Archive for December 2019

Tuesday, December 31, 2019

Apple’s New Map: Final Parts of the 50 States

Juli Clover:

Apple has made good on that promise with the rollout of the new mapping terrain to large swathes of the United States, and the updated Maps are now available across most of the country. It could still take some time for all users in the Central and Southeastern areas of the U.S. to see the new content.

Apple plans to bring the new Maps app to additional countries in 2020.

Justin O’Beirne:

This latest expansion is Apple’s largest yet, and it’s almost twice as large as the expansion before—suggesting that Apple’s rollout is accelerating[…]

Undercover Spies in the Digital Age

Jenna McLaughlin and Zach Dorfman (via Hacker News):

The OPM hack was a watershed moment, ushering in an era when big data and other digital tools may render methods of traditional human intelligence gathering extinct, say former officials. It is part of an evolution that poses one of the most significant challenges to undercover intelligence work in at least a half century — and probably much longer.

[…]

The Singaporeans had developed a database that incorporated real-time flight, customs, hotel and taxicab data. If it took too long for a traveler to get from the airport to a hotel in a taxi, the anomaly would trigger an alert in Singaporean security systems. “If there was a gap, they’d go to the hotel, they could flip on the TVs and phones and monitor what was going on” in the room of the suspicious traveler, says the same former senior intelligence official. “They had everything so wired.”

[…]

The intelligence community has developed sophisticated “backstopping” procedures, which seed a cover story through web traffic, emails and other digital channels. But in an interconnected world, “good backstopping can be defeated in a Google search,” says one former senior intelligence official. Because of that reality, the use of front companies for NOCs has become increasingly untenable, necessitating closer coordination and cooperation with private American businesses for the placement and recruitment of NOCs, say former senior officials.

[…]

Even a switch of employer, or an unexplained gap in one’s résumé, can be a giveaway to a foreign intelligence service, say former officials. In response, the agency has also shifted to recruiting individuals within the companies they already work at, and, with the approval of corporate leadership, secretly transitioning those persons onto the CIA payroll, and training them intermittently and clandestinely, far from any known CIA facility.

Select vs. Choose

Brent Simmons:

People often think, mistakenly, that select is the polite or proper form of choose — but, in user-interface-world, they actually mean different things.

I’ve intuitively used “choose” for menu items. However, I had been using “select” for pop-up menu items because I see them as making a selection—just a variant of a radio button—rather than invoking a command. Apple’s style guide says to use “choose” for both.

Screen Time Communication Limits Workaround

Juli Clover:

As it turns out, though, there’s a bug in the feature that’s allowing children to communicate with anyone who texts them.

[…]

When an unknown number texts a child, there’s an option to add that number to the list of Contacts, allowing the child to then text, call, and FaceTime that person even without parental permission.

There are so many interacting features…

Apple Changes Crimea Map When Viewed From Russia

BBC (via Hacker News):

Russian forces annexed Crimea from Ukraine in March 2014, drawing international condemnation.

The region, which has a Russian-speaking majority, is now shown as Russian territory on Apple Maps and its Weather app, when viewed from Russia.

But the apps do not show it as part of any country when viewed elsewhere.

Doctor_Fegg:

This happens pretty much everywhere with every online map. Kashmir, Taiwan, Western Sahara, etc. etc. Apple doing it for one country is not particularly news.

The only major-league mapping site I know that doesn’t do local alterations is OpenStreetMap, and that’s because OSM’s attitude is “you want the map to show something else? sure, download the raw data and host your own instance”.

Monday, December 30, 2019

Comparison of Reverse Image Search Engines

Aric Toler (via Nick Heer):

However, if you only use Google for reverse image searching, you will be disappointed more often than not. Limiting your search process to uploading a photograph in its original form to just images.google.com may give you useful results for the most obviously stolen or popular images, but for most any sophisticated research project, you need additional sites at your disposal — along with a lot of creativity.

This guide will walk through detailed strategies to use reverse image search in digital investigations, with an eye towards identifying people and locations, along with determining an image’s progeny.

He says Yandex is “by far the best.”

Update (2020-01-24): Nick Heer:

At the time that I linked to the Bellingcat report, I wondered why Google’s reverse image recognition, in particular, was so bad in comparison. In tests, it even missed imagery from Google Street View despite Google regularly promoting its abilities in machine learning, image identification, and so on. In what I can only explain as a massive and regrettable oversight, it is clear to me that the reason Google’s image search is so bad is because Google designed it that way. Otherwise, Google would have launched something like Yandex or Clearview AI, and that would be dangerous.

“Erase Mac” Doesn’t?

Howard Oakley:

What does the terse phrase Erase Mac mean? If you think that it means completely erase your Mac, then I’m with you. But that apparently isn’t what Apple means, at least not when it comes to the Find My service and Activation Lock.

[…]

But hang on: according to another support note, ‘Erase your Mac’ is one of the features of Find My, which allows you to delete everything on your lost or stolen Mac.

[…]

Just to make this clear, let’s establish what Apple means by the following terms:

  • erase file – delete a file completely
  • erase volume/disk – delete the entire contents of that volume/disk
  • erase Mac – maybe (or maybe not) delete some Apple Pay data on that Mac.

This is so confusing:

See also: Apple’s Activation Lock Will Make It Very Difficult to Refurbish Macs (tweet).

Update (2019-12-31): I now think there are documentation issues and a bug but that Erase Mac is intended to erase the Mac. Please see the comments below and here.

Apple’s Filing Against Corellium and Jailbreaking

Amanda Gorton (MacRumors):

Apple’s latest filing against Corellium should give all security researchers, app developers, and jailbreakers reason to be concerned. The filing asserts that because Corellium “allows users to jailbreak” and “gave one or more Persons access… to develop software that can be used to jailbreak,” Corellium is “engaging in trafficking” in violation of the DMCA. In other words, Apple is asserting that anyone who provides a tool that allows other people to jailbreak, and anyone who assists in creating such a tool, is violating the DMCA.

[…]

Across the industry, developers and researchers rely on jailbreaks to test the security of both their own apps and third-party apps – testing which cannot be done without a jailbroken device. For example, a recent analysis of the ToTok app revealed that an Apple-approved chat app was being used as a spying tool by the government of the United Arab Emirates, and according to the researchers behind this analysis, this work would not have been possible without a jailbreak.

The filing is available here (tweet).

Will Strafach:

in their most recent court filing, Apple has declared an all out war on jailbreaking.

they’ve actively decided that they will destroy the livelihoods of those who dare to help folks escape the walled garden.

Jamie Bishop:

Apple’s latest filing in the Corellium case is HORRIFYING.

It effectively will set a precedent which makes unsanctioned research of Apple products ILLEGAL.

[…]

I am SO unbelievably disappointed that Apple has declared war on the security scene.

They lost all those years ago with the DMCA exemption, but now they’ve decided to go after the researchers, the people keeping US safe.

Pwn All The Things:

If Apple won this case, not just Apple, but any platform company could sue any security researcher for publishing a tool to help with security research on their platform. The DMCA claim is a really extreme claim.

Miguel de Icaza:

“We are profiting from Apple’s IP for security” is not any different than “we are selling bootlegged DVDs of Star Wars for the sake of the children”

Of course, under capitalism rules, the next step is to offer more scenarios beyond security for the product - assorted virtualization workloads are the obvious next step. Then followed by tools to install iOS on non-Apple hardware. This is why Apple will fight this.

It seems like Corellium is probably legally in the wrong, at least with respect to the virtualization product. Apple also acted dishonorably towards them and is now trying to use the case to overreach and assert even more control.

Update (2020-01-03): Kyle Wiens (Hacker News):

Despite a lack of apparent interest in enforcing their copyright to iOS software, in this specific case Apple has decided to exert control over iOS. And they’ve crossed a red line by invoking the most notorious statute in the US copyright act, section 1201. This is the very law that made it illegal for farmers to work on their tractors and for you to fix your refrigerator. It’s the same law that we’ve been whacking away at for years, getting exemptions from the US Copyright Office for fixing, jailbreaking, and performing security research on everything from smartwatches to automobiles.

[…]

In other words: Corellium sells a way to use iOS that works around the way Apple intended it to work. Apple knows that you can’t use Corellium’s software to create your own knock-off iPhone. But they can claim that Corellium’s software is illegal, and they might technically be right.

Update (2020-02-14): Pwn All The Things:

Notice how Apple defines “good-faith” research here. That for Corellium to be a “good-faith” org, it would have to require its users to turn over any security research directly to Apple. Otherwise it’s not “good faith”.

But, wait, it gets worse. Apple defines “good faith” as not only turning over all your research on their platform and also requiring that your customers turn over theirs, but they also reserve the right to just not ever pay for it if you do.

That’s the point. The lawsuit is about strategic control of the security market on iOS.

“Good faith” researchers are the ones who go cap in hand and beg Apple for permission to test and give Apple all their research at prices Apple decides (which might be $0, yolo)

J. A. Guerrero-Saade:

For iOS, Apple is betting the house on the walled garden / code signing / dev verification approach. Meaning exploits are that much more important in the attack chain. Once past initial checks, Apple’s unwillingness to actively check device integrity means attackers are king.

[…]

Claiming Corellium enables attackers undermines the fact that most defenders are being barred from researching this space while attackers have been doing just fine. Need is huge. Research enablers must be embraced and emboldened precisely to entice defenders to look.

Update (2020-02-24): Pwn All The Things:

Me: oh looks like this lawsuit is about Apple cornering the infosec research community on their platform

Lots of people: wow sounds like you’re overreacting

Apple: uses lawsuit as vehicle to subpoena random other security researchers

Apple Forces CoinBase to Remove Support for DApps

The Block (via Mike Dudas, Hacker News, Reddit):

Coinbase Wallet, Coinbase’s mobile cryptocurrency wallet, may soon remove its DApp browsing feature according to a message appearing in the app. According to Coinbase, it is removing the DApp browser functionality “in order to comply with App Store policy.”

Brian Armstrong:

If Apple customers want to be able to use Dapps, we may need to make this request known to Apple in some way. This is an important area of innovation in finance, and many developers and early adopters of this technology have millions of dollars worth of crypto tied up in these financial applications, which they will no longer be able to use on Apple mobile devices if this app store policy continues.

Sargos:

Apple and Google have complete control over the mobile market which is the dominant way humanity interacts with the internet in today’s world, especially in developing countries. Having a policy which forbids arbitrary things like listing other apps for users to interact with is very dangerous as it effectively bans whole industries from competing on a level playing field.

This is a big problem for cryptocurrency especially as mobile web browsers cannot interact with blockchains and so users are forced to use custom apps that implement the web3 interfaces. This effectively bans wallets from providing a good experience to allow users to interact with dapps and since you can’t fall back to using a web browser on mobile it might end up being a total ban on the use of dapps on mobile platforms unless each dapp makes their own app (which just opens a whole new can of worms).

Friday, December 27, 2019

Dropbox No Longer Follows External Symlinks

Dropbox:

As of mid-2019, Dropbox no longer follows items outside of your Dropbox account that are linked to by a symlink.

You can have symlinks that link to items both in and outside of your Dropbox account; however, these two types of symlinks sync differently.

  • If you create a symlink that links to an item in your Dropbox account, we’ll sync the symlink file at its location and the item that it links to at its location respectively
  • If you create a symlink that links to an item outside of your Dropbox account, when you sign in to dropbox.com you’ll only see the symlink file but not the content it links to

Too bad, as I had considered symlink support one of the advantages of Dropbox over iCloud Drive. It made it possible to store things in Dropbox yet have them actually reside at other locations in the file system. And I could use Git to manage the contents of a folder that syncs, without having to put the .git folder in Dropbox.

The timing of this is not clear to me, though. The article says “as of mid-2019,” which we have certainly passed. Yet, as of now, it seems to still be following symlinks, and the report it generated for me lists the symlinks that “will” stop syncing.

Remote Work Hygiene

Moodthy Alghorairi (via Ryan Jones):

I’ve split up the various tricks and tips I’ve come to rely on into 3 categories:

  1. Work Habits: habits around work I start and end my day with.
  2. Work Practices: specific ways and methods of working.
  3. Environmental Practices: things I take care of in the environment to support focus and life balance.

Good advice.

BlueMail Rejected From the Mac App Store

Julian Chokkattu (Hacker News):

A few days later, still reeling from the shock of seeing the technology they patented announced on the world stage, the Volach brothers’ email app, BlueMail, was removed from the Mac App Store. Coincidence? They don’t think so.

[…]

Last year, the app was found to be sending users’ passwords to the developers, but the company issued an update that reportedly rectified the issue and claims it doesn’t store emails or passwords on its servers.

[…]

In this resubmission, the team asked Apple to “elaborate on which apps you find similar, so we can look into it and take action if required.” Yet BlueMail was rejected again, with Apple citing the app duplicated content available on the App Store. After asking again for more clarity, a few days later Apple finally said BlueMail is duplicating TypeApp.

“BlueMail and TypeApp were never duplicate applications—but they certainly could not be “duplicates” on June 4, 2019, that were “currently available on the App Store” when TypeApp for Mac had already been voluntarily removed weeks earlier,” according to the lawsuit.

No matter how you look at this, it’s odd that both apps are approved for the iOS App Store but not the Mac App Store. How did they get a patent for an e-mail relay? And why haven’t they made a Developer ID version of the app?

Ben Volach:

This isn’t our first time facing unfair practices as a developer for Apple devices. Our iPhone app was unfairly ranked until The Wall Street Journal, The New York Times and others exposed how the App Store manipulated search results. Overnight, its ranking went from #143 to #13.

The iPad’s Identity Crisis

Emily Lipstein:

Apple is pushing the iPad at people like me, people who have an iPhone, likely have AirPods, and are looking for a device that they can use at home when their only real computer is what they’re given at work. We’re deep in the Apple ecosystem, and have been for years, and here’s another opportunity to stay in it without paying too much of a premium. That’s the idea at least.

[…]

So from the second you sync your brand new device with your iCloud login, you’re left confused about why Apple’s replicating your phone on something bigger and with a keyboard. There should at least be an option to opt-out of getting all of the apps to immediately start downloading to the device.

[…]

Obviously Google wants you to be using Chrome OS. But even so, you want a Google Docs app on the iPad that’s a full-fledged replica of what you have in-browser on desktop. But that’s not what you get, neither here nor in the Gmail app either.

[…]

The attachable Smart Keyboard mostly gets the job done, but its flimsiness makes it nearly impossible for me to actually use it on my lap on the couch[…] It also tends to tip over when it’s not on a flat surface[…]

Update (2019-12-30): AAPL of Discord:

SJ introduced iPad as a new category of device. Now TC seems to be wedging it in as a PC replacement, ignoring the input conventions that define it as anything but. It will remain awkward under this new strategy.

Pata Ling:

While Apple is struggling to make the iPad a computer-substitute, there is no effort to make it a phone-substitute. A cellular iPad mini, especially if paired with an Apple Watch, would be my main mobile device if I still didn’t have to tether to an iPhone for full phone features

Thursday, December 26, 2019

Copyright Exhaustion Does Not Apply to E-books

Rory O’Neill:

In a highly-anticipated decision, issued today, December 19, the Court of Justice of the European Union (CJEU) held that offering ‘second-hand’ e-books for sale qualifies as an unauthorised “communication to the public” under the 2001 InfoSoc Directive.

[…]

This is because e-books do not deteriorate with use and are therefore a perfect substitute for new physical copies of the work.

In a way, e-books with DRM do deteriorate because there is always the risk that the DRM provider will get out of that business or stop supporting the platform you care about.

Via Howard Oakley:

According to the publishers in that recent case in the CJEU, you get a perpetual licence (not ownership) to access their copyright content, which never deteriorates in the same way that physical books do. As a result, the publishers claimed successfully, you aren’t free to sell on your licence, and can only do so if they, the copyright owners, agree.

[…]

What amazes me about all this is that the many penalties and drawbacks of eBooks aren’t the result of the medium itself, but have been cunningly devised and implemented by eBook publishers. It’s almost as if they don’t want us to license eBooks in the first place.

At one extreme it seems unfair that I could buy a book and then pass it on and eventually the whole world reads it and the creators only got one sale. At the other (and very real) extreme, it seems unfair for my ebooks to die when I do; I can’t bequeath them.

In the latter case, “going out of print” means “when all the purchasers have died, this thing will cease to exist, and you are not even allowed to pay for it to keep it alive”.

Ebooks aren’t only selling less than everyone predicted they would at the beginning of the decade. They also cost more than everyone predicted they would — and consistently, they cost more than their print equivalents.

[…]

The case of US v. Apple encapsulates the dysfunction of the last decade of publishing. It’s a story about what we’re willing to pay for books — and about an industry that is growing ever more consolidated, with fewer and fewer companies taking up more and more market share. What happened to the ebook in the 2010s is the story of the contraction of American publishing.

Putting the “Author” in “Authoritative”

John Wilander:

We’ve had a reasonable debate over the right to be forgotten. The next one will be about the right to lie. Not the right to lie in court or as part of some fraud, but the right to everyday lies and white lies. Digital surveillance deprives us of this important part of life.

For whatever reason, I might be ashamed or shy about my age/looks/past/job/health/sexual preferences/race/ethnicity/beliefs/political views/abilities/education/family history etc. It’s valid to lie about such in everyday life. Tracking and ML should not interfere with that right.

Via Peter Hosey:

When we try to automatically verify someone’s identity using whatever scraps of information they’ve given us, or to let them board a plane with their face, we treat the data we have on someone as being necessarily, implicitly the same as their actual truth. We assume/trust/bet that the data we have matches the truth; that they are the same as each other, and therefore the record can tell us the truth.

[…]

Back in the present, our system of mass-surveillance/data-brokerage/(whatever facet you want to look at) is one that promises convenience. It promises to enable its users, its querents, to learn (or verify) information about a subject without their involvement (which implies without their consent). It promises to enable the construction of other systems, automated themselves, to fulfill the function of querent, to ask the questions about us that the record-keeping system promises to be able to answer.

[…]

The more data we assemble on everyone, the more we can automate. And the automated systems feed data back, and contribute more.

Update (2019-12-27): Sander Van Dragt:

Generally speaking, tracking takes away your ability to represent who you are yourself in the current moment. Your identity is how you are perceived by others. People won’t appreciate this until they’ve lost it, but anyone who has been the victim of for example online bullying or stalking will recognise it.

ClassDumpRuntime and dsdump

Leptos:

My Obj-C classdump library is now open source. It was developed primarily to handle C++ and other less common types. The type parser isn’t the fastest it could be, but in my tests it’s significantly faster than existing parsers.

Derek Selander (tweet):

This article attempts to explain the complete process of programmatically inspecting a Mach-O (Apple) binary to display the compiled Swift types and Objective-C classes[…]

Apple News No Longer Supports RSS

OSXDaily:

Want to add an RSS feed of a site to News app? Can’t find a site you like in the Apple approved list on News app? No problem, here’s how you can add them yourself from Safari in iOS and subscribe directly[…]

David A. Desrosiers:

Apple News on iOS and macOS no longer supports adding RSS or ATOM feeds from anywhere. Full-stop, period. It will immediately fetch, then reject those feeds and fail to display them, silently without any message or error. I can see in my own server's log that they make the request using the correct app on iOS and macOS, but then ignore the feed completely; a validated, clean feed.

They ONLY support their own, hand-picked, curated feeds now. You can visit a feed in Safari, and it will prompt you to open the feed in Apple News, then silently ignore that request, after fetching the full feed content from the remote site.

Update (2019-12-27): Matt Birchler:

I wish I could remember who it was, but there were some folks who thought I was crazy to use Apple News and an RSS reader since Apple News could aggregate my RSS feeds too. I didn’t use it at the time because I thought it was a bad RSS reader and didn’t do what I wanted. Now I’m happy that I didn’t put my eggs (of feeds) in one basket; a basket that doesn’t have an export option.

See also: Hacker News.

Dave Verwer:

I was all ready to celebrate this change until I realised that the News app still captures the click when you visit an RSS feed, but then just refuses to do anything with it.

Apple News isn’t (what I consider) an RSS reader, yet insisted on capturing every RSS feed I clicked on. Now it’s even worse. Just let it open in Safari like it used to so I can get the RSS URL myself and add it to my actual feed reader. I really hope this gets fixed.

Simon Willison:

What bothers me is that in Mobile Safari the Apple News app still hijacks clicks on Atom/RSS feeds - so if you click a feed icon you’ll be bounced to the News app, which will then display an error message.

I don’t think there’s a workaround for this. Atom links just look broken.

Stefan Arentz:

This is fine, there are plenty great RSS readers for iOS. What is not fine is that Apple News is still claiming the rss:// scheme. What Apple needs to do is implement a proper system wide setting that lets you pick the applications that you want for http, rss, mail, etc.

Stefan Arentz:

On iOS 13.3, tapping on an RSS link in Safari ..

Update (2019-12-28): See also: Hacker News and Slashdot.

Update (2020-01-30): Brent Simmons:

Is there no way, on iOS, to specify the default RSS reader — that is, specify the app that handles the feed and feeds URL schemes?

It looks like Apple News always handles it, no matter what, and then doesn’t actually do anything with it. Which cuts out every RSS reader.

Doug DeJulio:

This is even true if you remove the News app. I did, and when I hit a “feed:” URL, it asks for permission to reinstall it.

Tuesday, December 24, 2019

New WebKit Features in Safari 13

Jon Davis:

WebKit provides the heart of this new experience with deep, fundamental changes that deliver a great desktop website experience on a touch device. With the exception of iPad mini, Safari on iPad will now send a user-agent string that is identical to Safari on macOS. Beyond just a user-agent change, WebKit added new support for web standards to provide the needed compatibility and quality. That included adding new support for Pointer Events, the Visual Viewport API, and programmatic paste.

[…]

Find on page now works like Safari on desktop, highlighting all of the matching terms on the page with a special highlight for the current selection.

[…]

Support for websites saved to the home screen has been polished to work more like native apps. The changes focused on better multitasking support, improved login flow to work in-line without switching to Safari, support for Apple Pay, and improved reliability for remote Web Inspector.

[…]

With the introduction of native WebDriver support in Safari on iOS 13, it’s now possible to run the same automated tests of desktop-oriented web content on desktop and mobile devices equally.

Notably absent from Safari for iOS: extensions.

Messages Screen Sharing for Remote Troubleshooting

Joseph Keller:

You can invite someone to share your screen, or request or be invited to share the screen of another person’s Mac, and it’s all done through Messages. This is a great way to help troubleshoot problems on a remote Mac[…]

When this works, it’s great. But I’ve found that sometimes, for no discernible reason, the command to start sharing the screen just isn’t there.

If you’ve got a problem with an iOS device, you can get some remote help with it using Messages screen sharing and QuickTime Player on your Mac. While the person from whom you’re seeking help won’t be able to remotely control your iOS device, they will be able to watch as you perform the steps necessary to fix it yourself.

Modding the Silicone Tips of AirPods Pro

Federico Viticci:

I can use in-ear silicone tips without getting a headache after 20 minutes. It’s not my favorite method of listening to music, however, because I know that memory foam tips are a better fit for my ears since they can better adapt to the shape of my ear canal and, as a result, provide better isolation and a more bass-y response.

[…]

The solution I’ve adopted isn’t ideal since I still haven’t found complete foam replacements made specifically for AirPods Pro, but, at least for me, what I’m using today is better than using Apple’s default silicone tips. As I shared on Twitter a few days ago, I’ve modded the AirPods Pro’s silicone tips with an extra memory foam layer, which helps the tips fit better in my ears, resulting in a warmer sound and overall more comfortable feel. The best part: I didn’t have to cut the memory foam layer myself – I simply took the foam layer from a pair of Symbio W eartips and fitted it inside the AirPods Pro’s tips.

AirPods Pro Alternatives

Andrew O’Hara:

Jabra boasts a resistance rating of IP55, which means it can withstand dust and jets of water, while AirPods Pro is only able to withstand sweat and rain. Apple did not test dust ingress into AirPods Pro, resulting in the IPX4 rating.

Importantly, we also found that Jabra Elite 75t is capable of better sound quality than AirPods Pro. The cases individual buds are slightly larger, which could yield a bit more bass and overall fuller sound. If sound quality is the predominant factor in selection, then the Jabra Elite 75t takes the crown.

Julio Ojeda-Zapata:

The recently released Solo Pro are full-sized headphones, not tiny earbuds, but they are otherwise similar to the AirPods Pro.

They include noise cancellation and transparency mode, with minor differences. A physical button on the left side cycles through the audio modes, but you can turn them off only in the iPhone’s Bluetooth settings and via Control Center, or in the Mac volume settings. No Apple Watch controls are available.

[…]

Amazon’s new, noise-canceling Echo Buds cost only $129 and have Siri support along with custom-made Comply foam tips. Note: I haven’t tried the Echo Buds and don’t know how well they work, so this mention should not be construed as a recommendation.

Shop for non-Apple earbuds with care, because many lack active noise cancellation, including much-hyped new products like Google’s Pixel Buds, Microsoft’s Surface Earbuds, and Samsung’s Galaxy Buds.

App Store to Ban Deprecated UIWebView

Apple (via John Wilander):

If your app still embeds web content using the deprecated UIWebView API, we strongly encourage you to update to WKWebView as soon as possible for improved security and reliability. WKWebView ensures that compromised web content doesn’t affect the rest of an app by limiting web processing to the app’s web view. And it’s supported in iOS and macOS, and by Mac Catalyst.

The App Store will no longer accept new apps using UIWebView as of April 2020 and app updates using UIWebView as of December 2020.

I’m not sure how things are on iOS, but on the Mac WKWebView is not yet able to fully replace WebView, even if you rewrite lots of delegate methods in JavaScript.

Jonathan Deutsch:

For my app (@hypeapp), the WebView DOM APIs are quite integral and I am waiting for a performant equivalent in WKWebView.

[…]

UIWebView on iOS was always pretty limited, but on macOS they deprecated hundreds of APIs without any suitable replacements!

I did make a bridge as an experiment that replaced the DOM APIs, but performance was crap since it needed to use JS.

Presumably Apple knows this—and has experience with some of the issues from Mail—and so won’t be so hasty with the transition on the Mac.

Personally, I don’t think WebView should have been deprecated at all until it had a suitable replacement. It feels like it’s setting up a situation where Apple is going to ban it, saying “We deprecated it a long time ago and gave you years to switch,” when it was only actually possible to switch for a short time.

Previously:

Update (2019-12-26): David Kilzer:

NOW is the time to submit enhancement requests or bug reports if you can’t use WKWebView to replace use of WebView (macOS) or UIWebView (iOS) in your apps! Reply with Feedback Assistant or Radar IDs here and I’ll make sure they are seen.

Isaiah Carew:

i talked directly to people. i have filed multiple radars. well over a year ago.

the limitations are profound and obvious.

they say they’re taking feedback, but I’m not optimistic that they’ll do anything with that feedback.

Sam Soffes:

Last I tried, proper printing support on Mac isn’t possible with WKWebView but works flawlessly with WebView. Spent an entire day trying to figure this out back in March. Forums all agree it’s broken in WK 😞

Update (2020-01-24): David Dunham:

OK, I am finally trying to switch. It is not looking good — one of my views displays way too small, and neither use the custom fonts that with UIWebView “just worked.”

I managed to handle that (hacking HTML and CSS). Now I am stuck with a much less responsive app. Probably because I have to spin up two new processes to handle the WKWebViews.

Update (2020-01-30): Bogdan Popescu:

I’ve decided to discontinue Dash for iOS, as maintaining it is no longer sustainable. […] Dash for iOS also uses UIWebView extensively, which won’t be accepted on the App Store starting with April 2020. Migrating to WKWebView would be more work than it’s worth.

Update (2020-05-06): Steve Tibbett:

Apple is enforcing the UIWebView deprecation today on uploads (not submissions) of binaries for unreleased apps. We depend on an SDK from a third party that fixed the UIWebView deprecation in a major, breaking SDK update. Surprise!

Update (2020-10-09): Apple:

And last year, we announced that the App Store will no longer accept app updates containing UIWebView as of December 2020.

However, to provide additional time for you to adopt WKWebView and to ensure that it supports the features most often requested by developers, this deadline for app updates has been extended beyond the end of 2020. We’ll let you know when a new deadline is confirmed.

Josh Avant:

Will this become another requirement like App Transport Security that kinda just disappears?

Previously:

Monday, December 23, 2019

What to Do When a macOS Update Goes Wrong

Howard Oakley:

When you’re ready, in most cases the best thing to try next is to start up in Safe mode, which is explained in full here. We often don’t do that properly, and it’s worth following Apple’s instructions very carefully[…]

[…]

If Safe mode makes little or no difference, the next thing to try is downloading a standalone version of the update and installing that.

[…]

In Catalina, one unique problem which can occur is that spurious additional volumes are created by the installer. To discover whether that has happened, check your boot disk using Disk Utility.

Previously:

AirPods Pro Bluetooth Latency

Stephen Coyle (via John Voorhees):

Looking to the AirPods first, there’s a very encouraging trend occurring. They drop from 274ms to 178ms going from the first to second generation, and the AirPods Pro take it down even further, to 144ms. While a 130ms reduction may not seem like a lot, the perceptual difference from this makes the AirPods Pro tantalisingly close to seamless.

Keyboard clicks are near enough to their corresponding keypresses that they feel like they’re actually related to them, not just the cacophony of blips they had seemed before. Tapt is playable, but only just; there’s still additional cognitive load caused by the delay, which I’m sure affects other rhythm-based games equally, and risks upsetting the playability of games that rely heavily on audio cues. However, it’s a lot better, and it looks like things are heading very much in the right direction.

Impressive, although I wonder how much more improvement will be possible.

Previously:

ToTok and TikTok

Mark Mazzetti, Nicole Perlroth, and Ronen Bergman:

It is billed as an easy and secure way to chat by video or text message with friends and family, even in a country that has restricted popular messaging services like WhatsApp and Skype.

But the service, ToTok, is actually a spying tool, according to American officials familiar with a classified intelligence assessment and a New York Times investigation into the app and its developers. It is used by the government of the United Arab Emirates to try to track every conversation, movement, relationship, appointment, sound and image of those who install it on their phones.

[…]

Apple removed ToTok from its App Store on Friday and was still researching the app, a spokesman said.

Patrick Wardle (tweet):

The main goal of this blog post is to provide the technical details, about how one may go about triaging an iOS application, using ToTok as a “case-study”

[…]

Its reviews (over 32,000!) are largely positive, and mostly laud the fact that this application is not blocked in the UAE (Skype, WhatsApp, etc. are blocked, while using VPNs to access blocked services is illegal).

[…]

Based on these embedded strings it’s relatively clear that ToTok is largely composed of code from YeeCall. According to CrunchBase YeeCall is “a software company that has developed Yeecall messenger app for video & voice calling.” It is rather unsurprising that ToTok is simply based on existing code/a product (vs. written entirely from scratch).

Random Hash Value:

As a side note.... A good description why locked down platforms make security harder. Needing a jailbreak to reverse a suspect software just to bypass the device vendor is Corp policy gone wrong.

ToTok is not to be confused with TikTok.

Matthias Eberl (Hacker News):

I did a detailed privacy check of the app TikTok and its corresponding website. Multiple law infringements, trust, transparency and data protection breaches were found.

M.B. Pell, Echo Wang (Hacker News):

Earlier this week the United States Navy banned the social media app TikTok from government-issued mobile devices, saying the popular short video app represented a “cybersecurity threat.”

[…]

TikTok is hugely popular with U.S. teenagers, but has come under scrutiny from U.S. regulators and lawmakers in recent months. The U.S. government has opened a national security review of the app’s owner Beijing ByteDance Technology Co’s $1 billion acquisition of U.S. social media app Musical.ly, Reuters first reported last month.

Previously:

Update (2020-01-06): Bill Marczak:

This report examines the corporate structure of ToTok, a Voice over IP (VoIP) app associated with an Abu Dhabi-based company, Breej Holding Ltd. In December 2019, the New York Times reported that American officials said that the UAE Government spies on ToTok’s users, and that Breej was connected to UAE companies involved in earlier spying attempts. Google and Apple removed the app from their app stores, and ToTok has begun to aggressively fight the charges, calling them “defamat[ory],” a “shameless fabrication,” “vicious rumours,” “deranged,” and “absurd.”

Update (2020-01-07): Joseph Cox:

ToTok, a social media/messaging app that is reportedly a secret surveillance tool for the UAE, is back on the Google Play Store. Originally Google said the app violated policies; now the app makes it explicit it gathers your contact information.

Swift’s CollectionOfOne

Bruno Rocha:

The cases where using CollectionOfOne is the best approach possible is when you are forced to operate on Collections. In the Standard Library for example, CollectionOfOne is used to insert elements in specific positions of an Array:

public mutating func insert(_ newElement: __owned Element, at i: Int) {
  _checkIndex(i)
  self.replaceSubrange(i..<i, with: CollectionOfOne(newElement))
}

Because replaceSubrange replaces a Collection with another one, cases where the replacement is only a single element can greatly benefit from using CollectionOfOne.

Chuck Peddle, RIP

Mike Mika:

On Dec 15th, we lost Chuck Peddle, the lead designer of the MOS 650x series microprocessor and the Commodore PET. His processor was the heart of the Atari 2600/5200/400/600/800, Apple II, NES, VIC-20, C-64, Kim-1, Master System, Lynx, BBC Micro, arcade games and so much more. RIP

Bill Mensch (Hacker News):

In the Spring of 1974, Chuck asked me to head a semiconductor engineering team to design a microprocessor family of chips that the world knows as the 6502 family of chips. We left Motorola as a team on August 19, 1974 to begin work at MOS Technology.

[…]

The TFC chip was designed using my 65C02 microprocessor with high-speed DMA features for USB FLASH Modules Chuck planned to manufacture and sell. The TFC used Chuck’s patented “page-mode” concepts for replacing bad pages with “good” pages within tested “bad” segments. Chuck wrote the Assembly language code for the TFC. Chuck had negotiated a relationship with FLASH memory suppliers to support his “page-mode” business.

[…]

Chuck’s latest work was on Solid State Disc (SSD) drives, used some of the TFC concepts for high speed DMA transfers.

Previously:

Update (2019-12-26): See also: Cade Metz (Hacker News).

Friday, December 20, 2019

Apple Stops Staingate Repairs After 4 Years

Joe Rossignol:

Apple continues to authorize free display repairs for eligible MacBook and MacBook Pro models with anti-reflective coating issues for up to four years after the affected notebook’s original purchase date, the company said in an internal memo distributed to Apple Authorized Service Providers this week.

[…]

Over the years, the issues have led to an online petition with nearly 5,000 signatures, a Facebook group with over 17,000 members, and complaints across the Apple Support Communities, Reddit, and our own MacRumors forums. A so-called “Staingate” website was set up to share photos of affected MacBooks.

Macs should last much longer than 4 years. If larger numbers of them fail due to a design or manufacturing problem, Apple should recall them and replace them with a fixed version. Instead, they tried to keep the problem a secret and ran out the clock.

For the 2016 MacBook Pro keyboards, there is a public repair program, but it only lasts for 4 years. Yet they just replace one defective keyboard with another, so the problem is bound to recur after you’re no longer eligible. And, even within the 4-year window, some customers have been denied more than 2 repairs.

Previously:

Flickr Needs More Paying Users

Connie Loizos (Hacker News):

In an email tonight to users of Flickr who pay roughly $50 annually for the service, MacAskill has basically asked them if they know anyone else who might be interested in a yearly subscription to Flickr, explaining that it “still needs your help. It’s still losing money.”

[…]

To sweeten the deal for new subscribers, SmugMug is offering 25% off a Flickr Pro account for those who visit this link and input the code 25in2019.

Don MacAskill (tweet):

Flickr is the world’s largest photographer-focused community. It’s the world’s best way to find great photography and connect with amazing photographers. Flickr hosts some of the world’s most iconic, most priceless photos, freely available to the entire world. This community is home to more than 100 million accounts and tens of billions of photos. It serves billions of photos every single day. It’s huge. It’s a priceless treasure for the whole world. And it costs money to operate. Lots of money.

[…]

Every Flickr Pro subscription goes directly to keeping Flickr alive and creating great new experiences for photographers like you. We are building lots of great things for the Flickr community, but we need your help. We can do this together.

Louie Mantia, Jr.:

I can take a really nice picture from my very nice iPhone. And on my iPhone, I can view it how it was meant to be seen. But if I post it to a social network, it will be compressed because the convenience of delivery outweighs the full quality weight of the file.

A. Lee Bennett Jr.:

People are perpetually complaining about @Flickr and the price increase for a Pro account.

But what Louie is describing is exactly why there is value in Flickr Pro. One of the few places that stores your original photos, uncompressed, and EXIF data intact.

Previously:

Mac Bug Bounty Program Opens

Apple (Hacker News, MacRumors):

As part of Apple’s commitment to security, we reward researchers who share critical issues with us through the Apple Security Bounty. You can now earn up to $1,500,000 and report issues on iOS, iPadOS, macOS, tvOS, watchOS, and iCloud. In addition, Apple offers public recognition for those who submit valid reports and will match donations of the bounty payment to qualifying charities.

Apple Security Bounty:

These eligibility rules are meant to protect customers until an update is available, ensure Apple can quickly verify reports and create necessary updates, and properly reward those doing original research.

[…]

Not disclose the issue publicly before Apple releases the security advisory for the report. (Generally, the advisory is released along with the associated update to resolve the issue).

It sounds like you don’t get paid until (and unless) Apple fixes the bug.

Previously:

Update (2019-12-20): Jeff Johnson:

iOS 13 and macOS 10.15 may have huge security holes that we haven’t heard about yet — that even Apple haven’t heard about yet! — because everyone started hoarding their bugs after the bounty program was announced back in August, while those major OS updates were still in beta.

Rob Napier:

I’d be most concerned about a system that used payment to prevent disclosure without fixing the issue. That achieves none of the goals.

I’m ok with “if you disclose early you don’t get paid.” That creates reasonable trade-offs for both sides. If Apple thinks the bug isn’t as important as you do, then Apple should be ok with you disclosing it. But if it’s very complex, then it could take months to fully fix.

[…]

Where I’d be concerned is if submitting the bug creates an NDA situation, paid or not. That would definitely be a problem.

Alas, that seems to be how the bug bounty program is designed.

Update (2020-04-20): Jeff Johnson:

Here’s the problem, though. What happens if a reported issue is not addressed for a very long time: 9 months, 12 months, or even more? Does Apple refuse to pay the bounty during that time? […] The Apple Security Bounty eligibility rules also state that researchers must “Not disclose the issue publicly before Apple releases the security advisory for the report”. As discussed recently by Google Project Zero, it’s common industry practice to disclose reported vulnerabilities after 90 days, but the rules of the Apple Security Bounty could force vulnerability reporters to remain silent indefinitely, which is unacceptable.

[…]

I hope that Apple has a good solution to this problem, and that Apple’s intention is not just to keep vulnerabilities a secret for as long as possible by dangling a bounty in front of the reporters.

The hacker-friendly phones announced at the same conference don’t seem to be available yet.

Update (2020-04-22): Francisco Tolmasky:

RE: Unbounded bug fix times. My further concern is whether you become persona non grata for future reports if you decide on principle to disclose your bug after 90 days despite losing your bounty reward.

Jeff Johnson:

I’m thinking about withdrawing from the Apple Security Bounty program.

I see no evidence that Apple is serious about the program. I’ve heard of only 1 bounty payment, and the bug wasn’t even Mac-specific.

Also, Apple Product Security has ignored my last email to them for weeks.

[…]

It’s a joke. I think the goal is just to keep researchers quiet about bugs for as long as possible.

Project Connected Home Over IP

Apple (via Hacker News):

The goal of the Connected Home over IP project is to simplify development for manufacturers and increase compatibility for consumers. The project is built around a shared belief that smart home devices should be secure, reliable, and seamless to use. By building upon Internet Protocol (IP), the project aims to enable communication across smart home devices, mobile apps, and cloud services and to define a specific set of IP-based networking technologies for device certification.

The industry working group will take an open-source approach for the development and implementation of a new, unified connectivity protocol. The project intends to use contributions from market-tested smart home technologies from Amazon, Apple, Google, Zigbee Alliance, and others.

See also: Project Connected Home over IP.

Update (2019-12-23): Benjamin Mayo:

Like everyone else, I was sceptical the moment the news broke. Why would these companies suddenly want to play happy families, after five years of constructing fiefdoms?

Well, I think I’ve figured out the motivations. This open protocol commoditises access to appliances and accessories. For manufacturers today, getting their stuff to work (and certified) with proprietary platforms is expensive and time consuming, especially for HomeKit. An open initiative should break down those walls and reduce costs. For Apple, Amazon and Google, they don’t base their business on the smart home accessories themselves. Their interest is in the voice assistants, in the intelligence layer, in the hardware and services that manages the accessories. And this doesn’t threaten that at all.

Update (2020-01-10): See also: The Talk Show.

The Cub Programming Language

Louis D’hauwe:

Cub is an interpreted, dynamically typed, scripting language inspired by Swift. This project includes a lexer, parser, compiler and interpreter, all written in Swift.

Cub is used for OpenTerm’s scripting feature. A language guide is available in OpenTerm and online. Cub was derived from Lioness (my first programming language).

The standard library (abbreviated: stdlib) contains basic utility functions, for example to convert from/to dates.

Via Ezekiel Elin:

Found in the Apple Research app

Hamish Sanderson:

The author joined Apple in 2018 as an Xcode engineer. Read as much or as little into that as you want.

(Not that I’m thrilled by the thought of yet another 1990s-era scripting lang, but honestly at this point any sign of a clear automation strategy at Apple would be welcome.)

Thursday, December 19, 2019

Twelve Million Phones, One Dataset, Zero Privacy

Stuart A. Thompson and Charlie Warzel (MacRumors):

[The data] didn’t come from a telecom or giant tech company, nor did it come from a governmental surveillance operation. It originated from a location data company, one of dozens quietly collecting precise movements using software slipped onto mobile phone apps. You’ve probably never heard of most of the companies — and yet to anyone who has access to this data, your life is an open book. They can see the places you go every moment of the day, whom you meet with or spend the night with, where you pray, whether you visit a methadone clinic, a psychiatrist’s office or a massage parlor.

The Times and other news organizations have reported on smartphone tracking in the past. But never with a data set so large. Even still, this file represents just a small slice of what’s collected and sold every day by the location tracking industry — surveillance so omnipresent in our digital lives that it now seems impossible for anyone to avoid.

[…]

The companies that collect all this information on your movements justify their business on the basis of three claims: People consent to be tracked, the data is anonymous and the data is secure.

None of those claims hold up, based on the file we’ve obtained and our review of company practices.

Yes, the location data contains billions of data points with no identifiable information like names or email addresses. But it’s child’s play to connect real names to the dots that appear on the maps.

Previously:

Update (2019-12-26): John Gruber:

What do we do about it?

Legislation? Make the collection of this sort of data highly-regulated? Is that even feasible with an internet that spans the globe?

Technical? Is there something Apple and Google can do?

I think Apple should empower users to see and control what apps do. Many apps don’t need network access for their core functionality. I should be able to block them from connecting, like I can with Little Snitch on the Mac. Other apps need the network to sync with iCloud, but I want to be able to enforce that’s all they’re doing—not accessing other sites or public CloudKit databases. For apps that need more connections, I should be able to see what servers they’re connecting to, and how often. This is not a solution, but it’s a first step. For example, having this information would make it possible to shame apps that are not well behaved. And apps that work well without making connections could be promoted, e.g. like games that don’t require IAPs.

Update (2019-12-27): John Gruber:

The Times needs to come to grips with the fact that they are a player in this racket.

Swift Evolution Pitch: Modify Accessors

Ben Cohen:

We propose the introduction of a new keyword, modify, for implementing mutable computed properties and subscripts, alongside the current get and set.

The bodies of modify implementations will be coroutines, and they will introduce a new contextual keyword, yield, that will be used to yield a value to be modified back to the caller. Control will resume after the yield when the caller returns.

This modify feature is currently available (but not supported) from Swift 5.0 as _modify, for experimentation purposes when reviewing this proposal.

[…]

We cannot yield the value in the array’s buffer directly because it needs to be placed inside an optional. That act of placing inside the optional creates a copy.

We can work around this with some lower-level unsafe code. If the implementation of Array.first has access to its underlying buffer, it can move that value directly into the optional, yield it, and then move it back[…] During the yield to the caller, the array is in an invalid state: the memory location where the first element is stored is left uninitialized, and must not be accessed. This is safe due to Swift’s rules preventing conflicting access to memory.

Previously:

ML Super Resolution in Pixelmator Pro

Pixelmator Team:

Until now, if you had opened up the Image menu and chosen Image Size, you would’ve found three image scaling algorithms — Bilinear, Lanczos (lan-tsosh, for anyone curious), and Nearest Neighbor, so we’ll compare our new algorithm to those three.

[…]

Until now, if an image was too small to be used at its original resolution, either on the web or in print, there was no way to scale it up without introducing visible image defects like pixelation, blurriness, or ringing artifacts. Now, with ML Super Resolution, scaling up an image to three times its original resolution is no problem at all.

Apple Platform Security Guide (Fall 2019)

Apple (PDF, via Rosyna Keller):

This documentation provides details about how security technology and features are implemented within Apple platforms. It also helps organizations combine Apple platform security technology and features with their own policies and procedures to meet their specific security needs.

[…]

Apple continues to push the boundaries of what is possible in security and privacy. For example, Find My uses existing cryptographic primitives to enable the groundbreaking capability of distributed finding of an offline Mac — without exposing to anyone, including Apple, the identity or location data of any of the users involved. To enhance Mac firmware security, Apple has leveraged an analog to page tables to block inappropriate access from peripherals, but at a point so early in the boot process that RAM hasn’t yet been loaded. And as attackers continue to increase the sophistication of their exploit techniques, Apple is dynamically controlling memory execution privileges for iPhone and iPad by leveraging custom CPU instructions — unavailable on any other mobile devices — to thwart compromise. Just as important as the innovation of new security capabilities, new features are built with privacy and security at the center of their design.

There’s also a Web version.

See also: Behind the Scenes of iOS and Mac Security.

Previously:

Update (2019-12-20): Jeff Johnson:

Apple security folks, what does this mean? Is it a typo? apps that are not using Full Disk Access?

Update (2019-12-23): Perhaps it’s worded correctly, and the point is that apps can no longer access data or executable code that happens to be in the trash. Users don’t intend for the trash to be shared storage, but that’s what it ends up being without additional protections.

See also: Ivan Krstić.

What’s New in Vapor 4

Tanner (tweet):

Vapor 4’s new dependency injection API is now based on Swift extensions rather than type names. This makes services offered by third party packages - and Vapor itself! - more discoverable and feel more Swift-native.

[…]

Vapor 4 upgrades to SwiftNIO 2.0. This release includes tons of great quality of life improvements, performance enhancements, and awesome features like vendored BoringSSL and pure Swift HTTP/2 implementation.

[…]

Vapor joined forces with Apple to help define common standards for core functionality like Logging and Metrics.

[…]

Fluent 4’s model API has been redesigned to take advantage of property wrappers in Swift 5.1. Property wrappers give Fluent much more control over how models work internally, which has been key to enabling long-requested features like a concise API for eager loading.

[…]

Vapor 4 includes a new testing framework that makes it easier to test your application using XCTest.

Previously:

Update (2020-02-04): Felix Schwarz:

Vapor Cloud will be shutting down on February 29th.

Vapor:

We are sad to announce that Vapor Red will be shutting down on February 29th.

WinterFest 2019

WinterFest:

Winter is coming. It’s time to take a deep breath and roll up your sleeves.

It’s the time for new plans and fresh projects and great new ideas. Whether you’re mapping out your next novel, finishing your dissertation, planning a product, or writing memories for your grandkids, these great tools will help.

As is our custom in this season, we’re hosting a gathering of software artisans who are working to transform research and writing for a new era. We’ve all finished our latest updates, we’re working together to save you lots of money.

25% off some venerable Mac apps and promising newcomer Hook, which makes it easy to create links between different documents and apps (including EagleFiler).

Previously:

How Clean Re-installs Change in Catalina

Howard Oakley:

Because you want to re-install macOS, the logical thing to do would be to wipe the System volume, which suggests that you could get away with retaining your own files on the Data volume through a clean re-install. Sadly, that’s wrong.

[…]

To perform a clean re-install in Catalina, once in Recovery Mode, you need to wipe your Data volume, that’s the one named Macintosh HD - Data, or something similar if you are using a custom name. There are two ways to do this in Recovery Mode: you can select the volume at the left of Disk Utility’s window then click on Erase, or you can select the volume and use the Delete APFS Volume command from the Edit menu (a shortcut to this is to click the – tool).

[…]

At one time, the Recovery volume contained sufficient to restore the current version of macOS if you have entered ‘local’ Recovery Mode using Command-R, but this doesn’t seem to work any more. Whichever type of re-installation you have set now requires that version of macOS to be downloaded afresh.

Wednesday, December 18, 2019

Persistent File Access via com.apple.macl Xattr

Jeff Johnson (Hacker News):

I’ve discovered that on Catalina, pasting a file from Finder not only outputs the file path in Terminal, it also invisibly and permanently grants Terminal access to the file, bypassing any macOS privacy protections!

[…]

Notice that after copying from Finder, the Documents folder has a new com.apple.macl extended attribute. (I’ll assume the “l” in “macl” stands for “lockdown” until someone tells me otherwise.) This special extended attribute gives Terminal (and possibly other apps?) special access to the file. The com.apple.macl extended attribute, as well as the special file access, is persistent across reboots. Indeed, it remains even if you reset the privacy permissions of Terminal!

The com.apple.macl extended attribute is so persistent that you can’t even delete it.

Unless you turn off System Integrity Protection. This seems so much more convenient than the way it works for sandboxed apps, where the app is responsible for storing and using a security-scoped bookmark.

See also: Quinn the Eskimo.

Update (2019-12-19): Rosyna Keller:

Indeed, this was documented in the Advances in macOS Security session at WWDC. To prevent spurious dialogs when a file access is clearly due to a user action (like dragon drop/manual file opens, double-click in the finder) access is inferred by the user’s action and granted.

I watched that session and don’t think it really conveyed what is going on:

And user privacy protections in macOS Catalina now support the notion of user intent, when-- which is inferred when double clicking on files in Finder, when dragging and dropping from another application or when selecting files in an Open or Save panel.

And when the user performs any of these actions, the file-- performing any of these actions on a file protected location, your app gets access to the file or files that the user selected without the need for a consent prompt. So let’s see how Catalina’s inference of user intent compares with user consent. Sorry. So, first of all, user consent is reactive. Access may be granted only after your app tries to read or write a file, whereas user intent is proactive. Access is granted before the app, even tries to read or write the file. And user consent prompts to kind of interrupt the user’s workflow, whereas user intent is inferred from standard UI interactions. In order to minimize those interruptions, user consent applies to an entire class of data, for example, all files on your desktop.

Whereas user intent is inferred for just the file or files that the user is interacting with.

Jeff Johnson:

As developers, we need to test our software under known conditions. That’s when all these inscrutable irrevocable privacy protection exceptions become a nightmare. tccutil reset was good enough on Mojave, but now it’s not on Catalina. Apple offers no good solution to the problem.

Update (2019-12-20): Howard Oakley:

The com.apple.macl xattr contains a list of UUIDs for the apps which can open it, each with a prefix 0100 containing a single flag which presumably grants that file-specific entitlement. There can be one or several UUIDs, which are stored there in binary, not text[…]

[…]

There are some worrying features in Catalina, though. I have written before about the promiscuous use of the quarantine flag on documents in Mojave and earlier. I regret to report that this behaviour doesn’t appear to have changed at all, and in many current Catalina installations the new com.apple.macl xattr will be outnumbered by all those devalued quarantine flags. This also gives rise to some strange consequences: open a PDF in Preview without saving it, and it will be given a quarantine flag but no com.apple.macl xattr. If you try to Save that to overwrite the original document, Preview promptly refuses, and may not even be able to write that file out under another name. Repeat that with a PNG file, and Preview has no such problems.

Jeff Johnson:

At least with the quarantine xattr, the value contains the bundle id of the app that wrote it. The macl is effectively untraceable.

Update (2019-12-26): Jeff Johnson:

I received a link to a video from the PSU Mac Admins conference in August that mentioned the macl xattr I blogged about recently.

Not much new info on that subject, but relatedly, the speaker said the quarantine xattr may apply to curl in the future!
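For anyone auditing files, Howard Oakley's description of the com.apple.macl xattr above can be turned into a small parser. This is an added example, not code from any of the quoted authors; the 2-byte prefix plus 16-byte UUID entry layout follows his description, while the zero padding, the function names and the sample bytes are assumptions constructed for illustration.

```python
import uuid

# Layout assumed from the description above: each entry is a 2-byte
# prefix (0100) followed by a 16-byte binary UUID.
PREFIX_LEN = 2
UUID_LEN = 16
ENTRY_LEN = PREFIX_LEN + UUID_LEN
EXPECTED_PREFIX = "0100"

# Constructed sample in the hex style printed by `xattr -p -x`:
# two entries, then zero bytes standing in for unused slots (assumption).
SAMPLE_HEX = """
01 00 11 11 11 11 22 22 33 33 44 44 55 55 55 55 55 55
01 00 AA AA AA AA BB BB CC CC DD DD EE EE EE EE EE EE
""" + "00 " * 36


def hex_dump_to_bytes(text):
    """Convert a whitespace-separated hex dump into raw bytes."""
    return bytes.fromhex("".join(text.split()))


def parse_macl(blob):
    """Return one dict per non-empty entry: its prefix (hex) and UUID."""
    entries = []
    for offset in range(0, len(blob), ENTRY_LEN):
        chunk = blob[offset:offset + ENTRY_LEN]
        if not any(chunk):
            continue  # all-zero slot or zero tail: treated as padding
        if len(chunk) < ENTRY_LEN:
            raise ValueError(f"truncated entry at offset {offset}")
        entries.append({
            "offset": offset,
            "prefix": chunk[:PREFIX_LEN].hex(),
            "uuid": str(uuid.UUID(bytes=chunk[PREFIX_LEN:])),
        })
    return entries


def unexpected_prefixes(entries):
    """Entries whose prefix differs from the 0100 value described above."""
    return [e for e in entries if e["prefix"] != EXPECTED_PREFIX]


if __name__ == "__main__":
    for entry in parse_macl(hex_dump_to_bytes(SAMPLE_HEX)):
        print(entry["offset"], entry["prefix"], entry["uuid"])
```

The parser only decodes the stored UUIDs; it makes no attempt to map a UUID back to an app.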

Abusing Electron Apps to Bypass macOS’s Security Controls

Wojciech Reguła (via Patrick Wardle):

To bypass the Transparency, Consent, and Control service (TCC), we need an Electron application that already has some privacy permissions. As it turns out, you probably have at least one such app installed - look, for example, on your desktop messengers.

[…]

To do this, we have to recall how Electron apps work. Simplifying, the main executable (that is signed with the entitlements and hardened) is responsible for loading the HTML, JS and CSS files and render them. So the actual program’s logic is stored in these files, not in the signed executable!

[…]

What surprised me, the modified applications still have access to their entries in the Keychain - so these entries can be stolen as well.

Rewound Rejected From the App Store

Jay Peters (MacRumors):

Rewound, the basic music player app released last week that you could skin to make your iPhone look remarkably like an iPod Classic, has been pulled from the App Store, according to a Rewound blog post published on Medium.

Rewound:

Rewound was specifically designed not to infringe on Apple’s trademarks and we didn’t. Rewound could look many ways. Not until users started sharing/using clickwheel skins did they ban the app.

[…]

Skins were user added/downloaded, we didn’t include them in the app.

If the iPod skin wasn’t built-in and wasn’t provided by the developer, I don’t see what the issue is.

Tuesday, December 17, 2019

Toolbox Pro

Federico Viticci:

When I covered the updated Shortcuts app in my iOS and iPadOS 13 review earlier this year, I argued how, thanks to parameters, Shortcuts actions provided by third-party apps could become native features of the Shortcuts app.

With his debut app Toolbox Pro, released today on the App Store, developer Alex Hay has taken this idea to its logical conclusion: Toolbox Pro is a new kind of “headless” app – a utility whose sole purpose is to complement and extend Apple’s Shortcuts app with over 50 new actions, providing a native implementation of functionalities that Apple hasn’t brought to Shortcuts yet. After having used Toolbox Pro for the past couple of months, not only is the app a clever idea well suited for Shortcuts’ parameter framework, but it’s also a must-have for anyone who relies on Shortcuts on a daily basis.

It sounds like the equivalent of AppleScript’s Standard Additions.

See also: MusicBot.

Tim Cook’s Apple

Walt Mossberg (via John Gruber):

How do you replace a legend like Steve Jobs and, at the same time, adapt to the slow decline of your most important, most iconic product? Those were the twin challenges Apple faced in the 2010s. Under CEO Tim Cook, the company has found some answers and flourished financially, but it hasn’t been without a few wrong turns and big changes to the very nature of its business.

[…]

But Cook does bear the responsibility for a series of actions that screwed up the Macintosh for years. The beloved mainstream MacBook Air was ignored for five years. At the other end of the scale, the Mac Pro, the mainstay of professional audio, graphics, and video producers, was first neglected then reissued in 2013 in a way that put form so far ahead of function that it enraged its customer base.

I think these, and even the notebook keyboard fiasco, are smaller issues than this decade’s decline in software quality. Even in the best scenario, it would take years to dig out, and so far Apple does not seem to be on that path. Cook is also responsible for the services strategy, still in the early stages, which is infecting the software design by making it AAPL-first rather than customer-first.

Apple remains what it has been for many years: the single most important consumer tech hardware company, a major force not only in its industry but in society at large. […] But it’s still unclear if it can be anybody’s favorite music provider, TV network, or news service. Or if it can launch another blockbuster device.

By that he means a new iPhone-scale device, which is an unrealistic expectation. Apple Watch and AirPods are certainly blockbusters.

IBM Stops Funding Kitura

tomerd (via Benjamin Mayo, Hacker News):

@IanPartridge and @Chris_Bailey let the group know that following a review by IBM of its open source priorities, it has been decided that they will not be continuing to work on Swift in 2020. As a result, they are both standing down from the workgroup.

Daniel Sinclair:

Could see this one coming. IBM is winding down support for Kitura and server-side Swift. Was excited about this prospect, & the momentum — great people behind it too — but Apple never really supported open frameworks like they needed to for Swift on Linux

IIRC, Apple had monetarily incentivized IBM’s open-source focus on Swift. I don’t know when that ended, but I think you can look at IBM winding down Kitura as Apple ending support for server-side Swift too.

Vapor seems to have more traction, anyway.

Storyboards, Dynamic Type, and Accessibility

Craig Hockenberry:

“Editing storyboards with BBEdit, why do you ask?”

Let me put it another way:

Both the current and beta versions of Xcode can’t make text in a storyboard accessible with dynamic type. Your tools can’t build apps that adapt to a customer’s visual capabilities.

For a company that prides itself in doing this, it’s unbelievable.

Monday, December 16, 2019

Catalina Removes Malware Assurance

Howard Oakley:

If you’ve updated to macOS Catalina 10.15.2 [actually, 10.15.1 —MT] and installed any notarized apps since, you might have noticed that something has gone missing. Do you remember that dialog shown by Gatekeeper when you first open a notarized app, telling you that “Apple checked it for malicious software and none was detected”? Well, that sentence has now vanished. Instead, that dialog now looks very similar to the pre-Catalina dialog for non-notarized apps.

[…]

If you then go and check that dialog against Apple’s support note explaining how Gatekeeper works in Catalina and earlier, you’ll see that this new dialog doesn’t appear to exist in Catalina. You could be forgiven for assuming that your system had been subverted by malware, or the app you were just trying to open wasn’t notarized at all.

[…]

Maybe Apple wants to distance itself from the reliability of its checks for malware now.

Update (2019-12-17): Norbert M. Doerner:

I really wish they would change the massively offensive text of the scare window when launching non-notarized apps. I take great offense in Apple placing the word malware in the same sentence as the app name. Unacceptable.

Catalyst and Cohesion

Jack Wellborn:

Developers using first party tools from Apple shouldn’t have to swim upstream to build cohesive Mac versions of their apps. I am not saying that the existence of any incongruous Catalyst ports is worrisome — incongruous ports are inevitable and Catalyst is an opportunity to make them better — what’s worrisome is that incongruity seems to be the default with Catalyst.

Look no further than Apple’s own Catalyst ports.

[…]

The crux of the issue in my mind is that iOS and Mac OS are so fundamentally different that the whole notion of getting a cohesive experience through porting apps with minimal effort becomes absurd.

Kind of like a toaster-fridge.

Update (2019-12-19): Nick Heer:

It worries me that some of Apple’s own MacOS apps lack cohesion; and, though Catalyst is the purest expression of this concern, it is not solely at fault. The redesigned Mac App Store that debuted in Mojave certainly looks like a Mac app, but it feels and functions like a crappy port from some distant platform.

Update (2019-12-20): John Gruber:

I’m just not seeing it with Catalyst apps. They almost all look and feel and work wrong. I’ll pick on Twitter because they’re a big company. They’ve made a bunch of improvements to their Catalyst Mac app in the two months or so since it shipped. Some really preposterous shortcomings in the initial release have been fixed in a short amount of time, and I get the impression — both through their public comments and some private ones I’ve exchanged with developers on their team — that they’re trying to do the right thing and make Twitter for Mac a good Mac app, not just the iPad app running in a window on the Mac. But the release notes for the latest update this week include new features like support for scrolling with the Page Up, Page Down, Home, and End keys. It’s kind of crazy that support for those keys wasn’t there from the start. 15 years ago you’d almost never find a Mac app that didn’t support them.

[…]

In short, I remain unconvinced that standard UIKit iPad apps are a good starting point for good Mac apps. But it’s pretty obvious — and should have been right from the start — that nonstandard not-really-using-UIKit iPad apps make for a terrible starting point for a good Mac app. Developers can make it work — as a programmer friend once told me, “It’s all just typing” — but it’s so much work it seems to defeat the entire “Just click a checkbox in Xcode” premise and promise of Catalyst.

Douglas Hill:

The standard UIKit scrolling class, UIScrollView, does not provide any keyboard-driven scrolling functionality.

[…]

Developers need to use the undocumented input strings UIKeyInputPageUp and UIKeyInputPageDown and write their own code to scroll up or down by the correct amount in response to those input events.

In other words, you need private API to offer a good user experience, but private API is not allowed in the App Store.

Update (2019-12-23): Jesper:

“Project Catalyst”, the adaptation of iOS and UIKit unto macOS, is an unmitigated disaster. Maybe it didn’t have to be, but it definitely is. Let’s take one of the better in-box apps, Podcasts, as an example.

Matt Birchler:

I love native apps and prefer them in almost every case to using services in a browser. It’s just a better experience for me in most cases, and has the added benefit of integrating more seamlessly into macOS systems like notifications, keyboard shortcuts, and automation. However, my experience with Catalyst apps from third parties has been so bad that I have uninstalled every one of them and gone back to using the web.

Nick Heer:

It was somewhat concerning to see a collection of tech demos ship as user-facing apps in Mojave last year. But to have recurring complaints of basic MacOS features after a year — why the hell are picker controls still touch-based spinners? — is inexcusable.

Jason Snell:

With the arrival of Mac Catalyst this summer, as promised by Apple last year, the Mac has started to benefit from apps developed originally on iOS. But I predicted that it would be a major onslaught that would dramatically change the Mac forever, and this was my biggest miss. Some combination of a rough summer of developer betas and limitations of the technology itself mean that there aren’t nearly as many Catalyst apps as I thought, and a bunch of my favorite iOS apps still aren’t anywhere close to shipping Mac versions. Catalyst may still change the Mac forever, but it’s going to take a lot more than one year to make it happen.

Update (2019-12-26): Josh Centers:

What can you do with 40 GB of RAM? Have Apple News take up 28 GB of it.

Do Catalyst apps not do any sort of garbage collection?

Update (2020-01-24): Cédric Luthi:

Trying the Twitter app from the Mac App Store.

• There is no padding at all between my username and the gray focus.
• The keyboard arrows do not move the cursor at all.
• Pressing the tab key does not select the password field!

It confirms that Catalyst doesn’t give you much.

Dominik Wagner:

If you told me that Apple would seriously ship such an interface back in 2010 I would have been offended and called you a fool…

Steve Troughton-Smith:

Asphalt 9 shows exactly why Catalyst is so bad for games. It’s an interaction nightmare. Every key input triggers the system beep, the escape key rips it out of fullscreen instead of triggering menu or ‘back’, and the whole thing is designed without manual acceleration controls

Update (2020-02-04): Colin Cornaby:

Most of Catalyst this WWDC cycle has been me going “Well maybe I’m just a giant imposter because there should be a lot of issues here but I guess Apple knows better” followed by me going “Nope guess they don’t.”

Peter Steinberger:

Apple stopped commenting on my Catalyst bugs in November, there are about 30 open... it’s pretty frustrating to be dependent on a company that has a yearly update cycle when customers report bugs and expect a fix within weeks, not years.

Shopping Sucks Now

Casey Johnston (tweet):

Looking up “lined leather gloves” yields 40,000 results. On the first page, there are two different gloves listed, one for $17 and one for $60, that look exactly identical and come in the exact same colors. Both have the same exact star rating (4.5/5) and hundreds of positive reviews.

[…]

For a long time, our problem was there were not enough things to choose from. Then with big box stores, followed by the internet, there were too many things to choose from. Now there are still too many things to choose from, but also a seemingly infinite number of ways to choose, or seemingly infinite steps to figuring out how to choose. The longer I spend trying to choose, the higher the premium becomes on choosing correctly, which means I go on not choosing something I need pretty badly, coping with the lack of it or an awful hacked-together solution (in the case of gloves, it’s “trying to pull my sleeves over my hands but they are too short for this”) for way, way too long, and sometimes forever.

[…]

If big box stores represented the problem of the “tyranny of choice,” the problem is that now, somewhat suddenly, perfect knowledge of the perfect glove, for you specifically, exists, if you simply do enough research.

[…]

I’m realizing what I actually want is not the perfect glove; what I want is for the world to be small again.

It’s frustrating how long it can take, but I do like being able to (usually) find what I’m looking for. I think the keys are knowing when it’s worth spending the time to do a deep dive vs. “settling” with a quick decision; and knowing which area-specific sites to search, since Amazon doesn’t have everything nor always surface the best results.

Amazon reviews, as bad as they can be, have been extremely helpful overall. For example, they recently helped me figure out that almost all products in a particular category don’t work with 5 GHz Wi-Fi networks (the only kind my Google Wi-Fi supports).

Sites like Wirecutter are a great help. Although I don’t always agree with their picks, they at least get you started with an overview of the main options and what to look for. But they don’t always give you all the options. For example, Wirecutter’s humidifier review omits the entire category of console humidifiers. For less than half the price of their upgrade pick, I found a model that’s easier to maintain, has a 6-gallon tank (vs. 3-gallon for the largest they tested), and is much easier to fill (short hose from the faucet, no need to carry tanks around).

Update (2019-12-17): See also: Nick Heer.

Tony Brooker, RIP

Cade Metz (via Hacker News, Slashdot):

Mr. Brooker joined the Manchester lab in October 1951, just after it installed a new machine called the Ferranti Mark 1. His job, he told the British Library in an interview in 2010, was to make the Mark 1 “usable.”

Mr. Turing had written a user’s manual, but it was far from intuitive. To program the machine, engineers had to write in binary code — patterns made up of 0s and 1s — and they had to write them backward, from right to left, because this was the way the hardware read them.

[…]

In the months that followed, Mr. Brooker wrote a language he called Autocode, based on ordinary numbers and letters. It allowed anyone to program the machine — not just the limited group of trained engineers who understood the hardware.

This marked the beginning of what were later called “high-level” programming languages[…]

See also The Guardian, Wikipedia.

See also: Tony Brooker and the Atlas Compiler Compiler (PDF, via Hacker News).

Joining Apple Computer 40 Years Ago

Bill Atkinson (Hacker News):

I wanted to port the UCSD Pascal system to the Apple II. We needed to build software in a cumulative fashion with libraries of reusable modules, and Apple BASIC didn’t even have local variables. My manager said "No", but I went over his head to Steve. Steve thought Apple users were fine with BASIC and 6502 assembly language, but since I argued so passionately, he would give me two weeks to prove him wrong. Within hours I boarded a plane to San Diego, worked like crazy for two weeks, and returned with a working UCSD Pascal System that Apple ended up using to bootstrap the Lisa development.

[…]

I convinced project manager Tom Whitney that the Lisa computer needed to include a mouse in the box so we could write software that counted on a pointing device.

[…]

Steve Jobs wanted me to leave Apple and join him at Next, but I chose to stay with Apple to finish HyperCard. Apple published HyperCard in 1987, six years before Mosaic, the first web browser.

Friday, December 13, 2019

UserDefaults Access via Property Wrappers

Christian Tietze:

The hip and cool property-wrapper implementations on the web so far ignore the registerDefaults layer completely and provide a local fallback if no value for the key is persisted for the current user.

The problem I see here is that you don’t have a shared default value anymore. Knowledge of the default value is local to the property declaration in a concrete type.

A full solution would include something like:

  1. A pair type that combines a key with a default value.
  2. A connection between that and UserDefaults for getting and setting values.
  3. A way to access predefined pairs from different places in your code.
  4. A full list of the predefined pairs so that they can be registered.
  5. A way to link a property to a pair and a given instance of UserDefaults.

SwiftUI Deal-Breakers

Weston Hanners:

SwiftUI is really fun and the data flow is just awesome. It makes building new screens super quick and opens the door to a ton of prototyping.

I am sure these will all be fixed in time, but many of these are deal-breakers and as it is right now, I will not recommend SwiftUI for any paid projects I am involved with.

His post is about iOS. More stuff is missing for macOS.

Google Achieves Its Goal of Erasing the WWW Subdomain From Chrome

Lawrence Abrams (Hacker News):

With the release of Chrome 79, Google completes its goal of erasing www from the browser by no longer allowing Chrome users to automatically show the www trivial subdomain in the address bar.

[…]

Many users, though, felt that this was a security issue, could be confusing for users, and is technically incorrect because www.domain.com is not always the same host as domain.com.

Update (2019-12-16): Tanner Bennett:

This seems like their most controversial change since they tried to pull that stuff with adblockers not too long ago.

“http://subdomain.www.domain.com” displays as “http://subdomain.domain.com”.

Completely wrong.

A. Lee Bennett Jr.:

I have literally seen corporate web sites that only worked if www. was in front. It 503’d if the subdomain was missing.
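The concern quoted above, that www.domain.com is not always the same host as domain.com, can be checked against your own host inventory. The following is an added example, not Chrome's code or anything from the quoted authors: it models two display rules (hide only a leading www label, or hide any www label as in the quoted subdomain.www.domain.com case) and reports displayed names shared by hosts that point at different backends. The inventory, addresses and function names are constructed, and the "keep at least two labels" rule is a simplification that ignores the Public Suffix List.

```python
from collections import defaultdict
from urllib.parse import urlsplit


def displayed_host(host, mode="leading"):
    """Model of www elision; always leaves at least two labels visible."""
    labels = host.lower().rstrip(".").split(".")
    if mode == "leading":
        if len(labels) > 2 and labels[0] == "www":
            labels = labels[1:]
    elif mode == "any":
        last_two = len(labels) - 2
        labels = [l for i, l in enumerate(labels)
                  if not (l == "www" and i < last_two)]
    else:
        raise ValueError(f"unknown mode: {mode}")
    return ".".join(labels)


def displayed_host_of_url(url, mode="leading"):
    """Apply the model to the host part of a full URL."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in URL: {url}")
    return displayed_host(host, mode)


def ambiguous_display(inventory, mode="leading"):
    """Map displayed name -> real hosts, where those hosts differ in backend.

    inventory: dict of real hostname -> backend address (from your own
    DNS or load-balancer records).
    """
    groups = defaultdict(set)
    for host in inventory:
        groups[displayed_host(host, mode)].add(host)
    result = {}
    for shown, hosts in groups.items():
        backends = {inventory[h] for h in hosts}
        if len(hosts) > 1 and len(backends) > 1:
            result[shown] = sorted(hosts)
    return result


# Constructed inventory using reserved documentation names and addresses.
SAMPLE_INVENTORY = {
    "example.test": "192.0.2.10",
    "www.example.test": "192.0.2.10",       # same backend: harmless
    "shop.example.test": "192.0.2.20",
    "www.shop.example.test": "192.0.2.99",  # different backend
    "shop.www.example.test": "192.0.2.30",  # collides only in "any" mode
}

if __name__ == "__main__":
    for mode in ("leading", "any"):
        print(mode, ambiguous_display(SAMPLE_INVENTORY, mode))
```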

Pro Display XDR Limited to 5K With iMac Pro

Joe Rossignol:

Thomas Grove Carter has since demonstrated that the iMac Pro can in fact drive the Pro Display XDR, but only at a 5K resolution. This is likely because the iMac Pro uses Intel’s older “Alpine Ridge” Thunderbolt 3 controller without enough bandwidth to drive a 6K display.

[…]

To use the Pro Display XDR at its full 6K resolution, the display must be connected to the new Mac Pro with MPX Module GPUs, a 2018 or later 15-inch MacBook Pro, a 16-inch MacBook Pro, or a 2019 iMac.

This makes sense given that the iMac Pro’s specs haven’t been updated since it was announced in June 2017. Hopefully that will change soon.

Thursday, December 12, 2019

Apple Watch and AirPods Have Overtaken Peak iPod

Horace Dediu:

This analysis helped me conclude the Apple Watch overtook the historic “peak iPod” which occurred in the fourth quarter of 2007 at $4 billion. My Watch revenue estimate was $4.2 billion in the fourth quarter of 2018.

[…]

Looking forward to the next quarter, I am expecting a 51% increase y/y for Wearables and 24% growth in Watch. This results in Watch revenues of about $5.2 billion and non-Watch $5.7 billion. Now if we assume $1.7 billion for non-Watch-non-AirPods (i.e. Apple TV, HomePod, Beats, iPod, other) then this quarter AirPods will have overtaken peak iPod.

Update (2020-01-08): Kevin Rooke:

Imagine a startup with $12 billion of revenue, 125%+ YoY revenue growth (two years in a row), and Apple-esque gross margins (30-50%). Without knowing anything else about the business, what would you value it at? $50 billion? $100 billion? More?

That’s Apple’s AirPods business, the fastest-growing segment of the world’s most valuable company.

[…]

This is what AirPods revenue looks like compared to some of the world’s top tech companies. AirPods make as much money as Spotify, Twitter, Snap, and Shopify combined.

Neil Cybart (Hacker News):

AirPods revenue does not exceed Spotify, Twitter, Snapchat, and Shopify revenue. It’s not even close either.

[…]

Not surprisingly, nearly every financial metric found in this screenshot is wrong. The assumptions about AirPods sales mix are wrong too.

Update (2020-01-10): Jason Snell:

So when you read about Tim Cook emphasizing Services and Wearables to financial analysts or in a quick interview on CNBC come January 28—this is why. In less than half a decade, Services and Wearables have gone from afterthoughts to a third of Apple’s business.

How and Why Would Apple Kill the iPhone’s Lightning Port

Joe Rossignol:

Apple plans to launch a high-end iPhone without a Lightning connector in the second half of 2021, according to a new prediction from analyst Ming-Chi Kuo. The device will supposedly offer a “completely wireless experience,” suggesting that Apple is not switching to USB-C, but rather dropping the port entirely.

Jason Snell:

Yes, Qi charging is a thing. I have two Qi chargers. But when you need to charge fast, wires are more effective. And when you’re out and about, how do you charge your iPhone if there’s no charging port? Are we meant to replace our external battery packs and USB chargers in cars, airports, and airplanes with inefficient Qi chargers that waste power that should be going straight to our phones?

[…]

Wireless CarPlay support was announced years ago, but the truth is, most CarPlay units still require physical connectivity to function. It’s hard to imagine Apple releasing an iPhone that is incompatible with a majority of cars, especially since it’s very hard to replace in-car entertainment systems and most people won’t buy a new car just to work with their new iPhone.

Twitter’s Bluesky

Jack Dorsey:

Twitter is funding a small independent team of up to five open source architects, engineers, and designers to develop an open and decentralized standard for social media. The goal is for Twitter to ultimately be a client of this standard. 🧵

twitter was so open early on that many saw its potential to be a decentralized internet standard, like SMTP (email protocol). For a variety of reasons, all reasonable at the time, we took a different path and increasingly centralized Twitter. But a lot’s changed over the years…

First, we’re facing entirely new challenges centralized solutions are struggling to meet. For instance, centralized enforcement of global policy to address abuse and misleading information is unlikely to scale over the long-term without placing far too much burden on people.

[…]

Finally, new technologies have emerged to make a decentralized approach more viable. Blockchain points to a series of decentralized solutions for open and durable hosting, governance, and even monetization.

Dave Winer:

I advocate something different, Twitter already has the bugs and scaling issues solved for a global notification network. Let’s add a few APIs and create a new universe. It’ll happen a lot faster with much better results imho.

[…]

Had they proposed such a standard when they were starting Twitter, no one would have cared, and it would have had a chance of working. Now it’s a huge industry with lots at stake and lots of entities that would like to keep it from standardizing.

Loren Brichter (via John Gruber):

What’s the downside to letting the Twitter API as it stands be v1.0? Let third parties implement it, clients could connect to any compatible service, communication between services would evolve as needs evolve, you end up with something designed naturally (see HTML5 vs XHTML).

Manton Reece (Hacker News):

Twitter isn’t necessarily interested in decentralizing content or even identity on their platform. Why would they be? Their business is based around having all your tweets in one place.

Rather, it sounds like they want to “outsource curation to shared protocols” and not have to deal with the messy stuff.

Nick Heer:

This is a spitball at this stage — barely more than a napkin sketch. There might be something to show for it, sometime, in some capacity, but there’s a lot of buzzwords in this announcement without any product. That suggests a high likelihood of vapourware to me.

“Link in Bio” Is a Slow Knife

Anil Dash (Hacker News):

We don’t even notice it anymore — “link in bio”. It’s a pithy phrase, usually found on Instagram, which directs an audience to be aware that a pertinent web link can be found on that user’s profile. Its presence is so subtle, and so pervasive, that we barely even noticed it was an attempt to kill the web.

[…]

With billions of people using the major social platforms, and the people who remember a pre-social-media web increasing in age while decreasing as cultural force on the internet, we’re rapidly losing fluency in what the internet could look like. We’ve almost forgotten that links are powerful, and that restraining links through artificial scarcity is an absurdly coercive behavior.

Wednesday, December 11, 2019

Linea 3 to Switch to Subscriptions

The Iconfactory (tweet):

We tried hard to avoid a subscription, but the costs to maintain the app are much higher than the income from new sales. This is obviously not a sustainable situation!

[…]

A majority of that time was not even spent adding new features, instead it was spent making sure that everything looked right with the operating system’s new Dark Mode!

[…]

All of this comes at a low price: 99¢ per month or $9.99 per year (a 20% savings.) Additionally, if you purchased Linea at any time in 2019, you’ll also get a free one year subscription.

It sounds like they are going to replace the old app with the new one, like with Twitterrific 6.

It’s going from $10 one-time to $10/year. On the one hand, that’s a hefty increase, but on the other hand $10/year is not a lot for an app that you regularly use. I haven’t seen many other developers choosing subscriptions this cheap. It seems like it could become a sweet spot between steady recurring revenue and a price that customers are willing to pay.

Update (2019-12-16): Eric Blair:

Reading this, I’d assumed Linea 2 had been a paid upgrade. Apparently not - looks like the last time I paid for Linea was 2017.

It’s a little nuts that I got ~3 years of use and major upgrade out of the original $10.

Sustainable software is a good thing.

The Success of Intelligent Tracking Prevention

Michael Potuck (Hacker News):

Executives in the online publishing industry speaking with The Information say that Apple has been “stunningly effective” with its goal of Intelligent Tracking Prevention stopping websites from knowing what users are doing on the web. One of the results of this over the last two years is that costs for advertisers have dropped significantly for Safari users while they’ve gone up for Chrome.

[…]

While that might sound like a positive thing for advertisers, the reason the price for Safari ads has gone down is that they’re less desirable. Because of Intelligent Tracking Prevention (ITP), marketers can’t focus on specific demographics, for example like those in higher-income brackets.

This sounds great, but I would also like to see a report on how many sites don’t work in Safari because of ITP.

John Wilander:

Any kind of tracking prevention or content blocking that treats web content differently based on its origin or URL risks being abused itself for tracking purposes if the set of origins or URLs provide some uniqueness to the browser and webpages can detect the differing treatment.

To combat this, tracking prevention features must make it hard or impossible to detect which web content and website data is treated as capable of tracking. We have devised three ITP enhancements that not only fight detection of differing treatment but also improve tracking prevention in general.

Update (2020-01-03): Peter Steinberger:

Disabling Intelligent Tracking Prevention on Safari is now Zendesk’s official recommendation, just so you can log in.

Update (2020-11-27): Maxwell Swadling:

I just searched for a product on pbtech.co.nz (has a fb js tracker) in a private browsing safari window on my mac and now the fb website in a private browsing tab on my phone is serving ads for it. So they are just tracking with IPs now?

it doesn’t matter how good safari’s intelligent tracking prevention is, fb will just track with IPs it seems.

SuperDuper 3.3 for Catalina

Dave Nanian:

In order to replicate this new volume setup, system backups of APFS volumes must be to APFS formatted volumes. SuperDuper automatically converts any HFS+ destinations to APFS volumes for you (after prompting), so you won’t have to do anything manually in most cases.

That’s too bad given APFS’s poor performance on spinning disks, which is what I mostly use for backups.

Those two volumes are further linked together with “firmlinks”, which tunnel folders from one volume to the other in a way that should be transparent to the user. But they can’t be transparent to us, so we had to figure out how to recreate them on the copy, even though there’s no documented API.

[…]

You can’t turn an already encrypted APFS volume into a volume group. As such, you’ll have to decrypt any existing bootable volumes.

Dave Nanian:

On some user systems, Full Disk Access doesn’t take after install, and they have to restart after installing the new version. This is because our bundle ID has changed due to notarization and the OS doesn’t handle it well.

[…]

In some circumstances, ownership wouldn’t be properly enabled for the system volume of an external Catalina volume group, which made the backup not boot. […] I could go into detail on the latter problem, but rather than bore you, I’ll refer you instead to this old post from 2005[…]

Dave Nanian:

We’ve got a few users whose systems are in a bizarre state where the loader is outputting […] when we run certain system command-line tools.

[…]

We also added a diagnostic that detects a rare situation where a user’s system has broken scripting tools (like a bad Perl install), which can cause problems.

Dave Nanian:

The unexpected part is that just before the beta, we made a change to the installer to try to improve our workaround for systems that required rebooting post-install to make Full Disk Access work. After we made the change, we didn’t re-run the full suite of tests because we (incorrectly) thought the change was isolated to the install process.

However, it was made in a runtime element that was shared with the way we executed bless.

Dave Nanian:

With volume groups, though, there are two potential volumes to mount...but keychain passwords might be under either the Data volume or the System volume, depending on what the user does.

Dave Nanian:

Eject would sometimes not eject both volumes of a volume group.

[…]

Some people were impatient and didn’t realize HFS+ to APFS conversion might take a while! We now tell them to get a tasty beverage!

Dave Nanian:

I’m happy to announce the release of v3.3 of SuperDuper, our fully Catalina-compatible version: happier, perhaps, than even you are in reading the news. It’s available via the normal update mechanism, or by downloading it from the web site.

[…]

The whole idea of the new version is, if we did our job right (and I think we did), things should just work the way you expect them to. […] But despite that, SuperDuper is doing a lot more things.

Dave Nanian:

There’s one remaining issue for 10.10 and 10.11 users: Erase, then copy backups are failing due to some unexpected “volume transformation” events that are occurring. When we validate the result, we’re being quite cautious, and we’re not seeing what we expect, so we fail the copy.

Tuesday, December 10, 2019

macOS 10.15.2

Apple:

Restores the column browser view for managing the music library

[…]

Addresses an issue that may cause Mail preferences to open with a blank window

I’ve heard a lot about both of these. From what I’m hearing, 10.15.2 doesn’t fix the Mail data loss bugs.

Update (2019-12-12): The combo update is available.

Mac Pro Available to Order

Juli Clover (Hacker News):

More than two years after Apple promised a new modular high-end desktop machine for its professional users, the new Mac Pro is now available for purchase, as is its companion display, the Pro Display XDR.

Apple is accepting orders for the Mac Pro and the Pro Display XDR, with Mac Pro delivery estimates at one to two weeks after an order is placed.

So it looks like some people may receive them just before the end of the year. I’m happy that the new Mac Pro exists, but for my purposes it feels like they built the wrong product, too late. Apple has a great history of making modular desktop Macs, at sane prices, and this is not that. It’s also not the developer Mac that you might have expected given Apple’s 2017 statements about that pro market. It seems like there’s still a hole in the lineup. People will make do with iMacs and MacBook Pros, or buy the Mac Pro if they really need it, but that’s not the same as being able to buy the computer that you want. External Thunderbolt peripherals could in theory address a lot of needs, but that market just doesn’t seem to have developed very well, and Macs don’t have enough Thunderbolt ports. Meanwhile, the iMac Pro hasn’t been updated since 2017 and is likely slower than the regular iMac.

Juli Clover:

Below, we’ve listed the available upgrade options from the base machine, which is equipped with a 3.5GHz 8-core Intel Xeon W processor, 32GB RAM, Radeon Pro 580X, 256GB SSD, no Apple Afterburner, and no wheeled frame.

The base model’s SSD is half the size of the minimum SSD on the 16-inch MacBook Pro, and it can only be upgraded to 4 TB of storage (vs. 8 TB for the MacBook Pro). I wonder how the base model’s CPU will compare with the iMac and MacBook Pro, given that it only Turbo Boosts to 4 GHz.

Paul Haddad:

Just a reminder before it goes live, the Mac Pro $6k base model has equivalent performance of a < $1500 commodity system. Apple hardware/software deserves a premium, just not 4x.

Martin Pilkington:

I ended up going for a 27” i9 iMac after first seeing the price and it's faster than the base Pro will be at half the price 🤷‍♂️

Josh Centers:

If you’re an audio professional considering a new Mac Pro, be aware of how its T2 chip can mess with audio recording.

See also: High-end users on “Why I'm buying the new Mac Pro”.

Update (2019-12-12): Martin Pilkington:

Now the problem with these groups is they all have different needs. Some need a lot of CPU power but not much GPU. Some are almost entirely GPU bound in their workflows. Some can get by with a few dozen GB of RAM, but some may find even the 1.5TBs a maxed out Mac Pro can handle to be limiting. And then there are some who need all of these things at once. However, the one thing almost all of these users can agree on needing is expandability and upgradability, to be able to modify the hardware after purchase to suit their needs and to extend the life of their purchase.

Unfortunately, the new Mac Pro doesn’t really cater to all these groups. It is certainly capable of supporting the needs of any Pro user, but the budgets of these groups are often wildly different.

[…]

Remembering that these figures are for a faster chip than the base Mac Pro has, they’re not exactly painting it as having blistering performance to justify its cost. In fact you’re paying $2600 more and just getting increased expandability in return (and losing a 5K display).

Josh Centers:

Most people complaining about the Mac Pro just want an Apple gaming PC. I do, too, but they just ain’t ever going to make that.

Thomas Grove Carter:

So I’m not @MKBHD but I’ve been using the new #MacPro & #ProDisplayXDR for the last few weeks.

Here’s a thread of my thoughts....

TL:DR it’s SO f**king good. But most probably don’t need it.

See also: Mac Power Users.

Tim Hardwick:

In an interview with Popular Mechanics, Apple engineers Chris Ligtenberg and John Ternus have detailed some of the innovative cooling features included in the design of the Mac Pro and Pro Display XDR, both of which launched earlier this week.

Update (2019-12-16): Paul Haddad:

There’s some Geekbenches for the base model Mac Pro. Calling it underwhelming would be kind, a $150 CPU beats this.

Steve Troughton-Smith:

Mac Pro being good value ‘for a workstation’ doesn’t negate the obvious fact that Apple should have a modular desktop that doesn’t start with workstation components. People talk about an ‘xMac’ like it’s some mythical unicorn instead of the most basic computer Apple should offer

‘But the profit margins!’ was the traditional response to the ‘xMac’ idea, but Apple could offer a $4000 non-workstation desktop tower and it would still both be a huge steal compared to the Mac Pro, and outrageously expensive compared to any other faster, better PC

I don’t for a second think the market for a Mac tower is 0 like Apple has convinced pundits. The market for Apple’s towers for the past 16 years has been tiny because the machines have been so expensive and way-outclassed for the broader userbase

I personally don’t need Xeons, or this-many PCIe lanes, or ECC RAM, or a 1400W PSU, though I have nothing against those who do; I’m pressured into mortgaging a €8,400 Mac Pro because that’s literally the only option if I want to stay on macOS and get a desktop that fits me

Steve Troughton-Smith:

A Mac mini-specced device, with user-accessible RAM, a GPU slot, and a spare PCIe slot, would do everything I need

Michael Rockwell:

Imagine if Apple sold a desktop computer with iMac-class components in a Mac Pro-style case for $2000-3000. I would love to have that as an option.

Michael Rockwell:

Room for additional internal hard drives would be nice too. The key attributes I want in a machine like this are cool, quiet operation and the ability to keep everything internal. I don’t want a bunch of hard drives hanging off my home server.

Colin Cornaby:

The number that you’re looking at to be competitive in the prosumer tower market is a MSRP of around $1500 base.

Apple could do that, and they used to (Power Mac G4). But there is no future where they sell a consumer tower for $3000 and it’s successful.

Update (2019-12-19): Colin Cornaby:

Starting CPU in the 2013 Mac Pro (the E5-1620v2) cost $294 at introduction.

Starting CPU, from same Xeon series, in the 2019 Mac Pro (W-3223) costs $749.

Joe Rossignol:

iFixit has shared its full teardown of the new Mac Pro, calling it “beautiful, amazingly well put together, and a masterclass in repairability.”

John Gruber:

I get it that iFixit is going to be iFixit, and that they might value a just-plain-easily-replaced-SSD over the security of the T2 subsystem. But I think they conveniently avoid mentioning the security of the T2 subsystem. Merely calling it “proprietary” and leaving it at that is ignoring just how significant a system the T2 is.

John Gruber:

The problem isn’t with the $30,000–50,000 models. The people who can make good use of those machines will do so. I think what’s bothersome to many traditional Mac Pro users is the lack of a Mac Pro in the, say, $2,500–5,000 range. There are a lot of pro users who want a desktop system that’s less expensive than these new Mac Pros but more performant and expandable than a Mac Mini.

[…]

But in theory it would have been nice to have a new Mac Pro similar in scope — and pricing! — to the old pre-2013 Mac Pros, and to have these new Mac Pros occupy a new “hypercar” slot above the Mac Pro in the lineup.

See also: The Talk Show, Accidental Tech Podcast, TidBITS.

Paul Haddad:

I expected the 8 core Mac Pro to be slower than the iMac, but surprised it’s also slower than the iMac Pro. Also those high core iMac Pros sure are thermally constrained.

The 12/16 core Mac Pros have reasonable performance for that class of CPU, the comparable Ryzen chips are a bit faster, but probably not noticeably so. The Ryzen chips are about 1/3 the price, and that part is quite noticeable.

Francisco Tolmasky:

The Mac Pro IS a prosumer box, just sold at super high end prices. Base model has a 3 year old $169 GPU that can barely power the Pro monitor & an 8 core 3.5Ghz Xeon when at that price you’d be better served by an 8 core 5Ghz Intel 9900K. Not even proposing the audacity of AMD...

Captain Barf (via Hacker News):

The Mac Pro isn’t a symbol that Apple is serious about its platform. Quite the opposite; it’s a symbol of how unserious the company is. Serious companies don’t have to get screamed at by their big-money clients to make something that isn’t hot garbage, to actually make something “professional grade” that is actually professional grade.

Michael Rockwell:

If it was 2012, the Mac Pro would be the perfect computer for the job. There would be no question about it. I could buy the base model at a relatively affordable price with the idea of upgrading it in a year or two to increase its lifespan and overall performance. I could load it up with a bunch of internal hard drives to store our photos, media, and the Time Machine backups from my work laptop — no messy external drives necessary. And it could handle just about any task we threw at it while performing all of its other duties. I wouldn’t even need an additional display because I could simply connect the one I already use for work whenever I needed to use the Mac Pro directly.

But because of the current Mac Pro’s pricing, I’m left having to make compromises. I either buy a Mac Mini and deal with the fan noise coming from the corner of my office and the messy rats nest of cables from the external drives or I get an iMac. And that would come with its own set of compromises — the iMac comes with a built-in display that I don’t need, restricting where I can place the computer, I’d still have to deal with external drives, and I wouldn’t have the option of a 2TB internal SSD because Apple doesn’t offer it in the iMac.

Update (2019-12-26): Steve Troughton-Smith:

The base model Mac Pro’s GPU gets an OpenCL Geekbench result of 80% the performance of the GTX 1080 in my 2014 gaming PC. The upcoming BTO optional Radeon RX 5700 XT beats the GTX 1080 by 14% though. Still. That’s a lot of money in 2020 just to par with a 2016 graphics card

Quinn Nelson:

I know I likely open the Mac Pro more than the average user, but this stupid piece of aluminum that requires me to remove every single cable every time I want to open it is the most infuriating design decision ever.

See also: Accidental Tech Podcast and The Talk Show.

Update (2020-01-10): Captain Barf (via Eli Schiff):

Mac Pro isn’t a symbol that Apple is serious about its platform. Quite the opposite; it’s a symbol of how unserious the company is. Serious companies don’t have to get screamed at by their big-money clients to make something that isn’t hot garbage, to actually make something “professional grade” that is actually professional grade. If Apple were changing, we’d see a big mea culpa over what a piece of junk the Macbook Pro has become. We’d have a come-to-Jesus moment over the embarrassing degradation in iPad quality. We’d see some serious overhaul in QA for new iOS and OSX updates. Instead, all we see is Tim Cook dragging his feet and begrudgingly throwing the professional community the machine they’ve been begging him to let them pay for.

Ben Szymanski:

There’s been a lot of despondency amongst loyal Mac users in the last five years or so, and recently it came to a blistering wildfire across Twitter, MacRumors and HackerNews, with members of this “community” bickering with each other over the intended audience of the extremely pricey 2019 Mac Pro. Even though I have no plans to buy a Mac Pro, these events are influencing - and cementing(!) my decision to move off the Mac platform.

Apple Suing Former A-series Chip Lead

Shaun Nichols (Hacker News):

In a complaint filed in the Santa Clara Superior Court, in California, USA, and seen by The Register, the Cupertino goliath claimed Gerard Williams, CEO of semiconductor upstart Nuvia, broke his Apple employment agreement while setting up his new enterprise.

Williams – who oversaw the design of Apple’s custom high-performance mobile Arm-compatible processors for nearly a decade – quit the iGiant in February to head up the newly founded Nuvia.

Apple’s lawsuit alleged Williams hid the fact he was preparing to leave Apple to start his own business while still working at Apple, and drew on his work in steering iPhone processor design to create his new company. Crucially, Tim Cook & Co’s lawyers claimed he tried to lure away staff from his former employer. All of this was, allegedly, in breach of his contract.

Ben Lovejoy:

Williams is fighting the lawsuit, arguing that the alleged ‘breach of contract’ claim is unenforceable and that Apple illegally monitored his text messages.

Presumably it wouldn’t be illegal if the recipients of his messages gave them to Apple. So it sounds like he’s alleging that Apple directly accessed them somehow.

Update (2020-01-24): Tim Hardwick:

However, Bloomberg today reports that Santa Clara County Superior Court Judge Mark Pierce said the law doesn’t permit an employee “to plan and prepare to create a competitive enterprise prior to termination if the employee does so on their employer’s time and with the employer’s resources.”

The judge also dismissed a claim by Williams that Apple invaded his privacy by reviewing text messages he wrote to coworkers that were critical of the company.

[…]

The judge sided with Williams in dismissing Apple’s bid for punitive damages, saying the company has failed to show how Williams intentionally tried to harm Apple by being disloyal.

Update (2020-02-14): See also: Hacker News.

Update (2020-02-17): Juli Clover:

According to Bloomberg, Williams says that Apple is aiming to lure his staff away and is also preventing its own employees from leaving to pursue their own ventures. He claims that Apple’s lawsuit against him for breach of contract aims to “suffocate the creation of new technologies and solutions by a new business, and to diminish the freedom of entrepreneurs to seek out more fulfilling work.”

He goes on to accuse Apple of improperly deterring employees “from making even preliminary and legally protected preparations to form a new business - whether competitive or otherwise.”

Update (2020-02-18): joely:

Were the Nuvia/Apple decision to be applied retroactively, Shockley torpedoes Fairchild, hence there is no Intel, and Silicon Valley is in Richardson.

Update (2020-02-28): Shaun Nichols (via Matthew Kimball):

Incredibly, in the weeks before Apple took its ex-chief architect to court, the multi-billion-dollar behemoth privately told Nuvia to stop recruiting engineers from its ranks of techies, yet behind the scenes, the iPhone giant was trying to hire one of the startup’s top designers.

This is all according to paperwork [PDF] filed this week by Nuvia in a Santa Clara Superior Court, hitting back at Apple’s lawsuit brought against Williams in August 2019.

Attorneys for the upstart said that not only did its co-founder wait until after leaving Apple to start his new venture, but he did so after nearly a decade of trying to convince execs in Cupertino to take up the server microprocessor project themselves.

Update (2023-05-01): Joel Rosenblatt (via Hacker News):

Apple Inc. dropped its lawsuit against a former chip executive the company sued for allegedly poaching its employees for a startup.

Gerard Williams III left his job as lead chip architect at Apple in 2019 and co-founded Nuvia Inc. In response to Apple’s complaint, Williams filed his own claiming Apple tried to stop his firm from hiring its engineers while simultaneously recruiting staff from Nuvia.

Apple’s request to dismiss the case was filed this week in state court in San Jose, California. The filing doesn’t explain why the suit was dropped.

Third-Party Apple TV Remote

Chaim Gartenberg (tweet):

The remote that comes bundled with the Apple TV is infamous for its difficult-to-use design and controversial touchpad for navigation. It’s so bad, in fact, that Swiss TV and internet provider Salt — which provides Apple TVs as the set-top boxes for its internet TV service — has developed a more traditional remote to replace Apple’s model, via MacRumors.

The optional remote (which costs 19.95 francs, or roughly $20.16) was reportedly developed in collaboration with Apple due to complaints from users who were confused by Apple’s touchpad controls. Salt’s remote natively supports the Apple TV right out of the box, with no pairing or setup required — just like Apple’s remote.

This sounds great, although now that Apple’s content is available on Amazon and Samsung devices, I’m not sure there’s much reason to buy an actual Apple TV. The Fire TV Stick 4K is only $50 and comes with what looks like a decent remote.

Update (2020-01-02): Juli Clover:

There’s also no Home button available on the Salt remote. On Apple’s version, the Home button lets you get to the Home screen quickly and access the app switcher to close out apps or swap between apps. Holding down the menu button on the Salt Remote brings you to the Home screen of the Apple TV, but there’s no way to replicate the other missing Home button functionality.

Given that this is an inexpensive remote option, it is powered with two triple A batteries that need to be replaced every six months on average, but that’s a minor inconvenience.

All in all, the Salt Remote is clean, simple to use, and has no fiddly touch interface to deal with.

Update (2020-10-15): Glenn Fleishman:

I have never liked the slippery Siri Remote that Apple shipped with the fourth-generation Apple TV HD in 2015 and continues to offer as the default option for the Apple TV HD and Apple TV 4K. But only recently did I spot a replacement that seemed worthwhile: the Function101 Button Remote for Apple TV.

Monday, December 9, 2019

The Information’s App Store Ordeal

Jessica Lessin (tweet):

The last two weeks have been a crash course in Apple’s gatekeeper status over consumers’ digital lives. Apple rejected our app four times. Some of the pushback we received was so specific—such as not being allowed to underline the words “free trial”—I was stunned. Other requirements seemed arbitrary, such as the rule that we couldn’t require users to enter their email (while Disney and the New York Times could).

[…]

The copy we submitted read “Annual + 7 day free trial, $29.99.” The reviewer told us it wasn’t clear that you would be billed after 7 days.

[…]

If we wanted to launch, we had to disable a part of the app that allowed Tech Top 10 users to preview The Information articles and subscribe to read them.

[…]

Next, our app reviewer had also determined that some of the news briefs in the app were available for free on our website, which wasn’t allowed.

[…]

This time their objections related to our About Page, among other things. It couldn’t mention our website because our website is a link and that link might eventually take someone to a page where they could subscribe to The Information (similar to the article issue).

[…]

Our Android app launched Wednesday as well. All that took was a push of the button and a short waiting period. But so far, 86% of our usage is coming from iPhones.

Ryan Jones:

You didn’t hit on the fact that they revealed rejection issues 1-by-1, wasting days and days, instead of listing multiple issues at once.

The issue you’ll see - all their rules exist for a defensible reason, but in aggregate, it’s maddening. Rock and a hard place.

Fetch 5.8

Jim Matthews:

Fetch 5.8, the 64-bit version of Fetch, is now available for download. The primary feature of this release is compatibility with macOS 10.15 Catalina. Fetch 5.7 users should only upgrade to Fetch 5.8 if they have moved, or will soon move, to Catalina.

A number of features of previous Fetch versions — AppleScript and Automator support, non-English localizations, Kerberos and Bonjour support — are not present in Fetch 5.8. We hope to restore some of these features in future updates.

CGImageSource Memory Leak

Gus Mueller (tweet):

This sample shows how CGImageSourceCreateThumbnailAtIndex leaks something akin to the memory behind a CGImageRef when asked to create a thumbnail for a 16bpc TIFF image if one isn’t present.

I wonder whether ImageIO got rewritten in Catalina. I’ve found multiple bugs where basic stuff like setting an image’s metadata doesn’t work reliably (FB7435415).

Sam Rowlands:

I’ve confirmed with other devs that 16-Bit imaging is funky on 10.14 and above. The most common issue I’ve seen is 16-Bit images end up with rainbow colors when drawn into a 16-Bit context.

iPhone 11 Location Data Puzzler

Brian Krebs (tweet, Hacker News):

One of the more curious behaviors of Apple’s new iPhone 11 Pro is that it intermittently seeks the user’s location information even when all applications and system services on the phone are individually set to never request this data. Apple says this is by design, but that response seems at odds with the company’s own privacy policy.

The privacy policy available from the iPhone’s Location Services screen says, “If Location Services is on, your iPhone will periodically send the geo-tagged locations of nearby Wi-Fi hotspots and cell towers (where supported by a device) in an anonymous and encrypted form to Apple, to be used for augmenting this crowd-sourced database of Wi-Fi hotspot and cell tower locations.”

Brian Krebs (Hacker News):

Today, Apple disclosed that this behavior is tied to the inclusion of a short-range technology that lets iPhone 11 users share files locally with other nearby phones that support this feature, and that a future version of its mobile operating system will allow users to disable it.

[…]

What prompted my initial inquiry to Apple about this on Nov. 13 was that the location services icon on the iPhone 11 would reappear every few minutes even though all of the device’s individual location services had been disabled.

“It is expected behavior that the Location Services icon appears in the status bar when Location Services is enabled,” Apple stated in their initial response. “The icon appears for system services that do not have a switch in Settings”.

[…]

It is never my intention to create alarm where none should exist; there are far too many real threats to security and privacy that deserve greater public attention and scrutiny from the news media. However, Apple does itself and its users no favors when it takes weeks to respond (or not, as my colleague Zack Whittaker at TechCrunch discovered) to legitimate privacy concerns, and then does so in a way that only generates more questions.

Nick Heer:

This makes complete sense to me and appears to be nothing more than a mistake in not providing a toggle specifically for UWB. It seems that a risk of marketing a company as uniquely privacy-friendly is that any slip-up is magnified a hundredfold and treated as evidence that every tech company is basically the same.

Jeff Johnson:

I never want any data sent to Apple unless I’m directly, intentionally using an Apple service such as browsing an online store, or manually checking for software updates.

Update (2019-12-17): Dr. Drang:

As with the release notes, the instructions here focus more on connection history than connection maintenance. I suspect Panic doesn’t want to oversell connection maintenance because it’s not entirely under their control; they know Apple could kill it with another point release.

But until that happens, I’m enjoying SSH connections that last as long as I want them to.

Friday, December 6, 2019

NativeConnect 1.0

Vadim Shpakovski (via Daniel Jalkut):

NativeConnect is a desktop client for App Store Connect. It allows you to edit metadata, generate promo codes, and work with customer reviews in the native and modern 100% AppKit interface.

If you are tired of signing in to App Store Connect, digging through its slow navigation or configuring multiple filters for sales and trends, you should greatly benefit from our app.

Basic features are free; uploading changes, generating promo codes, and replying to reviews are $100/year.

Unfortunately, the public App Store Connect API is too limited to provide all this functionality. Hopefully the API isn’t as slow as the site itself.

Hopefully someday they’ll find a way to send you a notification when an uploaded build has finished processing and can be added to an app version.

1 TB microSD Card

Western Digital (via Peter Hosey):

Get extreme speeds for fast transfer, app performance, and 4K UHD. Ideal for your Android™ smartphone, action cameras or drones, this high-performance microSD card does 4K UHD video recording, Full HD video, and high-resolution photos. The super-fast SanDisk Extreme® microSDXC™ memory card reads up to 160MB/s* and writes up to 90MB/s.

Amazing that these tiny cards can now hold 1 TB. It would be great to have a microSD slot on the MacBook Pro.

The 1 TB version costs $250, whereas Apple charges $400 to upgrade from 1 TB to 2 TB of storage on the 16-inch MacBook Pro. You’re getting very different things, though. The MacBook Pro’s internal SSD is much faster, but it can’t be expanded later, and you have to pay for it all up front. SD Cards keep your data separate, so you can use them for backups and transfer them between Macs. You can keep adding more to store more files.

Dash 5

Kapeli:

New Search and Navigation Interface – The search and navigation interface was completely redesigned to be more intuitive and fast

New Search Result Sorting and Nesting – Search result sorting and nesting were completely rethought and redone.

[…]

Dash 5 uses WKWebView, the latest browser engine from Apple. Supporting WKWebView required rewriting a huge part of Dash, some of which to JavaScript, so please make sure to report any bugs you might encounter, no matter how small

$20 upgrade to an essential app for developers. I like how the search is now in the middle rather than on the side. It feels more like LaunchBar, with more width to see the search results.

Before, you could type a class name and a space and then a keyword to scope the search to that class. Now, there’s a separate field that both searches within the current page and filters the list of methods at the left.

Apple’s Technology Transitions

Martin Pilkington:

While this saving of disk space and RAM usage certainly benefits the Mac, there are arguably more important reasons to Apple for dropping 32 bit on the Mac. They don’t actually have much to do with 32 bit itself, but more with decisions that were made in 2007 when 64 bit was finalised.

[…]

When Apple introduced 64 bit with Mac OS X 10.5, they also introduced Objective-C 2.0. Part of this was a new and improved runtime, designed to fix problems with the old runtime. Unfortunately, these fixes were not compatible with existing apps, so they made the decision to only make this runtime available in 64 bit. However, this meant the (now) legacy runtime would have to stick around as long as 32 bit apps existed.

[…]

The behaviour of the legacy runtime effectively means that Apple can never update their existing objects with new ivars without breaking existing apps.

PDFKit accidentally did just that in Sierra, causing crashes in 32-bit apps that displayed PDFs, as the framework tried to access variables that didn’t exist.

ARC has been off-limits, too. Apple’s framework developers have been working with one hand tied behind their backs.
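The ivar layout problem described above can be modelled in a short C program. This is an added example, not code from the quoted post or from Apple's runtime: the class names, sizes and offsets are constructed, and the two loader functions are a simplified stand-in for how a fragile and a non-fragile runtime treat the offsets an app was compiled with.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NO_IVAR ((size_t)-1)

/* Installed framework class: the layout the framework's own code uses. */
typedef struct {
    size_t instance_size;  /* bytes of ivars owned by the framework class */
    size_t cache_off;      /* ivar added in v2; NO_IVAR in v1 */
} FwClass;

/* App subclass: numbers the app's compiler derived from the v1 headers. */
typedef struct {
    size_t super_size;     /* superclass size seen at compile time */
    size_t tag_off;        /* offset of the subclass ivar `tag`, or NO_IVAR */
    size_t instance_size;  /* size used when allocating an instance */
} AppClass;

/* Constructed layouts: v1 has two 4-byte ivars, v2 appends a third. */
static const FwClass  FW_V1        = { 8, NO_IVAR };
static const FwClass  FW_V2        = { 12, 8 };
static const AppClass APP_WITH_TAG = { 8, 8, 12 };
static const AppClass APP_NO_IVARS = { 8, NO_IVAR, 8 };

/* Fragile model: compiled-in offsets and sizes are used unchanged. */
static AppClass load_fragile(AppClass app, FwClass fw) {
    (void)fw;
    return app;
}

/* Non-fragile model: at load time the subclass is slid past the
   superclass's actual size, so a grown superclass cannot overlap it. */
static AppClass load_nonfragile(AppClass app, FwClass fw) {
    if (fw.instance_size > app.super_size) {
        size_t delta = fw.instance_size - app.super_size;
        if (app.tag_off != NO_IVAR)
            app.tag_off += delta;
        app.instance_size += delta;
        app.super_size = fw.instance_size;
    }
    return app;
}

static void put32(uint8_t *obj, size_t off, uint32_t v) {
    memcpy(obj + off, &v, sizeof v);
}

static uint32_t get32(const uint8_t *obj, size_t off) {
    uint32_t v;
    memcpy(&v, obj + off, sizeof v);
    return v;
}

/* Framework method that writes the ivar added in v2. Returns -1 if that
   ivar lies outside the object. A real runtime has no such check; it is
   here so the demo never writes out of bounds. */
static int fw_refresh(uint8_t *obj, size_t alloc_size, FwClass fw) {
    if (fw.cache_off == NO_IVAR)
        return 0;
    if (fw.cache_off + sizeof(uint32_t) > alloc_size)
        return -1;
    put32(obj, fw.cache_off, 0xC0FFEEu);
    return 0;
}

/* The app stores 42 in its own ivar, the framework method runs, and the
   app reads the ivar back. */
uint32_t tag_after_refresh(int nonfragile, FwClass fw) {
    AppClass app = nonfragile ? load_nonfragile(APP_WITH_TAG, fw)
                              : load_fragile(APP_WITH_TAG, fw);
    uint8_t obj[32] = {0};
    put32(obj, app.tag_off, 42);
    fw_refresh(obj, app.instance_size, fw);
    return get32(obj, app.tag_off);
}

/* A subclass that adds no ivars: is the framework's new ivar even inside
   the object the app allocated? 0 = yes, -1 = no. */
int refresh_status_no_ivars(int nonfragile, FwClass fw) {
    AppClass app = nonfragile ? load_nonfragile(APP_NO_IVARS, fw)
                              : load_fragile(APP_NO_IVARS, fw);
    uint8_t obj[32] = {0};
    return fw_refresh(obj, app.instance_size, fw);
}

int main(void) {
    printf("fragile,     framework v1: tag = %#x\n", (unsigned)tag_after_refresh(0, FW_V1));
    printf("fragile,     framework v2: tag = %#x\n", (unsigned)tag_after_refresh(0, FW_V2));
    printf("non-fragile, framework v2: tag = %#x\n", (unsigned)tag_after_refresh(1, FW_V2));
    printf("fragile,     no-ivar subclass, v2: status = %d\n", refresh_status_no_ivars(0, FW_V2));
    printf("non-fragile, no-ivar subclass, v2: status = %d\n", refresh_status_no_ivars(1, FW_V2));
    return 0;
}
```

With the fragile loader, the framework's new ivar lands on the subclass's `tag`, or past the end of the object when the subclass adds nothing. With the non-fragile loader, both cases come out intact.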

Update (2019-12-17): Pierre Lebeaupin:

Leopard (10.5) only ostensibly added support for 64-bit GUI apps. It was considered still rough and very few 64-bit GUI apps shipped until Snow Leopard (10.6), but the best indicator is iTunes, which ended up requiring Lion (10.7) to run as 64-bit.

[…]

the major reason why 68k ended up being supported as long as it was was that it supported mixed-mode. This meant no duplicate use of RAM, since all apps were using the same copy of all OS-supplied code, and no duplicate maintenance effort, for the same reason.

Tuesday, December 3, 2019

VirtualHostX Pro Subscriptions

Tyler Hall:

VirtualHostX is now a subscription. You can pay $49 USD / year or $5 USD / month.

The annual price is the same as the old one-time cost. And I’ll note that I typically release a paid upgrade every 12 - 18 months. So, if you are like many of my amazing customers who do update to each new release, the cost of doing that vs a subscription are more or less the same.

[…]

If you sign up for an annual subscription, you can cancel it at any time. In fact, you can subscribe, get the confirmation email, and then immediately cancel. Your license for the app will continue to work through the entire year.

Even better. Your license will remain valid and working forever.

This sounds like the Sketch model, which I think is reasonable. Sketch’s file format issue likely won’t apply here.

Update (2019-12-12): Matt Gemmell:

The way I see app subscriptions right now is pretty simple. Here’s a brief thread on that.

First, Apple doesn’t allow upgrade pricing. Everyone would use it if they could. They can’t. That option is off the table.

Drew McCormack:

This made me think about the subscriptions I have for apps. It’s a grand tally of one: Tower. It’s a tool I need for work, and it cannot hold my data hostage. I don’t trust any other creational tool with a subscription. Perpetually renting access to my own data doesn’t appeal.

Tyler Hall:

Drew makes a great point. It’s the “lock down” that can be the key to a sustainable balance between what’s fair to customers and you staying in business.

[…]

So when I did my big release last week and announced my new pricing model, I was extremely nervous and wary of what the response would be. But so far I’m very lucky that I’ve had few complaints.

Reading the Resource Fork Too Often

Mark Alldritt:

This problem happens after a document has been opened in Script Debugger and changes have been saved a number of times. If the saves are done in fairly quick succession, Script Debugger will begin reporting that it cannot save document changes. In some instances, errors -54 (permErr) or -43 (fnfErr) are reported. Additionally, once this situation arises and you close the document, it is no longer possible to open the affected document in Script Debugger.

[…]

At a technical level, the problem is triggered when applications attempt to read the resource fork of a document repeatedly within a given period of time. This behaviour by an application seems to trigger a security mechanism within Catalina that prevents further access to the document’s resource fork (the resource fork is used to retain meta-data in text and compiled AppleScript documents).

You’d think that old deprecated stuff like resource forks would just keep working in its frozen state. But both Mojave and Catalina introduced resource bugs that have hit my apps. There are more modern replacements for many uses of the resource fork, but they don’t always work. And, as with the AppleScript example, sometimes the resource fork is unavoidable, and the problems even hit Apple’s own apps.

Update (2019-12-12): Howard Oakley:

With Shane Stanley’s help, I’ve been able to reproduce this problem and to examine an excerpt of the log detailing what happened on that occasion. In this case, trying to access a resource fork in an AppleScript .scpt file which had just been repeatedly edited using Apple’s Script Editor triggered a request to the Catalina privacy system (TCC), which required the requesting app to have been granted a kTCCServiceSystemPolicyAllFiles entitlement.

[…]

One way to avoid that particular error is to add apps which need access to resource forks, like Script Debugger and Script Editor, to the Full Disk Access list in the Privacy tab of the Security & Privacy pane.

Peter Steinberger:

“After macOS 10.10, our users reported weird new crashers. As if the lock method in NSPersistentStoreCoordinator didn’t do anything anymore. Let’s look into Hopper... oh.” [the lock was gone, method just was a NOP]

It’s not safe to rely on deprecated methods.

Disk Drill Guaranteed Recovery

Dave Wood:

I received feedback from my report I’d sent to Apple (Yay, they do work!). They pointed out that the issue was due to a third party app I have installed called Disk Drill by CleverFiles (which I have as part of my Setapp subscription). The app has a “feature” called Guaranteed Recovery that is supposed to help recover files later if you accidentally delete them. It “works” by creating thousands of hard links to what appears to be every file on your system in a hidden directory (/System/Volumes/Data/.cleverfiles/). This means when you delete a file, it’s not really deleted because there’s a hard link effectively creating a duplicate in the hidden folder.

[…]

Over the last month or so, I’ve been trying to free up space on my main SSD because the OS is constantly complaining that my drive is full. Because I kept getting alerts that I needed more free space, I kept moving/deleting files. Eventually I’d cleared/off-loaded over 500G of data and was still scraping by with about 30G of free space. Now that I’m aware of the issue, I’ve taken a look into the .cleverfiles hidden folder on my iMac and I see it has over 450G in it. Wow.

Wow indeed. First, the hidden folder should be excluded from Time Machine. And second, it seems like there’s a bug where it isn’t being pruned automatically.
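
The hard-link behavior described above can be reproduced and measured with ordinary file system calls. This is an added example, not code from the post or from Disk Drill: it assumes the hidden folder holds plain hard links, and `classify_links`, `demo` and the `.hidden` directory are hypothetical names. It separates linked files that still exist elsewhere from files kept alive only by the hidden folder, which is the space a deletion never returned.

```python
import os
import stat
import tempfile


def classify_links(root):
    """Classify regular files under root by whether root holds their last name.

    shared:   the inode also has a name outside root, so no extra space is used.
    orphaned: every remaining name is under root, so root alone keeps the data.
    Returns {"shared": [files, bytes], "orphaned": [files, bytes]}.
    """
    inodes = {}  # (device, inode) -> [names seen under root, stat result]
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            st = os.lstat(os.path.join(dirpath, name))
            if stat.S_ISREG(st.st_mode):
                entry = inodes.setdefault((st.st_dev, st.st_ino), [0, st])
                entry[0] += 1
    result = {"shared": [0, 0], "orphaned": [0, 0]}
    for names_in_root, st in inodes.values():
        kind = "orphaned" if names_in_root >= st.st_nlink else "shared"
        result[kind][0] += 1
        result[kind][1] += st.st_size
    return result


def demo():
    """Constructed scenario: two documents, each hard-linked into a hidden folder."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = os.path.join(tmp, "docs")
        hidden = os.path.join(tmp, ".hidden")  # stand-in name, not the real path
        os.mkdir(docs)
        os.mkdir(hidden)
        for name, size in (("keep.txt", 1000), ("delete-me.txt", 3000)):
            path = os.path.join(docs, name)
            with open(path, "wb") as f:
                f.write(b"x" * size)
            os.link(path, os.path.join(hidden, name))
        before = classify_links(hidden)
        os.remove(os.path.join(docs, "delete-me.txt"))  # the user "deletes" it
        after = classify_links(hidden)
        return before, after


if __name__ == "__main__":
    print(demo())
```

The "orphaned" byte total is the figure that matters when a volume stays full after deletions; the "shared" total would be counted twice by a naive per-folder size sum.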

Ordering the Typefaces in a Font

Gus Mueller:

The docs for -[NSFontManager availableMembersOfFontFamily:] say:

“The members of the family are arranged in the font panel order (narrowest to widest, lightest to boldest, plain to italic)”

Unfortunately, it looks like this is broken on MacOS 10.15.1. Running Acorn on 10.14 produces the order as described (and as seen below with Helvetica Neue).

Jiang Jiang:

As a workaround, calling CTFontDescriptorCreateMatchingFontDescriptors() with a font descriptor created from @{ kCTFontFamilyNameAttribute: familyName } should give you descriptors in the right order. Then you can get localized style names out of the descriptors.

Drinking the SK8 Kool-Aid

Cameron Esfahani (thread, via Daniel Jalkut):

One day my boss asked me to fly down to LA for the day. Apparently there was a developer there working on an app showcasing QuickDraw GX.

[…]

And right away I could tell something was weird. Structurally, most Mac apps look very similar. But this app was like nothing I’d ever seen before: heap and code were off.

[…]

“Oh, we’re writing it in SK8.”

[…]

SK8 was a weird Lisp-like multimedia authoring environment that Apple ATG was developing.

Needless to say, it wasn’t ready for production use.

Monday, December 2, 2019

VueScan and ScanSnap

Dave Kitabjian:

But the real secret sauce of ScanSnap was the accompanying software that was centered around what you were trying to do rather than making you constantly fiddle with scanning parameters. Finally, a developer was thinking like a customer instead of a scanner! The combination of a simple user interface, intelligent defaults, seamless integration with external apps, and automation of the entire workflow created a user experience that was hard to beat.

[…]

Some months ago, Fujitsu sent users of older ScanSnap models email informing them that their ScanSnap software would not be updated to 64-bit and would therefore not run under macOS 10.15 Catalina.

[…]

If you want to do simple scanning, you may have a painless experience, writing JPEG or multi-page PDF files to disk, or using some of VueScan’s many sophisticated advanced features. And as such, VueScan may well rescue your aging ScanSnap from the trash heap.

But I ran into a number of issues that you should be aware of.

It seems harder to use and has problems with deskewing, color, streaks, and profiles.

Ron Risley:

Something not mentioned in the article is that Fujitsu states that their new (64-bit) scanning software will absolutely require an always-on internet connection in order to do any scanning. This is concerning on a number of levels. Usability and availability is one issue, but in both my work as a physician and as an IT security consultant, I regularly scan documents that absolutely must not be published. (If you think there’s a functional difference between “sent to the cloud” and “published,” then you haven’t been paying attention.)

[…]

I originally licensed VueScan because I owned an expensive flatbed scanner whose manufacturer abandoned the Mac. I feel rescued by VueScan again, and will be buying more licenses for other machines at my office.

A help page says that ScanSnap does work without an Internet connection, so perhaps the connection is only needed for the “active” version of the installer.

Fake AirPods Pro

Juli Clover:

We picked up the $95 i500 Pro TWS Earbuds, a set of AirPods Pro replicas that are remarkably similar in design to Apple’s real AirPods Pro and that even advertise some of the same features, like Apple’s proprietary H1 chip.

[…]

Wireless charging works, “Hey Siri” is functional, music playback pauses when an earbud is taken out of the ear, and battery life seems to be similar to real AirPods Pro, but the similarities end there. The i500 Pro TWS has no force sensor and does not support squeeze gestures, and the key AirPods Pro feature - active noise cancellation - is not included.

I wonder how they’re doing this.

Web Notifications CAPTCHA

Arthur Stolyar:

Next level of Web Notifications scam.

- Allow Notifications to confirm that you’re not a robot 🙈

Ricky Mondello:

Abuse like this is why some people get uncomfortable when folks go around saying that adding new, more powerful features to the web platform is some kind of moral imperative. That kind of framing makes it hard to reason about tradeoffs and add features thoughtfully.

This is one that Safari got right, and I have “Allow websites to ask for permission to send notifications” unchecked. (Yes, Apple’s style guide says that “websites” is one word.)

Update (2019-12-12): Thomas Pluck:

Steps for reading articles:

1. Accept cookies
2. Block notifications
3. Deny location to website
4. Decline invitation to subscribe
5. Stop auto-playing video ads/mute sound
6. Dismiss reminder of free articles remaining
7. Shrink drop down banner
8. Click “read more”
9. Give up

Lepow Portable Monitor

Paul Haddad links to this display that’s currently available for only $129.99 ($109.99 at the time of his tweet). It’s a 15.6-inch IPS display that supports 1,920×1,080. That’s a much better resolution than the AOC display I wrote about a few years ago, and it works over HDMI (plus USB power) or USB-C without needing a kernel extension.

It’s great to have extra screen space on the go, and these displays easily fit next to a MacBook Pro in a backpack. On the other hand, for shorter work sessions it would be more convenient to simply have a 17-inch internal display (again).

Previously: