Archive for December 19, 2018

Wednesday, December 19, 2018

Google Intentionally Favoring Chrome, Hurting Edge?

JoshuaJB (via comex, Catalin Cimpanu):

I very recently worked on the Edge team, and one of the reasons we decided to end EdgeHTML was because Google kept making changes to its sites that broke other browsers, and we couldn’t keep up. For example, they recently added a hidden empty div over YouTube videos that causes our hardware acceleration fast-path to bail (should now be fixed in Win10 Oct update). Prior to that, our fairly state-of-the-art video acceleration put us well ahead of Chrome on video playback time on battery, but almost the instant they broke things on YouTube, they started advertising Chrome’s dominance over Edge on video-watching battery life. What makes it so sad, is that their claimed dominance was not due to ingenious optimization work by Chrome, but due to a failure of YouTube. On the whole, they only made the web slower.

Now while I’m not sure I’m convinced that YouTube was changed intentionally to slow Edge, many of my co-workers are quite convinced - and they’re the ones who looked into it personally. To add to this all, when we asked, YouTube turned down our request to remove the hidden empty div and did not elaborate further.

And this is only one case.

Steve Troughton-Smith:

Make no mistake, Google crippling GSuite on iPad is absolutely intentional. They can singlehandedly propel the narrative that MobileSafari isn’t a good browser, especially in businesses and education. If Apple were to improve Safari, Google would just break something new

Nick Heer:

Chromium is, by all accounts, an excellent rendering engine. It is not inherently bad for Microsoft to switch its rendering engine, and it is not even necessarily bad that there is less diversity amongst rendering engines. The concern is that Google’s rendering engine is not separate from Google as a company, and its manipulative and self-preferential tactics for directing the web in a direction it favours.

Malte Ubl:

I see some folks sharing anecdotes about Edge browser development. And boy, do I have anecdotes. The EdgeHTML side of the story is totally made up, because I have no insider knowledge whatsoever–but who would let that go in the way of a good anecdote?

[…]

I happened to work on an apparently sufficiently popular website Google+ (RIP) to make their “Must under all circumstances work” compatibility list.

First this felt pretty cool. We tested the site in Edge and it seemed to just work. Nice.

But then shit started to fall apart. Literally every day our dev team broke Edge.

It turned out the browser implemented the sparsest possible subset of the web platform to make Google and other popular websites work. And literally nothing else.

So, whenever you added code that used an API which was reasonable to assume present in a browser that managed to start up the app, that just didn’t work.

It seemed like at times they implemented web APIs in a way that only accepted exactly the arguments that we happened to pass.

Previously: Microsoft EdgeHTML Replaced by Chromium, On Switching From an iPad Pro and a MacBook to a Pixelbook.

Remote Code Execution Vulnerability in SQLite

Tencent (Hacker News):

Magellan is a remote code execution vulnerability discovered by Tencent Blade Team that exists in SQLite. As a well-known database, SQLite is widely used in all modern mainstream operating systems and software, so this vulnerability has a wide range of influence. After testing Chromium was also affected by this vulnerability, Google has confirmed and fixed this vulnerability.

D. Richard Hipp:

Reports of an RCE vulnerability in SQLite are greatly exaggerated. Some clever gray-hats found a way to get RCE using maliciously crafted SQL. So, IF you allow random internet users to run arbitrary SQL on your system, you should upgrade. Otherwise, you are not at risk.

Patrick Walton:

Hipp (SQLite author) argued with me once, and I eventually conceded, that memory safety isn’t important if you have 100% branch coverage (and moreover that memory safety is undesirable since it slows dev velocity).

Matt Denton:

The vulnerabilities are in the FTS3 extension of SQLite, which does not have 100% branch coverage. Your argument is based on a false premise. (Not that I disagree with you)

nneonneo:

It is very likely that this bug only affects systems which accept and run arbitrary SQLite3 queries. This includes Chromium, because Chromium ships with WebSQL. The Google Home is probably vulnerable because it can be coerced to load a webpage. I doubt that this bug affects systems that merely use SQLite as a database without providing external query access.

My best guess for the bug is that arbitrary SQLite queries, prior to 3.26.0, were permitted to write to the shadow tables used by various plugins to implement features. fts3/4, prior to 3.25.3, appear to contain an integer overflow bug which can be triggered by manually modifying the fts index data. A careful application of this integer overflow appears to make it possible to truncate a writable buffer, leading to a nice heap overflow condition that can be exploited by further crafted SQL queries.

D. Richard Hipp:

The vulnerability only exists in applications that allow a potential attacker to run arbitrary SQL. If an application allows that, it is usually called an "SQL Injection" vulnerability and is the fault of the application, not the database engine. The one notable exception to this rule is WebSQL in Chrome.

[…]

Our intent is that SQLite should be secure against these kinds of attacks. We have spent years fuzzing it to try to find these problems. But the thing is, we never configured a fuzzer in such a way that it might start modifying the shadow tables of FTS3, and so we missed this one.

D. Richard Hipp:

The coverage testing used by SQLite is very good at finding problems that occur when the system is used as it was intended. Fuzz testing is better for finding vulnerabilities that can be exploited by a hacker. The 100% MC/DC testing in SQLite is very useful in ensuring that the code does what is intended for sane inputs. And 100% MC/DC helps prevent us from breaking things as we evolve and enhance the code. But the MC/DC testing is less useful at fending off attackers.

[…]

Hence my takeaways from this episode include that I need to extend 100% MC/DC testing to all commonly used extensions in SQLite, including FTS3, FTS5, and RTREE, and I need to improve fuzz testing throughout SQLite but especially in extensions.

D. Richard Hipp:

The actual standard is called “modified condition/decision coverage” or MC/DC. In languages like C, MC/DC and branch coverage, though not exactly the same, are very close.

Achieving 100% MC/DC does not prove that you always get the right answer. All it means is that your tests are so extensive that you managed to get every machine-code branch to go in both directions at least once. It is a high standard and is difficult to achieve. It does not mean that the software is perfect.

[…]

My experience is that the weird tests you end up having to write just to cause some obscure branch to go one way or another end up finding problems in totally unrelated parts of the system. One of the chief benefits of 100% MC/DC is not so much that every branch is tested, but rather that you have to write so many tests, and such strange, weird, convoluted, and stressful tests, that you randomly stumble across (and fix) lots of problems you would have never thought about otherwise.
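An added illustration, not SQLite's code and not from any of the people quoted above: the bug class nneonneo guesses at (an integer overflow in a size computation that yields a too-small buffer) alongside Hipp's point that branch-covering tests on sane inputs do not expose it. The function names, the 1 MiB cap, and the input values are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_NODE_BYTES (1u << 20)  /* assumed cap for this example: 1 MiB */

/* Unchecked size computation: the 32-bit multiply wraps silently.
 * It has a single branch, so two ordinary tests give full branch coverage. */
static uint32_t node_bytes_unchecked(uint32_t n_entries, uint32_t entry_size) {
    if (n_entries == 0) return 0;
    return n_entries * entry_size;   /* computed modulo 2^32 */
}

/* Checked version: refuse any product above the cap, which also rules out
 * every product that would wrap. Returns -1 on rejection. */
static int64_t node_bytes_checked(uint32_t n_entries, uint32_t entry_size) {
    if (n_entries == 0) return 0;
    if (entry_size > MAX_NODE_BYTES / n_entries) return -1;
    return (int64_t)n_entries * entry_size;
}

/* "Sane input" tests: the only branch goes both ways and every result
 * is correct, yet the wraparound is never reached. Returns 1 if all pass. */
static int sane_tests_pass(void) {
    return node_bytes_unchecked(0, 16) == 0 &&
           node_bytes_unchecked(4, 16) == 64 &&
           node_bytes_unchecked(1000, 512) == 512000;
}

int main(void) {
    /* Constructed hostile values, as if read from a tampered stored record. */
    uint32_t n = 0x10000u, sz = 0x10001u;
    printf("sane tests pass: %d\n", sane_tests_pass());
    printf("true need: %llu bytes\n", (unsigned long long)n * sz);
    printf("unchecked: %u bytes\n", (unsigned)node_bytes_unchecked(n, sz));
    printf("checked:   %lld\n", (long long)node_bytes_checked(n, sz));
    return 0;
}
```

The unchecked function reports 65536 bytes for a record that actually needs about 4 GiB, which is the kind of value a fuzzer that mutates stored data reaches and a coverage-driven test on well-formed data does not.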

Conversations With AI, Featuring Brian Roemmele

Vector:

Voice-first advocate Brian Roemmele returns for a chat with Rene Ritchie about the current status of Siri at Apple, and its place among other voice assistants. In January of this year, he told Rene the company’s reluctance to let the Siri feature become the SiriOS platform is holding them back. As of December 2018, let’s see where things stand now.

This was a wide-ranging and very interesting conversation. I don’t really understand the context for Roemmele’s comments about Apple having an advantage in on-device voice assistants. Siri seems to be completely useless without a network connection. It can’t even add a reminder or play local music. And lately it’s been extremely unreliable for me even when connected, failing well over half the time due to a connection error when the phone reports full bars and other apps work perfectly. It’s even failing over Wi-Fi sometimes.

His breakdown of missed Apple Pay opportunities, perhaps because of corporate politics, is depressing. Apple Pay for the Web is not deployed as widely as I’d hoped, and in my experience it almost never works. I’ve seen all sorts of weird failures and errors over the years. The current one, which I ran into just hours after listening to this podcast, is that the sheet slides down in Safari and then slides right back up before I can click on anything.

Nilay Patel:

Top spot in the App Store right now is interesting

John Voorhees:

Today, Apple began promoting Apple Music’s availability on Echo devices through three different channels.

Bob Burrough:

2011: Apple introduces the world’s first voice assistant.
2018: Apple is push-advertising Amazon’s voice assistant.

Previously: More Push Notification Spam From Apple, Amazon Offering Apple Products, Apple Hires John Giannandrea.

Update (2018-12-20): Juli Clover:

Apple today announced John Giannandrea, who handles machine learning and AI for the company, has been promoted to Apple’s executive team and is now listed on the Apple Leadership page as a senior vice president.

More Push Notification Spam From Apple

Oliver Thomas:

I just received a push notification for the offer (not an email)

Nilay Patel:

No, Apple. Bad. Desperate unsolicited push notifications are bad.

That services narrative looks a lot sketchier if it relies on the same growth hack trickery Apple forbids other people from using

Ryan Jones:

Lovely. And I do not have Apple Music.

Joe Rosensteel:

Hopefully some day Apple can afford to hire a developer that can check a list of people that are already using a feature before sending out mass, unsolicited notifications.

John Parkinson:

I like the advertising emails telling me to buy $new_product_x that I already registered on my AppleID.

Tim Schmitz:

Why am I getting spammed with push notifications about the Emmy’s? Why did I get subscribed to an Emmy news channel I don’t want, and why can’t I remove it?

Juli Clover:

Apple has recently been sending out unsolicited notifications to iOS users, promoting Carpool Karaoke episodes and the availability of Apple Music on Amazon Echo devices.

[…]

Unfortunately there’s no way to keep the TV or Music notifications you do want without also getting the unwanted notifications from Apple.

[…]

Apple’s App Store rules do not allow for apps to send notifications for advertising, promotions, or marketing purposes, but it appears those rules don’t apply to Apple’s own notifications.

Chance Miller:

In the last month, Apple has sent a flurry of push notifications to iOS users ranging from iPhone XR promotions to HomePod promotions, Carpool Karaoke episode releases, and more.

[…]

Humorously, Apple regularly touts that Apple Music has “zero ads,” though one might consider this notification an ad in and of itself.

Previously: Push Notifications to Send Promotions, Apple Pushes iPhone 6s Pop-up Ads to App Store, 2018 iPhone Sales.

Update (2018-12-21): Dave Verwer:

In response to this week’s iOS Dev Weekly comment, someone just sent me this screenshot... I think it says everything about how well respected rule 4.5.4 is...

Update (2018-12-23): Marco Arment:

App Store rule 4.5.4 is a joke. Not only is it completely unenforced, but Apple now frequently, blatantly violates it to spam us.

[…]

Apple’s non-enforcement of the rule against marketing push notifications makes iOS on most people’s iPhones feel like a cheap, spammy flea market.

Apple itself now contributing to that is a huge failure to protect their own premium brand image for short-term promotional gains.

Update (2018-12-31): Marko Karppinen:

App Store 2018

Update (2019-01-25): Dylan Seeger (via Marco Arment):

More push notification spam from Apple. Somebody better alert the app review team.

Update (2020-10-16): TJ Luoma:

Apple’s push notification about pre-ordering the iPhone 12 bypassed my son’s iPhone’s Do Not Disturb and went off during a college audition.

It’s one thing to send these push notifications no one asked for. It’s another to bypass DND. Rude and wrong and bad. Do better, Apple.

Update (2020-11-02): Ben Sandofsky:

I hope next year’s iOS supports ad-blockers for iOS Settings.

“Push Notifications should not be used for promotions or direct marketing purposes unless customers have explicitly opted in to receive them via consent language displayed in your app’s UI, and you provide a method in your app for a user to opt out from receiving such messages.”

Update (2021-08-04): Tom Harrington:

Apple, what happened? You used to be cool. Now you push this kind of shit notification on my devices.

Update (2021-10-08): See also: Nicolas Rieul.

Shutting Down Apple Music Connect

Apple:

Connect posts from artists are no longer supported.

Joe Rossignol (9to5Mac):

Apple today announced that its Apple Music Connect social platform for artists is in the process of shutting down, suffering the same fate as Ping, the company’s previous social network for music removed from iTunes in October 2012.

Zac Cichy:

Apple removing Connect from Apple Music feels like the latest in a series of mistakes with the service. Don’t get me wrong: I like Apple Music, but I’m tired of them giving up where they ought to be iterating.

Zac Cichy:

Another issue I have with Apple Music: it is shockingly difficult to find out about new music from artists you definitely listen to. In theory, that stuff shows up in New Releases under For You, but it doesn’t always. And they killed “Music from artists you like” in iTunes.

So there is effectively no great way to keep up to date with new music from artists I love from Apple Music or iTunes on iOS. It’s just kind of a bummer. I stay subscribed to Apple Music for the integration, but they are sorely lacking on the little details.

Nick Heer:

Connect was a ghost town within the first ninety days of Apple Music’s launch. […] Aside from Connect, I think Apple Music’s social features have been fairly successful.

John Gruber:

Two areas where Apple has never really succeeded: serious gaming and social media. Two areas where Steve Jobs never seemed interested: serious gaming and social media. I just don’t think either of these things are in Apple’s DNA.

Kirk McElhearn:

Initially, Connect was one of the tabs at the top of the iTunes window when users were in Apple Music. It was later relegated to a tab in For You, and most likely people simply ignored it. I had followed some artists and labels, and checked it from time to time, but there was never anything interesting.

It’s worth noting that Apple has also removed the Recommendations tab in For You[…]

Previously: Apple Music Connect, Apple Music: Connect.

App Store Ratings, Reviews, and Payments Hiccups

Alexander Schuch:

Looks like roughly half of App Store ratings & reviews no longer show up. Noticed that on my own app first, but other apps seem to be affected as well.

The Apple Post:

Developers are reporting seeing a random drop in app ratings in what is believed to be a bug with the App Store Ratings & Reviews system, with some apps seeing a sharp decline in star-ratings, and others claiming to see missing written reviews and developer responses.

Joe Rossignol:

The problem was alerted to us by MacRumors reader Robin van Doorn, who noticed that his apps Centraal Beheer and Run Trainer suddenly have around 1,000 fewer ratings displayed in the App Store. Other developers have acknowledged the glitch on Twitter, although not every developer is affected.

While some developers have seen their ratings count return to normal, others have tweeted about the issue within the past few hours[…]

Dave Howell:

I’m furious at @AppStore. They didn’t make my Dec 6 payment. I inquired on Dec 11, got a 9-word response 6 days later claiming they tried and my bank denied it. This is not true. Do better, @Apple!

Do real customer support. Apologize when you fail. Don’t lie. Pay your bills.

Update (2018-12-23): Dave Howell:

Now Apple Royalties is saying not only will they be two months late with our Oct sales (due Dec 6), but also one month late for Nov sales.

“We are unable to process any additional payments for December. The earliest available payment date is 31 January 2018.”

Unbelievable.

Mac App Analytics Now Available in App Store Connect

Apple:

Your app data from the new Mac App Store on macOS Mojave is now available in App Store Connect. Now you can find out how many times your app was seen on the Mac App Store, how many times your product page was viewed, and how many new customers downloaded your app. You can also see sales numbers for in-app purchases as well as for paying users, and more.

Kuba Suder:

Forget Mac app analytics, this is the real news - we can finally localize App Store pages to Polish. It only took them 10 years.

Still no gifting of Mac apps.

Max Seelemann:

No sessions and crashes it seems, but App Store Impressions is an entirely new metric to the Mac.

macOS sales numbers seem to only start somewhere midday on Friday though, so they only contain half a week.

Previously: Is There Hope for the Mac App Store?, Pre-WWDC App Store Changes.