Hacker News new | ask | show | jobs
by sudoit 2174 days ago
Not necessarily. I have an app with 1,000 users, and about 99% of them choose to obfuscate.

My app isn’t untrustworthy at all either. It’s an experimental app which attempts to let users create an iOS app on iOS. My suspicion is that people choose to obfuscate because it’s what’s selected by default.
11 comments
c3534l 2174 days ago
It's also likely that 99% of users have no reason to share their email with you. Also, your app is extremely untrustworthy. It sounds like a random app you find by searching for key words. You're not Microsoft or Google, you have no reputation or credibility. They have no relationship with you, they don't know you, they likely have never interacted with your company before this.

If I need an email to verify I'm not a bot, that's fine. But if a trusted 3rd party can verify I'm not a bot, then the only reason you would want my email is to do something unethical with it: namely, use my data in a way that I never intended gave you permission to use it.

Being default probably helps, because most people don't know they're doing with software and just accept the defaults assuming they're best practices. If the default were to share the email, you might see more people sharing email, but I would argue it's because people don't know they can and should obfuscate it.

link
undreren 2173 days ago
> If I need an email to verify I'm not a bot, that's fine. But if a trusted 3rd party can verify I'm not a bot, then the only reason you would want my email is to do something unethical with it: namely, use my data in a way that I never intended gave you permission to use it.

This was addressed in the article. If the service provider does not have your email address, they are severely hampered with regards to customer support.

link
_b8r0 2173 days ago
> If the service provider does not have your email address, they are severely hampered with regards to customer support.

No, they're not. They're just relying on email as a user verification methods as it's the easiest approach. Other methods are possible.

link
thomaslord 2173 days ago
> No, they're not.

Did you read the article? It seemed very clear to me that they had significant issues with customer support past just verification.

And what would you suggest as an alternative way to identify the user, anyway? Any alternative method of authentication seems doomed to fail - using a real name runs into issues with duplication, requiring users to set a username would likely require significant changes to the platform to support it and lots of people would forget it when they couldn't get their preferred username, and having a customer support code inside the app wouldn't help when the user loses access to their account.

It seems like there are alternatives, but none that the average user who signs in with Apple and needs to contact support will be able to get past on a consistent basis.

link
basch 2173 days ago
A simple "let me email a 6 digit alphanumeric code to your icloud email" 2fa style identification would cover anybody who is able to open their mailbox. Not perfect, but gets around some of the problem.

I actually think the customer experience of "I switched from apple to android and now I dont know any of my usernames" is a bigger issue. If apple wants Sign in with Apple to work, it needs to behave a bit more like an agnostic 3rd party password manager, work on every platform, and have ways to interact with it on any device. They should release Keychain as an Android app and Chrome extension, and allow you to use it to see your Sign in with Apple data.

link
indymike 2173 days ago
Verification is only one part of the problem. The other is communication.

If I can't contact my customers, how do I support them (e.g. report a security problem)? If my customers can't communicate which account is theirs, how do we help solve problems? Email addresses and/or phone numbers make this a lot easier.

link
zchrykng 2173 days ago
Simple, have them create a user id, and/or expose a "support id" somewhere in the system that lets you tell the support person which account record is yours.

I never want "communication" from an app developer unless I initiate it.

link
thomaslord 2173 days ago
What about when you lose access to the account and don't remember what string of numbers you had to use after your preferred username because it's not a universal identifier that only you can use? In the case of the support ID, you'd need to be able to access the account to even view it.
link
c3534l 2173 days ago
tl;dr email isn't needed, people are just used to it.

It's a fair point, and perhaps its one that the likes of Apple SignIn should solve. On the one hand, even Microsoft and Apple send me heaps of spam under the guise of "communication" and I don't want them to have my email address if I can avoid it. The OP says they have trouble with support, but they can (and it sounds like do) tell people to just check their Apple email. Most places that I contact for support require me to put in a contact email for that ticket because people use throw-aways anyway. As for security problems, well I'm glad you're one of the few companies to actually disclose security breaches. But if the information on the website is actually sensitive, then there should be additional checks to begin with. If it's CC info, you should contact the CC company, there should be 2FA, there should be more than an SSO service, which already prevents the biggest and worst security breach of leaked passwords. In short, I doubt the need to contact a customer unsolicited is so great, common, or difficult as to require that a user disclose a non-obfuscated email address, which people already commonly have throwaways for. And the reason they have throwaway accounts is because 99% of the time, when I give someone a ...@spamgourmet account or whatever, that address gets spammed, even though I told them not to put them on the mailing list (because they share the email with third parties, or just plain ignore it).

The tradeoff is a bad one. I do not have sensitive information on Reddit that is not public. A private investigator could probably deduce who I am by looking at my Reddit posts, figuring out where I live, where I went to school, what family members I have, what my job is. They don't need to contact me urgently about a security breach. You can say when I sign on and lock my account until I acknowledge it, but it's not urgent. Even a website that might need sensitive information and, for some reason, doesn't want to require I actually verify my identity for real to upload that sensitive information, that doesn't mean I'm using the website in that capacity and should give up identifying information in case I need to give up identifying information later and you need to contact me that my information has been leaked.

