Archive for September 25, 2018

Tuesday, September 25, 2018 [Tweets] [Favorites]

The Mojave Marzipan Apps

Benjamin Mayo (tweet):

Marzipan apps are ugly ducklings. As soon as you use them, you can just know these are not at one with the system. You detect that there’s a translation layer of some kind at work here, just like when you use Slack on the Mac you instinctively feel that it’s a web app in a thin wrapper. The underlying implementation is exposed to the user with a bevy of performance sluggishness, UI quirks and non-standard behaviours. That’s bad.

[…]

I debated calling this post ‘Home, News, Stocks and Voice Memos for Mac’ because it’s not really a comment on the Marzipan project initiative. After all, I don’t expect the solution Apple ships next year to have the same laundry list of drawbacks that these Mojave apps do. It’s a critique of the apps that are shipping now to customers of macOS. These apps are preinstalled with the OS. News was even unceremoniously placed into the middle of my Dock upon upgrading. And they are not good, simple as that. I would have been mildly happier if Apple had offered these apps as optional App Store downloads affixed with a beta label.

Steve Troughton-Smith:

Everybody’s looking at Marzipan and going ‘wow, these apps will never fit in on macOS’ and I’m here going ‘wow, this is what Mac apps are going to all be like in a few years…’

[…]

Logically, I expect:

1) Marzipan to get better on the desktop — visually, and functionally

2) iOS-based apps to dominate and subsume macOS-based apps

3) Many of iOS’ paradigms to ‘win’ in this transition, enabling new classes of touchscreen computers that otherwise wouldn’t exist

Kuba Suder:

It makes zero sense to bring Mac to the lowest common denominator to support iOS apps, it’s what Microsoft did and what Apple always criticized. I believe they’ll improve the APIs and VM layer to make such apps feel much more Mac-like, let them easily launch multiple windows etc.

[…]

But it will take a long time until Marzipan can compete with AppKit for building Mac apps that feel truly at home on macOS, and probably both AppKit and UIKit will be replaced by something new by then.

Charlie Melbye:

- marzipan is going to quickly improve and eventually power most new Mac apps

- marzipan v1 apps in Mojave are some of the poorest quality first party Mac apps in recent memory

Both of these things are true.

Steve Troughton-Smith:

The existing Mac apps are not good apps! Messages is a web view! iBooks is a travesty! Apple’s history of bringing features to both platforms strongly favors iOS

Eli Schiff:

Consider @stroughtonsmith’s rhetoric—he’s in an uncanny valley wherein one is not sure if he’s running interference for Apple to assuage fears, or if he’s the only one providing sober analysis. The truth is a drop of idealism turns latter into the former.

Bob Burrough:

His analysis is sober. The moment I realized it was when he said iPhone needed mouse support. His vision for the platform is authentic. He’s not running interference for Apple any more than you’re arbitrarily bashing them. You’re both being genuine.

John Gruber:

These Marzipan apps are not good apps.

Jason Snell:

MacOS is on the way to being a superset of iOS with legacy app compatibility and slightly relaxed security? But I do think the marzipan apps will get better than they are now. One would hope.

Bob Burrough:

I’m a bit astonished by the unanimity of opinion that Mojave’s Marzipan apps are not good. There’s usually always a holdout.

The new Mac App Store app, which does not use Marzipan, also has issues:

I’m not a huge fan of this hiding title bar in the new App Store. It’s clever, but confusing to new users (I didn’t even know it was there.) It makes the app look a little cleaner but non uniform. And it seems like a haphazard experiment around iOS navigation controllers on Mac.

Just to add to the confusion, it’s not even present/showable when you actually pop another view onto the stack, meaning it doesn’t even really reliably bridge the navigation controller concept from iOS.

And there remains a lot of interest in third-party developers using Marzipan today.

Previously: Apple Announces Marzipan for 2019, macOS Mojave: Back to the Mac, Tim Cook Says Users Don’t Want iOS to Merge With macOS.

