Archive for July 2, 2020

Thursday, July 2, 2020

Using SVGs in Asset Catalogs

Marc Edwards:

SVGs can now be used as assets for iOS, iPadOS, macOS, and watchOS apps. The most exciting part of this new feature is that there’s not much to say — it’s full SVG support, and it just works.

Xcode 12 is required, but deployment targets of iOS 13, iPadOS 13, macOS 10.15 or later are supported.


Unlike PDF assets, SVGs seem to always be bundled in their native format and rendered at runtime. As a result, many apps will be able to save a lot of space by moving appropriate assets over to SVGs.


A Huge Year for SwiftUI

Swift by Sundell:

Josh Shaffer and Eliza Block from Apple join John to talk about what’s new in SwiftUI, how Xcode Previews work under the hood, the new home screen widget system, Apple’s internal process of adopting and improving SwiftUI, and much more.

See these WWDC sessions:

See also: John Sundell and Majid Jabrayilov.


App Store Requires Opting Out After Trial Subscription

Down Dog (Reddit, Hacker News):

Apple is rejecting our latest update because we refuse to auto-charge at the end of our free trial. They can choose to steal from their customers who forget to cancel, but we won’t do the same to ours. […]

We’ve experimented with auto-charging trials in the past and they lead to (1) fewer users trying the product (2) a huge number of refund requests by users who forget to cancel and (3) complete disbelief from those users when we explain that Apple won’t allow us to issue refunds.

It’s particularly bad because (1) cancelling a subscription is notoriously hard to find in Apple’s settings (2) Apple requires users to cancel at least 24 hours before the trial is over and (3) their site for requesting a refund often returns an error after logging in!

Nathan Lawrence:

Apple shouldn’t require devs to auto-charge after trials, but this rule exists for a reason: Free trials have historically been a real danger zone and misleading area for online services.

Apple’s system can be just as misleading and messy, but this isn’t just a power grab.


I think auto renewing subscriptions after free trials are generally pretty lousy UX, but Apple isn’t actually against not having those. Apple is against building your own skunkworks setup to make that happen.

Ken Case:

For those who aren’t already aware of this: every one of our @OmniGroup apps has the option to start a free two-week trial which doesn’t automatically convert into any sort of purchase.

I’m so confused about what the rule actually is.

Juli Clover:

Apple is introducing a new in-app purchase server notification system that lets developers know when a customer requests and receives a refund for an in-app purchase, allowing the developer to take an appropriate action, such as revoking the purchased item.

Developers are not involved in Apple’s refund process, which is handled by the company. Prior to now, when a user requested and received a refund for an in-app purchase, developers were not notified about the refund, leading to situations where customers could get a refund for a purchase and keep the in-app purchase.


Safari Privacy Protections Bypass

Jeff Johnson (tweet, Hacker News):

The privacy protections system (also known as TCC: Transparency, Consent, and Control) was introduced in macOS Mojave, and one of its purposes is to protect certain files on your Mac from access by unauthorized apps. I’ve discovered a way for an unauthorized app to read the contents of protected files, thus bypassing the privacy protections.


It’s been over 6 months since I reported the issue to Apple. This is well beyond the bounds of “responsible disclosure”, which is typically 90 days after reporting an issue to a vendor. It’s also becoming obvious that I will never get paid a bounty by Apple for anything I’ve reported to them, or at least not within a reasonable amount of time. I’m not interested in waiting years for a bounty. I can’t speak for anyone else, but my personal experience is that the Apple Security Bounty Program has been a disappointment, and I don’t plan to participate again in the future.

An app can make a copy of Safari, modify a JavaScript file in it, and exfiltrate private Safari data. The system trusts the bundle identifier on the copy and doesn’t do a full check of the code signature (or even check the path) to make sure it’s the real Safari.

Csaba Fitzl:

you should have waited, I have worse ASB timelines than this :)

Jeff Johnson:

We know that TCC is a major burden for legitimate Mac apps. But is it a major burden for malware? That’s the question, and it seems to me the answer is no. There are so many holes in this system, it only stops the good developers who wouldn’t stoop to using the countless hacks readily available to malware developers.

He also found a sandbox escape.


Update (2020-07-06): See also: Thomas Claburn.

Update (2020-09-28): Jeff Johnson:

Safari 14 partially ameliorates this.

No credit or bug bounty for me, because Apple Product Security sucks.


Boot and Recovery Mode on Apple Silicon Macs

Jason Snell (also: MacRumors):

With the advent of Macs running Apple-designed processors, things will get a whole lot simpler. As described Wednesday in the WWDC session Explore the New System Architecture of Apple Silicon Macs, these new Macs will only require you to remember a single button: Power.


On these new Macs, Target Disk Mode will be retired in favor of Mac Sharing Mode. Rather than turning your Mac into a disk, the new Mac Sharing Mode will turn your Mac into an SMB file server.


In reduced security mode, you can boot any supported version of macOS, even if Apple’s no longer signing it. And if an app or accessory you rely on uses a third-party kernel extension to enable functionality, you’ll need to use this mode.