Apple Wants Emails Hashed

aeric · May 22, 2023

If the email is hashed during user registration then how I can read it and store it into my database? The system needs the email matched when users want to reset or change their password.

JohnC · May 22, 2023

When the user provides their email address to your app, you just store the hash value of it for privacy reasons in a database.

Then when the user wants to reset/change their password, your app will ask for their email. If the hash of their email matches the hash in your database, then that means that is the correct email address for that account and it is then OK to send a password reset email to the just-provided email address (and without storing it in a database).

aeric · May 22, 2023

When someone says ‘including but not limited to’ they are saying that a situation may include certain things but these are not the only things included. For example, you might say something like ‘the alphabet includes but is not limited to the letters A, B, and C.’
meaning

So it means my app can transfer plain text email (too) to my server? I hate legal terms.

aeric · May 22, 2023

JohnC said:
When the user provides their email address to your app, you just store the hash value of it for privacy reasons in a database.

Then when the user wants to reset/change their password, your app will ask for their email. If the hash of their email matches the hash in your database, then that means that is the correct email address for that account and it is then OK to send a password reset email to the just-provided email address (and without storing it in a database).

Meaning our database will never contain any email addresses including inside our Logs table.

JohnC · May 22, 2023

"Including, but not limited to [thing]..." means it has to have at least that "thing", but it can also have more.

Also, it's not clear from that screen shot if Apple is requiring all email addresses to be hashed or not.

aeric · May 22, 2023

My question is during user registration, I need to generate a random salt from my app and send the salt together? How can I compare this salted-hashed email with my server hashed emails which was hashed with different salt, to see the user already registered with the same email?

aeric · May 22, 2023

JohnC said:
Also, it's not clear from that screen shot if Apple is requiring all email addresses to be hashed or not.

You can read here: https://developer.apple.com/app-store/app-privacy-details/

What do you mean by all email addresses? My concern is one user would send only one email address.

I used to only get the user id and password to register a user in my app. But without an email address, user cannot reset their password if they have forgotten. When I start collecting email addresses, there comes the privacy issue.

JohnC · May 22, 2023

aeric said:
What do you mean by all email addresses? My concern is one user would send only one email address.

When I said "all emails", I meant one email from "all" your customers.

aeric · May 22, 2023

JohnC said:
When I said "all emails", I meant one email from "all" your customers.

I think yes. All users email should be hashed. No reason for selective users.
However, I have stated in privacy policy that I am not sharing the data to third party for marketing or whatever purpose. So I think it should be fine not to hash the emails.

Daestrum · May 22, 2023

Maybe Apple are thinking data breach, which is why they want emails hashed.

Apple Wants Emails Hashed

aeric

Expert

JohnC

Expert

aeric

Expert

aeric

Expert

JohnC

Expert

aeric

Expert

aeric

Expert

JohnC

Expert

aeric

Expert

Daestrum

Expert

Apple Wants Emails Hashed

Expert

Expert

Expert

Expert

Expert

Expert

Expert

Expert

Expert

Expert

Privacy & Transparency

Privacy & Transparency