" button now have a very good reason to reconsider. Apple has shown they're willing to break site logins for users and force developers to scramble to implement a workaround.
I'm not at all a fan of the precedent they're setting. This may even hurt faith in SSO beyond just Apple logins, as now we've seen how easily it can be disrupted.
I mean, to be fair, Apple still forces you to support "Sign in with Apple" on any iOS app that supports other OAuth solutions, so many platforms still don't have a choice. OAuth2 support for different providers (Google, Facebook, Github... Apple) is not particularly difficult after you've decided to support OAuth, so I unfortunately don't expect much to change.
"Sign in with Apple" is only valuable to end users if third party apps are forced to support it. The whole point of it is to provide an alternative to Facebook or Google oauth that actually protects your personal details from the app developer. If app devs had a choice, they would never bother with it because it limits their ability to collect email addresses and other personal information normally acquired through oauth.
If this kills faith in SSO in general, then that is a net positive in my opinion. It was a cool idea, but it ultimately just gets used to harvest user data. I've actively avoided a number of services purely because they require me to sign in with Google or Facebook. Just recently threw away all my Nest equipment and bought Ecobee stuff because Nest now requires a Google account.
Your points are valid but also I would rather let google handle my authentication than random website #78058. I get sign in alerts, session listings and invalidation, 2fa, etc instead of ... Probably plaintext passwords.
If my oauth token gets compromised that is easier to deal with.
That's why I prefer keeping Sign in With Apple around (and mandatory on iOS), because it maintains my privacy while still delegating my authentication to someone who knows what they're doing.
Could you explain in more detail how this protection works?
When a user clicks "Sign in with Apple", they are asked which information they are willing to share with the developer. If, for example, they choose not to give them their email address, then Apple gives the developer a "fake" iCloud email address unique to them that forwards to the real email. This makes it easy for the user to shut off spam from that company or any "partners" they "shared" that email address with.
Interesting, is this only limited to Apple's SSO? I tend to not use them in general as I thought it makes me more restricted to a single ecosystem, e.g. Apple or Google.
Yeah, only Apple does this right now.
It proxies the email address with a private one, among other things. Kind of like using apple pay or google pay generates a proxy card number.
So, I’m not 100% confident, but based on the past record of Epic/Tencent in this kerfuffle, it looks like Epic may have been full of shit. This Verge article indicates that Epic is now saying Apple is giving them an extension. I can’t find any official announcement from Apple saying they were revoking Apple SSO for Epic, nor that they reverted this. I think this may be Epic/Tencent trying to sow FUD. I’ve seen a lot of credulous people take it on its face that Apple would do this. If Apple did threaten this and revert it, that would look really bad, but it’s not clear that Apple ever threatened this action in the first place, and the Verge is claiming Apple told them as much. The waters have been muddied on this now, and whether Apple did anything worthy of outrage, Epic sure has made a lot of people who never liked Apple to begin like them even less. It’ll be interesting to see if Epic fabricated all this, if it’ll have any bearing on the lawsuit or countersuit.
Part of the point of SSO is that the you’re offloading some responsibility for who is worth trusting with login credentials to the SSO vendor. The whole pitch with sign-in with Apple was that developers are shady and can’t be trusted with your private information, so just let Apple handle it. If Epic violates Apple’s rules then they’ve implicitly violated that trust.
Take Epic out of it for a second. Suppose this was a random app that violated App Store guidelines by running through a dodgy payment processor that exposes users to risk of identity theft. Would you want Apple to continue providing supporting features for them?
Well, there’s the issue. Policing the web seems like a good thing when it’s going after spammers or malware but not when this power is used illegitimately. Just because it’s an Apple policy doesn’t mean people are going to accept it as being for the good of users.
Of course, everything is political to some extent, but some actions are accepted as more legitimate than others.
It's up for debate how illegitimate this is. Epic violated the App Store's guidelines in some kind of "civil disobedience" effort, but their argument seems to be "We deserve to be able to run our own payment processing and customer management and want you to be a dumb pipe to connect us to people in your platform." But there's no concern for the overall health or security of the platform itself or the people in it.
We're expected to just trust Epic to be a good steward of their customer data, and that might be fine. But as far as a guideline for the whole App Store it's unclear how that's generalizable. Part of the reason the App Store has been successful at actually creating a market where people are willing to pay money for software from no-name, independent developers is largely because Apple makes a first-pass attempt at vetting them instead of letting it be an unregulated environment. Without those guidelines then maybe Epic, Microsoft, and Google tier companies could have their own independent app stores within the platform, but everyone else would be gutted because there would just be too much uncertainty and friction before trying their stuff out.
