Flaws in Apple sign-in, Upgrading to Android 10, and Core Web Vitals

June 5, 2020 by Lighthouse IT Solutions, Matthew Almendinger

The Lighthouse IT Podcast - June 5th, 2020

Matt and Griffin are back as they discuss how Sign in with Apple was much easier to abuse than anyone thought, why there may finally be a good reason to upgrade to the dreaded Android 10, and what changes Google has been making to the world of SEO.

Listen here!

Security News

Apple Security News

We've all logged in to a website or app by supplying our Facebook or Google credentials. Just like those providers, Sign in with Apple lets site visitors use their Apple ID to sign in to other websites and apps.

A security researcher from Delhi, India discovered an account takeover flaw in Apple's Sign in with Apple system. These systems work by having you authenticate to the identity provider (Apple, Google, Facebook), which then issues a signed "token" that the third-party website accepts as proof of who you are, without ever seeing your password.

The researcher found that Apple's authorization endpoint would issue a token for any email address supplied in the request, and that the initial login request openly contained the user's Apple ID email. By passing a victim's email address to that publicly accessible endpoint he could retrieve a token for that account, signed with Apple's own key, so any site relying on Sign in with Apple would accept it as genuine. No password was required, and the relying site had no way to tell the difference, because the signature really was Apple's.

Luckily, because the flaw was reported responsibly through Apple's bug bounty program, Apple was able to patch it quickly, and it states that its investigation found no misuse or compromise. That is good news for services such as Adobe, Airbnb, Dropbox, eBay, Grindr, Medium, Strava, TikTok, and even WordPress that offer this login method.


Android 10 Operating System

Even with all the negative reviews of the Android 10 OS, maybe there is a good reason to upgrade after all...

Late last year, a cybersecurity research team discovered a security vulnerability that attackers were already using to steal users' banking and login credentials and to spy on user activity.

The flaw, called Strandhogg, lived in Android's multitasking feature and could hijack a task to display a fake interface, leaving users to believe that they were authorizing a legitimate app or logging into a well-known service.

Well, it is back with a much cooler logo and even more dangerous capability. Version 2 of Strandhogg no longer relies on the multitasking quirk. It uses reflection to let a malicious app assume the identity of any legitimate app on the device, and it does so without gaining any elevated privileges: it needs no root and no special permissions. While Strandhogg 1 had to be configured in advance to target specific apps one at a time, Strandhogg 2 can dynamically take over any app on the device, including several at once, without pre-configuration.

It's scary because the attack:

  • Is nearly impossible for targeted users to spot
  • Hijacks a legitimate application's interface without any per-app configuration
  • Can fraudulently request any device permission from the user
  • Does not need any special permissions to run
  • Does not require root access
  • Affects every Android version except Android 10

Luckily, Google released a patch (CVE-2020-0096) to device manufacturers in April, but the fix also exposes how corporate the distribution process is:

1. Google develops a patch and releases it to manufacturers.

2. Manufacturers incorporate and test it.

3. Carriers give final approval.

That means it could be months before this patch reaches your phone. In the meantime, keep an eye out for odd behavior.

What to be cautious of:

  • An app you have already logged into asks you to log in again
  • Permission requests that don't show the correct application name
  • Permission requests that don't match what the application does
  • Buttons or links that appear broken or do nothing
  • The back button not behaving as expected


Marketing/Sales News

Core Web Vitals update

User experience is now a significant part of how Google ranks websites. In early May, the Chrome team introduced Core Web Vitals, a set of metrics that help site owners measure user experience. This week Google went further and announced that Core Web Vitals will be incorporated into its existing page experience ranking signals. In other words, page loading, interactivity, and visual stability will all become part of how your site is ranked.

You might be saying, "that sounds a lot like what they were doing before, since mobile-friendliness, page performance and security all sound similar."

Let's review them! Core Web Vitals are a set of real-world, user-centered metrics that quantify key aspects of the user experience. They measure usability such as load time, interactivity, and the stability of content as it loads (so you don't accidentally tap a button when it shifts under your finger).

Three New SEO Metrics:

  • Largest Contentful Paint measures perceived load speed and marks the point in the page load timeline when the page's main content has likely loaded.
  • First Input Delay measures responsiveness and quantifies the experience users feel when trying to first interact with the page.
  • Cumulative Layout Shift measures visual stability and quantifies the amount of unexpected layout shift of visible page content.
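To make the three definitions concrete, here is an added example (not code from this page or from Google) that derives each metric from the browser's PerformanceEntry records the way Chrome exposes them, and rates the result against the good / needs improvement / poor thresholds Google published with the metrics in May 2020. The sample entries are constructed; the PerformanceObserver wiring only activates in a browser.

```javascript
// Added example (not code from the page or from Google): compute and rate the
// three Core Web Vitals from PerformanceEntry records. Sample data is constructed.

// Thresholds published with the metrics in May 2020.
const THRESHOLDS = {
  LCP: { good: 2500, poor: 4000 }, // milliseconds
  FID: { good: 100, poor: 300 },   // milliseconds
  CLS: { good: 0.1, poor: 0.25 },  // unitless score
};

function rate(metric, value) {
  if (value === null) return 'not measured';
  const t = THRESHOLDS[metric];
  if (value <= t.good) return 'good';
  if (value <= t.poor) return 'needs improvement';
  return 'poor';
}

// LCP: the browser emits a new 'largest-contentful-paint' entry each time a
// larger element paints, so the last candidate reported is the metric.
function computeLCP(entries) {
  let lcp = null;
  for (const e of entries) if (e.entryType === 'largest-contentful-paint') lcp = e.startTime;
  return lcp;
}

// FID: time from the first discrete interaction until the browser could begin
// processing it (the main thread was busy in between).
function computeFID(entries) {
  const first = entries.find(e => e.entryType === 'first-input');
  return first ? first.processingStart - first.startTime : null;
}

// CLS: sum of layout-shift scores not caused by user input. This is the May 2020
// definition; Google later changed CLS to the largest "session window" of shifts.
function computeCLS(entries) {
  return entries
    .filter(e => e.entryType === 'layout-shift' && !e.hadRecentInput)
    .reduce((sum, e) => sum + e.value, 0);
}

function summarize(entries) {
  const lcp = computeLCP(entries), fid = computeFID(entries), cls = computeCLS(entries);
  return {
    LCP: { value: lcp, rating: rate('LCP', lcp) },
    FID: { value: fid, rating: rate('FID', fid) },
    CLS: { value: cls, rating: rate('CLS', cls) },
  };
}

// Constructed sample of what a PerformanceObserver might deliver for one page view.
const SAMPLE_ENTRIES = [
  { entryType: 'largest-contentful-paint', startTime: 1200, size: 40000 },
  { entryType: 'largest-contentful-paint', startTime: 2900, size: 120000 }, // hero image, final LCP
  { entryType: 'layout-shift', value: 0.08, hadRecentInput: false },
  { entryType: 'first-input', startTime: 3100, processingStart: 3145 },     // 45 ms FID
  { entryType: 'layout-shift', value: 0.2, hadRecentInput: true },          // user-initiated, excluded
  { entryType: 'layout-shift', value: 0.05, hadRecentInput: false },
];

// Browser wiring: observe the three entry types (buffered, so entries emitted
// before this script ran are included) and report on every update. Returns
// false outside a browser, where these entry types do not exist.
function observeWebVitals(report) {
  if (typeof window === 'undefined' || typeof PerformanceObserver === 'undefined') return false;
  const collected = [];
  for (const type of ['largest-contentful-paint', 'first-input', 'layout-shift']) {
    new PerformanceObserver(list => {
      collected.push(...list.getEntries());
      report(summarize(collected));
    }).observe({ type, buffered: true });
  }
  return true;
}

if (typeof window === 'undefined') {
  console.log(JSON.stringify(summarize(SAMPLE_ENTRIES), null, 2));
} else {
  observeWebVitals(s => console.log(s));
}
```

Under `node` this prints the rating of the constructed sample (LCP 2900 ms and CLS 0.13 both "needs improvement", FID 45 ms "good"); pasted into a page it reports live values. Lab tools such as Lighthouse estimate LCP and CLS the same way but cannot measure FID, which requires a real user interaction.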

Google stated that, "We are combining the signals derived from Core Web Vitals with our existing Search signals for page experience to provide a holistic picture of page experience." For anyone unsure, the existing signals are mobile-friendliness, safe browsing, HTTPS, and the intrusive interstitial guidelines. Chrome's tools such as Lighthouse and PageSpeed Insights now surface Core Web Vitals measurements and recommendations, and Google Search Console provides a dedicated Core Web Vitals report.

The news that came out this week means that these metrics will officially become part of how your site is ranked. Google said the ranking change would not roll out before 2021 and that it would give at least six months' notice, so now is the time to reevaluate your site against these new rules rather than later. Great page experiences enable people to get more done and engage more deeply; in contrast, a bad page experience can stand in the way of a person finding the information they want on a page.