Monday, March 1, 2021 [Tweets] [Favorites]

Apple Beige

Ben Zotto:

Apple’s second computer — its first to have a case — launched in 1977, and that boxy beige Apple II was soon everywhere: in classrooms, living rooms and offices. At the vanguard of a generation of personal computers to come, it featured a particular and carefully-chosen beige. But what did that look like? Those first machines — the ones that have escaped landfills anyway — have shifted in color over 40 years. The documented public record is sketchy and confused. But I stumbled upon a way to investigate what Apple Beige was like.

Ben Zotto:

Jerry Manock, the original designer of the iconic cases and the person most closely associated with Apple Beige, was kind enough to respond in detail to my inquiries following the article. There’s more to this story than just a color swatch.

[…]

I shared my earlier story about Apple Beige with Chris Espinosa, the only current Apple employee who was around back when the Apple II was being developed (!). He was “surprised at the focus on Pantone because my work with Jerry [Manock] was always in Munsell.”

The Mac Price Crash of 2021

Robin Harris (via Hacker News):

The impressive performance and battery life gains of the new M1 MacBooks have created a historic discontinuity in the normally placid resale market. Should you spend $800 for a one year old MacBook Air when for $200 more you could get a MacBook Air with several times the performance and 50 percent better battery life?

[…]

I check Craigslist fairly regularly to keep track of what’s for sale. I’ve seen an unusual bifurcation in the pricing for MacBooks.

There are more late-model Intel MacBooks showing up for sale. Some of those are showing context sensitive pricing, i.e. almost new MacBook Airs for $600 rather than the $800-$900 that some think their Intel-based machine is still worth.

Previously:

Weather Line Acquired

Off Coast LLC (tweet):

The acquisition means the app is going away. Today, we removed Weather Line from the App Store. For all existing Weather Line users, free and paid, the app will continue working for 13 months, until April 1, 2022.

[…]

As an Indie Founder without a day job, being able to sell an app provides for my family in a very difficult climate.

Ryan Jones:

For those asking – we will not be joining the purchasing company.

We’ll transition the app to them, show them the ropes, and help them plan – but we will not continuing with the app long term.

I hope the buyer brings it back in a similar form because there’s still nothing like it.

Previously:

Downcast 2.9.61

George Cox:

This update contains a big improvement in Downcast’s macOS app that reduces the chances of running into the dreaded ‘inaccessible resource’ issue. Per Apple’s suggestion, Downcast stores security-scoped bookmarks for file system resources rather than absolute paths. Bookmarks are a more robust way to keep track of the content Downcast downloads like artwork, episode media files, etc. However, these bookmarks can become stale or invalid for a variety of reasons. When this happens, it’s usually possible for the app to automatically refresh the bookmark and continue operating without issue. Unfortunately, Downcast wasn’t handling a specific recoverable condition correctly prior to this build and that led to users experiencing this frustrating ‘inaccessible resource’ issue when they shouldn’t have.

Great news, but apps shouldn’t have to deal with this. Security-scoped bookmarks have been around since macOS 10.7. Why do they continue to break for seemingly no reason?

See also: Peter Steinberger.

Previously:

Friday, February 26, 2021 [Tweets] [Favorites]

Apple Documentation and SwiftUI for Mac

Alexander Grebenyuk:

I wrote a post yesterday about triple-column navigation in SwiftUI. It felt a bit awkward posting it because this really shouldn’t be some obscure knowledge. This is hardly a challenging problem. But to me and to many other people, this was challenging.

Why was it challenging? The NavigationView documentation page doesn’t mention a triple-column layout or macOS at all. But the lack of content is not the only problem with Apple Documentation.

The intention of the article isn’t to complain, but rather to review the documentation system and point out some of its issues.

Alexander Grebenyuk:

This is a native macOS app written entirely in SwiftUI, from @main to bottom. Not a prototype, not a toy. A full-featured app. The intention is to deliver the best macOS experience possible.

[…]

The relationship between SwiftUI and AppKit are not documented and not guaranteed to be supported. This workaround is useful for now, but might stop working in the future.

[…]

I had to compromise in a few places. But I don’t have a lot of bugs to report. Maybe I’m just getting better at avoiding things that don’t quite work as expected. There are some limitations, but the AppKit integration is always there for me.

Wil Shipley:

SwiftUI is an amazing way to prototype interfaces quickly but when you hit a wall you hit it hard and there’s almost nothing you can do.

It’s also telling to me that, for instance, nobody seems to have figured out how to make two Buttons in SwiftUI be the same width.

(Yes, I’ve seen various posts about it, but so far haven’t found a solution that works in all cases.)

Previously:

Outdated Software Keeps Inmates Beyond Their Release Dates

Jimmy Jenkins (via Hacker News):

According to Arizona Department of Corrections whistleblowers, hundreds of incarcerated people who should be eligible for release are being held in prison because the inmate management software cannot interpret current sentencing laws.

[…]

According to the sources, the entire inmate management software program, known as ACIS, has experienced more than 14,000 bugs since it was implemented in November of 2019.

The article calls this one of the bugs, but it sounds like the state changed the requirements without appropriating any funds to update the software. The estimated “2,000 additional programming hours” seems rather small given the scope of the program:

The ACIS software system replaced an older program called AIMS that had been in operation for more than three decades. According to a 2019 presentation to the Joint Legislative Budget Committee, the Department of Corrections has spent more than $24 million replacing the inmate management system. A department spokesperson testified that requirements for the project were poorly scoped from the beginning, resulting in a contract that went millions of dollars over budget.

frompdx:

Software is simultaneously infallible and the perfect scapegoat. The inmate who lost their phone privileges for 30 days is an example. They did nothing wrong but the computer says so and nothing can be done. The computer is right in the sense that its decision cannot be undone, and solely to blame since no human can undo its edict or be held accountable, apparently.

Previously:

Clubhouse Wants to Upload Your Contacts’ Phone Numbers

Will Oremus:

When you join the fast-growing, invite-only social media app Clubhouse — lucky you! — one of the first things the app will ask you to do is grant it access to your iPhone’s contacts. A finger icon points to the “OK” button, which is also in a bolder font and more enticing than the adjacent “Don’t Allow” option. You don’t have to do it, but if you don’t, you lose the ability to invite anyone else to Clubhouse.

