Archive for August 23, 2017

Wednesday, August 23, 2017

Testing Auto-Renewable Subscriptions on iOS

David Barnard (tweet):

Subscriptions work differently in TestFlight, the sandbox, and live on the App Store, so testing them requires knowledge of those differences. This is my attempt to help sort out the mess and document it for others to reference.


It would be nice if the purchase flow while testing mirrored that of a live app on the App Store, but that’s just not the case for whatever reason.


For an app that has yet to be released on the App Store, getting an early version of the app approved is a great way to test subscriptions[…]

He suggests setting it to manual release and then sending out promo codes so that people can test the real app before it’s available to everyone.

Implementing and testing subscriptions sounds like it’s much more complicated than you would expect. The developer of Ulysses says that it took their highly regarded team 1.5 man-years and 22K lines of code to implement subscriptions.

Update (2018-04-20): See also: Supertop.

AccuWeather Caught Sending User Location Data, Even When Location Sharing Is Off

Zack Whittaker:

Security researcher Will Strafach intercepted the traffic from an iPhone running the latest version of AccuWeather and its servers and found that even when the app didn’t have permission to access the device’s precise location, the app would send the Wi-Fi router name and its unique MAC address to the servers of data monetization firm Reveal Mobile every few hours. That data can be correlated with public data to reveal an approximate location of a user’s device.


“Everything is anonymized,” said Brian Handley, the company’s chief executive. “We’re not ever tracking an individual device,” but described a situation where his company can point advertising to customers inside a Starbucks location, for example.


“Reveal is updating its SDK and pushing out new versions of the [software kit] in the next 24 hours, with the iOS update going live [Tuesday],” said an AccuWeather spokesperson. “The end result should be that zero data is transmitted back to Reveal Mobile when someone opts out of location sharing.”

Via John Gruber:

To me this is a one strike and you’re out situation.

Update (2017-08-23): Ron Gilbert:

iOS needs a setting to deny all internet access on an app-by-app basis, like they do access to the camera, contacts, etc.

This is probably the iOS feature that I want most, although without more fine-grained control it seems incompatible with certain app types like weather.

Jacob Terry:

iOS should ask permission for network access similar to how it asks permission to access contacts and photos. Unlike those permissions, however, this one should be optional to the app author.


To distinguish apps that opt-in, Apple should brand the feature (“Secure Networking”, for example) and have an accompanying logo. Apps that opt-in should get a badge in the App Store, and Apple should promote the feature, especially to enterprises.

One more thing: authorization should happen per domain.

Update (2017-08-24): John Gruber:

AccuWeather issued a statement regarding the controversy over their app sending location-identifying information to a monetization firm. It’s a veritable mountain of horseshit[…]


The accusation is not that AccuWeather itself was using the location of the Wi-Fi router, but that Reveal Mobile was.


In other words, Reveal Mobile makes money by revealing your location to retailers (anonymously, so they claim), and AccuWeather made money from Reveal by embedding their SDK in their app.

Update (2017-08-28): Dark Sky:

While the outrage may be warranted, the surprise shouldn’t be. This isn’t just a case of a single company monetizing their customer’s location data in a shady manner; it’s a much larger — and more widespread — phenomenon. How do I know? Because there are entire companies devoted to buying this very data from the countless apps that currently make use of location data, and they contact us all the freakin’ time.


Because of this, we also believe that Apple and Google should do more to prevent this sort of behavior. They should set — and aggressively enforce — clear App Store rules forbidding the sharing of location data for any purposes not directly relevant to the app’s core functionality. If an app is caught breaking this rule, it should be removed from the store. This won’t stop all abuse, but it would, at the very least, put many of these data monetization companies out of the business of tracking where you go.

Nick Heer:

Here’s the thing, though: Grossman’s suggested response has been in place for years. […] All Apple had to do in this case was enforce their own rules. I understand that something will occasionally slip through the cracks and it will sometimes be with a high-profile app, but this is really the sort of thing that should have been caught.

AccuWeather has removed Reveal Mobile but is now sending GPS coordinates to another company.

Product Graveyard

Product Graveyard commemorates “the most memorable products that have gone away” (via John Gordon).

Swift Local Refactoring

Xi Ge (via Argyrios Kyrtzidis):

Xcode 9 includes a brand new refactoring engine. It can transform code locally within a single Swift source file, or globally, such as renaming a method or property that occurs in multiple files and even different languages. The logic behind local refactorings is implemented entirely in the compiler and SourceKit, and is now open source in the swift repository. Therefore, any Swift enthusiast can contribute refactoring actions to the language. This post discusses how a simple refactoring can be implemented and surfaced in Xcode.