Archive for July 22, 2020

Wednesday, July 22, 2020

Another Apple-Funded App Store Study

Juli Clover (Slashdot, Hacker News):

As Apple CEO Tim Cook gears up to testify in an App Store antitrust hearing before the House Judiciary Committee next week, Apple has commissioned a study from Analysis Group [PDF] that’s designed to demonstrate how similar Apple’s App Store fees and practices are to those of other digital marketplaces like the Amazon Appstore and the Google Play app.

Not mentioned anywhere in the study: Stripe, PayPal, Paddle, FastSpring, etc. Apple would rather compare itself to brick-and-mortar stores and Ticketmaster than the various online software channels that have been available since the mid-1990s. And, of course, the main issue with the App Store is that it’s the only way users can install software on their devices. You can’t opt out of it because there is no sideloading. There are no alternative stores. The whole way this is framed is misleading.

David Heinemeier Hansson:

I just commissioned a study that confirmed that I am in fact the fairest king in all of the land.

Cabel Sasser:

They keep saying the App Store changed everything because before you had to sell your apps in CompUSA or whatever. Panic ONLY EXISTS because we could sell apps, direct to consumer, via download, since 1999. The App Store arrived in 2008. Drives me crazy that they ignore this era.

Michael Love:

Also true for Palm and Windows Mobile, though they keep insisting on comparing themselves to crappy carrier-run J2ME app stores.

Also, if you didn’t want to handle payments yourself, Mac shareware developers had Kagi from way back when - I used them to sell my little Mac shareware game Ergo in 1994, rate was 5% + $1.25 I believe.

Kyle Pflug:

It’s revealing that this spends no time on whether the “other marketplaces” are the exclusive way to get third party software on their home platform.

The Microsoft Store and Steam both have commission, but they also compete with each other (and direct download, and retail...).

Matt Garber:

The 30% cut is a distraction anyway, which Basecamp also pointed out weeks ago. The real anticompetitive parts are around ridiculous things like not even being allowed to use descriptive text to say “sign up for paid accounts on our website”.

Michael Love:

a) “Everybody else does it” is not a defense

b) Brick and mortar is a meaningless comparable

c) Many of these stores were following your lead

d) Most of them are non-exclusive (except consoles, but their business model is selling HW at cost + making money on games)


Update (2020-07-23): John Gruber:

You know you’re in trouble when part of your argument is “Hey, at least we’re better than Ticketmaster.”

Peter N Lewis:

I’ve been doing this full time since 1994 - what made it easy was companies like Kagi and sources like Info-Mac, decades before the App Store.

Ron Avitzur:

Same here. Selling Graphing Calculator direct to customers online since 1998.

Brent Simmons (tweet):

But it’s worth remembering that money really does matter. […] To put it in concrete terms: the difference between 30% and something reasonable like 10% would probably have meant some of my friends would still have their jobs at Omni, and Omni would have more resources to devote to making, testing, and supporting their apps.

Update (2020-09-07): Joe Rossignol:

Apple today announced that the iOS app economy has created nearly 300,000 new jobs in the United States since April 2019, citing research shared by Dr. Michael Mandel, chief economic strategist at the non-profit Progressive Policy Institute.

Apple Security Research Device Program

Apple (via Hacker News):

The Security Research Device (SRD) is intended for use in a controlled setting for security research only. Shell access is available, and you’ll be able to run any tools and choose your entitlements. Otherwise, the SRD behaves as closely to a standard iPhone as possible in order to be a representative research target.

SRDs are provided on a 12-month renewable basis and remain the property of Apple. They are not meant for personal use or daily carry, and must remain on the premises of program participants at all times. Access to and use of SRDs must be limited to people authorized by Apple.


Participation in the Security Research Device Program is subject to review of your application. Device availability is limited. Devices will not be available for all qualified applicants in the initial application period.

If you use the device to find a vulnerability, you have to report it to Apple and are not allowed to discuss it until Apple fixes it. Unfortunately, as with the bug bounty program, there’s a giant loophole: Apple could take a long time to fix it, decide they don’t want to fix it, or purposely impose a gag for vulnerabilities it doesn’t want disclosed. There’s no automatic delay after which you can publish if Apple decides to sit on it. We already have evidence of this being a problem from the bug bounty program.

It seems risky to join the program, both because you may end up muzzled and because it ties your hands regarding anything you figure out without using the SRD. Since you can’t prove you did it on your own, everything you do becomes subject to the SRD rules. You’d be setting yourself up to get sued.


Update (2020-07-22): Ben Hawkes (via Jeff Hunter):

It looks like we won’t be able to use the Apple “Security Research Device” due to the vulnerability disclosure restrictions, which seem specifically designed to exclude Project Zero and other researchers who use a 90 day policy.

Will Strafach:

no researchers or engineers on our end are participating (in an official/Guardian-affiliated capacity) due to the restriction Apple appears to impose on information disclosure.

Update (2020-07-27): Rich Mogull:

On the whole, Apple’s program requirements and restrictions appear reasonable, and I look forward to seeing how they work in practice. However, there is some risk that the program restrictions will muzzle some researchers while Apple sits on vulnerabilities. Apple’s track record for fixing issues has been pretty good in recent years, but we can’t dismiss this concern out of hand.

Peter Steinberger:

It’s sad that Apple thinks shell access is only useful for security engineers.

Update (2020-07-29): See also: Pwn20wnd.

Update (2020-08-11): David Shayer:

Based on Apple’s announcement, backed up by some logical deduction, we can speculate about how this program and the particular devices will work.

Update (2021-01-06): Juli Clover:

Apple is notifying the first researchers who will be receiving these special iPhones as of today, and the Cupertino company says that the devices will be sent out right away. Under the terms of the program, participating security researchers will be provided with iPhones that are on loan for one year, though it will be possible to extend the loan period.

A First Replicating Type

Drew McCormack:

You may be wondering why the Entry type includes a UUID identifier. It already has a timestamp, which is an identity of a sort. Isn’t that timestamp unique enough?

Maybe, but you will sleep better at night if you assume it is not unique enough. A timestamp has something like millisecond accuracy. A computing device can do thousands, even millions of operations in that time. Two changes to the same value on the same device may very well fall on exactly the same tick of the timestamp clock.

What would happen if we used the timestamp in isolation? If two changes collided — had the same timestamp — the ‘winner’ would effectively be random. Your devices could easily pick different outcomes, and your type will have diverged — your app is no longer in sync. To avoid this, we need some way to pick the same winner on all devices, even if the timestamps are exactly the same. For that, we add the UUID. It ensures a deterministic result in cases where the timestamps collide.
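The merge rule described above, as an added example that is not code from Drew McCormack’s post or his library (and in Python rather than the Swift of the original). The names `Entry`, `merge_lww`, `merge_timestamp_only` and `converges` are this example’s own, and the colliding entries are constructed so that two replicas produce exactly the same timestamp:

```python
"""Last-writer-wins replicating value with a deterministic tie-break.

Added example, not the original post's code. Names and sample data are
this example's own; the entries below are constructed to collide.
"""
from dataclasses import dataclass, field
from functools import reduce
from typing import Any, Callable, Iterable
import itertools
import uuid


@dataclass(frozen=True, order=True)
class Entry:
    # order=True compares fields in declaration order: timestamp first,
    # then the UUID string as the tie-break. `value` is excluded from the
    # comparison, so ordering never depends on the payload itself.
    timestamp: float
    id: str
    value: Any = field(compare=False)


def new_entry(value: Any, timestamp: float) -> Entry:
    """Create an entry the way a device would: fresh random UUID per change."""
    return Entry(timestamp, str(uuid.uuid4()), value)


def merge_lww(a: Entry, b: Entry) -> Entry:
    """Deterministic rule: larger (timestamp, id) wins.

    Any total order works as the tie-break as long as every replica uses
    the same one; here it is plain string comparison of the UUIDs.
    """
    return max(a, b)


def merge_timestamp_only(a: Entry, b: Entry) -> Entry:
    """The naive rule the post warns about: ties go to whichever entry
    happened to be the left operand, so the result depends on merge order."""
    return a if a.timestamp >= b.timestamp else b


def converges(merge: Callable[[Entry, Entry], Entry],
              entries: Iterable[Entry]) -> bool:
    """True if merging the entries in every possible order yields one value.

    This is what "all devices pick the same winner" means: the merge must
    be commutative and associative, so arrival order cannot matter.
    """
    outcomes = set()
    for order in itertools.permutations(list(entries)):
        outcomes.add(reduce(merge, order).value)
    return len(outcomes) == 1


def winner(entries: Iterable[Entry]) -> Any:
    """The value every replica ends up with under the deterministic rule."""
    return reduce(merge_lww, entries).value


# Constructed sample: two edits on two devices land on the same millisecond
# tick; a third edit is older and must lose regardless of tie-break.
SAME_TICK = 1595404800.123
COLLIDING = [
    Entry(SAME_TICK, "3c4e5f6a-7b8c-4d9e-8f0a-1b2c3d4e5f6a", "draft-from-phone"),
    Entry(SAME_TICK, "d0e1f2a3-b4c5-4d6e-9f7a-8b9c0d1e2f3a", "draft-from-laptop"),
    Entry(SAME_TICK - 1.0, "0b9d8c7e-6f5a-4b3c-9d2e-1f0a9b8c7d6e", "older-value"),
]

if __name__ == "__main__":
    print("timestamp only converges:", converges(merge_timestamp_only, COLLIDING))
    print("timestamp + uuid converges:", converges(merge_lww, COLLIDING))
    print("winner on every device:", winner(COLLIDING))
```

Running the block prints `False` for the timestamp-only rule and `True` for the timestamp-plus-UUID rule, with `draft-from-laptop` winning on every device because its UUID sorts higher. The check in `converges` is the one worth keeping around: a replicating type is only safe if every permutation of merges gives the same answer. Note that the UUID only resolves exact collisions; it does nothing about wall clocks that disagree across devices, which is a separate problem the timestamp alone cannot solve either.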

Local iOS Backups Without a Mac

Kickstarter (via 9to5Mac):

AnyBackup is capable of reading, backing up, transferring, and restoring your documents, contacts, photos, videos, and data from all the popular social media channels.


The Maktar Qubii Pro is an automatic flash drive that backs up your photos, files and contacts while charging your iPhone or iPad.

Both of these let you back up your iPhone or iPad to a Micro SD Card or USB storage device. However, as far as I can tell, these aren’t “real” iOS backups. The description makes it sound like you plug the device into the Lightning port and it starts backing up like when you plug an iPhone into a Mac or PC. But it’s a third-party app, not iOS, that does the backup. It only has access to copy certain types of data. You don’t end up with an iTunes-style backup that iOS can auto-restore everything from. iOS is still too locked down to support real third-party backups, and Apple’s own backup tools are still very limited.