Archive for January 17, 2018

Wednesday, January 17, 2018

App Store Trials: No More Free IAPs?

Markus Müller-Simhofer:

Apple no longer allows free IAPs? Oh wow. I’m glad we got ours approved before this change. This basically means the option to offer free trials via non-consuming IAPs is dead. It’s also no longer possible to offer upgrades via free IAPs. We use this for recent customers.

Drew McCormack:

Huh? I thought Apple were promoting this as a solution for free trials.

Markus Müller-Simhofer:

The biggest issues with trials via IAPs are:
1. Users have to click a system Buy button to get a free IAP
2. Users thought they started a subscription
3. No way to reset the trial after e.g. a year.
4. MAS IAPs have many issues, better to not encounter them right after installation

Max Seelemann:

This. And no way to help through support. No way to re-trial after major updates. No way to make promotions with extended trials.

Markus Müller-Simhofer:

In one WWDC session the presenter mentions that the new iOS DeviceCheck framework can be used to secure a free trial. Now that this framework is available, I can imagine that Apple would prefer it.

Apple is currently promoting apps with free trials, but these seem to be based on subscriptions (which aren’t allowed for all apps) rather than in-app purchases. It does seem like the DeviceCheck framework would make it possible to implement trials, with the tracking handled by your server instead of Apple’s. If this is in fact recommended, it’s a mystery to me why Apple wants trials to be handled out-of-band so that they are inconsistent from app to app.

There doesn’t seem to be a corresponding workaround for offering upgrades, either.

And, as always, it’s disappointing that news about major policy changes arrives through Twitter rather than official channels.

Previously: App Store Introductory Pricing, Omni’s IAP Trials and Upgrade Discounts.

Update (2018-01-24): Note that DeviceCheck is not available for Mac.

Update (2018-01-28): Markus Müller-Simhofer:

New Year resolution, write more radars:
Family Sharing should support non-consumable IAPs (App Store, Mac App Store)
Promoting Family Sharing for Freemium apps is confusing

And this is the reply to my request to remove the Family Sharing badge from our store page. So what should I tell customers who see the Supports Family Sharing badge on our store page and then are unable to share the IAP with their family members?

Update (2018-02-19): Ken Case:

I saw those reports last month, but we’ve had no trouble at all in the last year. (We did have to have a lot of conversations before we first introduced this approach in our apps in 2016.)


Also, back in September, one of our updates was rejected under 3.1.1 for using IAP to activate a 14-day free trial. The reviewer said we should be using non-renewable subscription instead. We appealed and got it approved.

Update (2018-03-02): Junjie:

Big fan of upgrade pricing using IAP. By checking the App Store receipt date, @mindnode can even offer customers who recently bought their app free upgrade.


Glad you like our new business model. (As you are also a developer: It sadly has a few disadvantages like missing Family Sharing and VPP support)

See also: Core Intuition.

Reading Twitter With Feedbin

Ben Ubois:

Feedbin treats tweets differently. The idea of the feature is to fully unpack the tweet. If a tweet links to an article, Feedbin will attempt to load the full article and display it alongside the tweet. Feedbin will also include full-size images, videos and gifs with native YouTube, Vimeo and Instagram embeds.

You can start adding Twitter content to Feedbin the same way you would subscribe to a feed. Feedbin will recognize any Twitter URL that contains tweets. It also supports shortcuts for subscribing directly to twitter @usernames as well as #hashtags.

Reading Disks From 1988 in 2018

Jason Snell:

With that all set, it was time to run ADTPro on my Mac. It’s a Java app and therefore not the prettiest thing, but it did the job—I was able to connect to the Apple IIc and boot into ADTPro, at which point I could simply start inserting disks one by one and watch as they were transferred (at a surprisingly fast rate—less than a minute) across the serial cable to my Mac, where they were saved as 143K Apple II disk image files. Talk about anticlimactic. Imaging took less than an hour. There were no bad disks, nearly 30 years later.

After the imaging was done, it was time to read them on my Mac using Gerard Putter’s Virtual II emulator. The disks with DOS or ProDOS on them booted just fine. There’s even a Quick Look extension for Virtual II that would display the contents of a disk in the Finder when I pressed the space bar. How civilized.

Then came a new problem: How do you get text files out of a virtual computer? The answer seems to be the same as with a real one: you “print” the files, and Virtual II’s virtual printer can generate a PDF or put text on the clipboard. But to print a text file, you need to load it into a program.

WDMyCloud Multiple Vulnerabilities

James Bercegay (via Hacker News):

WD My Cloud is a personal cloud storage unit to organize your photos and videos. It is currently the best selling NAS (network attached storage) device listed on the website, and is used by individuals and businesses alike. Its purpose is to host your files, and it also has the ability to sync them with various cloud and web based services.


The WDMyCloud device is vulnerable to an unrestricted file upload vulnerability within the following file[…]


As you can see in the above code, the login functionality specifically looks for an admin user named “mydlinkBRionyg” and will accept the password of “abc12345cba” if found. This is a classic backdoor.


By sending a request like the one above a remote attacker could now execute any commands as root.


The triviality of exploiting this issue makes it very dangerous, and even wormable. Not only that, but users locked to a LAN are not safe either. An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag makes a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as “wdmycloud” and “wdmycloudmirror” etc.
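For defenders, the two indicators the excerpt names (the hard-coded account name and browser-driven requests to the default hostnames) can be searched for in LAN proxy logs. The sketch below is an added example, not code from the advisory or from this blog; the log format, the sample records, and the request paths and parameter names are constructed placeholders.

```python
from urllib.parse import urlsplit

# Values quoted in the advisory excerpt above.
BACKDOOR_USER = "mydlinkBRionyg"
DEFAULT_HOSTS = {"wdmycloud", "wdmycloudmirror"}  # the advisory says "etc."; extend as needed

# Constructed sample records (not real traffic). Assumed format, one request per
# line: client, method, URL requested, Referer ("-" if none). Paths and
# parameter names are placeholders.
SAMPLE_LOG = """\
192.168.1.20 GET http://wdmycloud/ -
192.168.1.20 GET http://wdmycloud/placeholder.cgi?a=1 http://wdmycloud/
192.168.1.31 GET http://wdmycloud/placeholder.cgi?a=1 http://news.example/article.html
192.168.1.31 POST http://wdmycloudmirror.local/placeholder.cgi?user=mydlinkBRionyg -
192.168.1.40 GET http://intranet.example/index.html http://search.example/
"""

def short_host(url):
    """Lower-cased first label of the URL's host, '' if there is none."""
    host = urlsplit(url).hostname or ""
    return host.lower().split(".")[0]

def flag_requests(log_text):
    """Return [(line_number, [reasons])] for suspicious requests."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records rather than guessing
        _client, _method, url, referer = parts
        reasons = []
        # Any appearance of the hard-coded account name is worth an alert.
        if BACKDOOR_USER.lower() in url.lower():
            reasons.append("backdoor-username")
        # A request to the NAS whose Referer is some other site matches the
        # iframe/img drive-by the advisory describes.
        if short_host(url) in DEFAULT_HOSTS and referer != "-":
            if short_host(referer) not in DEFAULT_HOSTS:
                reasons.append("cross-site-request")
        if reasons:
            findings.append((number, reasons))
    return findings

if __name__ == "__main__":
    for number, reasons in flag_requests(SAMPLE_LOG):
        print(number, ", ".join(reasons))
```

A missing Referer does not clear a request, since browsers can be told to omit it, and credentials sent in a POST body will not appear in URL-only logs.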

Violating a Website’s Terms of Service Is Not a Crime

Jamie Williams:

Good news out of the Ninth Circuit: the federal court of appeals heeded EFF’s advice and rejected an attempt by Oracle to hold a company criminally liable for accessing Oracle’s website in a manner it didn’t like. The court ruled back in 2012 that merely violating a website’s terms of use is not a crime under the federal computer crime statute, the Computer Fraud and Abuse Act. But some companies, like Oracle, turned to state computer crime statutes—in this case, California and Nevada—to enforce their computer use preferences.


Oracle v. Rimini involves Oracle’s terms of use prohibition on the use of automated methods to download support materials from the company’s website. Rimini, which provides Oracle clients with software support that competes with Oracle’s own services, violated that provision by using automated scripts instead of downloading each file individually. Oracle sent Rimini a cease and desist letter demanding that it stop using automated scripts, but Oracle didn’t rescind Rimini’s authorization to access the files outright. Rimini still had authorization from Oracle to access the files, but Oracle wanted them to access them manually—which would have seriously slowed down Rimini’s ability to service customers.