App allowing login with unknown credentials

I've an iOS app where I used the in-app delete account function, then logged out of the app and deleted the app from my iPhone. I was not signed into the app anywhere else.


I had used the Apple iCloud "hide my email" function to generate a random email account to sign up for the app, so I went to the iCloud settings and removed the email address associated with the app.


I then believed that all traces of the app have been removed from my iPhone and that I can re-download the app and sign up again. - Wrong.


I re-download the app, and start the sign up process and as soon as I generate another iCloud "hide my email" and click next, the app asks me if I want to reactivate my account!

Like what the heck, how does the app know that I previously had the app installed on my iPhone, let alone how would it know what my previous account was?

After I click okay and allow it to reactivate (because there is no other option to continue), I am then back inside my old account, even though I provided the new app with different login credentials as though I was setting up a new account.


This seems like a huge security failing. Were my login credentials linked to the device ID? If so, does this mean that if I sell or pass on the iPhone and someone else downloads the app, they will then get logged into my account? Can a device ID be spoofed, etc.?


The app is TikTok.


Thanks anyone who can shed light on this.


Edit: I have gone through the above steps a few times in case something had broken and was now working again; no change. I also deleted the CapCut app, as this is owned by the same developer and I thought maybe somewhere on my phone there is a file shared between them that was holding onto the credentials for one or both. Deleting CapCut had no effect either.

Posted on Jan 12, 2023 12:49 PM


Jan 15, 2023 12:29 PM in response to justinb2603

Hi Justin,


Thanks, I understand that a 3rd party company who Apple allows to place apps on the App Store might keep my data even if I've already requested in-app for my data to be deleted. Besides this, and that I'd expect Apple to have a way to police Apps not complying with terms that they laid out to Apple users, the 3rd party holding my data was not the main concern that I was trying to raise.


My main concern is that if I have logged out of the App, deleted it from my phone, and then reinstalled that same App, how can that App know that it is me trying to set up an account again?


As I already said, not only did the app know it was me again, it actually logged me in without me having credentials. It seems to have done it by Apple allowing it to collect my device ID, again something very worrying if I was to pass the device on to someone else.


I've no intention to seek clarity from TikTok, a data mining company who have no obligation to be honest to me.


I would expect that security flaws that I as an Apple customer highlight regarding Apps which have been approved by Apple for use on Apple devices would be taken seriously by Apple and investigated as such.


I think that most people are under the impression that the App Store is there to screen Apps so that Apple customers can safely download and use these apps without worrying about issues like this, where people other than legitimate account holders can access other users' accounts.