Via Nick Heer:

The permission dialog iOS presents users before an app is able to access their contacts is, in a sense, being presented to the wrong person: can you really consent on behalf of hundreds of friends, family members, and acquaintances? From a purely ethical perspective, the request ought to be pushed to every contact in the directory for approval, but that would obviously be a nightmare for everyone.

There are clearly legitimate uses for doing this. Allowing people to find contacts already using a service, as Clubhouse is doing, is a reasonable feature. It does not seem like something that can be done on-device, so the best solution that we have is, apparently, to grant apps permission to collect every contact on our phones. But that is a ludicrous tradeoff.

Guilherme Rambo:

Just had a poke at the Clubhouse app with a proxy, given the recent concerns about contacts usage. The bad part is that it uploads all of your contact’s phone numbers (surprise!). The good part is that that’s the ‘only’ thing it uploads about them.

[…]

Another problem is that the API used to upload the phone numbers doesn’t seem to be using SSL pinning.

Dave Verwer:

I saw some suggestions that Apple should solve this with a Photos.app style “select which contacts can be accessed” permission, but is anyone going to go through their contacts manually, picking and choosing? I have just under a thousand records in mine from many years of personal+work life, and I bet that’s nothing compared to some people. It’s not practical. Maybe a solution would be to let the permission be on groups rather than individual contacts, but who’s contact database is that well organised? Mine isn’t.

The other popular theory on how to solve this is that Apple should provide an API to hash contact information, allowing apps to match people without getting access to personal information. That’s one of those ideas that feels better and solves one aspect of the problem, but bad situations are inevitable when you match a full contacts database.

Previously:

Excessive Mac SSD Wear

Hartley Charlton (Hacker News):

Across Twitter and the MacRumors forums, users are reporting that M1 Macs are experiencing extremely high drive writes over a short space of time. In what appear to be the most severe cases, M1 Macs are said to be consuming as much as 10 to 13 percent of the maximum warrantable total bytes written (TBW) value of its SSD.

[…]

It is not known how widespread the TBW issue is, but reports of strange SSD behavior are also now emerging from users with Intel-based Macs, suggesting that the TBW issue may not be exclusive to M1 Macs.

Dan Moren:

I ran the command-line tests on my own M1 MacBook Air versus my 2017 iMac, and it certainly did seem as though some of the numbers on the Air were higher than they should be, given the amount of relative use.

The numbers for older Macs reported on Accidental Tech Podcast also seem higher than I would have expected.

Thursday, February 25, 2021 [Tweets] [Favorites]

Steve Jobs Stories

Juli Clover:

Apple co-founder and former CEO Steve Jobs was born on February 24, 1955, and if he was still alive, today would mark his 66th birthday.

Dave Mark:

The Computer History Museum pulled together a Clubhouse visit with some Apple luminaries, all on the occasion of Steve Jobs birthday[…]

Fry’s Electronics Closing

Bill Reynolds (via Hacker News):

Fry’s Electronics is closing business nationwide effective tonight.

Om Malik:

We applaud fashion designers like Paul Smith for creating a unique look for their stores across the world, but this is one area where Fry’s innovated as well. Fry’s was ahead of the curve in their belief in experiential retail. Each store had its unique theme. Palo Alto store (my favorite) was straight out of the Old West. The store in Fremont had an 1893 World’s Fair theme. It was all kitsch, but it made visits even more memorable. And it attracted customers.

[…]

Thirty-six years is a long time for any company to exist, especially for a retailer. A lot of the vendors who sold their products on the shelves of Fry’s are long gone. The name “Zoom” belonged to a modem maker back in the day. And how many people remember AST? Undeniably, Fry’s had a good run. But we can’t forget the ultimate truth: Change is constant. And these days, things change more quickly than ever before. No place exemplifies that reality quite like Silicon Valley.

One-to-One IP Targeting

El Toro:

Specifically, El Toro offers: Targeting without having to use cookies, census blocks, or geo-location tools.

John Gruber:

Why doesn’t Apple build a VPN into its OSes? Or as an offering of paid iCloud accounts at least? At this point, if privacy truly is a paramount concern, it might be necessary to do everything over a trusted VPN. IP addresses are inherently not private.

I’ve wondered about this, too. Privacy as a service seems like a natural fit for today’s Apple. Sure, there are already lots of VPN services, but it’s hard to know which ones can be trusted.

Previously:

Anker PowerCore Magnetic 5K Wireless Power Bank

Joe Rossignol:

First previewed at CES 2021, the PowerCore battery pack magnetically attaches to the back of any iPhone 12 model and provides 5W of wireless charging. With a 5,000 mAh capacity, the battery pack is capable of charging the iPhone 12 mini from 0% to 100%, the iPhone 12 and iPhone 12 Pro from 0% to around 95%, and the iPhone 12 Pro Max from 0% to 75%, according to Anker. The battery pack itself recharges via USB-C.

While the battery pack is compatible with the MagSafe system, it is not an official accessory, so charging is limited to 5W. Apple’s rumored MagSafe battery pack would likely be able to charge an iPhone 12 model at up to 15W, in line with the MagSafe Charger.

This is pretty cool, although I wonder whether the battery is thick enough to get in the way of the camera lens. You can also use the USB-C jack to charge other devices or the iPhone itself (more efficiently than wireless). Presumably you can also use a single cable to charge the PowerCore at the time time it’s charging the phone.

Previously:

macOS 11.2.2

Juli Clover:

According to Apple’s release notes, the macOS Big Sur update prevents 2019 or later MacBook Pro models and 2020 or later MacBook Air models from being damaged when connected to certain third-party, non-compliant powered USB-C hubs and docks.

There have been several reports on Reddit from Mac users who have connected USB-C hubs and docks to their machines, resulting in the machine becoming non-functional. Affected Macs appear to go blank and unresponsive shortly after connecting the dock. Many of the users who experienced issues were using hubs and docks not purchased from reputable companies.

Howard Oakley:

The update is 2.6 GB for Intel models, and Apple doesn’t provide any details of changes which affect other models.

Are even minor updates huge these days because of the dyld_shared_cache?

Previously:

Tuesday, February 23, 2021 [Tweets] [Favorites]

The Context and the Logic

Soroush Khanlou:

How much of your time at your job is actually spent on writing the logic, and how much of it is spent preparing an environment in order for that logic to run? I wouldn’t be surprised at all if I found out that 98% of my time was spent on context.

