If you read my earlier piece on Google account permissions and went away to check your list, well done. But Google isn’t the only door you may have left open.
Most people who’ve been online for more than a few years have also clicked “Sign in with Facebook” on things they’ve long since stopped using. And more recently, if you’re in the Apple ecosystem, you’ve probably used “Sign in with Apple” too — possibly without fully understanding how it works, or where to find the list of everything you’ve connected.
They’re worth looking at together, because they represent opposite ends of a spectrum. One of them is genuinely well-designed with your privacy in mind. The other is not. Can you guess which?
Sign in with Facebook — the long tail of a decision you made in 2014
Facebook’s OAuth implementation works the same way Google’s does. You authorise a third-party app to access your Facebook account, it receives a token, and that token stays live until you revoke it.
In practice, that token acts like a standing permission slip: the app can continue interacting with your account without asking you to log in again each time.
The difference is timing and context. “Sign in with Facebook” was enormously popular between roughly 2010 and 2018 — a period when Facebook had close to universal adoption and the social login trend was at its peak. Games, news sites, shopping apps, comment platforms, quiz tools, dating apps, productivity software — enormous numbers of them used Facebook login as their primary authentication method.
Many of those apps no longer exist. Many have been acquired, pivoted, or quietly shut down. But the connections often remain.
I still use Facebook actively, which means I’ve accumulated connections across a decade of that era. When I last checked, I found two active app connections that were more than ten years old. One was Bixby Home — a Samsung app that no longer exists in its original form, discontinued years ago. The other was Quora.
Bixby Home is the more unsettling of the two. It’s not just that I’d forgotten about it — it’s that the app it was connected to has effectively ceased to be. Nobody is maintaining that integration. Nobody is monitoring it. That doesn’t automatically mean the connection is dangerous — the backend may no longer function at all — but it does mean there’s an orphaned authentication relationship you probably never intended to keep indefinitely.
Quora is different in a specific way: it was breached in 2018, with around 100 million user records exposed. If you used Quora via Facebook login at that point, the account associated with that connection was part of a major breach event. Whether or not OAuth tokens themselves were exposed, a decade-old connection tied to a breached platform is exactly the kind of thing worth reviewing.
The access Facebook grants can be significant. Depending on what you authorised at the time — and the permission screens in that era were often deliberately vague — apps may have access to your public profile, your friend list, your email address, your birthday, and in some older cases, far more than that. Facebook has tightened its API permissions since the Cambridge Analytica scandal in 2018, but apps authorised before those changes may still hold broader access under the original terms.
How to audit your Facebook app connections:
Go to facebook.com/settings/applications — or on mobile, Settings & Privacy → Settings → Apps and Websites.
You’ll see three tabs: Active, Expired, and Removed. Active is what matters. Work through it with the same questions as the Google audit: do I still use this, do I recognise it, does it still exist, do I understand what access it has?
For anything you don’t recognise or no longer use, hit Remove. Unlike Google, Facebook also lets you see specifically what data each app has access to before you remove it — worth a look for anything that surprises you.
One category worth prioritising: anything with access to your friends list. An app that can read your social graph has more than your data — it has metadata about people who never agreed to share anything with it.
Expired apps — those Facebook has automatically expired due to inactivity — are worth reviewing too. They no longer have active access, but the data they collected during the active period doesn’t disappear.
One other important nuance: revoking login access doesn’t necessarily delete the account the service created for you. In many cases, it simply cuts the authentication link while the underlying account — and whatever data it already collected — continues to exist.
Sign in with Apple — the better-designed version
Apple introduced Sign in with Apple in 2019, and the design reflects a genuine attempt to solve some of the problems that Google and Facebook OAuth created.
The core mechanism is the same — Apple authenticates you and issues a token to the third-party app. But Apple made two decisions that meaningfully change the privacy picture.
First: Hide My Email. When you sign in to an app with Apple, you’re given the option to hide your real email address. Apple generates a unique, randomly-assigned relay address for that app — something like x7k2m9@privaterelay.appleid.com — which forwards to your real inbox.
The app gets a working email address. Your real address is never shared.
Each app gets a different relay address, so there’s no easy way to correlate your activity across services, and if any one of those relay addresses starts receiving spam or is exposed in a breach, you can disable it without affecting anything else.
This is genuinely thoughtful design. It solves a real problem — the harvesting of real email addresses through OAuth connections — and it does so almost invisibly from the user’s perspective.
Second: limited scope. Sign in with Apple only shares your name and email address (or relay address) by default. There’s no mechanism for apps to request access to your contacts, calendar, photos, or other Apple data through this flow. The token confirms your identity and little else.
This makes “Sign in with Apple” structurally safer than the alternatives for pure authentication. If you have the choice between signing in with Apple, Google, or Facebook, Apple’s implementation is generally the strongest option on privacy grounds.
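To make the "limited scope" and Hide My Email points concrete, here is an added example (not code from Apple or from this article) that decodes the claims in a Sign in with Apple identity token, as the receiving app would see them, and reports whether the email is a relay address. The token is constructed for illustration with placeholder identifiers and no real signature; the function names, `com.example.app` and the sample values are assumptions, and a real app must also verify the token's signature against Apple's published keys, which this sketch does not do.

```python
import base64
import json
import time

APPLE_ISSUER = "https://appleid.apple.com"
RELAY_DOMAIN = "privaterelay.appleid.com"

def b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def flag(value):
    # These flags can arrive as JSON booleans or as the strings "true"/"false".
    return value is True or (isinstance(value, str) and value.lower() == "true")

def inspect_identity_token(token, expected_aud, now=None):
    """Decode claims and run non-cryptographic checks only (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    claims = json.loads(b64url_decode(parts[1]))
    now = time.time() if now is None else now
    checks = [("unexpected issuer", claims.get("iss") != APPLE_ISSUER),
              ("audience mismatch", claims.get("aud") != expected_aud),
              ("expired", claims.get("exp", 0) <= now)]
    email = claims.get("email", "")
    return {
        "user_id": claims.get("sub"),          # stable per-app identifier
        "email": email,
        "relay_address": flag(claims.get("is_private_email"))
                         or email.endswith("@" + RELAY_DOMAIN),
        "email_verified": flag(claims.get("email_verified")),
        "claim_names": sorted(claims),          # everything the token carries
        "problems": [name for name, failed in checks if failed],
    }

# Constructed sample: placeholder identifiers, fake signature segment.
SAMPLE_CLAIMS = {
    "iss": APPLE_ISSUER, "aud": "com.example.app",
    "sub": "000000.constructed.0000", "iat": 1700000000, "exp": 1700000600,
    "email": "x7k2m9@privaterelay.appleid.com",
    "email_verified": "true", "is_private_email": "true",
}
SAMPLE_TOKEN = ".".join(b64url_encode(p) for p in (
    json.dumps({"alg": "RS256", "kid": "CONSTRUCTED"}).encode(),
    json.dumps(SAMPLE_CLAIMS).encode(), b"not-a-real-signature"))
```

The `claim_names` list is the whole of what the token tells the app: an issuer, an audience, timestamps, a per-app user identifier and an email address, with nothing about contacts, calendar or photos.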
The catch: the same accumulation problem still applies. You may have used Sign in with Apple on apps you’ve since abandoned. Those connections remain active. And if your Apple ID itself is compromised — which is why a strong password and two-factor authentication on your Apple ID are non-negotiable — everything connected through it is potentially exposed.
How to audit your Sign in with Apple connections
On iPhone or iPad: Settings → [your name] → Password & Security → Apps Using Apple ID
On Mac: System Settings → [your name] → Password & Security → Apps Using Apple ID
On the web: appleid.apple.com → Sign-In and Security → Apps & Websites Using Apple ID
You’ll see every app you’ve connected, when you last used it, and whether you chose to hide your email. For each one, you can stop using Apple ID with that app — which revokes the connection and, if you used Hide My Email, disables the relay address for that app.
One nuance: stopping Sign in with Apple doesn’t delete your account with the app. It just disconnects the Apple authentication. If you want the account gone, you’ll need to do that separately through the app’s own account deletion process — increasingly required by App Store rules, so most apps now support it.
The three of them together
Sitting here with Google, Facebook, and Apple all audited, the picture that emerges is roughly this:
Facebook is the highest-risk legacy exposure for most people — older, broader permissions, apps from an era of looser data practices, and a platform that has historically prioritised data sharing over data protection. If you haven’t audited this in the last twelve months, do it today.
Google is the highest-risk active exposure — because Gmail read access is so powerful and because Google accounts sit at the centre of so much of what most people do online. The audit here has the most immediate practical consequence.
Apple is the cleanest of the three by design, but still worth reviewing for accumulated connections. The Hide My Email feature is worth actively using going forward — it’s one of the few cases where the privacy-conscious option is also the frictionless one.
The common thread across all three is time. None of these connections were bad decisions in isolation. They just accumulated quietly while you were doing other things. The list at each of those settings pages is the residue of a decade of convenience.
It takes about twenty minutes to go through all three. It’s probably the most useful twenty minutes you’ll spend on your personal security this year.
The harder part isn’t finding these connections. It’s building habits that stop the list quietly growing again.
Quick reference
Facebook
facebook.com/settings/applications
Focus on Active apps. Remove anything unrecognised, unused, or with friend-list access.
Apple ID
Settings → [your name] → Password & Security → Apps Using Apple ID
Or:
appleid.apple.com → Apps & Websites Using Apple ID
Stop any connections to apps you no longer use. Note which ones used Hide My Email.
Google (covered in the previous piece)
myaccount.google.com/permissions
Priority: anything with Gmail or Drive access you can’t actively account for.
Do all three.