I'd put a lot more stock in that argument if Apple allowed users to run apps downloaded from outside the app store.
It's less asking Apple themselves to be a dumb pipe, more asking them to at least give users the choice to use the internet at large for that if they so choose. Obviously Epic's doing it from pure self interest, but that doesn't necessarily make them wrong.
The choice is the exact thing at issue. From Apple's perspective Epic is saying "People should be permitted to shoot themselves in the foot." Apple is saying "Creating an environment where people often get holes blown in their feet will discourage people from using it."
Most people don't associate ecosystem effects with the things they do. It's like those parental control apps that were privacy and security nightmares for demanding way more elevated privileges than most people were expecting. Regular users aren't going to recognize the dangers they're opening themselves up to by doing this. They're just going to follow whatever instructions for installation are given to them, get burned, and just not bother doing stuff in general. Usually environments where the rule of the day is "buyer beware" what ends up doing is most potential buyers beware themselves out of wanting to bother entirely. This doesn't help users OR developers.
I'm struggling here. I do see where you're coming from, and I'm trying my hardest to consider it with an open mind, but I can't bring myself to believe that a monopoly will ever end up being a net benefit for the consumer.
Apple's a large, amoral corporation. Even if they're more or less fine today (and I'm not even touching on whether or not they are), I don't trust them so much that I'll bet on them being fine tomorrow, and the day after, and the day after that. I don't trust any company that much, which is why I want to be the one with the final say over what happens on the hardware I bought.
They don’t have a meaningful monopoly though. Their products constitute a minority of smartphone sales, not even close to 50%. There’s plenty of space for people to go elsewhere if the rules are too onerous but, tellingly, nobody spends money on apps in any of the other app stores. Apple has almost all the profit share despite everyone else having the same 30% cut.
The reason iOS is valuable is because something about the ecosystem inclines people to spend money on software in ways that they don’t elsewhere.
To put some numbers on that, in 2019, gross revenue for the Apple's app store was apparently $14.2 billion versus $7.7 billion for Google Play. (Source)
So, Apple app store users spend more money, but it seems harder to argue that spending more money is unambiguously good. Upscale stores aren't unambiguously better than cheaper stores, they just serve different markets. Higher revenue benefits Apple and app vendors, but there is an argument that spending less money might be better for consumers, particularly if they don't have a lot of money to spend.
(Also, a duopoly isn't that much better than a monopoly.)
It’s already tenuous how sustainable the economics of app stores are for most developers. People’s unwillingness to pay for software is already a big disincentive to be in that line of work. It is legitimately hard to make ends meet as an independent app developer. I’m not sure arguing it’s good for consumers to have fewer things to do is going to be a compelling case for anyone involved. Even in the case of gaming, this is a recipe for even MORE exploitative, freemium business models.
There are other reasons people might not be buying apps though. Personally, Google’s apps provide most of what I need, and I try to avoid installing other apps when websites are available. Reddit keeps pushing their app, for example, and I just keep using their website. There are a lot of apps that have little reason to exist.
I did subscribe to DarkSky for weather, but Apple bought them and shut them down.
I see no reason to think this effect would differ significantly between the Android and iOS ecosystems.
Well, I'm an outlier so judging by my experience probably isn't going to tell us much anyway. We should look at demographics instead. There are various websites about the differences between Android and iPhone users. I don't know who has the best data, but their popularity varies by income, country, rural versus urban, age, gender, number of texts sent, introvert versus extrovert, and so on.
One statistic that sticks out (source):
If you are selling to rich people, maybe it shouldn't be surprising that they spend more money?
This is nothing like a randomized controlled trial; there seem to be systemic differences in many areas.
Sure, I was just making the meta-point that you (or someone) needs to actually make the argument about what Epic is doing wrong and how that relates to the policy. I haven't used Epic or really paid attention and I don't know why they would be considered a bad actor by some. (The dispute over money only matters to Apple and Epic, not the rest of us.)
This is one of the myriad of reasons that I never use the "Sign in with Facebook, Google, etc" option. I'd rather just deal directly with a website.
I don't see how this hurts Epic at all. It's a really weird strategy to take. All it does is make every Apple user that experiences this less likely to ever use "sign in with Apple" ever again.