[…]

First, that we all tell ourselves a lie: this job is primarily about the logic, interview candidates should mainly be tested on their ability to think about the logic, a “good” programmer is someone who can write the logic really well. In fact, an overwhelming amount of the job is making the context work.

And it seems like there’s more context to deal with now.

Previously:

Similar Detritus Not Allowed

Daniel Jalkut (tweet):

I’ve noticed folks on Twitter and in developer Slack’s coming up with the same problem. I don’t know if something has changed in the code signing toolchain, or we’re just having an unlucky break, but I thought I’d blog about it because it seems many people may need this advice now.

The error in question is always along these lines:

resource fork, Finder information, or similar detritus not allowed

I’ve long seen this error when there was a com.apple.FinderInfo or com.apple.ResourceFork extended attribute, but apparently it can now occur when there are no xattrs detectable by xattr. It’s a mystery what detritus is attached to the file.

Unified Office App for iPad

Nick Heer:

I am finding it difficult to adapt to increasingly unified applications on my Mac and iPad. I am not sure if this is an age and experience thing — I am used to switching between apps with multiple documents or windows open. Aside from web browsers and development environments, I use tabs infrequently within any apps because I am often juggling between many files. The advantages of thinking in an application-based model are outweighed, for me, by a document-based model.

This unified Office app has many of the same problems as, for example, Electron apps and web apps generally. Each document consumes the entire app. You can use the app in split screen, as Apple now requires, but it does not fully support multitasking within the app. So it is not possible to, for example, build a PowerPoint presentation based on a Word document outline, or reference one Excel spreadsheet while working in another.

Arizona Bill on App Store Payments

Regina Cobb and Leo Biasiucci:

The status quo is failing Arizonans, forcing us to pay inflated prices. It’s failing entrepreneurs, who are being forced to jump through hoops simply to get products to their customers. In fact, the only folks who seem to benefit from this setup are the monopolies – Apple and Google.

But we’re ready to change that – and Arizona is leading the charge. While D.C. sits on its hands, we are taking action now to challenge Big Tech’s monopoly and make Arizona a better place for every app user and app developer. We are fighting for HB2005, a bill to lower prices for consumers and free small businesses from Big Tech’s “app tax.” The legislation would allow web developers to accept payments for their apps without going through Apple or Google’s app stores, bypassing the app tax and reducing the cost for consumers without compromising security or safety.

Via David Heinemeier Hansson:

This is a more narrow bill than what was first proposed in North Dakota. It focuses exclusively on giving all developers the same kind of freedom in payment processing that Uber, Lyft, Amazon, and other physical goods apps already enjoy.

[…]

The hearing before the vote is being broadcast live on the Arizona State Legislature site.

[…]

“We we introduced the App Store in 2008, developers had to pay for the tools to build, they had to pay for their discs.” LOL. Like the internet didn’t exist in 2008? Sheesh.

“Apple: Developers had to pay 70% before the App Store was invented”, this is just terrible, horrible misinformation. Ugh. Sad to hear Apple advance this.

Apple doesn’t have the information on how much money they’ve made from the IAP cut!

Previously:

Monday, February 22, 2021 [Tweets] [Favorites]

Epic Counterclaims, Europe, and Valve

Florian Mueller (also: AppleInsider, ArsTechnica, Hacker News):

Epic Games just reduced the potential risk it incurs from its antitrust dispute with Apple over its App Store business terms: Judge Yvonne Gonzalez Rogers of the United States District Court for the Northern District of California granted an Epic motion for judgment on the pleadings on some of Apple’s counterclaims. As a result, Apple’s counterclaims (unless an appeals court revives the ones the judge just threw out) are limited to breach of contract, which Epic already acknowledged in October it would be liable for should it lose its antitrust case against Apple.

Tim Hardwick (also: Florian Mueller, Reuters, Hacker News):

Epic Games has filed an antitrust complaint against Apple in the European Union, broadening its legal battle against the tech giant by attempting to appeal to the EU’s differing interpretation of antitrust issues compared to those in the United States (via The Wall Street Journal).

[…]

Europe uses different standards than the U.S. when it comes to antitrust issues, focusing more on fairness between competitors than their impact on consumers, which the U.S tends to focus on. Epic has also filed similar lawsuits in Australia and the U.K., accusing Apple of an abuse of dominance.

Juli Clover:

Epic Games will not be able to expand its ongoing Fortnite fight with Apple in the UK after a judge said the case could not continue in London, reports Bloomberg.

[…]

The judge ruled that Epic Games’ case against Apple Inc. was better decided in the United States, but Epic Games is allowed to sue Apple (UK) Limited, a European arm of the company, and Google.

Hartley Charlton:

Apple has subpoenaed Valve in its ongoing lawsuit with Epic Games, demanding it provides huge amounts of commercial data about Steam sales and operations dating back several years, court filings have revealed (via PC Gamer).

[…]

Apple requested that Valve provided documents to show its total yearly sales of apps and in-app products, annual advertising revenues, annual sales of external products, and annual revenues and earnings from Steam. There are also more granular requests for the name of every app on Steam, the date range when every app has been available, and the price of all apps and in-app purchases.

[…]

The company also bristled at Apple’s request for Valve’s involvement in the case since Steam is not a competitor in the mobile space, saying “Valve is not Epic, and Fortnite is not available on Steam.” Valve goes as far as to allege that Apple is using the request as a shortcut to a vast amount of commercially-sensitive third-party data.

Wil Shipley:

Well, I guess now I’ll subpoena Apple and demand they release all their sales data for each app in the App Store.

Chris R. Donnelly:

The irony being they don’t retain that data for developers’ own sales on the App Store

Previously:

Swift Proposal: ConcurrentValue and @concurrent Closures

SE-0302 (forum):

This proposal describes an approach to address one of the challenging problems in this space — how to type check value passing between structured concurrency constructs and actors messages. As such, this is a unifying theory that provides some of the underlying type system mechanics that make them both safe and work well together.

[…]

One safe way to transfer reference types is to make a deep copy of the data structures, ensuring that the source and destination concurrency domains each have their own copy of mutable state. This can be expensive for large structures, but is/was commonly used in some Objective-C frameworks. General consensus is that this should be explicit, not something implicit in the definition of a type.

