Sign in with Apple and more: How iOS 14 warns of data leaks

Apple has been dedicated to password security on its mobile systems for some time. With iOS 11, Apple introduced its own password manager in iOS and integrated it into the QuickType keyboard. Since then, it has been helping users enter user names and passwords on websites and in apps.

For this purpose, the iOS keyboard tries to recognize whether the user is being asked for a user name or password and offers the matching entry as a QuickType suggestion. If no password is available but such a field is identified, the user can access all user names and passwords in the password manager and select the appropriate combination.

Since iOS 12, third-party apps such as 1Password can also be registered as a password safe; these can then be selected from the corresponding dialogs. Websites and apps enter into a relationship of trust so that passwords are automatically suggested as a fill-in aid. This is achieved by linking the app and the website. For this purpose, the developer stores the respective domain in the project settings in Xcode (Associated Domains). The website stored here also needs a special JSON file (“apple-app-site-association”) which in

must be deposited. This JSON file then also contains a reference to the released app, namely:

This “apple-app-site-association” file corresponds to the JSON file known since iOS 8 for the exchange of passwords between apps and websites (via Safari). With iOS 13, all associated domain configurations can also be set via MDM:

Website trust for the app – storing a JSON file (“apple-app-site-association”, website must comply with ATS (App Transport Security))
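The two-sided link between app and website described above can be checked offline. The following Python example is an addition, not code from the original article or from Apple; it assumes Apple's documented `webcredentials` layout for the association file and the `webcredentials:<domain>` form of the Associated Domains entitlement. The Team ID, bundle ID, domain and function name are constructed for illustration.

```python
import json
import re

# Apple app identifiers have the form "<TeamID>.<bundle id>"; the Team ID is
# 10 upper-case alphanumeric characters.
APP_ID_RE = re.compile(r"^[A-Z0-9]{10}\.[A-Za-z0-9.-]+$")

# Constructed sample data (not taken from the article).
SAMPLE_AASA = '{"webcredentials": {"apps": ["ABCDE12345.com.example.shop"]}}'
SAMPLE_ENTITLEMENT = ["webcredentials:shop.example.com", "applinks:shop.example.com"]


def check_credential_link(aasa_text, served_domain, app_id, entitlement_domains):
    """Return the problems that would keep password AutoFill from trusting
    this app/website pair. An empty list means both sides name each other."""
    try:
        doc = json.loads(aasa_text)
    except json.JSONDecodeError as exc:
        return [f"association file is not valid JSON: {exc.msg}"]
    section = doc.get("webcredentials") if isinstance(doc, dict) else None
    apps = section.get("apps") if isinstance(section, dict) else None
    if not isinstance(apps, list):
        return ["association file has no webcredentials.apps list"]

    problems = []
    # Website side: every entry must be well formed and one must be this app.
    for entry in apps:
        if not (isinstance(entry, str) and APP_ID_RE.match(entry)):
            problems.append(f"malformed app identifier: {entry!r}")
    if app_id not in apps:
        problems.append(f"website does not list app {app_id}")

    # App side: the entitlement must name the domain that serves the file.
    # Assumption: exact host match only; wildcard entries are not expanded.
    wanted = f"webcredentials:{served_domain.lower()}"
    if wanted not in (d.lower() for d in entitlement_domains):
        problems.append(f"app entitlement lacks {wanted}")
    return problems


if __name__ == "__main__":
    for issue in check_credential_link(
        SAMPLE_AASA, "login.example.com",
        "ABCDE12345.com.example.shop", SAMPLE_ENTITLEMENT,
    ):
        print("FAIL:", issue)
```

A mismatch on either side means credentials saved for the website are not offered inside the app, so this check is useful before shipping a build or changing the domain that hosts the file.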

However, because some users no longer use the suggested secure passwords, Apple is extending the password manager with iOS 14: users are now automatically informed if a password they chose themselves has been compromised over time, i.e. it fell into the wrong hands through a data leak and the account has become unsafe. The system also notifies users of weak passwords such as 1234.

According to Apple, if a password became publicly visible in such a data leak, all accounts that use that password are at risk. The data leak does not automatically mean that the user’s own account appeared in it. According to statements in Apple's WWDC session, it is enough that the password itself could be included in the password databases of the “bad guys”. If this is the case, the user is informed by a push message and a password manager dialog. However, the message is a bit cryptic; a little more transparency would be desirable here so that the user does not immediately panic.