The perspective is worth thinking about, but I'm unmoved that it amounts to pushing the needle to "you need my real, primary email address." I believe the tiny, tiny minority of companies that actually need that and shouldn't just rejigger their system to better security and privacy practices to start with can find reasonable workarounds or resort to mild inconveniences like requiring a callback number on support.

link
indymike 2164 days ago
Call us back when you get the entire internet to stop using emails and phone numbers for communication. There really isn't a reasonable other option right now.
link
moksly 2174 days ago
This is anecdotal but if I could chose not to share my email with things I sign up for, I wouldn’t have a gmail address used solely for signing up to things. I can’t think of a single thing that I’ve ever signed up for that I actually wanted to have my email.

So sure, it’s default, but unless I’m unique some people will see the default and go “why isn’t every 3rd party login like that?”.

link
lilyball 2174 days ago
My recollection is the first time I used Sign In With Apple it forced me to choose (no default), and after that it defaulted to my last choice.

I expect 99% are obfuscating because that’s the sensible choice to make. Giving an app my real email should only be done if there’s an explicit need for this, such as being able to log in from non-Apple devices.

link
L3viathan 2173 days ago
You make a good point, and in general I agree, but it introduces additional headaches if I think about logging in from a non-Apple device later.
link
lilyball 2171 days ago
You actually can support Sign In With Apple from arbitrary platforms, using the JS API.

https://developer.apple.com/documentation/sign_in_with_apple...

This is obviously the most useful for websites, but Apple’s developer site links to this with the descriptor “for web and apps on other platforms” so clearly they’re ok with Android apps using it too.

link
vladvasiliu 2174 days ago
I agree with the sibling in that defaults are powerful.

However, I've never built anything directly used "by the public", nor am I very familiar with how Apple Sign in works.

So I'm wondering, as the developer of a trustworthy app, what's the drawback in the user giving an obfuscated address?

Is it not possible for you to contact the user using this address? Does the user have to manually allow getting mail to this address or somehow jump through some hoops to read it?

link
tigershark 2174 days ago
As explained in the article a lot of people use the iCloud mail for their apple account and they don’t check it because they use another provider main mail address. Furthermore if they contact them from their email for support they have no way to associate it with the mail registered in the system, so they can’t help them. If you ask me they seem both very valid points.
link
aflag 2173 days ago
Can't they just ask the user to open the app and send them some identifying number they can find in the ui?
link
thomaslord 2173 days ago
Not if they have no ability to reply to the user in the first place. The user may also be contacting support because they lost access to their account and not be able to access the identifying number.
link
aflag 2173 days ago
If the user emails them they can certainly reply. It's just a matter of showing their email somewhere. The ID can be shown before the user logs in. That would not be less secure then relying on the email to reset the password. If someone is able to access the user's unlocked phone, they probably can access their email account too.
link
vladvasiliu 2174 days ago
> if they contact them from their email for support they have no way to associate it with the mail registered in the system, so they can’t help them.

Thanks for the clarification, I didn't think of this scenario.

This looks like a pretty big problem, as I can imagine a situation where the user doesn't have access at all to the app and may not have kept the initial email with any identifying info.

Isn't there an easy way for the user to know which obfuscated address was used for which app?

link
morberg 2174 days ago
Do you have a number for “a lot of people”? I am very skeptical of this data point.

This email address is used for a lot of communication with Apple, e.g. receipts from App Store.

link
sam_goody 2173 days ago
Receipts from the app store go to my gmail account.

I bought my iMac on the Apple store, and the receipt was also sent to my personal account.

link
tguedes 2173 days ago
Why do you need my email address? I wouldn't give it to you just so you can have bad database security and then have my email dumped somewhere.
link
msh 2174 days ago
Why is it a problem for you?
link
sudoit 2160 days ago
Isn’t a problem. I chose to use Apple sign in because I didn’t need email other than for having a way to later setup billable accounts. I plan to introduce a subscription option in a month or 2 and thought there’d be less friction if people already signed up.
link
sudoit 2149 days ago
update: I've now removed the login entirely until it's absolutely needed. This change will go live in the next few weeks
link
meristem 2174 days ago
Most likely. Never underestimate the power of defaults
link
coldtea 2173 days ago
>My app isn’t untrustworthy at all either.

That's up to the user to decide. For me trustworthy = something like Basecamp, Amazon, etc, not some random small app.

link
zeepzeep 2173 days ago
> That's up to the user to decide.

> trustworthy = [...] Amazon

Good point, because your example includes one of the few companies I don't trust at all.

link
basch 2173 days ago
different types of trust.

Trust not to misuse.

Trust not to leak in a breach.

Realistically, my email address is something I trust Amazon with both of, because email isnt how they spam me, they are smart enough they can identify me without my email address, and I expect their security to be more hardened and battle tested.

link
chrischen 2173 days ago
Yes i obfuscate by default but as a user it’s also not immediately apparent to me that this would cause unintended side-effects. It’s really up to both the app developer and Apple to enable good user experience by designing around human behavior, rather than trusting the user can always make those decisions.
link
mrbrianhinton 2172 days ago
I choose to obfuscate because I don't want every app I download to have my email address.
link
mlang23 2173 days ago
"My app isn’t untrustworthy at all either. It’s an experimental ..."

There is a big contradiction in there...

Everything experimental is by definition untrustworthy.

link