[…]

This proposal introduces the concept of a “marker” protocol, which indicates that the protocol has some semantic property but is entirely a compile-time notion that does not have any impact at runtime.

[…]

The ConcurrentValue protocol models types that are allowed to be safely passed across concurrency domains by copying the value. This includes value-semantic types, references to immutable reference types, internally synchronized reference types, @concurrent closures, and potentially other future type system extensions for unique ownership etc.

Previously:

Chromebooks Outsell Macs

Johanna Romero (via ChrisLTD):

Back in November, we reported on how in Q3 of 2020 Chrome OS growth was exploding across the globe. Now, the newest report by Strategy Analytics has shown that this impressive growth has continued throughout Q4, to the point that Chrome OS has overtaken MacOS’ #2 slot with 16.4% of the global Notebook PC market share.

Sami Fathi:

The data from IDC (via GeekWire) shows that Windows continues to dominate the market, although its share declined over the course of the year as Chrome OS surged past macOS into second place.

For the full year, the market share of Windows was down 4.9% in 2020 compared to 2019, while the Mac grew from 6.7% to 7.5%. IDC’s data includes collective information about desktops, laptops, and workstations, and doesn’t provide a breakdown of specific different product types.

Previously:

A Retrospective Look at Mac OS X Snow Leopard

Riccardo Mori:

So, I used Snow Leopard on my 2009 MacBook Pro for about three years, and then again on a 2010 Mac mini that a friend gave me to maintain, as a sort of offsite backup. That Mac mini was kept on Mac OS X 10.6.8 for the whole four years it was in my custody (2011–2015) and it was switched off only twice during that period and maybe restarted four or five times in total. It enjoyed an insane uptime and it was a testament to Snow Leopard’s stability.

But back to my ‘gut-reply’, I wanted to be certain that my fond memories of Snow Leopard weren’t just nostalgia. While I am confident when I say that Snow Leopard is the most stable version of Mac OS, I wanted to make sure its user interface was really the good user interface and experience I was remembering.

Previously:

Google vs. iOS App Privacy Labels

Eric Slivka (tweet):

Google today finally updated its YouTube iOS app for the first time in over two months, becoming one of the highest-profile Google apps to see an update since early December when Apple began requiring that developers disclose privacy practices for each of their apps in order to have their updates approved.

[…]

Google has denied that it is holding back iOS app updates in order to delay revealing its privacy practices, but many users have found that hard to believe considering the sudden slowing of app updates coinciding with Apple’s disclosure deadline and continued updates for Google’s various Android apps.

Earlier this week, the Gmail iOS app even began displaying “out of date” warnings when trying to add a new account, even though there is no new version of the app available and there have been no updates to the Gmail iOS app since December 1.

John Gruber:

A few hours and seems like Google has pushed a server-side change to suppress these warnings. But the apps themselves were not updated, and Google still hasn’t supplied privacy nutrition labels.

My utterly uninformed theory is that Google somehow didn’t understand the magnitude of what these iOS privacy changes entailed. It’s not just about a single device identifier used for targeted advertising.

Ryan Jones:

Google’s first privacy label. Let’s look at their strategy:

“We collect a shit ton of private data, but we link it to an Identifier and then only use that identifier to track you.”

Deviously brilliant.

[…]

Forces Apple’s hand brilliantly… you want to take down YouTube, when no one press has even noticed?

[…]

The real question:

How did Apple App Review approve this!?

Clearly it skirts the rules, which were written overly-generic to stop this exact strategy.

Ryan Jones:

I’ve annotated the exact rule.

Read the highlighted sentences. It’s expertly written by Apple to capture exactly what Google is attempted.

[…]

Intent matters, not execution. If you use an ID for the purpose of tracking 100 other things… you are “tracking 100 other things.”

[…]

I hope that helps clarify Google’s (and Facebook’s) privacy labels are most definitely breaking these rules.

Curtis Herbert:

I don’t think you get how privacy labels work.

They don’t have to say “track” for stuff used inside Google (which their ad network is). They only have to disclose track for stuff shared outside Google Inc.

They can build up a huge profile for someone and let third parties target that with ads, all while keeping the data internal (aka not “track”).

The key here is what Google shares, not what they ingest from third parties. They can grab all kinds of data from other companies, that doesn’t count for tracking (for Google, it counts for the other companies). It only counts if they share it.

Ryan Jones:

Here, read the highlighted parts as a sentence. Notice, sharing is not needed.

[…]

They don’t have to send it to anyone! If any data in the pool of data they use is from anywhere that’s not theirs - it’s tracking.

This is confusing, but I think Jones’ interpretation—that Google’s privacy nutrition label is breaking the rules—better matches the rules as written. (It’s possible but unlikely that Google has somehow segregated the data from the YouTube app so that it’s not linked with data obtained from SDKs in third-party apps or from Web sites running AdWords or Google Analytics.)

See also: this thread between Joe Cieplinski and me.

Previously:

Friday, February 19, 2021 [Tweets] [Favorites]

Apple Store Polices “Irrationally High Prices”

Guilherme Rambo:

It looks like Apple has started to crack down on scam attempts by rejecting apps that look like they have subscriptions or other in-app purchases with prices that don’t seem reasonable to the App Review team.

[…]

We were initially skeptical about the veracity of this email given some of the wording choices, but looking through Apple’s App Store Review Guidelines, it’s possible to find the term “rip-off” at least twice, such as in section 3, where Apple states that “we won’t distribute apps and in-app purchase items that are clear rip-offs.”

In contact with the developer of the rejected app, we were able to verify the authenticity of the rejection email from Apple. Unfortunately in this case, it seems clear that the rejection was a mistake.

See also: Ilia Kukharev.

Paul Haddad:

“Please note that App Store Review cannot make specific recommendations on the price for your app” Isn’t that exactly what they are doing?

If Apple thinks these prices are rip-offs shouldn’t they proactively refund anyone who paid those prices?

Francisco Tolmasky:

I wonder if Apple will apply the same rule to themselves to explain their iCloud and RAM pricing decisions…

Ryan Jones:

These apps will either a) change the price for review then instantly change it back b) lower by $1 and keep submitting until they find the max.

Paulo Andrade:

Maybe it’s just me but mandating the use of Apple provided views for subscribing (with clear monthly and yearly values) as well as an Apple provided view to display in-app for unsubscribing sounds like a better solution then having app review decide what’s worthy or not.

