Friday, September 24, 2021

iOS Safari Extension: Achoo

Christian Selig:

Quickly view the HTML for a given page in Safari on iOS/iPadOS 15. Customizable, beautiful, easy to use, and you can tweak the page too!

It’s $0.99.

iOS Safari Extension: Amplosion

Christian Selig:

Amplosion automatically redirects from AMP links to normal websites.

[…]

  • A great deal of the time the website loads weirdly or incompletely, potentially missing parts or acting differently than you’re used to
  • AMP links add another opportunity for AMP providers to track you
  • The URLs often become really gross for sharing with friends, with a bunch of weird extra stuff shoved into them, or sometimes not even from the correct website

Parker Ortolani:

The app also lets you keep track of how many times you’ve visited an AMP link and how many times you’ve used Amplosion to avoid one. Amplosion is priced at just $1.99 and if you hate AMP as much as I do it’s well worth it.

iOS Safari Extension: StopTheMadness

Jeff Johnson:

People have been requesting StopTheMadness on iOS for literally 3 years!

I never thought it would be possible, but I was pleasantly surprised, to put it mildly, by the announcement of Safari extensions on iOS at WWDC.

I’m thrilled to finally be able to release it!

Jeff Johnson:

StopTheMadness is a web browser extension that stops web sites from making your browser harder to use. And it protects your privacy on the web! StopTheMadness works in Safari on iOS and iPadOS, and in all major web browsers on macOS, including Safari, Firefox, Google Chrome, and any other Chromium-based web browser, such as Microsoft Edge, Brave, and Vivaldi. StopTheMadness is sold separately on the iOS App Store and Mac App Store.

Jeff Johnson:

[U]nfortunately App Store is very inflexible when it comes to cross-platform purchasing. It’s only possible in certain limited circumstances that don’t fit my apps.

The iOS version is $7.99, and the Mac version is $9.99.

Jeff Johnson (tweet):

I won’t screenshot the App Store page here, because I’d like people to judge the experience for themselves. There are a few featured extensions at the top, and below that there’s a list of “Must-Have Safari Extensions”. When I select “See All”, there’s a list of 22 extensions, written by 20 developers (2 developers have 2 extensions in the list). The featured extensions at the top of the previous Safari Extensions page are all included in this list too. Here’s my question: Where are the rest of the Safari extensions for iOS? An iOS user might understandably get the impression that these are the only Safari extensions available for iOS, because they’re the only Safari extensions shown by the App Store.

[…]

I’m complaining that there’s no comprehensive list of Safari extensions in the App Store. If an app isn’t featured, then it effectively doesn’t exist. […] Apple claims that the App Store gives developers access to over a billion customers, but what kind of “access” is it when the only way that customers find your app is if they follow a direct URL link to your app or search for your app by name (and hopefully see it below the irrelevant ads)?

iOS Safari Extension: 1Password

Sami Fathi:

With iOS and iPadOS 15, Apple allows Safari extensions developers to release their previously exclusive Safari for Mac extensions to the iPhone and iPad, allowing users to use extensions on all of their devices. 1Password was one of the first to tease support earlier in June, and with its latest App Store update today, it’s bringing it to all users.

With its Safari extension on iPhone and iPad, 1Password users now have immediate access to all their passwords and 1Password entries right inside of Safari, including in-page suggestions. 1Password for Safari uses on-device machine learning to automatically fill in the login process of complicated websites and even automatically fills in two-factor authentication codes.

Too bad it doesn’t work with standalone vaults.

iOS Safari Extension: Vidimote

Felix Schwarz:

This iOS 15 Safari Extension can:

🏃‍♂️ change the speed of videos in Safari

⏯ control playback, jump ±10s

🍿 enter picture-in-picture & fullscreen

🎯 pick an AirPlay target

It’s $4.99.

European Union USB-C Mandate

Tom Warren (tweet, Hacker News):

The European Commission, the executive arm of the European Union, has announced plans to force smartphone and other electronics manufacturers to fit a common USB-C charging port on their devices. The proposal is likely to have the biggest impact on Apple, which continues to use its proprietary Lightning connector rather than the USB-C connector adopted by most of its competitors. The rules are intended to cut down on electronic waste by allowing people to re-use existing chargers and cables when they buy new electronics.

In addition to phones, the rules will apply to other devices like tablets, headphones, portable speakers, videogame consoles, and cameras.

[…]

Efforts to get smartphone manufacturers to use the same charging standard in the EU date back to at least 2009, when Apple, Samsung, Huawei, and Nokia signed a voluntary agreement to use a common standard. In the following years, the industry gradually adopted Micro USB and, more recently, USB-C as a common charging port. However, despite reducing the amount of charging standards from over 30 down to just three (Micro USB, USB-C, and Lightning), regulators have said this voluntary approach has fallen short of its objectives.

Apple was a notable outlier in that it never included a Micro USB port on its phones directly. Instead, it offered a Micro USB to 30-pin adapter.

I think Apple is right that mandating a connector will stifle innovation. And I think that, in isolation, Lightning is a better connector than USB-C. However, it’s annoying that I have to carry multiple cables and adapters because, even with exclusively up-to-date Apple gear, my iPhone and AirPods don’t use the same connector as my MacBook Pro and iPad.

Hartley Charlton:

The directive now needs to be greenlit by the EU Parliament and national governments, who may suggest amendments, before it can come into law. The European Commission hopes that this will occur in 2022. From that point, companies will have two years to transition to USB-C on their devices.

Steve Troughton-Smith:

As somebody with an iPhone, iPad, and Kindle on his bedside table, all with different, incompatible, ports, I’m 1,000% behind standardizing on USB-C for everything. Apple had the chance to push the Lightning connector as standard for USB-C; maybe they’ll reconsider that next time

See also: Dithering.

iOS Vulnerabilities Either Unfixed or Uncredited

illusionofchaos (via Kosta Eleftheriou):

I want to share my frustrating experience participating in Apple Security Bounty program. I’ve reported four 0-day vulnerabilities this year between March 10 and May 4, as of now three of them are still present in the latest iOS version (15.0) and one was fixed in 14.7, but Apple decided to cover it up and not list it on the security content page. When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update. There were three releases since then and they broke their promise each time.

Ten days ago I asked for an explanation and warned then that I would make my research public if I don’t receive an explanation. My request was ignored so I’m doing what I said I would. My actions are in accordance with responsible disclosure guidelines (Google Project Zero discloses vulnerabilities in 90 days after reporting them to vendor, ZDI - in 120). I have waited much longer, up to half a year in one case.

[…]

Here are links to GitHub repositories that contain PoC source code that I’ve sent to Apple. Each repository contains an app that gathers sensitive information and presents it in the UI.

Khaos Tian:

This is kinda bad given Core Duet tracks a lot of user activities on device. Maybe Apple’s security team really believe that App Review will capture this 🙃

Felix Krause:

Three 0-day iOS vulnerabilities for unauthorized access to medical data, iMessage, third party messengers, device usage, ...

Upgrading Your iOS Device

Jason Snell:

The problem is that most people don’t buy a new iPhone every year. The primary upgraders to the iPhone 13 will be coming from the iPhone 7, or 8, or X, or XS, or XR. For them, several years of Apple innovations will be rolled into a single purchase. But reviews of the new iPhones will not address what happened in 2018, or 2019, or 2020.

Here’s an attempt to provide a little more of a big-picture overview for owners of older iPhones who are wondering what’s new in the iPhone 13.

[…]

Face ID replaces Touch ID, so if you’re frequently masked and don’t have an Apple Watch, you’ll need to enter your passcode more often.

John Gruber:

Device-to-device is better because it moves over all your login credentials. When you restore from an iCloud backup, you wind up logged out of a lot of apps on the new device. When you restore device-to-device, almost everything moves over. I know there are exceptions, but I don’t think I bounced into a single app that didn’t keep me fully logged in this week. If you tried device-to-device a few years ago and found it lacking, try it again now — Apple has improved this process every year since it debuted. Worst case scenario, you can always start over and use iCloud backup.

Some Web Sites Will Stop Working With El Capitan and Older

Scott Helme (Hacker News):

On 30th September 2021, the root certificate that Let’s Encrypt are currently using, the IdentTrust DST Root CA X3 certificate, will expire. You may or may not need to do anything about this Root CA expiring, but I’m betting a few things will probably break on that day so here’s what you need to know!

[…]

In normal circumstances this event, a root CA expiring, wouldn’t even be worth talking about because the transition from an old root certificate to a new root certificate is completely transparent. The reason we’re having a problem at all is because clients don’t get updated regularly and if the client doesn’t get updated, then the new root CA that replaces the old, expiring root CA is not downloaded onto the device.

[…]

In the last year alone, Let’s Encrypt have grown their market share quite a lot and as a CA becomes larger, its certificates enable more of the Web to operate and as a result, when something like this comes along they have the potential to cause more problems. This is nothing to do with what Let’s Encrypt have done, or have not done, this still comes down to the same underlying problem that devices out in the ecosystem aren’t being updated as they should be.

[…]

Because old Android devices don’t check the expiration date of a root certificate when they use it, Let’s Encrypt may be able to continue to chain down to the expired root certificate without any problem on those older devices.

Howard Oakley:

If you’re still running El Capitan, or any version of Mac OS X prior to 10.12.1, then you’re about to run into problems with some popular security certificates.

macOS 10.11 was only superseded five years ago, and some older hardware can’t run 10.12. On the iOS side, an iPhone 4S can’t update to iOS 10. I get that Apple doesn’t want to provide security bug fixes that far back, but how hard would it be to have a mechanism for updating the root certificates? (Then again, even the Mac App Store no longer works properly on macOS 10.13 due to a bad CSS URL.)

Let’s Encrypt is quite popular now, and there are other certificates issued using the same root. Lots of sites will break, and users won’t know what to do.

This blog and the C-Command forum use Let’s Encrypt, and they are set to redirect HTTP to HTTPS. I haven’t decided how to handle this yet. So far, it seems like the only options are to accept the breakage or to buy a certificate from another provider.

The main C-Command site (which my apps use for automatic software updates) uses a different certificate that should continue to work.
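The failure mode described above can be reproduced with a small model of chain building. This is an added example, not code from any of the quoted authors: the certificates are simplified stand-ins without keys or signatures, the names ISRG Root X1 and R3 and every date except the 30 September 2021 expiry are not taken from the post, and `find_anchor` is a hypothetical helper rather than any real TLS library's API.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime


# Constructed stand-ins for real certificates (no keys, no signatures).
# Only the 30 September 2021 expiry comes from the post; other dates are illustrative.
DST_ROOT_X3 = Cert("DST Root CA X3", "DST Root CA X3", utc(2021, 9, 30))
ISRG_X1_SELF_SIGNED = Cert("ISRG Root X1", "ISRG Root X1", utc(2035, 6, 4))
ISRG_X1_CROSS_SIGNED = Cert("ISRG Root X1", "DST Root CA X3", utc(2024, 9, 30))
R3 = Cert("R3", "ISRG Root X1", utc(2025, 9, 15))
LEAF = Cert("example.test", "R3", utc(2021, 12, 1))

# What the web server sends after the leaf: the intermediate plus the cross-sign.
SERVED_CHAIN = [R3, ISRG_X1_CROSS_SIGNED]

# A client that stopped receiving updates knows only the old root;
# an updated client also carries the replacement root.
OLD_STORE = {c.subject: c for c in [DST_ROOT_X3]}
CURRENT_STORE = {c.subject: c for c in [DST_ROOT_X3, ISRG_X1_SELF_SIGNED]}


def find_anchor(leaf, served, trust_store, now, check_anchor_expiry=True):
    """Walk issuer links from the leaf until a trusted root is reached.

    Returns the subject of the trust anchor, or None if the chain fails.
    check_anchor_expiry=False models clients that, as the post says of old
    Android devices, do not check the expiration date of a root they trust.
    """
    by_subject = {c.subject: c for c in served}
    cert = leaf
    for _ in range(len(served) + 1):      # bounded walk, so loops cannot hang it
        if cert.not_after <= now:         # leaf or intermediate has expired
            return None
        anchor = trust_store.get(cert.issuer)
        if anchor is not None:
            if check_anchor_expiry and anchor.not_after <= now:
                return None               # trusted root exists but has expired
            return anchor.subject
        cert = by_subject.get(cert.issuer)
        if cert is None:                  # issuer neither trusted nor served
            return None
    return None


def survey(now):
    """Outcome for three kinds of client at a given moment."""
    return {
        "old store, strict": find_anchor(LEAF, SERVED_CHAIN, OLD_STORE, now),
        "old store, ignores root expiry": find_anchor(
            LEAF, SERVED_CHAIN, OLD_STORE, now, check_anchor_expiry=False),
        "current store": find_anchor(LEAF, SERVED_CHAIN, CURRENT_STORE, now),
    }


if __name__ == "__main__":
    for label, when in [("before expiry", utc(2021, 9, 24)),
                        ("after expiry", utc(2021, 10, 1))]:
        print(label)
        for client, anchor in survey(when).items():
            print(f"  {client}: {anchor or 'FAILS'}")
```

The updated client stops at the replacement root and never reaches the expired one, while the strict client with the old store has no other path to try.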

Thursday, September 23, 2021

Apple Lies About Epic Again

Apple:

As we’ve said all along, we would welcome Epic’s return to the App Store if they agree to play by the same rules as everyone else.

Tim Sweeney:

Epic has asked Apple to reactivate our Fortnite development account. Epic promises that it will adhere to Apple’s guidelines whenever and wherever we release products on Apple platforms.

Apple:

Apple has exercised its discretion not to reinstate Epic’s developer program account at this time. Furthermore, Apple will not consider any further requests for reinstatement until the district court’s judgment becomes final and nonappealable.

Tim Sweeney (MacRumors, Hacker News):

Apple lied. Apple spent a year telling the world, the court, and the press they’d “welcome Epic’s return to the App Store if they agree to play by the same rules as everyone else”. Epic agreed, and now Apple has reneged in another abuse of its monopoly power over a billion users.

[…]

Late last night, Apple informed Epic that Fortnite will be blacklisted from the Apple ecosystem until the exhaustion of all court appeals, which could be as long as a 5-year process.

This seems clear-cut to me. Yes, Epic willfully disregarded the App Store guidelines last year, and Apple had cause to terminate its developer account. But, just this month, Apple said that Epic could come back if it agreed to follow the guidelines. Epic promised to, but instead of following through, Apple now says it won’t even consider lifting the ban for potentially five years.

I say that Apple lied again because, last September, Epic reported that Apple was going to block its customers from using “Sign In with Apple.” Apple told The Verge and John Gruber that this was not, and never was, the case. But then it came out in court filings that Epic was telling the truth.

It’s surprising that Apple, which has historically been very careful about communications, would make statements like these that are so easily disproven. Perhaps it was emboldened after it became apparent that there were no consequences for its CEO lying to Congress last summer—other than its reputation among people who follow these things.

The other unfortunate thing about this story is that the Fortnite Mac app is also blocked, even though it isn’t in the App Store. You need a developer account to get a Developer ID certificate and notarize your app—otherwise macOS won’t launch the app and will suggest that it might be malware.

John Gruber (Hacker News):

But agreeing not to break Apple’s guidelines again seems in the spirit of what Apple had been asking for, regarding reinstating Fortnite.

M.G. Siegler:

I’ve long wondered if Sweeney and Epic weren’t playing a different kind of game than the one Apple is playing, and the moves today don’t dissuade me from that thinking. Yes, it’s entirely possible that Sweeney just wants this to be over with and wants Fortnite back in the App Store following the loss on most fronts with regard to their lawsuit. But actually, that doesn’t seem like the right read to me. Because if they wanted that, Sweeney obviously — obviously — would not have included a few very clear lines in his email […] to Apple’s Phil Schiller.

[…]

It’s basically saying to Apple: read the intent (and perhaps the room!) of what the judge was going for, don’t try to litigate the language down to the lowest common denominator.

[…]

“Wait a minute, that $2.5T company won’t let the game developer back in the App Store even after they lost the lawsuit, paid the fine, and agreed to their demands?!”

iPhone 13 Reviews

iPad mini (6th Generation) Reviews

iPad (9th Generation) Reviews

Tuesday, September 21, 2021

Swift 5.5 Released

Ted Kremenek:

Swift 5.5 is a massive release, which includes newly introduced language capabilities for concurrency, including async/await, structured concurrency, and Actors.

[…]

John Sundell:

Before Swift 5.5, if we wanted to make an enum that contains associated values conform to Codable, then we’d have to write all of that code manually. However, that’s no longer the case, as the compiler has received an upgrade that now makes it capable of auto-synthesizing serialization code for such enums as well.

[…]

If needed, we could even customize what keys that are used for the associated values within a specific case. For example, here’s how we could declare that we’d like the youTube case’s id value to be serialized as youTube

John Sundell (tweet):

In general, these kinds of issues can be worked around using a compile-time platform check — but before Swift 5.5, we’d have to first break our List out into a separate expression, and then apply different listStyle modifiers separately using an #if-based operating system condition[…]

[…]

When using Swift 5.5, we now have the option to inline #if directives right within our expressions. So, going back to our ItemList, we can now conditionally apply each of our listStyle modifiers completely inline — without first having to break our expression up into multiple parts[…]

Joshua Emmons:

Sadly, these [async/await] features require runtime support. Which means, at least for the time being, async is iOS 15-/macOS 12-only.

For those of us supporting older deployment targets, this can be a bit of a let down. But not all hope is lost! We can build clean, flattened-out async handling on our own.

David Ungar:

If your incremental (i.e. Debug) builds seem to be too slow, here are some things to try[…]

Monday, September 20, 2021

iOS 15 and iPadOS 15

Apple (iOS release notes, iPadOS release notes, Hacker News):

iOS 15 is packed with new features that help you connect with others, be more present and in the moment, explore the world, and use powerful intelligence to do more with iPhone than ever before.

Federico Viticci (extras):

Surprisingly, iOS 15 doesn’t introduce any notable improvements to what made its predecessor wildly popular last year. In fact, as I’ll explore in this review, iOS 15 doesn’t have that single, all-encompassing feature that commands everyone’s attention such as widgets in iOS 14 or dark mode in iOS 13.

As we’ll see later in the story, new functionalities such as Focus and Live Text in the Camera are the additions that will likely push people to update their iPhones this year. And even then, I don’t think either of them sports the same intrinsic appeal as widgets, custom Home Screens, or the App Library in iOS 14.

[…]

But after three months of running iPadOS 15 on my M1 iPad Pro, I can’t help but feel like power users will still be left wishing for more. Yes, iPadOS 15 brings extensive keyboard integration for multitasking with a plethora of new keyboard shortcuts and yes, the new multitasking menu and improvements to the app switcher benefit everyone, including power users, but iPadOS 15 is a foundational update that focuses on fixing the basics rather than letting the iPad soar to new heights.

Dan Moren:

So it is with iOS 15, a release that appears with at least one of its most touted features, SharePlay, delayed until later this year, and another impressive piece of functionality—Universal Control—demoed but never even present in the betas. What’s left is a hodgepodge of interesting ideas and occasionally misguided attempts to prescribe how people should use their mobile devices. It’s an update that’s got a lot to recommend it, but that’s simultaneously tough to recommend, if only because it’s difficult to point to a single big feature that will make a huge difference in the life of the average user.

[…]

The reason that Time Sensitive notifications are significant is twofold. Firstly, they’re a class of notification that you can allow to break through your Focus, even if you haven’t specifically allowed notifications from that app. Secondly, they work with the second new major notification feature, Scheduled Summary.

Jason Snell:

In iPadOS 14, holding down the Command key would display a simple list of app-specific features and key equivalents. In iPadOS 15, Apple has expanded this feature to make it more like the iPad equivalent of the Mac menu bar. Not only does it list keyboard shortcuts, but it can list every command in the app (with suspiciously familiar labels like File and Edit). You can click or tap any of them to execute them. iPad apps that build out the Mac menu bar for their Catalyst version can pick this feature up for free. It’s another way that the Mac and iPad are increasingly complementing one another.

Then there’s the Globe key. Initially intended for supporting multiple languages, in iPadOS 15, the Globe key has become something much bigger: it’s a symbol for global keyboard shortcuts. (The Globe key appears on most modern Apple keyboards. If your keyboard doesn’t have a Globe key, don’t worry—you can use the Hardware Keyboard settings area to map a less-used modifier key such as Caps Lock to the Globe key.)

Hold down the Globe key in any app in iPadOS 15, and instead of seeing app-specific commands, you’ll see a list of functions that are available everywhere on the iPad.

Juli Clover:

A new Focus mode cuts down on distractions by limiting what’s accessible and who can contact you, and notifications can now be grouped up in daily summaries. There’s an option for a new Safari design that moves the tab bar to the bottom of the interface, and Tab Groups keep all of your tabs organized.

Joe Rossignol:

Apple recently updated its iOS 15 features page to indicate that Find My network support for AirPods Pro and AirPods Max has been delayed until “later this fall,” implying that the feature will not be available with the initial release of iOS 15.

Joe Rossignol:

According to the iOS 15 features page on Apple’s website, the following features require an iPhone with an A12 Bionic chip or newer, which means the features listed below aren’t available on the iPhone X or any older models.

It does still run on devices all the way back to the iPhone 6s, though.

Hide My Email

Tim Hardwick:

At its WWDC keynote on Monday, Apple announced that iCloud is getting a premium subscription tier called “iCloud+,” which includes tentpole privacy features like Private Relay and Hide My Email. Another feature included in iCloud+ that wasn’t discussed in the keynote is the ability to create a custom email domain name.

I think it’s better to use another e-mail provider, but at least with a custom domain you can more easily change in the future.

Apple:

Expanding on the capabilities of Sign in with Apple, Hide My Email lets users share unique, random email addresses that forward to their personal inbox anytime they wish to keep their personal email address private. Built directly into Safari, iCloud settings, and Mail, Hide My Email also enables users to create and delete as many addresses as needed at any time, helping give users control of who is able to contact them.

It appears that you can set it to forward to a non-iCloud address. So you can improve your privacy by hiding your real e-mail address from sites, but you also reduce it by routing your mail through Apple, and add a dependency on iCloud.

Tim Hardwick:

The following steps show you how to create a new dummy email address with Hide My Email, for use in Safari and Mail.

iCloud Private Relay

Michael Grothaus (via John Wilander, Alex Guyot):

The obvious comparison people will make is that iCloud Private Relay is Apple’s version of a VPN (something I have called for in the past for the company to offer). But from an engineering perspective, Private Relay’s privacy protections make VPNs look weak.

[…]

iCloud Private Relay uses a dual-hop architecture. When you navigate to a website through Safari, iCloud Private Relay takes your IP address, which it needs to connect you to the website you want to go to, and the URL of that site. But it encrypts the URL so not even Apple can see what website you are visiting. Your IP and encrypted destination URL then travels to an intermediary relay station run by a third-party trusted partner.

See also: WWDC, Nick Heer, Hacker News, Accidental Tech Podcast, MacRumors, TidBITS.

John Gruber:

It’s a little weird that Apple doesn’t want to talk about who these “trusted partners” are, because if we don’t know who they are, how are we supposed to trust them?

Stephen Nellis and Paresh Dave:

Apple’s decision to withhold the feature in China is the latest in a string of compromises the company has made on privacy in a country that accounts for nearly 15% of its revenue.

Tim Hardwick:

According to Apple, “regulatory reasons” prevent the company from launching Private Relay in China, Belarus, Colombia, Egypt, Kazakhstan, Saudi Arabia, South Africa, Turkmenistan, Uganda, and the Philippines.

Apple mentioned these country limitations in June, but it seems that Private Relay will not be available in Russia either, after Apple apparently disabled the feature there over the last day or so.

Spencer Dailey:

Hats off to Apple’s architects. At first glance, the principle behind this “dual hop” seems inspired by Tor, a browser that “directs Internet traffic through a free, worldwide, volunteer overlay network” with an encryption scheme that promises to “conceal a user’s location and usage” from prying eyes. The main issue with Tor has always been that it’s slow. Apple claims Private Relay works “without compromising performance”. There are reasons to be very skeptical of that claim by Apple (more on that later), but nevertheless, Private Relay will certainly be far faster than using Tor.

[…]

Private Relay will ruffle the feathers of ISPs and local network administrators.

This is a power move reminiscent of 1) when Apple launched the iPhone and decoupled phone software from the carrier, and 2) when Apple launched iTunes and CD-selling music labels had to come on board.

The industry will push back, leading to friction for consumers.

Many local area networks, such as WiFi on college campuses, will end up prohibiting Private Relay traffic. This will lead to inconvenienced users, who will be presented with dialogs to disable Private Relay for that network. I’m sure ISPs of all sizes will be tempted to also put in place hard blocks.

Florian Forster (via Hacker News):

If a user enables this feature, your RIBA [Risk Based Authentication] seriously will have a bad time. This is because, as you can see below, the user’s IP Address will be more or less useless as a signal. As of writing this blog I was in Switzerland and the IP used to egress my traffic was in a region located in the US. If this also tends to change a lot and fast you can basically throw away IP addresses as data of your RIBA.

Saagar Jha:

As expected, using Private Relay may get you flagged on certain sites, such as Wikipedia. Haven’t hit a captcha yet but I’m not looking forwards to it…

Frank A. Krueger:

Funny side-effect of iOS’s new private browsing: websites keep signing me out and reporting irregular login attempts. I have to remind myself that I sometimes live in Sweden now.
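The irregular-login reports in the quotes above follow from scoring a login on where its IP address geolocates. As an added example (not code from any of the quoted authors), here is a risk-based authentication score with and without a relay check. It assumes the service keeps a list of relay egress ranges; the ranges, geolocation table, weights and thresholds below are all constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed relay egress ranges (documentation prefixes, not real relay addresses).
RELAY_EGRESS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:1::/48")]

# Constructed stand-in for an IP geolocation lookup.
GEO = {"198.51.100.7": "CH", "192.0.2.44": "US", "203.0.113.9": "SE"}


@dataclass
class Login:
    user: str
    ip: str
    known_device: bool   # e.g. a previously issued device cookie was presented


def is_relay(ip):
    """True if the address falls inside a known relay egress range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RELAY_EGRESS)


def risk_score(login, usual_country, relay_aware):
    """Return (score, reasons). Higher means riskier."""
    score, reasons = 0, []
    if not login.known_device:
        score += 40
        reasons.append("unknown device")
    if relay_aware and is_relay(login.ip):
        # The egress address says nothing about where the user is, so the
        # country check is skipped: no penalty, but no reassurance either.
        reasons.append("relay egress: IP location ignored")
    elif GEO.get(login.ip) != usual_country:
        score += 50
        reasons.append("unexpected country")
    return score, reasons


def decide(score):
    if score < 40:
        return "allow"
    if score < 80:
        return "step-up"   # ask for a second factor
    return "deny"


def compare(login, usual_country):
    """Decision of the naive scorer next to the relay-aware one."""
    naive, _ = risk_score(login, usual_country, relay_aware=False)
    aware, _ = risk_score(login, usual_country, relay_aware=True)
    return decide(naive), decide(aware)


if __name__ == "__main__":
    # A user who normally signs in from Switzerland, now behind a relay
    # whose egress address geolocates to the US.
    print(compare(Login("alice", "192.0.2.44", known_device=True), "CH"))
    print(compare(Login("alice", "192.0.2.44", known_device=False), "CH"))
    print(compare(Login("alice", "203.0.113.9", known_device=False), "CH"))
```

With the location signal gone for relay traffic, the device signal carries the whole decision, which is why an unknown device behind a relay still gets a step-up.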

John Voorhees:

Private Relay currently has a significant impact on Safari’s performance. Here’s my Internet speed outside Safari using the Speedtest Mac app.

David Sparks:

My connection was noticeably slow and laggy. After a bit of troubleshooting, I discovered Private Relay is the culprit.

Dave Wood:

Why does iCloud Private Relay randomly turn itself back on? I didn’t reboot or anything here. And, the option to disable it again is missing. (Usually appears again if you go back a menu and forward again).

jda-blue:

I have a VPN app that uses a tunnel to route traffic, and I’m finding that port 80 traffic cannot be routed when Private Relay is enabled. Oddly, it’s just port 80 traffic. HTTP traffic over 8080 or other ports still work fine.

Specifically, connecting the socket using the connect() function for a port 80 address always returns the same error "No route to host".

Jason Snell:

Essentially, Apple has decided to launch iCloud Private Relay as a beta when iOS 15 ships in the fall, and the feature will be turned off (for now) by default. Paying iCloud users will be able to turn it on and try it out.

John Gruber:

Here’s my concern about iCloud Private Relay compatibility, though: if web publishers want to make sure their sites are compatible with iCloud Private Relay, they can make it work. They might just need more time. But everyone knows there are sites that aren’t interested in your privacy. That’s the whole reason Apple even made this feature. For a lot of websites, if the answer to an iCloud Private Relay compatibility issue is “Disable iCloud Private Relay”, that’s fine by them. For a lot of privacy-invasive web publishers, their goal, I suspect, is to break iCloud Private Relay, not fix their shit-ass websites to work with it.

DuckDuckGo Email Protection

Sami Fathi (Hacker News):

DuckDuckGo today announced its brand new Email Protection feature that will allow users to save themselves from being tracked by trackers embedded into emails by forwarding them to a free and personalized DuckDuckGo email before being sent to their actual email.

[…]

One of the largest cornerstones of DuckDuckGo’s offering, compared to Apple’s Hide My Email, is its cross-platform compatibility.

[…]

DuckDuckGo is pledging that it never saves a user’s email and that even when emails are sent to its servers to be cleansed from trackers, that information remains private.

Mail Privacy Protection

Apple:

In the Mail app, Mail Privacy Protection stops senders from using invisible pixels to collect information about the user. The new feature helps users prevent senders from knowing when they open an email, and masks their IP address so it can’t be linked to other online activity or used to determine their location.

Ben Lovejoy (MacRumors):

One of the new privacy features included in iCloud+ is what Apple calls Mail Privacy Protection. While that’s designed to protect Apple Mail users from overly intrusive marketeers, some are worried that it could badly hurt small publishers of email newsletters.

That’s because it will deny them access to a key metric used to sell the advertising that makes many such newsletters viable…

Casey Newton (Hacker News):

And so it’s no surprise that some observers look at Mail Privacy Protection and see a threat. “This is another sign that Apple’s war against targeted advertising isn’t just about screwing Facebook,” Joshua Benton wrote in Nieman Lab. “They’re also coming for your Substack.”

[…]

But after conversations with newsletter writers and media executives today, I’m not sure that people doing email-based journalism have all that much to worry about from the shift.

Nick Heer:

Email open rates are notoriously unreliable. Some sources will say that open rates are underreported; others will say that they are way too high. That is because open rates are determined by the number of times that a tracking pixel in an email is downloaded. If users have images turned off, it will not be triggered; if a user’s email client automatically goes to the next message when an email is deleted, it may register as the email being opened again and again.

Eric Blair:

It sounds like MPP proxies will pre-download images regardless of whether you open the email. The effective open rate will look like 100% for Mail users. Since the download is out of band from the viewing, the access time is also meaningless.

Andrew Grant:

Apple.

Also Apple.

Record App Activity

Jason Cross:

Apple is always expanding privacy features, and with iOS 15 you have a powerful new tool to find out which apps are accessing your phone’s features and data.

[…]

This will record a 7-day summary of exactly when and how often all your apps access things like your microphone or microphone, or which web domains they visit. Just come back to this screen a week later for a full report.

You can even tap Save App Activity to export a JSON file of all the data if you’re into that kind of thing.

Nick Heer:

I’ve just saved four days’ worth of app activity. It’s a 27 MB JSON file. An analysis of this would be wild, I am sure.

John Spurlock:

Want a better way to view the json files saved from “Report App Activity” in iOS15 beta privacy settings?

I just published a simple web app that runs locally to slice and dice them.

Rejected for Mentioning iOS 15 Compatibility

James Thomson:

And, that’s the iOS 15 build of Dice by PCalc rejected for… mentioning iOS 15.

It feels like we’ve been down this road before.

It’s a longstanding unwritten rule, though in this case Apple had already posted the iOS 15 release candidate build and notified developers to submit their updates for iOS 15. So not being able to mention the OS version just adds confusion for users.

Marco Arment:

My Overcast build with the iOS 15 GM SDK, released after the very public event this week, was rejected for mentioning “iOS 15 compatibility” in the release notes.

Such a waste of everyone’s time, Apple. Come on.

Michael Love:

My best guess is that they’re somehow trying to avoid user confusion - they’re worried that if people see a bunch of iOS 15 updates before iOS 15 is out they’ll assume their phone isn’t compatible with it or the updates won’t work on 14 or whatever.

If Apple really doesn’t want users to see these updates before iOS 15 is released, there should be an option to submit your update now but have the App Store hold it for release until iOS 15 ships.

Dave Wood:

They’re probably confused because of the change of term from GM to RC. Since iOS 15 is now RC, it is no longer pre-GM so doesn’t violate the rule they quote. Which is even funnier.

Curtis Herbert:

If Apple, year after year after year, pulls the BS of an app rejection because you mention the upcoming release … at some point ya gotta stop trying. Save yourself the headache. Just say “the new iOS” or “today’s update.”

Alexey Chernikov:

Just got rejected for mentioning “the latest iOS.”

Sash Zats:

That’s why you just “bug fixes and improvements”

James Thomson:

It is my understanding that mentioning iOS 15 is allowed in your release notes, as of now, and in future mentioning an unreleased OS should not cause a problem after app submissions for that particular OS have opened.

Thanks to Thomson for relaying an unwritten rule change, but it would be nice to have a written guideline to cite when the memo inevitably doesn’t get out to everyone.

Thursday, September 16, 2021

Shortcuts Outage Caused By Researcher

Nick Heer:

Remember how, back in March, all links to Shortcuts just stopped working?

Frans Rosén (via Federico Viticci):

I found some permission issues when hacking Apple CloudKit. I wrote about three of them @detectify labs, one where I accidentally deleted all shared Apple Shortcuts.

He reported the bugs to Apple and received the security bounty.

Performance of the A15

Jason Snell:

Here’s a funny thing about Tuesday’s announcement of the A15 Bionic: Apple didn’t compare its performance to the A14. In the past, Apple has compared the power of its iPhones to previous models. But this year, Apple has chosen to proclaim that the A15 in the iPhone 13 Pro has 50 percent better graphics and CPU performance “than the competition.”

Given that Apple has generally been ahead of its smartphone competition in terms of processor power, this suggests that the A15 shows less improvement over the A14 than it does over the Qualcomm processors in leading Android phones. And it makes me wonder if Apple is perhaps trying to soft-pedal a new chip that isn’t much faster than the older model.

Dylan Patel (tweet, via Meek Geek):

The CPU is claimed to be 50% faster than the competition while GPU is claimed to be 30% or 50% faster depending on whether it is 4 cores or 5 cores. They are sticking with a 16 core NPU which is now at 15.8 TOPs vs 11 TOPs for the A14. There is a new video encoder and decoder, we hope it incorporates AV1 support. The new ISP enables better photo and video algorithms. The Pro models have variable refresh rate, so that likely necessitated a new display engine. Lastly, the system cache has doubled to 32MB. This was likely done to feed the GPU and save on power. SemiAnalysis also believes Apple moved to LPDDR5 from LPDDR4X.

[…]

The most important thing to note is that the CPU gains are identical from the A12 to A14 as they are from A12 to A15. The GPU gains are quite impressive with a calculated 38.5% improvement. This is larger than the A13 and A14 improvements combined.

[…]

SemiAnalysis believes that the next generation core was delayed out of 2021 into 2022 due to CPU engineer resource problems. In 2019, Nuvia was founded and later acquired by Qualcomm for $1.4B. Apple’s Chief CPU Architect, Gerard Williams, as well as over 100 other Apple engineers left to join this firm. More recently, SemiAnalysis broke the news about Rivos Inc, a new high performance RISC V startup which includes many senior Apple engineers. The brain drain continues and impacts will be more apparent as time moves on. As Apple once drained resources out of Intel and others through the industry, the reverse seems to be happening now.

Eric Slivka:

These scores represent a roughly 10% increase in single-core performance and 18% increase in multi-core performance compared to the A14 Bionic in the iPhone 12 lineup.

Jason Snell:

If accurate, this would place the A14 to A15 performance boost in line with recent updates. What makes this a question at all is that Apple hasn’t directly compared the two chips, instead opting to compare the iPhone to “the competition.”

Global Chip Shortage

Nilay Patel (Decoder):

Since the beginning of the pandemic, the demand for microchips has far exceeded supply, causing problems in every industry that relies on computers.

[…]

My guest today is Dr. Willy Shih. He’s the professor of management practices at Harvard Business School. He’s an expert on chips and semiconductors — he spent years working at companies like IBM and Silicon Graphics. And he’s also an expert in supply chains — how things go from raw materials to finished products in stores. Willy’s the guy that grocery stores and paper companies called in March 2020 when there was a run on toilet paper. If anyone’s going to explain this thing, it’s going to be Willy.

Ian King et al. (via Hacker News):

Building an entry-level factory that produces 50,000 wafers per month costs about $15 billion. Most of this is spent on specialized equipment—a market that exceeded $60 billion in sales for the first time in 2020.

Three companies—Intel, Samsung and TSMC—account for most of this investment. Their factories are more advanced and cost over $20 billion each. This year, TSMC will spend as much as $28 billion on new plants and equipment. Compare that to the U.S. government’s attempt to pass a bill supporting domestic chip production. This legislation would offer just $50 billion over five years.

Once you spend all that money building giant facilities, they become obsolete in five years or less. To avoid losing money, chipmakers must generate $3 billion in profit from each plant. But now only the biggest companies, in particular the top three that combined generated $188 billion in revenue last year, can afford to build multiple plants.

Yang Jie et al. (via John Gruber):

Taiwan Semiconductor Manufacturing Co. plans to increase the prices of its most advanced chips by roughly 10%, while less advanced chips used by customers like auto makers will cost about 20% more, these people said. The higher prices will generally take effect late this year or next year, the people said.

Horace Dediu:

iPhone 13 pricing is same as 12. So much for new pricing due to semiconductor shortages.

FlickType Sherlock+’d

Tom Maxwell (Hacker News):

But one, seemingly minor product announcement has caused a stir in the developer community: the new full software keyboard that Apple is adding to the Apple Watch.

It was just last month that Kosta Eleftheriou, the developer of FlickType, announced that his swipe-based keyboard for the blind would be pulled off the App Store over objections by Apple. Its reasoning was unclear[…]

A separate version for the Apple Watch would remain, but then Apple pulled that one as well, telling Eleftheriou that keyboards aren’t allowed on the Apple Watch.

Now Apple has announced its own, nearly-identical keyboard for the Apple Watch — and seven years after the smartwatch was introduced, no less.

Kosta Eleftheriou:

So now we know. See you in court, @Apple.

Dave Mark:

I’m mystified by this decision by Apple, especially given the ratcheted up scrutiny they are under. Did they think no one would make the connection? Or did they not care about that, Sherlock business as usual?

This is much worse than a regular Sherlocking. In the past, Apple would just build a popular third-party feature into the operating system. You can argue about whether there’s a more or less fair way to do that, but at the end of the day it makes sense to have a built-in keyboard. What’s different here is that, not only does the third-party app have to compete with the built-in feature, but Apple is also using App Review to harass the developer and block updates for no good reason. Competing with Apple on an unfair playing field is difficult, but it can be done and has been many times. But you can’t compete when they won’t let you ship your app and won’t even explain why they’re rejecting it.

Rui Carmo:

Seeing the Sherlocking of FlickType streamed live to the world, however, was a major downer (I was one of the Watch beta testers, and loved it). Apple really ought to be better than this, and I expect a fair amount of fallout over the next few days.

Joshua Topolsky:

This is really messed up. Apple forced a keyboard designed for the blind off of the App Store... and then announced its own version of it yesterday. COME ON you can do better than this.

Update (2021-09-17): William Gallagher:

Kosta Eleftheriou’s lawsuit had already been filed when Apple unveiled QuickPath. Apple says it has told Eleftheriou that following further explanation from him, it now believes that the app’s accessibility keyboard complies with App Store rules.

In other words, it never should have been rejected.

Sean Hollister:

Yes, Eleftheriou filed his suit nearly six full months before the Apple Watch Series 7 announcement.

[…]

But no, Apple didn’t actually reject every Apple Watch keyboard app in 2019 — Eleftheriou believes his app was singled out for this treatment.

[…]

The company basically admits that removing Eleftheriou’s app was a mistake, and claims it quickly corrected the issue.

But Eleftheriou disputes that last point, saying it took a year of appeals and resubmissions to get his keyboard back onto the store. “From [January 2019] on, I was simultaneously discussing a FlickType acquisition with them, while also being rejected,” he tells me. And Apple initially made it look like those appeals failed, too. “The App Review Board evaluated your app and determined that the original rejection feedback is valid. Please note that all appeal results are final,” reads Eleftheriou from a message he received in May 2019.

In the complaint, he alleges it wasn’t until January 2020, a year after the surprise takedown, that his Apple Watch keyboard extension was approved.

[…]

He’s particularly annoyed with how Apple’s own keyboard has an unfair advantage since it doesn’t need to use its own APIs, and how those APIs are lacking features that Apple publicly promised years ago.

Wednesday, September 15, 2021

The Future of the App Store

Marco Arment (tweet, Hacker News):

I think the most likely long-term outcome isn’t very different from the status quo — and that’s a good thing.

I would like to see big changes, but I think he’s probably right that we won’t.

Apple will still require apps to use their IAP system for any qualifying purchases that occur in the apps themselves. […] Most apps will be required to also offer IAP side-by-side with any external methods.

[…]

Apple will have many rules regarding the display, descriptions, and behavior of external purchases, many of which will be unpublished and ever-changing. App Review will be extremely harsh, inconsistent, capricious, petty, and punitive with their enforcement.

[…]

I’d expect any app offering external purchases to have a very high chance of being escalated to a slower, more pain-in-the-ass review process, possibly causing it not to be worthwhile for most small developers to deal with.

[…]

Most importantly, many products, services, and business models will become possible that previously weren’t, leading to more apps, more competition, and more money going to more places.

I don’t see why that would happen given the very limited scope of the changes.

Nick Heer:

I keep thinking about the likelihood of the sideloading doomsday scenarios that Arment writes about. […] I could see Facebook creating its own app marketplace for iOS, but I am unclear why developers would need to submit their apps to multiple marketplaces, so long as Apple gets to keep its first-party App Store.

[…]

This modest corrective action is, I think, a good step toward a store that improves users’ experiences while opening up new possibilities. I still hope Apple takes greater advantage to simultaneously release regulatory pressure and the hostility felt by developers.

David Heinemeier Hansson:

Now imagine that Apple abides by the injunction but also attempts to continue forcing IAP upon developers who don’t want it. The gag orders are gone, because that was the anti-steering provisions explicitly prohibited by the injunction. Which means developers have to offer something they don’t want to offer, but they’re free to present that offer as they see fit. Can you see where this is going?

Not the way he thinks, I expect. Apple will probably get away with having lots of rules about the allowable language, require that IAP get top placement, and do various other things to make the non-IAP flow needlessly feel second-class.

Magic Lasso Adblock 3.0

Matthew Bickham:

Magic Lasso seamlessly blocks all YouTube ads with a combination of custom, efficient content blocking rules using Safari’s native content blocker API along with a new permission-restricted ‘Magic Lasso Pro’ web extension.

Unlike other ad blockers whose web extensions have unrestricted permissions to read and view any pages you visit, Magic Lasso Pro only has access to pages within the youtube.com domain. Therefore your browsing history beyond YouTube is not accessible to the web extension. Or to the Magic Lasso app.

This feature requires the Pro version, which is $3/month or $30/year (shared across Mac and iOS). Pro also includes a blocker for those annoying cookie pop-up banners. Both features work well in my experience, though sometimes I run into a Safari bug that stops extensions from working until I quit and relaunch.
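The difference between an extension that can read every page and one limited to youtube.com shows up in the host match patterns of its manifest, in the WebExtension manifest format that Safari web extensions use. The audit below is an added example, not Magic Lasso's code: the function names and both sample manifests are constructed for illustration, and the expected-domain list is an assumption supplied by the person running the check.

```javascript
// Added example: report which sites a WebExtension manifest lets an extension read.
// Both manifests below are constructed samples, not copied from any real extension.

// Match patterns that cover every site the user visits.
const UNRESTRICTED = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Host access is written as a match pattern; API permissions ("storage") are plain words.
function isHostPattern(entry) {
  return entry === "<all_urls>" || /^(\*|https?|wss?|ftp|file):\/\//.test(entry);
}

// "*://*.youtube.com/*" -> "*.youtube.com"; "<all_urls>" -> "*".
function hostOf(pattern) {
  if (pattern === "<all_urls>") return "*";
  const m = /^[^:]+:\/\/([^/]*)\//.exec(pattern);
  return m ? m[1] : null;
}

// Gather host patterns from every manifest key that can grant page access
// (Manifest V2 mixes them into "permissions"; V3 uses "host_permissions").
function collectHostPatterns(manifest) {
  const found = new Set();
  const keys = ["permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"];
  for (const key of keys) {
    for (const entry of manifest[key] || []) {
      if (typeof entry === "string" && isHostPattern(entry)) found.add(entry);
    }
  }
  for (const script of manifest.content_scripts || []) {
    for (const pattern of script.matches || []) found.add(pattern);
  }
  return [...found];
}

// True when the pattern's host is one of the expected domains or a subdomain of one.
function inAllowedDomain(host, allowedDomains) {
  if (host === null || host === "") return false;
  const base = host.startsWith("*.") ? host.slice(2) : host;
  if (base.includes("*")) return false;
  return allowedDomains.some((d) => base === d || base.endsWith("." + d));
}

// Sort every host pattern into unrestricted / scoped / outOfScope and give a verdict.
function auditManifest(manifest, allowedDomains) {
  const result = { unrestricted: [], outOfScope: [], scoped: [] };
  for (const pattern of collectHostPatterns(manifest)) {
    const host = hostOf(pattern);
    if (UNRESTRICTED.has(pattern) || host === "*") result.unrestricted.push(pattern);
    else if (inAllowedDomain(host, allowedDomains)) result.scoped.push(pattern);
    else result.outOfScope.push(pattern);
  }
  result.verdict = result.unrestricted.length ? "unrestricted"
    : result.outOfScope.length ? "wider-than-expected"
    : "scoped";
  return result;
}

// Constructed sample: a blocker that can read any page the user visits.
const BROAD_MANIFEST = {
  manifest_version: 2,
  name: "Constructed broad blocker",
  permissions: ["storage", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};

// Constructed sample: a blocker limited to one domain.
const SCOPED_MANIFEST = {
  manifest_version: 3,
  name: "Constructed scoped blocker",
  permissions: ["storage"],
  host_permissions: ["*://*.youtube.com/*"],
  content_scripts: [{ matches: ["*://*.youtube.com/*"], js: ["content.js"] }],
};

console.log(auditManifest(BROAD_MANIFEST, ["youtube.com"]));
console.log(auditManifest(SCOPED_MANIFEST, ["youtube.com"]));
```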

Creating Compile-Time Reminders in Xcode

Robin Kunde:

This attribute will produce a warning if the selected Swift version is available in the version of Xcode you’re using. For 5.5 for example, this would generate a warning in Xcode 13.0 but not Xcode 12.5.

[…]

This attribute will produce a warning if the selected iOS (or tvOS, or macOS) version is equal to or below your deployment target. In other words […] after you remove support for older operating systems.

[…]

By wrapping [a #warning] in this conditional compilation check, you can get Xcode to ignore the statement until you’re using an Xcode version that ships with the given compiler version.

Intuit to Acquire Mailchimp

Intuit (Hacker News):

The planned acquisition of Mailchimp for approximately $12 billion in cash and stock advances Intuit’s mission of powering prosperity around the world, and its strategy to become an AI-driven expert platform. With the acquisition of Mailchimp, Intuit will accelerate two of its previously-shared strategic Big Bets: to become the center of small business growth; and to disrupt the small business mid-market.

[…]

Founded in Atlanta, GA in 2001, Mailchimp began by offering email marketing solutions, and evolved into a global leader in customer engagement and marketing automation fueled by a powerful, cutting-edge AI-driven technology stack.

Update (2021-09-17): Ben Bergman (via Hacker News):

When employees were recruited to work at Mailchimp there was a common refrain from hiring managers: No, you are not going to get equity, but you will get to be part of a scrappy company that fights for the little guy and we will never be acquired or go public.

The founders told anyone who would listen they would own Mailchimp until they died and bragged about turning down multiple offers.

[…]

Employees reacted with shock and anger over text, Slack, and Twitter to the deal. They described feelings of betrayal and a cash windfall that seemed to only benefit those at the very top of the 20-year-old company.

Tuesday, September 14, 2021

Xcode 13 RC

Apple (release notes):

Xcode 13 includes everything you need to create amazing apps for all Apple platforms. Includes the latest SDKs for macOS, iOS, watchOS, and tvOS.

Don’t delete your beta version because this build removes the Monterey SDK. Seems like the iOS stuff isn’t quite ready yet, either.

Update (2021-09-16): Nick Lockwood:

So far, Xcode 13 RC seems like a major regression in stability. I've had it freeze up multiple times on my M1 in the last couple of days, after basically no problems for months with 12.5.

Steve Troughton-Smith:

Xcode 13 is so crashy right now 👀 RC goes down multiple times a day, and I can’t even blame Interface Builder or the SwiftUI preview system because I use neither

I’m seeing many reports like this.

iPhone 13 and iPhone 13 Pro

Apple (MacRumors):

Apple today introduced iPhone 13 and iPhone 13 mini, the next generation of the world’s best smartphone, featuring a beautiful design with sleek flat edges in five gorgeous new colors. Both models feature major innovations, including the most advanced dual-camera system ever on iPhone — with a new Wide camera with bigger pixels and sensor-shift optical image stabilization (OIS) offering improvements in low-light photos and videos, a new way to personalize the camera with Photographic Styles, and Cinematic mode, which brings a new dimension to video storytelling. iPhone 13 and iPhone 13 mini also boast super-fast performance and power efficiency with A15 Bionic, longer battery life, a brighter Super Retina XDR display that brings content to life, incredible durability with the Ceramic Shield front cover, double the entry-level storage at 128GB, an industry-leading IP68 rating for water resistance, and an advanced 5G experience.

[…]

Customers can get iPhone 13 for $33.29 (US) a month for 24 months or $799 (US) before trade-in, and iPhone 13 mini for $29.12 (US) a month for 24 months or $699 (US) before trade-in[…]

I’m glad to see the base storage increase to 128 GB. I hope the iPhone mini stays in the lineup. It’s unfortunate that there’s still no good way to unlock it while wearing a mask, unless you have an Apple Watch. I would have loved to see Touch ID on the power button or under the display.

Apple (MacRumors, Hacker News, Slashdot):

Apple today introduced iPhone 13 Pro and iPhone 13 Pro Max, pushing the boundaries of what’s possible in a smartphone. Redesigned inside and out, both models introduce an all-new Super Retina XDR display with ProMotion featuring an adaptive refresh rate up to 120Hz, making the touch experience faster and more responsive. The pro camera system gets its biggest advancement ever with new Ultra Wide, Wide, and Telephoto cameras that capture stunning photos and video, powered by the unmatched performance of A15 Bionic, more powerful than the leading competition. These technologies enable impressive new photo capabilities never before possible on iPhone, like macro photography on the new Ultra Wide camera and up to 2.2x improved low-light performance on the new Wide camera. New computational photography features like Photographic Styles personalize the look of images in the Camera app, and both models now include Night mode on all cameras. Video takes a huge leap forward with Cinematic mode for beautiful depth-of-field transitions, macro video, Time-lapse and Slo-mo, and even better low-light performance. Both models also offer end-to-end pro workflows in Dolby Vision, and for the first time, ProRes, only available on iPhone. iPhone 13 Pro and iPhone 13 Pro Max also include 5G with more bands for better coverage, big improvements to battery life for the best battery life ever on iPhone with iPhone 13 Pro Max, new storage capacity of 1TB, and the Ceramic Shield front cover, tougher than any smartphone glass.

[…]

Customers can get iPhone 13 Pro for $41.62 (US) a month for 24 months or $999 (US) before trade-in, and iPhone 13 Pro Max for $45.79 (US) a month for 24 months or $1,099 (US) before trade-in[…]

I’m not sure what to make of the touted camera improvements. It seems like Apple always says stuff like this, and most years it feels like a small improvement compared with the prior year. But every once in a while it really is a big leap.

Ryan Jones:

Normal person summary of iPhone 13 Pro

  • 1.5-2.5 hours more battery life
  • super fluid animations
  • light blue
  • macro photos
  • Portrait Mode for video
  • smaller notch
  • better cameras

Update (2021-09-16): John Gruber:

Last year, the 12 Pro Max had a better camera system than the 12 Pro. Only the 12 Pro Max had the sensor shift optical image stabilization, and only the 12 Pro Max had a 2.5× (as opposed to 2×) telephoto lens. This year, both Pro models have identical camera systems. (And, like last year, the regular iPhone 13 and 13 Mini share the same camera system as each other.)

The iPhone 13 Pro camera modules are entirely different from the non-Pro 13 and 13 Mini, though. Not just the existence of the new 3× telephoto, but the 1× (wide) and 0.5× (ultra wide) cameras are better on the Pro models.

Kuba Suder:

Updated table of all recent iPhone sizes & weights. Heaviest iPhone ever!

Juli Clover:

All of the iPhone 13 models are heavier than their iPhone 12 counterparts, likely due to the larger batteries that are inside and the thickness increase. Weight comparisons are below.

Jason Snell:

I want to call out Apple’s incremental improvement in battery life. The last couple of years, Apple seems to be on a mission to extend iPhone battery life. The fact that they tacked on 1.5 hours (iPhone 13 mini and iPhone 13 Pro) or 2.5 hours (iPhone 13 and iPhone 13 Pro Max) should not be underestimated. That’s an impressive addition—and if you’re upgrading from a three- or four-year-old phone, the battery life of a new model will be even more impressive.

Quinn Nelson:

Please enjoy getting 4K ProRes off your new iPhone using AirDrop or USB 2.0 via Lightning.

🤦‍♂️

Update (2021-09-17): Tim Hardwick:

The iPhone 13 lineup features new low-power displays, a more efficient A15 chip, larger batteries, and more power-efficient components, all of which make for dramatic improvements when streaming, as the numbers above show.

For example, Apple claims that when streaming video, the iPhone 13 Pro and Pro Max last nine hours and 13 hours longer than last year’s equivalent models, respectively. Taking the same metric, the battery in the iPhone 13 mini manages 13 hours, which is longer than even the iPhone 12 Pro Max.

Josh Ginter:

Here’s what I’m most excited to try out in the new camera system when I get my hands on it next week.

Nick Heer:

Apple’s accessory design guidelines have not been updated with these phones yet. But if the webpage rendering is anything to go by, the bump is now over 50% of the width of the back glass and over 25% of its height.

And, apparently, the phones don’t lay flat in Apple’s cases.

Apple Watch Series 7

Apple (MacRumors):

Apple today announced Apple Watch Series 7, featuring a reengineered Always-On Retina display with significantly more screen area and thinner borders, making it the largest and most advanced display ever. The narrower borders allow the display to maximize screen area, while minimally changing the dimensions of the watch itself. The design of Apple Watch Series 7 is refined with softer, more rounded corners, and the display has a unique refractive edge that makes full-screen watch faces and apps appear to seamlessly connect with the curvature of the case. Apple Watch Series 7 also features a user interface optimized for the larger display, offering greater readability and ease of use, plus two unique watch faces — Contour and Modular Duo — designed specifically for the new device. With the improvements to the display, users benefit from the same all-day 18-hour battery life, now complemented by 33 percent faster charging.

[…]

Apple Watch Series 7 will start at $399 (US), Apple Watch SE starts at $279 (US), and Apple Watch Series 3 starts at $199 (US).

Yep, they’re still selling the Series 3 from 2017.

Update (2021-09-16): John Gruber:

Quinn “Snazzy Labs” Nelson flagged Apple for an unfair comparison, regarding just how much more text the larger Series 7 displays can show at a time. The font was the same size, but the line spacing was quite a bit tighter in the Series 7 screenshot. I would also argue that Apple chose text that line-wrapped inefficiently on the Series 6 display, but the difference in line heights is clearly unfair. Apple doesn’t usually play games like that in comparisons. Yellow card issued.

Dr. Drang:

The Series 3 is today’s version of the iPad 2, the 16 GB iPhone, or the 5 GB iCloud free storage tier: The Thing That Wouldn’t Die. But like the iPad 2, it’s a perfectly good device if your needs stay the same as when you bought it.

iPad mini (6th Generation)

Apple (MacRumors, Hacker News):

Apple today introduced the powerful new iPad mini — with a larger 8.3-inch Liquid Retina display — in four gorgeous finishes. Featuring the brand new A15 Bionic chip, the new iPad mini delivers up to 80 percent faster performance than the previous generation, making it the most capable iPad mini ever. A new USB-C port allows faster connectivity, and cellular models with 5G bring more flexible mobile workflows. New advanced cameras, Center Stage, and support for Apple Pencil (2nd generation) enable new ways for users to capture photos and videos, communicate with loved ones, and jot down their ideas when creativity strikes.

[…]

Wi-Fi models of iPad mini are available with a starting price of $499 (US) and Wi-Fi + Cellular models start at $649 (US). The new iPad mini, in 64GB and 256GB configurations, comes in pink, starlight, purple, and space gray finishes.

My iPad mini 2 died a while ago, and I decided to switch to a larger screen with an iPad Air (4th generation) earlier this summer. I don’t regret it. However, this new iPad mini looks really great, pretty much what I was hoping Apple would do.

Update (2021-09-16): Joe Rossignol:

Both the iPhone 13 and the new iPad mini are equipped with Apple’s latest A15 Bionic chip, but benchmark results reveal that the chip is downclocked to 2.9GHz in the iPad mini, compared to 3.2GHz in all iPhone 13 models.

iPad (9th Generation)

Apple (MacRumors, Hacker News):

Apple today introduced the new iPad (9th generation), featuring the powerful A13 Bionic chip that packs even more performance and capability into the most popular iPad, all while retaining its all-day battery life. Starting at just $329, the new iPad features a 10.2-inch Retina display with True Tone, a 12MP Ultra Wide front camera with Center Stage, support for Apple Pencil (1st generation) and Smart Keyboard, the intuitive iPadOS 15, and twice the storage of the previous generation.

[…]

Wi-Fi models of iPad are available with a starting price of $329 (US), and Wi-Fi + Cellular models start at $459 (US), in silver and space gray finishes. The new iPad starts with 64GB of storage — double the storage of the previous generation. A 256GB option is also available.

I wish they could get the entry price a bit lower, as it’s still higher specced than it needs to be, but at least it comes with 64 GB now.

Monday, September 13, 2021

The Epic Anti-Steering Injunction Is Narrow

Nick Heer:

The nearly two hundred page order is very readable and well-written, but the injunction ordering Apple to scrap the last sentence of the first bullet in App Store rule 3.1.1 leaves plenty of ambiguity over what developers can do and what Apple must allow. This will undoubtably be clarified with time, but it is the only part of the result that creates more questions than it answers. Apple is apparently interpreting it as requiring the company to, in effect, apply its settlement with the Japan Fair Trade Commission to all apps, not just Apple’s “reader” app category. That means the anti-steering App Store policies will be removed within three months. But it may not mean that Apple must permit alternative in-app purchase options.

John Gruber:

YGR is only striking down the anti-steering rules that inform and link users to out-of-app (which effectively means web) means of sign-up and payment.

Judging by their reactions, both Apple and Epic see it that way too.

John Gruber:

I think the injunction allows, and Apple will enforce, that such links must open outside the app.

MacJournals:

The court specifically, carefully, and methodically examined whether Apple should be forced to allow IAP (in-app purchasing) systems other than the one built into iOS. The court found the arguments for such a ban lacking and declined to allow external IAP methods.

So the third-party IAP approach taken by Fortnite would still not be allowed.

Florian Mueller:

It’s one of those situations in which either side “gets something” and could claim victory, as Apple apparently does though the stock market initially disagreed (I, personally don’t think the decision should have moved the stock at all). This makes it all the more remarkable that Epic doesn’t engage in spin but concedes defeat. It’s not that Epic achieved nothing; but for the time being, all it got is a consolation prize, and that’s why Fortnite won’t return to iOS at this stage.

John Voorhees:

Building alternative storefronts or offering separate payment schemes are no more possible today than they were a week ago. In fact, the Court specifically concluded about the App Store and In-App Purchases, that Apple’s approach is valid[…]

Benedict Evans:

The more I look at this the more questions occur to me. Apps can offer their own payment now, but can Apple require them to offer IAP as well? Yes, on this text. At what price? What if Apple demands both IAP inclusion & price parity? Wouldn’t that mean Spotify was still blocked?

Michael Love:

There’s something unsettling about the fact that all the “actually much narrower” spin on Apple v. Epic has come secondhand through off-the-record “industry sources” and such; if Apple believes YGR did not comprehensively block anti-steering, they should come out and say so.

Personally, I think the injunction is unambiguous in blocking all anti-steering restrictions, and I don’t see anything in the longer opinion to suggest that that wasn’t her intent - she wants something simple to enforce, doesn’t want to get into the weeds of what a “button” is.

I don’t even think it’s particularly clear that developers have to keep offering in-app purchase at all - many of the developers this applies to weren’t offering it in before, the idea that Netflix can only offer an in-app ‘subscribe’ button if there’s an IAP option too is silly.

At the very least, certainly for ‘reader’ apps the combination of existing allowances for selling stuff outside of the app + this new requirement that all apps be allowed to redirect people to other purchase methods should fairly comprehensively end any obligation to use IAP.

Florian Mueller (Hacker News):

Let’s bear in mind that only Epic’s tenth claim succeeded at all. Not only Epic’s federal antitrust claims but also various state law claims failed. The failed state law claims include a couple that were very specifically about offering different IAP systems: Count 8 alleged unreasonable restraints of trade in the iOS IAP processing market under the California Cartwright Act, and Count 9 presented a tying claim related to IAP. Epic’s tenth and last claim--based on California UCL--broadly raised the issue of Epic being “unreasonably prevented from freely distributing mobile apps or its in-app payment processing tool, and forfeit[ing] a higher commission rate on the in-app purchases than it would pay absent Apple’s conduct.” But the court found for Epic under its tenth claim only with respect to the anti-steering provisions.

Florian Mueller:

By coincidence, that case was also an antitrust case as its caption shows. And the same appeals court--the one with which Epic filed its appeal yesterday--clarified that the standard involves “disobedience to a specific and definite court order.” (id.)

The bottom line is that any alleged ambiguity would favor Apple, not developers.

[…]

The question is not whether a developer’s interpretation of the injunction is somewhat reasonable. It’s whether Apple’s interpretation is so unreasonable as to constitute disobedience to a specific and definite court order.

[…]

Apple won’t even have to approve linking out to websites that merely sell digital items consumed in an iOS app.

Ben Thompson:

Judge Gonzalez Rogers disagreed with both, defining the market as ‘mobile game transactions’.

[…]

I mentioned above that this was where the decision got a bit complicated; notice that I just used “IAP” and “in-app purchases” to represent two distinct concepts. Specifically, it seems clear that Gonzalez Rogers has defined “IAP” to be Apple’s overall commerce system, while “in-app purchases” are purchases made in an app. In other words, Apple is justified in requiring IAP for in-app purchases.

Ryan Jones:

Basically, Judge ruled the same as the Japan anti-steering law, but for all apps: Apple can’t stop linking out.

  • Apple’s 30% rate is not threatened
  • Apple Pay + Stripe is not allowed
  • Apple crushed Epic

Craig Hockenberry:

While the lawyers argue about IAP, the rest of the development ecosystem is stuck with stuff that just plain doesn’t work.

Has anyone been able to get “Reset Eligibility” to work?

Why Apple Should Compromise With Antitrust Regulators

Roger McNamee:

Recent news reports alleging mistreatment of some employees, internal policies that conflict with the company’s outward-facing stance on privacy, and efforts to prevent the passage of state laws to enable competition with the AppStore, along with a high profile lawsuit related to AppStore policies have tarnished Apple’s reputation. Despite this, the company has taken a stance towards Congress and regulators that the latter describe as ranging from arrogant to inflexible.

Unless Apple rethinks its approach, regulators will likely have no choice but to undermine its advantage in privacy and security. As a customer, that will piss me off. As an activist trying to reform the tech industry, it will leave me wondering what might have been. I would like to suggest a path to a better outcome.

[…]

It is a strategic error for Apple’s lobbyists and surrogates in Washington to argue against every new antitrust law targeting the tech industry. Apple has made itself a target by being incredibly successful and by adopting communications strategies that mimic tech giants whose anticompetitive behavior is substantially more damaging. Apple is almost certain to lose something, but there is still room to protect your most valuable assets. There may also be an opportunity to gain competitive advantage.

Via Nick Heer:

If there is some ambiguity as to what rules the permanent injunction permits Apple to create around in-app purchases, my hope is that the company uses this as an opportunity to ease off a little. I am not saying that I expect this to happen — today’s judgement indicates that Apple has little reason to stop pursuing its existing App Store strategy, with only the aforementioned exception. But a world in which Apple is not in an antagonistic role with developers is a better one for everyone, assuming that Apple can maintain or improve upon iOS’ privacy and security reputation. These fights are just noise.

M.G. Siegler (Hacker News):

My read is that Apple did win — exactly what everyone always knew they would win. But in winning that battle, they actually lost something far more important. There is no way around it: the judge’s order to stop App Store anti-steering is a big one. And seemingly one Apple did see coming given the Japanese settlement a few weeks back. But this is still a major blow because it both continues and accelerates the boulder rolling down the hill of real reforms to the App Store.

Apple may think that they’re doing enough in a piecemeal fashion to stave off major change, but they’re not. If anything, they need to make a major change to stanch the bleeding. But they won’t do that. They’re both too proud and too arrogant. They’re so sure that they’re in the right here that they don’t see that it actually doesn’t matter.

[…]

They should open things up to win these arguments on the product side of the equation — something which they’re uniquely situated to do thanks to about two dozen aspects of the iPhone. They should compete on the playing field in which they already have home field advantage.

Update (2021-09-16): Michael Love:

At some point either Apple will allow sideloading or Safari will (foot-draggingly) reach a threshold where large numbers of apps start going web-only; I think option a is much healthier for iOS than option b, but absent legislative intervention the latter seems more likely.

macOS 11.6

Juli Clover:

According to Apple’s release notes, macOS Big Sur improves the security of macOS and is recommended for all users. Apple has also released security update 2021-005 for macOS Catalina, and both updates address an issue that could allow a maliciously crafted PDF to execute code. Apple says that it is aware of a report that this bug may have been actively exploited.

It’s unclear why this update isn’t numbered 11.5.3. It was also weird in that the Update Now button was disabled for me in Software Update even though the text said that the update was available. I had to click the text to see the sheet with the list of updates and then click the checkbox next to it before macOS would start downloading the update.

Apple:

This document describes the security content of macOS Big Sur 11.6.

Howard Oakley:

Congratulations to Mikey @0xmachos, who has worked out that the PDF vulnerability is most probably the same as the Megalodon/FORCEDENTRY iMessage zero click exploit, involving a bug in CoreGraphics decoding JBIG2-encoded data in a PDF file.

See also: Mr. Macintosh (tweet).

Update (2021-09-14): Howard Oakley:

Software which has changed version or build numbers between macOS 11.5.2 and 11.6 includes[…]

[…]

Although it does contain some minor fixes – that to SMB looks of potential interest – the 11.6 update is primarily a security update.

[…]

If you’re still running Mojave, this almost certainly means that your macOS is no longer supported by Apple, and may well be vulnerable to either or both of these bugs.

The standalone download is still not available.

Update (2021-09-17): Mr. Macintosh:

The macOS Big Sur 11.6 full installer is now available. 🎉

Zero-click iMessage Attacks

Lily Hay Newman (Hacker News):

These “zero-click” attacks can happen on any platform, but a string of high-profile hacks show that attackers have homed in on weaknesses in Apple’s iMessage service to execute them. Security researchers say the company’s efforts to resolve the issue haven’t been working—and that there are other steps the company could take to protect its most at-risk users.

[…]

Apple did make a major push to comprehensively address iMessage zero-clicks in iOS 14. The most prominent of those new features, BlastDoor, is a sort of quarantine ward for incoming iMessage communications that’s meant to weed out potentially malicious components before they hit the full iOS environment. But the interactionless attacks keep coming. This week’s Citizen Lab findings and research published in July by Amnesty International both specifically show that it’s possible for a zero-click attack to defeat BlastDoor.

Apple hasn’t issued a fix for this particular vulnerability and corresponding attack, dubbed “Megalodon” by Amnesty International and “ForcedEntry” by Citizen Lab. An Apple spokesperson told WIRED that it intends to harden iMessage security beyond BlastDoor, and that new defenses are coming with iOS 15, which will likely come out next month.

[…]

In fact, Citizen Lab researchers and others suggest that Apple should simply provide an option to disable iMessage entirely.

Lorenzo Franceschi-Bicchierai (tweet):

Security researchers found the vulnerability when they were investigating the potential hack of a Saudi activist’s iPhone, according to a new report by Citizen Lab, a digital rights group housed at the University of Toronto’s Munk School that has investigated NSO spyware for years.

The researchers told Motherboard that they believe the attack was carried out by a customer of NSO, the infamous Israeli company that sells spyware to dozens of governments all over the world.

Bill Marczak:

The exploit is invisible to the target, but in our forensic analysis, we found 31 files with the “.gif” extension on a target’s phone. Of course, they weren’t GIFs at all! 27 of them were the same 748-byte Adobe PSD file, and four were PDFs.

See also: Goodbye, iMessage.
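
The forensic finding Bill Marczak describes above (files named “.gif” whose contents were PSD or PDF, many of them identical) corresponds to a simple triage check: compare each file’s extension with its leading magic bytes and cluster byte-identical copies. The following is an added example, not Citizen Lab’s tooling; the function names and the in-memory sample are assumptions constructed for illustration, and in practice the bytes would be read from an extracted device backup.

```python
import hashlib
from collections import defaultdict

# Leading magic bytes for the three formats named in the finding.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "psd": (b"8BPS",),
    "pdf": (b"%PDF-",),
}

def sniff(data: bytes) -> str:
    """Return the format implied by the leading bytes, or 'unknown'."""
    for fmt, prefixes in MAGIC.items():
        if data.startswith(prefixes):
            return fmt
    return "unknown"

def triage(files: dict[str, bytes]) -> dict:
    """Flag files whose extension disagrees with their content and group
    byte-identical copies, which is how repeated payloads stand out."""
    mismatched = []
    clusters = defaultdict(list)
    for name, data in sorted(files.items()):
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        actual = sniff(data)
        if ext in MAGIC and actual != ext:
            mismatched.append((name, ext, actual, len(data)))
            clusters[hashlib.sha256(data).hexdigest()].append(name)
    duplicates = {h: names for h, names in clusters.items() if len(names) > 1}
    return {"mismatched": mismatched, "duplicates": duplicates}

# Constructed sample: placeholder bytes carrying only a format's magic prefix.
SAMPLE = {
    "a.gif": b"GIF89a" + b"\x00" * 20,      # genuine GIF header
    "b.gif": b"8BPS" + b"\x00" * 744,       # PSD header, 748 bytes total
    "c.gif": b"8BPS" + b"\x00" * 744,       # byte-identical copy of b.gif
    "d.gif": b"%PDF-1.7\n" + b"\x00" * 16,  # PDF header
}

if __name__ == "__main__":
    report = triage(SAMPLE)
    for name, ext, actual, size in report["mismatched"]:
        print(f"{name}: extension .{ext}, content {actual}, {size} bytes")
    for digest, names in report["duplicates"].items():
        print(f"{len(names)} identical copies ({digest[:12]}...): {names}")
```
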

Update (2021-09-14): Juli Clover:

Today’s iOS 14.8 update addresses a critical vulnerability that Apple engineers have been working around the clock to fix, reports The New York Times.

See also: Hacker News.

Update (2021-09-17): Tom McGuire:

This blog post will analyze the integer overflow in CoreGraphics, CVE-2021-30860. After examining the modified .dylib, it appears that there were other issues that were resolved as well, related to imaging processing. We will focus in on the JBIG2 processing, specifically in the JBIG2::readTextRegionSeg.

MarsEdit 4.5.2

Daniel Jalkut (tweet):

This update brings long-awaited media syncing functionality for WordPress blogs. After you refresh your blog in MarsEdit 4.5, all the existing images and files from your blog will be available for re-insertion from the Media Manager’s “Published” tab.

Historically, this tab has included only files that are uploaded from MarsEdit itself. This limitation was based in shortcomings of the WordPress API (the interface MarsEdit communicates to the blog with), but the API has since been updated to support downloading a complete list of the published media files.

This is really cool. I ran into some issues when syncing large numbers of images, and these have been addressed in the 4.5.2 update.

Friday, September 10, 2021

History of App Store Policy Changes

Dieter Bohn:

Apple’s app store policies have caused controversy and consternation many times over the years, but few periods have been as active and strange as the last two weeks. For the first time, we are seeing Apple being forced to react directly to lawsuits and regulators with substantial policy changes.

[…]

Here, then, is a very brief history of the major policy changes and statements Apple has made about the App Store over the years. The impetus for these different changes (or, as Apple tends to call them, “clarifications”) has varied, but the trend has remained the same. Apple has worked hard to keep the fundamental, central model of a 30 percent cut intact while softening it around the edges to appease various constituencies.

But just take a look at the timing and cadence of these changes. After a development period from 2007 to 2011 when Apple fills out the features, there’s a large gap when Apple made few notable policy changes. Then, a major shift in 2016 to address some growing discontent among developers. And then, starting in the summer of 2019, there is an ever-increasing cadence of controversies and policy tweaks to address them.

Previously: