Archive for January 12, 2015

Monday, January 12, 2015

Spotlight Suggestions and Web Bugs

Dan Goodin:

Using the Spotlight search feature in OS X Yosemite can leak IP addresses and private details to spammers and other e-mail-based scammers, according to tests independently performed by two news outlets.


Mail allows users to block remote images for precisely this reason. But even when remote image viewing is disabled in Yosemite-based Mail app settings, the images will be opened by Spotlight, according to two recent media reports. The feature is used to search a Mac for files or e-mail containing a specified search term. When spotlight returns a preview of e-mails containing the term, it loads the images, overriding the option. Images are loaded even when the previewed message has landed in a users’ junk mail folder.

Rene Ritchie:

As described above, email can be turned into a pseudo webpage by requesting server-side images — including tracking pixels — be loaded into them. Instead of attaching an image, which embeds the image in the email, they pull it from a website: If “load remote content” is enabled, that image will be pulled as soon as you open the email, and the website will get your IP address and other information just as if you visited the site directly.

As I recall, the same bug has always been present in Quick Look. Quick Look thumbnails seemingly try to load the images but are thwarted by the sandbox. Quick Look previews load the images regardless of the setting in Mail.

See also: Spotlight Suggestions and Privacy and SpamSieve’s documentation on Web bugs.

Using the Hypervisor Framework: A Simple DOS Emulator

Michael Steil:

Since Version 10.10 (Yosemite), OS X contains Hypervisor.framework, which provides a thin user mode abstraction of the Intel VT features. It enables apps to use virtualization without the need of a kernel extension (KEXT) – which makes them compatible with the OS X App Store guidelines.


There is no real documentation, but the headers contain a decent amount of information. […] So let’s create a virtual machine that runs simple DOS applications in 16 bit real mode, and trap all “int” DOS system calls – similar to DOSBox.

Apple Introduces App Store Refunds

Jordan Kahn (via Rosyna Keller):

Apple has recently introduced a new 14-day no questions asked return policy for iTunes, App Store and iBooks purchases in Europe including the UK, Germany, Italy, France, and many other EU countries.

Apple’s terms and conditions for the stores previously stated users had the right to withdraw from a transaction “without charge and without giving any reason until delivery of the product has started.” That meant purchases were all but final apart from some exceptions handled by Apple support.

Now, Apple has updated its terms to include a specific no questions asked 14-day return window that includes all purchases apart from gift cards.

The menu item in question does not seem to be available in the US store. But it seems that EU customers now have a limited form of trials. With a normal refund, the customer will get the money back, but Apple will keep its 30%, so the developer ends up in the red. It’s not clear to me whether this is also true of purchases canceled in this manner.

Update (2015-01-12): Rosyna Keller:

So it appears Apple does detect abusers of their new 14-day return policy for digital items and revokes the ability.

Update (2015-01-17): Dave Mark has more on how Apple doesn’t want people to use the refunds for trials.

Overcast Rejected for Listing Competing Podcast Apps

Marco Arment:

Well, Overcast linking to competing apps is over. I knew it would get rejected eventually.

I always knew the feature was living on the edge of this rule’s interpretation.

This is what the list in question looked like. I think it was genuinely useful.

Overcast was rejected for violating Rule 2.25:

Apps that display Apps other than your own for purchase or promotion in a manner similar to or confusing with the App Store will be rejected

There is also Rule 2.26:

Apps may display and recommend apps other than your own only if the collection is designed for a specific approved need (e.g. health management, aviation, accessibility, etc.) or provides significant added value for a specific group of customers, or they will be rejected

He’s not going to appeal the rejection, though:

I might “win” on appeal, but it would always be a risk for future updates, and it’s simply not worth delaying bugfixes any further.

Update (2015-01-18): Kirk McElhearn:

This is pretty surprising. I don’t see why Apple would not allow a developer to link to other apps; I’m pretty sure I’ve seen apps that try and get you to buy other apps by the same developer. The only difference here is that Arment was helping you find the best podcast app for you by sharing links to apps that aren’t his.

GoodReader and iCloud Drive

Fraser Speirs:

I can’t even compose a coherent tweet about iCloud Drive any more.

Richard Padilla:

PDF reader app GoodReader has removed a number of operations related to iCloud Drive to comply with Apple’s guidelines. Specifically, developer Good.iWare has disabled GoodReader’s ability to create and delete new folders inside iCloud along with the ability to move iCloud files. The developer called the iCloud usage policy “mandatory” and also included VoiceOver compatibility along with a big fix for opening iCloud containers.


Apple has quickly reconsidered its decision and allowed GoodReader to restore iCloud Drive functionality with version 4.8.1.

As with the Transmit case, I don’t think there was ever a written guidelines that was being violated.


Norihiro Sakamoto’s SwiftFilePath provides Path objects with methods for functionality from NSFileManager (via Swift Toolbox). I’ve long used a similar pattern, creating Objective-C categories on NSString and then NSURL. The idea potentially works even better in Swift, although Sakamoto’s code regrettably converts all the NSError objects to strings.

Does Using Swift Save Development Time?

Paul Haddad:

For developers that jumped head long into Swift how much time have you saved coding vs. lost fighting with tools, learning, bugs?

This got some interesting responses on Twitter.

Lenient Date Parsing

Mike Abdullah:

As far as I can see, [NSDateFormatter.lenient] doesn’t support anything like the range of the older APIs. Indeed as best I can tell the leniency only comes into play as far as separator characters are concerned. So for example, if dates are expected to be in the format YYYY/MM/DD, then strings of the form YYYY-MM-DD will also be accepted. But that’s about it.

NSDataDetector is a possible solution.

Finite States of America

Soroush Khanlou:

The benefits of using state machines are myriad. First, explicitly storing the states and transitions that are valid in your system leaves fewer nooks and crannies for bugs to hide out in. It is said that bugs are just states that you haven’t defined yet. If your object is defined by four booleans, it can be in 16 different states, all of which require testing. Imagine how many states it can have with integers, or strings! A state machine limits the number of possible configurations your object can be in, and defines them formally.

Having all of the transitions in one place will help you see the user’s flow through the system. What happens if this step takes longer than expected? Clearly-defined transitions make it painfully obvious what happens if an event happens out of order. Since every transition flows through one point, it is trivial to log all of the transitions. You can use that information to determine how your object went off the rails.

Update (2015-01-13): Soroush Khanlou:

As awesome as state machines are, they can often be very high-ceremony to set up. A typical Objective-C library requires a lot of code to set up. I wanted to explore combining a few techniques from the this blog to try and make a low-ceremony state machine, one that doesn’t require setting up all of your states, transitions, and events ahead of time.

Lowering the Project Threshold

Tyler Hall:

One part of GTD and OmniFocus that I’ve always struggled with is the idea that any action that requires more than one step is actually a project. It sounds simple, and I agree with that definition in theory, but I’ve never followed through in practice. My OmniFocus project list has always been relatively sparse – really just containing my three areas of focus each with 5-10 medium-to-big-sized projects plus a catch-all single action list for miscellaneous tasks.

The problem with this approach is that it’s stopped me from adding piddly, little multi-step tasks to OmniFocus because I don’t believe they count as a captial-letter PROJECT, and they don’t fit into my single-action lists. Instead, they stay in my brain, forgotten or causing anxiety.