Previously:

Update (2021-02-22): John Gruber:

This is exactly the sort of crackdown I’ve been advocating for years. A bunco squad that looks for scams, starting with apps that (a) have high-priced in-app purchases and subscriptions, and (b) are generating a lot of money. Ideally Apple will crack down on all scams, but practically speaking, all that matters is that they identify and eliminate successful scams — and identify the scammers behind them and keep them out of the store.

Kosta Eleftheriou:

Apple trying to crack down on “irrational” pricing is an admission that @AppStore ratings just don’t work.

Fix the FAKE RATINGS and people will make it clear if some app’s price-to-value offering is bonkers.

David Barnard:

Apple appears to making some changes to the “buy sheet” on iOS 14.5. Not quite as dramatic as I hope they’ll eventually do, but headed the right direction.

Nick Heer:

I have waffled a bit on whether it makes sense for Apple to be the filter for the appropriateness of app pricing. It has always been a little bit at the mercy of Apple’s discretion — remember the I Am Rich app? — but legitimate developers have concerns about whether their apps will be second-guessed by some reviewer as being too expensive. And I am quite sure that, if the hypothetical becomes a reality, it is likely to be resolved with a few emails. But developers’ livelihoods are often on the line; there are no alternative native app marketplaces on iOS.

The proof of this strategy’s success will be in Apple’s execution, but that in itself is a little worrisome. It is a largely subjective measure; who is an app reviewer to say whether an app is worth five dollars a week or five dollars a month? Apple does not have a history of wild incompetence with its handling of the App Store, but there are enough stories of mistakes and heavy-handedness that this is being viewed as a potential concern even by longstanding developers of high-quality apps.

Unhelpful App Store E-mail Receipts

Tyler Hall (tweet):

It’s always difficult to tell when Apple charges you for something and what it was for. Because unlike every other online retailer, they queue up email receipts for an indeterminate amount of time.

[…]

Huh. I have no idea what that receipt is for.

This is because, surprisingly, receipts don’t say which app the subscription is associated with.

Sure enough, the Apple ID in 12px font is for my 68-year-old mother. It was her purchase!

But I still have no idea what the app is. And I’m very suspicious because there’s basically zero chance she would ever willingly spend $39.99 on an app. Much less one that automatically renews.

[…]

The Order ID link doesn’t open anything in Mail.app on iOS.

On the Mac, it eventually leads to the Music app.

But there’s no way to search for your purchases. And even if you could, what would you search for? Apple’s receipt didn’t give you any meaningful information. Your only option is to scroll the list and see if you recognize the receipt’s app icon.

[…]

Let’s tap the “DOCUMENT NO.” link. (Now, if you’re a developer like me, you know exactly what comes next and why.)

iOS thinks it’s a phone number.

In the email receipt on my desktop browser, clicking the “Write a Review” link opens Chrome and once again asks if I want to open Music.app. Sure.

And there it is. Inside Music.app, right next to all my music playlists, the App Store page loads, and I can see my mom signed up for an automatically renewing $39.99 a year subscription for…

…a white noise app.

[…]

It may seem like innocuous onboarding steps, but I know for a fact - based on what comes next - that this developer is already using a dark pattern to trick customers into subscribing.

Jeff Johnson:

pologists: “iOS App Store lockdown is necessary to protect people like your mother who aren’t computer experts.”

your mother: [scammed by iOS App Store]

Paul Haddad:

I think most people would agree that $40/year for a white noise app is a troublesome price. But does anyone want Apple deciding what fair prices are? I’d say no, but then again $40/year…

Previously:

Update (2021-02-22): David Wendland:

I’ve heard these email invoices have been corrected

Safari to Support WebM Video Playback

Hartley Charlton:

Safari features support for WebM video playback in the second beta of macOS Big Sur 11.3 Beta, indicating that Apple’s browser will finally support the format after failing to do so for almost 11 years.

[…]

WebM also has a sister project called WebP for images. Last year, Apple added support for WebP in Safari 14, so the company’s approach to more niche media formats appears to be softening. WebM support still appears to be unavailable on iOS, but in light of these developments it would be unsurprising if Apple’s WebKit engine added support for it too in due course.

On Catalina, WebP files launch Preview, which can’t display them, and Safari 14 can’t open them, either.

Previously:

Apple Adds Proxy for Safe Browsing Queries

Taha Broach (via Hacker News):

Apple’s privacy push is much more widespread than it seems at the surface. A perfect example is the new privacy feature in iOS 14.5 Beta 1 (V2) which redirects Google Safe Browsing traffic through Apple’s own proxy servers to enhance users’ privacy and to not let Google see your IP address.

Since Apple uses a hashed prefix, Google cannot learn which website the user is trying to visit. Up until iOS 14.5, Google could also see the IP address of where that request is coming from. However, since Apple now proxies Google Safe Browsing traffic, it further safeguards users’ privacy while browsing using Safari.

I still think that one could figure out with reasonable certainty which site the hashed prefix corresponds to. Presumably this also prevents the data from iPhone users in China from being shared with Tencent. On the other hand, now Apple gets the data and would be in a position to link it to your iPhone if it wanted to.

Previously:

Thursday, February 18, 2021 [Tweets] [Favorites]

Citibank’s $500 Million UI Lesson

Timothy B. Lee (via Hacker News):

A federal judge has ruled that Citibank isn’t entitled to the return of $500 million it sent to various creditors last August. Kludgey software and a poorly designed user interface contributed to the massive screwup.

[…]

However, Revlon was in the process of refinancing its debt—paying off a few creditors while rolling the rest of its debt into a new loan. And this, combined with the confusing interface of financial software called Flexcube, led the bank to accidentally pay back the principal on the entire loan—most of which wasn’t due until 2023.

[…]

The subcontractor thought that checking the “principal” checkbox and entering the number of a Citibank wash account would ensure that the principal payment would stay at Citibank. He was wrong. To prevent payment of the principal, the subcontractor actually needed to set the “front” and “fund” fields to the wash account as well as “principal.”

Citibank’s procedures require that three people sign off on a transaction of this size. In this case, that was the subcontractor, a colleague of his in India, and a senior Citibank official in Delaware. All three believed that setting the “principal” field to an internal wash account number would prevent payment of the principal.