Update (2018-09-27): Nick Heer:

I didn’t want to complain about the state of these apps prior to release because I didn’t think that was fair — plenty of bugs were fixed as the release date drew nearer. Unfortunately, they didn’t become any more Mac-like. That would be fine if these were one-offs, but Apple is planning on releasing this framework to developers just next year, and the initial results are not promising. They remind me of the janky apps you’ll find at the top of the free chart in the Games section of the Mac App Store. I worry that this will be increasingly common now that directly porting an app from iOS is something that is seemingly officially sanctioned, and I’m not the only one. These apps are not ready.

Or, here’s an even worse situation: maybe Apple does consider these apps ready. Surely they figured they were good enough to bundle preinstalled in the latest public update to MacOS. Are these the model apps for third-party developers to aspire to when they get to start porting their apps next year? I certainly hope not.

Colin Cornaby:

The Mac Home app is a direct refutation to the idea that iOS developers won’t just use Marzipan to ship thoughtless iOS shovelware on the Mac. From Apple themselves.

Update (2018-09-28): Jason Snell:

Some of Apple’s built-in Mac apps lag behind their iOS equivalents. The best example might be Messages, which lacks all sorts of iOS features, including stickers and message effects. It’s hard not to imagine a world where most of Apple’s cross-platform apps are developed using this system, allowing them to be feature-compatible across iOS and Mac. Which is worse, knowing that the app you’re using originated on iOS, or getting up to find your iPhone because the Mac version of the app you’re using doesn’t support a feature that Apple rolled out on iOS last year?

[…]

Imagine a world where Apple has to add features to iOS apps so that they’re palatable to Mac users. That solves a lot of problems for iOS users too, doesn’t it?

See also: Connected, Hacker News, MacRumors.

Update (2018-10-10): See also: Accidental Tech Podcast.

Update (2018-10-19): John Gruber:

In Apple News on iOS you can open any article in Safari via the share sheet. Am I getting this right that there’s no way to do that in Apple News on Mojave? I don’t even see a way to copy the original URL.

Did anyone at Apple even try using these Marzipan apps?

Sam Byford:

when you pause a recording in voice memos (say, an interview for transcription) and then press play again, it starts from the beginning. and you can’t even open the file in quicktime or anything else! they’re just staggeringly bad pieces of software

Nick Lockwood:

It’s difficult for me to advocate for a technology that produces bad apps without feeling like a hypocrite wrt native app experience.

Not for the first time, Apple has put me in a position of not being willing to stake my own reputation on them not fucking something up.

I want UIKit on Mac and I think it could be done well, but the belief that it will be done well is predicated on the assumption that Apple wouldn’t deliberately lower the quality ceiling for Mac apps, and yet Apple has just shipped a bunch of apps that disprove that assumption.

Will Cosgrove:

Have you noticed the text selection color if you put News in the background. What is even happening.

Peter Steinberger :

I will show the hacks currently needed to try Marzipan, and walk through what I needed to do to get PDF Viewer to run on macOS Mojave.

Update (2018-12-10): Wojtek Pietrusiewicz:

Personally I’m horrified at what these apps look like and how they function. They appear to be foreign entities among all the software designed for MacOS. Despite understanding Apple’s reasoning behind shipping them now and not when their backbone is ready, I cannot quite fathom who said: ‘Yes, this is good enough.’ Not at Apple in any case.

Bypassing Mojave Security Protections

Juli Clover:

Researcher Patrick Wardle, who has uncovered many security flaws in Apple’s macOS operating system, today shared some details on a new vulnerability that he’s found in the newly released macOS Mojave update.

As outlined by BleepingComputer, Wardle discovered that he was able to access Contacts data from the address book using an unprivileged app, as demonstrated in the video below.

And a separate vulnerability from Sentinel One:

Here, we have remotely logged in to Sally’s user account via ssh and retrieved the last website she visited, a banking logon page, by reading the LastSession.plist stored in the (supposedly) protected Safari folder.

Importantly, the ability to ssh into the local account and traverse the protected folders does not require pre-approval of Terminal in Full Disk Access, and can even be performed locally by Sally herself with ssh[…] In short, any local or remote user can bypass the Full Disk Access requirement simply by logging in via ssh.

This is pretty demoralizing. I’ve spent months trying to make smooth user experiences in spite of the hurdles Apple has added for developers (in some cases without even telling them). Some things are broken and not in my control to fix. Even once things settle down, my customers will still have to jump through extra hoops to use my apps. And yet the bad guys can still get at the protected data, anyway.

