Archive for May 18, 2020

Monday, May 18, 2020

Magic Lasso Adblock (Sponsor)

My thanks to Magic Lasso for sponsoring the blog this week.

Magic Lasso Adblock is an efficient and high-performance ad blocker for the iPhone, iPad, and Mac.

It allows you to experience a cleaner, faster web—without ads. As a native Safari content blocking extension, Magic Lasso blocks intrusive ads, pop ups, and trackers when browsing the web.

Magic Lasso Adblock provides a 2.0x speed increase on common websites, improves your privacy and security by removing ad trackers, and works with Safari across all Apple devices. It’s as if Apple themselves had designed an ad blocker.

And unlike some other ad blockers, Magic Lasso Adblock respects your privacy, doesn’t accept payment from advertisers, and is 100% supported by its community of over 150,000 users.

Download for free today via the Magic Lasso website, the App Store, and the Mac App Store.

Security Theatre in Safari Download Permissions

Nick Heer:

Twitter’s URL shortener works by creating 301 redirects, but Safari apparently doesn’t follow those to their destination URL. In some cases, that probably makes sense — large file downloads are often hosted on CDNs with inscrutable addresses. It does, however, mean that however this is supposed to benefit security or privacy is easily defeated if downloads are redirected through common URL shorteners.

Update (2020-07-30): jleedev:

It probably doesn’t change Safari’s behavior at all, but Twitter’s URL shortener uses a meta refresh & location.replace call, not a 301 redirect.

Looks like it sniffs the user agent[…]

Edison Mail Bug Allows Access to Other Users’ Data

Eric Slivka:

Several users of popular email app Edison Mail this morning are reporting that they are able to see email accounts of other users within the iOS app. In what appears to be a major privacy breach, users report that after enabling a new sync feature, they have full access to these other email accounts.

Via Cabel Sasser:

All I wanted was a modern email client that downloaded directly from the server — like they have forever — with no risky middleman. The Edison privacy policy said “we store as little of your email on our servers as possible”.

[…]

What an interesting butterfly effect

Apple wants to preserve your battery life > email clients can’t check in the background > email clients set up servers to store credentials and check email to push notify you of new email > everyone’s email now exposed to huge security vector

Apple should lift this restriction on checking in the background. This would bring a better user experience and better privacy. Its own Mail app is allowed to do that, with apparently acceptable effects on battery life and RAM use. For many users, iOS devices already offer plenty of battery life, and some are operated while plugged in.

Edison (via John Gruber):

No account credentials were compromised; issue was fully resolved within 30 hours of first report by ‘bricking’ access to potentially impacted Edison iOS app users and any email messages from the app.

Kudos to them for a quick fix and for revealing the exact number of affected accounts.

Facebook to Buy Giphy

Axios (via Hacker News):

Facebook has agreed to buy Giphy, the popular platform of sharable animated images, Axios has learned from multiple sources. The total deal value is around $400 million.

[…]

Giphy is a massive video library, with hundreds of millions of daily users that share billions of GIFs, that generates revenue via branded content.

Vishal Shah:

GIPHY, a leader in visual expression and creation, is joining the Facebook company today as part of the Instagram team.

[…]

50% of GIPHY’s traffic comes from the Facebook family of apps, half of that from Instagram alone. By bringing Instagram and GIPHY together, we can make it easier for people to find the perfect GIFs and stickers in Stories and Direct.

John Gruber:

Of course Giphy is going to retain its own brand. If they renamed it to “Facebook Tracking Pixels”, usage might drop off.

Owen Williams (via Will Oremus):

GIF search engines like Giphy have become a core part of how we collectively discover and share animated images. Giphy’s tools can be found embedded in apps from Slack to Signal, allowing users to instantly find the right GIF to reflect the moment. All told, Giphy has some 300 million active users every day across those platforms.

[…]

What might not be obvious, however, is that each search and GIF you send with Giphy is also a “beacon” that allows the company to track how and where the image is being shared, as well as the sentiment the image expresses. Giphy wraps each of its animated GIFs in a special format that helps the image load faster, and also embeds a tiny piece of Javascript that lets the company know where the image is being loaded, as well as a tracking identifier that helps follow your browsing across the web.

When embedded into third-party apps, Giphy can track each keystroke that’s searched using Giphy tools. Developers who install Giphy tools into their apps are required to give the service access to the device’s tracking ID.

Moxie Marlinspike:

Now that Giphy has been acquired by FB, many have reached out to ask whether we should be concerned about Giphy search in Signal.

Signal already uses a privacy preserving approach to prevent gif search providers from receiving user data[…]

John Gruber:

I believe this is basically how Apple’s Giphy search in Messages on iOS (through the built-in “#images” app) works.

Slack VP Brian Elliott (quoted by John Gruber):

Giphy doesn’t receive any information about users or even companies using the Giphy for Slack integration, and only sees Slack usage of the Giphy API in aggregate.

See also: Nick Heer.

Update (2020-05-19): Matt Haughey:

I was surprised since I participated in their early investing experiment, through Alphaworks, but never got any emails about this. In July of 2014, I invested the minimum, $2,500 in GiPHY. I want to show you investments rarely pan out in this thread[…]

Update (2020-05-22): Josh Constine (tweet):

GIPHY could let it learn about what apps are growing quickly (increased GIPHY searches), what types of content or influencers it might want to add to Watch or its Live streaming deals (what’s searched for), what visual media is most appealing (which GIFs get picked), and possibly tie this interest data to users’ identity (since developers have to send device Tracking IDs to GIPHY).

[…]

But then I got a very different perspective from an animation startup founder and GIF maker who’s been waging a campaign against the startup for years, accusing GIPHY of piracy.

[…]

For years, multiple sources say GIPHY would scrape Tumblr GIFs, rename the files as giphy.gif, and make them available with no attribution. Later it encouraged artists to claim profiles of their GIFs. But it’s still tough for an end user to find out who made the GIF they just tweeted.

What’s New in Swift 5.3

Tibor Bödecs:

SE-0279 [multiple trailing closures] is one of the most debated new proposals.

[…]

Enum types don’t have to explicitly implement the Comparable protocol thanks to SE-0266.

[…]

SE-0269 aka. Increase availability of implicit self in @escaping closures when reference cycles are unlikely to occur is a nice addition for those who don’t like to write self. 🧐

[…]

SE-0270 adds a RangeSet type for representing multiple, noncontiguous ranges, as well as a variety of collection operations for creating and working with range sets.

[…]

SE-0263 adds a new String initializer that allows you to work with an uninitialized buffer.

See also: Paul Hudson.

Ted Kremenek:

The new APIs in SE-0270 (RangeSet) are going to bake a bit longer and likely won’t be part of Swift 5.3. They are still in the Standard Library preview package.