LastPass Pricing Changes

Dan DeMichele (via Jason Koebler, MacRumors, Hacker News):

LastPass offers access across two device types – computers (including all browsers running on desktops and laptops) or mobile devices (including mobile phones, smart watches, and tablets). Starting March 16th, 2021, LastPass Free will only include access on unlimited devices of one type.

[…]

In addition to this change, as of May 17th, 2021, email support will only be available for Premium and Families customers.

[…]

If you’d like unlimited device type access and email support, you can upgrade from Free to LastPass Premium for a limited time, for $2.25 per month (billed annually).

1Password is $2.99/month, billed annually, with a native Mac app.

m000:

A few years back, their free/premium tiers were looking similar to what they announced today. Only they charged a mere $15/year for premium, which I gladly paid.

Then, overnight, they offered syncing across all types of devices for their free tier. The premium tier was only adding some niche features. I would have continued to pay $15/year just to support them, but at the same time they bumped up premium to $36/year. That was a deal-breaker: not paying 2.5x for features I don’t use.

Now, they switch back to not syncing across all types of devices, but the premium price stays $36/year.

Previously:

Update (2021-02-19): Vítor Galvão:

This is a major (but seldom discussed) reason why so many hate subscription software. The rent price (or what it allows you) can change at any time. It’s a Darth Vader deal.

“Classic” licenses don’t suffer from that issue.

2021 State of Mac Malware

Malwarebytes Labs (MacRumors):

Overall Mac detections decreased by 38%, though Mac detections for businesses increased 31%

Malware accounted for just 1.5% of all Mac detections in 2020—the rest can be attributed to Potentially Unwanted Programs (PUPs) and Adware

ThiefQuest tricked many researchers into believing it was the first example of ransomware on macOS since 2017, but the malware was hiding its real activity of massive data exfiltration. It accounted for more than 20,000 detections in 2020

The full PDF report:

All that changed with macOS 10.15 (Catalina). We’ve entered a world in which no software in the entire industry can remove all components of these PUPs, because they’ve come under the protection of Apple.

Apple’s days of sitting on the fence are now over. With the protection involved in the system extension entitlement, there is no longer any middle ground. At the time of writing, Apple is implicitly siding with the PUPs, providing them protection against removal.

[…]

Notarization involves submitting apps to Apple. […] Adware developers responded in divergent ways. Some simply stopped signing their Adware, providing the user with instructions on how to bypass macOS security to run the unsigned installer. This means that they don’t have to bother with notarization, but they also don’t have to worry about Apple revoking their code signing certificate.

However, other Adware developers went the other way, and actually managed to get their malware notarized! In a number of cases, it appears to have passed the notarization checks without significant modification.

Previously:

Mail Search vs. Big Sur’s Fast User Switching

John Gordon:

In our case Ben and Emily both have non-admin accounts on her M1 Air running Big Sur 11.2.1 with fast user switching enabled. When Ben logs out Emily’s Mail search stops working. There’s no error message, but search does nothing and Smart Folders are inactive.

The fix is to kill corespotlightd.

See also: Marco Arment.

Ivan Pavlov:

Fast user switch also breaks Handoff/Continuity/Unlock with Apple Watch. Submitted multiple radars over the last 4 years, still not fixed. Mac needs a year of refinements and bug fixes with no new features.

Clayton Andersen:

I wonder if something fundamental to fast user switching changed with big sur. Had this bug for a while related to it too.

Code Signing When Building on Apple Silicon

Quinn:

codesign should choose the signing format based on the deployment target:

  • If your deployment target is 10.11 or later, you get sha256.
  • If your deployment target is earlier, you get both sha1 and sha256.

This problem crops up because, when building for both Intel and Apple Silicon, your deployment targets are different. You might set the deployment target to 10.9 but, on Apple Silicon, that’s raised to the minimum Apple Silicon system, 11.0. So, which deployment target does it choose?

The wrong one, if you’re trying to deploy to an older version of macOS. I’ve seen lots of posts about this problem in relation to installer packages, but it applies to apps, too.

The upshot is that you have problems if your deployment target is less than 10.11 and you sign on Apple Silicon. When you run on, say, macOS 10.10, the system looks for a sha1 hash, doesn’t find it, and complains.

You can work around this by setting OTHER_CODE_SIGN_FLAGS to --digest-algorithm=sha1,sha256.

Update (2021-02-19): Peter Ammon:

#fishshell was bitten by this, it means we can no longer use Apple’s tools to codesign, so we use xar instead.

See also: Jonathan Deutsch.

Why Reporting Bugs to Apple May Harm Software Quality

Howard Oakley (tweet):

In recent years, I’ve grown concerned – as many of you have – at the increasing number of obvious bugs in release versions of macOS. In the last week or so, I’ve come across some real howlers: the Rich Text Spotlight importer which can’t import the content of RTF documents, Bluetooth status which is never up to date when you first check it, and most recently Big Sur installers and updaters which don’t work on external SSDs connected to M1 Macs.

[…]

Although Dave tested the changes he’d made, he didn’t have time to test whether the mdimporter still indexed the content of RTF files.

It doesn’t help that recent security changes have made it more difficult to test Spotlight importers.

I’ve now reached the stage where I simply don’t have time to report all these bugs, nor should I have to. Indeed, I’ve realised that in doing so, I only help perpetuate Apple’s flawed engineering practices. […] We let Apple get away with this by devoting our time to testing and documenting for Apple. […] Above all, there’s the threat. If we don’t complete Feedback, then Apple won’t know of the bug, and it won’t get fixed.

I’m frustrated, too, and I can certainly understand not having the time to report all the bugs one encounters. But I just don’t see how filing can hurt. Apple would still “get away with it,” and the bugs would be fixed even later, if at all.

If you’re an Apple engineer, please don’t take this personally. I don’t think the current system is good for you either, but at present Apple only seems to respond to public criticism.

I haven’t seen much correlation, personally. Some very public bugs go a long time with no fix. Some obscure ones that I file get fixed right away. Some serious ones get fixed 6 months or a year after I was forced to develop a workaround. Most never get fixed and are seemingly ignored.

Dave Wood:

Got a response to a radar I filed 3 years ago, about a bug in iCloud. They say they can’t look into it now because “the server logs from that date have rolled off”.

This is why I barely file bugs with Apple anymore. Just a waste of everyone’s time.