Presumably these will be fixed, and maybe Apple will eventually improve the user interface, but it just seems like this shipped far before it was ready. As did the rest of Mojave, as there wasn’t even time to distribute a GM build.

Previously: Mojave’s New Security and Privacy Protections Face Usability Challenges.

Update (2018-09-25): Jeff Johnson:

I’ve got 1 too, different from the other 2

Update (2018-09-26): Dave Nanian:

The nice thing about the Vista-ing of Mojave is that it’s a huge pain for everyone but the people who you have to worry about.

Update (2018-09-27): Jeff Johnson:

I used a different attack vector than SentinelOne (ssh) and Wardle. I don’t know what Patrick’s attack vector is, but I did ask him if he used mine, and he said no. So there are at least 3 different privacy protection bypasses in Mojave. I suspect that there are even more.

Update (2018-11-06): Jeff Johnson:

As of today, the support document does not mention the privacy protection bypass that I discovered and alluded to in my blog post. Nonetheless, macOS 10.14.1 does appear to fix the main issue, although there remain other avenues for bypassing Mojave’s privacy protections under certain conditions.

[…]

The privacy protection bypass that I discovered is quite simple. It’s obvious that Apple exempted some of its own code from Mojave’s privacy protections; for example, you’re able to navigate protected folders in Finder without triggering permission dialogs.[…] The body in this case was Automator. Or more accurately, /usr/bin/automator.

[…]

Another possible way to bypass Mojave privacy protections is to “piggyback” on another app. Even if a malicious app is unable to obtain special permission itself, the app can use another app that has already been granted permission, such as Terminal app.

Photos Needs Better Storage Management

Bradley Chambers:

On iOS and macOS alike, I’d like to be able to control how much of a cache that the Photos app can keep offline. I know that both iOS and macOS does an excellent job of keeping free space, but I’d love additional control over how much space it uses. An idea here would to set a maximum GB usage that iCloud could use. On iOS, I’d like to be able to say: use no more than 10 GB (I have a 64GB phone) for iCloud Photo Library.

Greg Hurrell:

Wish I could automatically sync lower-quality versions of photos from my Apple Photos library to my iPhone. It seems to sync the full(-ish?) resolution versions, which at 10MB apiece adds up to 100GB. Only way I can see to make this happen is to export lower-res and sync that.

Previously: Protecting Your Network From Photos Uploads.

Apple’s Use of Swift in iOS 12

Alexandre Colucci:

Apple added some new features in iOS 12 and with no surprise the corresponding applications contain some Swift code. This is the case of the ContinuityCamera and Measure apps. Previous existing apps have been updated and some of them contain more Swift code: AppStore, Books, Music, News, SharingViewService and Stocks.

As we can see, Apple is slowly using Swift in more apps with each new iOS release, but the number of these apps is still really limited. Here is a chart showing the evolution of the number of binaries using Swift in iOS (without counting the Swift libraries)[…]

More than double the number of binaries as last year.

Update (2018-09-28): See also: Hacker News.

Swift 5 Preview

Paul Hudson:

Swift 5.0 is the next major release of Swift, and is slated to bring ABI stability at long last. That’s not all, though: several key new features are already implemented, including raw strings, future enum cases, checking for integer multiples and more.

Update (2018-09-26): See also: Swift 5.0 Release Process.

Compiler User Interfaces

Greg Titus (via Doug Gregor):

The force unwrap fixit still exists, but it is now never the only or preferred fixit offered, and hopefully the explanations of the errors are a lot more beginner-friendly now.

Shriram Krishnamurthi:

Error messages come from languages, but errors are made in programs. By definition, there’s a big semantic gulf between the language and program. Fixes have to be at the level of the program. How can the language make “obvious” the program’s problem?

This also assumes that there is “the” problem. Many times an error is the result if an inconsistency (trivial example: f takes two args and is given three; not clear whether caller or callee is to blame).

[…]

Errors live in a very complex ecosystem. As a programmer, course I’d love what the slide asks for. [“An error should make it obvious how to fix the problem.”] As a researcher and language designer and curriculum author, I’d be terrified of anything that makes such claims. Even as someone who’s spend 8 hard years now on better msgs.