See also: How to Report Bugs to Apple So They Get Fixed.

Previously:

Tuesday, February 16, 2021 [Tweets] [Favorites]

Dash 6

Kapeli (tweet):

The interface was updated to feel more native, especially in macOS Big Sur

[…]

The most requested feature is here. I think I finally found a way to make full-text search fit well within Dash, alongside the results coming from the docset index.

Full-text search is opt-in. You have to manually enable it for the docsets you want, by opening the docsets in the docset browser and choosing “Enable full-text search”

Full text search is not supported for the Apple API Reference or Man Pages. In my limited testing it worked well for Python, though. Dash 6 retains the 5.x interface of having separate search fields for searching across pages and within the current page. I still haven’t fully adjusted to that. I find myself having to think about which keyboard shortcut to press, whereas the unified search field always felt natural. It’s $30 to buy the app or $20 to upgrade.

Previously:

PodSwap

Michael Potuck (via Ruffin Bailey):

With Apple’s official battery service for worn-out AirPods, you’re looking at $49 for AirPods and AirPods Pro (per headphone), and the same rate goes for any of the AirPods charging cases.

[…]

PodSwap is a relatively new service, and it looks like a great option to get your AirPods batteries replaced at a nice discount. You can swap in your gen 1 or gen 2 AirPods with dead batteries for a refurbished and sanitized pair with “restored battery life.”

The company has indeed found a way to replace AirPods’ batteries with “specially developed equipment.” You’re not getting an official Apple battery here, but PodSwap says it’s done independent testing to make sure “The batteries we use are similar in performance to your original ones from Apple.”

This costs $60 for a pair. They don’t yet support AirPods Pro.

Previously:

Why Does the Apple TV Still Exist?

Jason Snell (tweet, 2):

First, the arrival of the Movies Anywhere service has allowed most iTunes film (not television) purchases to migrate to other devices. Then in advance of the arrival of Apple’s TV streaming service, Apple made deals with the makers of TV sets and streaming boxes to add support for AirPlay, an Apple TV app, or both.

[…]

Gruber and Thompson suggest that perhaps the way forward is to lean into an identity as a low-end gaming console. Maybe amp up the processor power, bundle a controller, and try to use Apple Arcade to emphasize that this is a box that is for more than watching video.

The thing is, that’s really been the story of the Apple TV for the last few years, and so far as I can tell, it’s basically gone nowhere.

My Apple TV 3 is long in the tooth. Now we want to watch a show on HBO, which it no longer supports. But, and I’ve been thinking this for a year or two, this is not a good time to buy an Apple TV 4. It’s still got that awful remote, and surely version 5 will be out soon. I should probably just buy a Roku, now that they support AirPlay and iTunes content. I would miss the Flickr screensaver, though.

John Gruber (tweet):

Really, Apple Arcade is the only recent evidence that Apple remains strongly committed to the Apple TV platform. Every single Apple Arcade game is available on Apple TV — which is difficult for games designed for touchscreen phones. And I will bet that it’s been difficult for some games performance-wise to achieve 30+ FPS on Apple TV 4K. I think Apple’s requirement that Arcade games not just play but play well on Apple TV is a sign that they’re committed.

Cory Zanoni:

If my Apple TV 4K packed it in today, I’d buy a new one. Options are limited here in Australia and I’m not sold on Chromecasts or Fire Sticks. Asking Siri to jump through videos is just that good. The screensavers are incredible. tvOS, neglected as it is, is smooth. Then there are the services: Music and Fitness+ have their hooks in me.

Previously:

Update (2021-02-22): John Gruber:

Also, Apple TV is the only box known to protect your privacy. I think Roku is pretty bad in that regard — that’s how they sell for such low prices.

Jason Snell:

I think this is overstated. Roku defaults to tracking, you can turn it off.

Dman:

You can’t fully turn off Roku tracking. All you can do is turn off the most egregious kinds of profiling but Roku still tracks your usage patterns and what you watch / search for and there is NO WAY to turn that off.

John Gruber:

But even on an Apple TV box, you’re at the mercy of each app you use, and the major streaming services all collect information on everything you do.

[…]

But Roku (and similar boxes, and smart TVs) track you at the system level.

Benjamin Mayo:

What I want, what everyone wants, is a modern Apple TV with an updated processor. We will pay for the niceness. At $99, we’re sold. Like all of Apple’s products, the Apple TV should aim to fill the segment of the market that toes the line between being accessible to the masses and being aspirational luxury.

Mike Rockwell:

I’ve been a fan of the Siri Remote since day one. The ability to control HomeKit devices with my voice, being able to quickly swipe through lists, and essentially acting as a universal remote is just so nice. We don’t use any other remotes in our house. The Apple TV remote turns our TV on and off, controls the volume of our receiver, and interacts with the only non-game console connected to our television.

I would argue that it’s actually the best TV remote I’ve ever used.

[…]

If Apple wants to be in the living room, they need to make their own box to ensure a rock solid, predictable experience. I’m actually surprised that companies like Netflix and Hulu aren’t building their own boxes too.

Swift for TensorFlow Canceled

TensorFlow (via Francisco Tolmasky, Hacker News):

Swift for TensorFlow was an experiment in the next-generation platform for machine learning, incorporating the latest research across machine learning, compilers, differentiable programming, systems design, and beyond. It was archived in February 2021.

skohan:

It’s a shame. I had high hopes at the beginning that S4TF - and the investment in Swift from Google - would help Swift break out of the iOS ghetto and cement it as a mainstream language.

Alexis Gallagher:

Was very saddened to learn, in the Swift for TensorFlow design meeting this morning, that the project had been canceled.

But as this thread notes, much of the tech that was developed is freestanding and usable without tensorflow.

Fan Jiang:

[The] Differentiable Swift part made into mainline and should be available in the official toolchain pretty soon. In retrospect, and from a user’s perspective, I think the team did a great job in modularizing the whole effort so a lot of the products will thrive, like the PythonKit and the Swift Jupyter kernel. One of the unfortunate (and fortunate) aspect is that S4TF is a bit too close with TF - TF is the reason why S4TF even exists, but it also tied the project image to TF, and makes contributing to S4TF libraries require understanding TF and XLA, which is by no means a simple job, especially in a market where elegance in code is yet not a first-class citizen.

See also: Swift: Google’s bet on differentiable programming (Hacker News).

Previously:

The Long Hack

Jordan Robertson and Michael Riley (Hacker News, 9to5Mac):

Bloomberg Businessweek first reported on China’s meddling with Supermicro products in October 2018, in an article that focused on accounts of added malicious chips found on server motherboards in 2015. That story said Apple Inc. and Amazon.com Inc. had discovered the chips on equipment they’d purchased. Supermicro, Apple and Amazon publicly called for a retraction. U.S. government officials also disputed the article.

With additional reporting, it’s now clear that the Businessweek report captured only part of a larger chain of events in which U.S. officials first suspected, then investigated, monitored and tried to manage China’s repeated manipulation of Supermicro’s products.

[…]

“In early 2018, two security companies that I advise were briefed by the FBI’s counterintelligence division investigating this discovery of added malicious chips on Supermicro’s motherboards,” said Mike Janke, a former Navy SEAL who co-founded DataTribe, a venture capital firm. “These two companies were subsequently involved in the government investigation, where they used advanced hardware forensics on the actual tampered Supermicro boards to validate the existence of the added malicious chips.”

The story has more than 50 sources, most anonymous. All the companies and the NSA still deny it. I guess the truth could be so bad that everyone is conspiring to cover it up, but in that case I still would have expected Bloomberg to present some more convincing details and evidence. I started reading this thinking they were going to go back and lock down the 2018 story, but that’s not what this is.

Nick Heer:

Robertson and Riley’s new report concerns the three specific incidents in the quoted portion above. There is no new information about the apparent victims described in their 2018 story. They do not attempt to expand upon stories about what was found on servers belonging to Apple or the Amazon-acquired company Elemental, nor do they retract any of those claims. The new report makes the case that this is a decade-long problem and that, if you believe the 2010, 2014, and 2015 incidents, you can trust those which were described in 2018. But if you don’t trust the 2018 reporting, it is hard to be convinced by this story.

This time around, there are many more sources, some of which agreed to be named. There is still no clear evidence, however. There are no photographs of chips or compromised motherboards. There are no demonstrations of this attack. There is no indication that any of these things were even shown to the reporters. The new incidents are often described by unnamed “former officials”, though there are a handful of people who are willing to have quotes attributed.

John Gruber:

It’s a 4,000-word exercise in journalistic sophistry. It creates the illusion of something being there, but there is nothing there.

Matt Tait:

tl;dr is a source misunderstood an FBI defensive briefing on China’s supply chain activities, leaked it to the press, and bloomberg has again failed to do the work necessary to verify the sensational claims, because they mistake impressive credentials with domain expertise.

[…]

Articles like this are constructed out of parts. There are a series of claims attributed to collections of sources, grouped into an overall story. The way to read them is to read carefully to break out the specific claims and the corresponding sourcing.

Previously:

Monday, February 15, 2021 [Tweets] [Favorites]

Arq 7

Stefan Reitshamer:

Arq 7 is fully backward-compatible with backup data created by older versions of Arq, but it’s packed with new features. It’s been through 4+ months of internal and beta testing, so it’s solid.

Many of the features listed on that page were also in Arq 6. The more detailed change notes are here. The biggest change is that it’s no longer an Electron app. The new interface is a big improvement, much better than Arq 6 and in most respects better than Arq 5, too. (I’m not crazy about the new, unsorted, list of the paths to back up or the way exclusion rules are handled and duplicated.) You can once again navigate backup settings and restores without having to repeatedly enter your password. The backup logs are now integrated into the main part of the app, and you can jump from a backup’s settings to its latest log. And the global Arq menu clearly shows what’s happening with each backup. I did run into an issue where the ArqAgent process consumed 7.6 GB of private memory. After restarting my Mac and doing a few (smaller) backups, it so far hasn’t recurred. Overall, a smooth and trouble-free upgrade, unlike last time.

Previously:

Update (2021-02-22): Arq 7 costs $50 and includes one year of updates. You can optionally subscribe beyond that for $25/year. It continues to work well for me with the following exceptions:

Nicholas Riley:

A warning if you’re upgrading to Arq 7: check your retention settings first. Several of my family’s Macs ended up deciding everything was new from the Arq 5 backup, then this pushed the overall backup size over quota to the point that ALL of the backup history was deleted.

Thomas Clement:

Why does Apple keep restraining the snapshots API to select developers? Aren’t all developers treated equally?

All the apps that might have been but never will...

(and yes I applied to get access at some past job and we got refused for trivial reasons)

Previously:

Friday, February 12, 2021 [Tweets] [Favorites]

FastScripts 3 Beta

Daniel Jalkut:

Over the years I’ve had a lot of ideas about how FastScripts might evolve, and have worked on new features intermittently. As part of my recent decision to reinvest in Red Sweater, I decided to focus on finally shipping some of those features in a major 3.0 upgrade. Today, I’d like to share what I’ve got so far, as a public beta[…]

[…]

The major changes in this upgrade are the introduction of a search feature so you can easily sift through all the scripts in the menu, and a major overhaul to the way scripts are executed so that multiple scripts can be fired off in rapid succession without interfering with one another.

[…]

Apart from the changes listed above, I hope to soon offer the ability to monitor and cancel long-running scripts are launched from FastScripts.

This great app is free while in public beta. I’ve been using the beta for a several days with no problems.

Previously:

The Evolution of “safe” and “unsafe” in Swift

Joseph Heck:

One of the interesting take-aways is that the terms “safe” and “unsafe”, or at least the specific implications of when they’re used in the swift language, are broadening what they cover with the upcoming changes. You could start to see it as early as last October when the Swift Concurrency Roadmap was published, but the wording wasn’t fully in place, more of just conceptual frameworks. The details of the broadening of the definition didn’t hit home for me until I caught up with the recent discussion on the pitch for task local values.

[…]

Across the recent pitches and proposals, some of the language terms that use safe are now being used to imply concurrency safety, somewhat independently of memory safety. The goal looks to be to provide APIs that have some guarantees about thread-safe access and updates. And along with the safe versions, there are some potential “unsafe” variants to use when you need the escape hatch and are willing to take on the thread safety guarantees yourself.

Paulo Andrade:

If you’ve ever encountered the dreadful UnsafeMutableRawBufferPointer or one of its friends and ran to stackoverflow… then this post is for you!

Previously: