Archive for August 28, 2020

Friday, August 28, 2020

Apple Terminates Epic Games’ Developer Account

Juli Clover (tweet):

Fortnite has been unavailable for a few weeks, but other Epic Games titles like Battle Breakers and Infinity Blade Stickers were still in the App Store. Now that the Epic Games developer account has been terminated, those apps are gone.


Though the Epic Games developer account is no longer available, Fortnite continues to work.

As expected. Apple also disabled IAP because customers were asking for refunds.

Last night, Epic sent out emails to Fortnite players blaming the unavailability of the new season on Apple and claiming that Apple is “blocking Fortnite” in order to prevent Epic Games from “passing on the savings from direct payments to players.” Apple in turn has taken to featuring Fortnite competitor PUBG in its App Store.

It appears that the Mac version of Fortnite is signed by the separate Epic International account that Epic uses for Unreal Engine.


Update (2020-08-31): Ryan Jones:

In dueling PR statements Apple sounds over dramatic, while Epic is chillin’.

Tim Sweeney:

Apple’s statement isn’t forthright. They chose to terminate Epic’s account; they didn’t have to.

Apple suggests we spammed the App Store review process. That’s not so. Epic submitted three Fortnite builds: two bug-fix updates, and the Season 4 update with this note.

John Gruber:

The last approved version of Fortnite still runs, but along with other games from Epic, it’s no longer available from the App Store, even if you previously downloaded it. This means you won’t be able to restore Fortnite on a new or factory-reset iPhone.


The “instead they repeatedly submit Fortnite updates designed to violate the guidelines” line in Apple’s statement is interesting, though. I don’t read it as an accusation of “spamming”, as Sweeney claims. Epic submitted three builds, none of which removed their in-app purchase circumvention, so they knew Apple was never going to approve them. They were just wasting Apple’s time. But I find it interesting that Apple even mentioned it, or phrased it that way. It indicates that Epic has gotten under their skin to some degree.

But, presumably, under the new rules announced today, the bug fixes would be allowed? Somehow I doubt that.

See also: Hacker News, Accidental Tech Podcast, Cory Doctorow.

Miguel de Icaza (tweet, Hacker News):

In the end, I value my iOS devices because I know that I can trust them with my information because security is paramount to Apple.


In the battle over the security and privacy of my phone, I am happy to pay a premium knowing that my information is safe and sound, and that it is not going to be sold to the highest bidder.

It’s comforting to believe this, but it may be more marketing and information hiding than truth. We know that information is being sold and that most of the actual security benefits are due to the design of iOS rather than the App Store itself.

Facebook Rejected for Mentioning App Store Fee

Sam Byford (tweet, also: ArsTechnica, MacRumors):

Apple blocked Facebook from informing users that Apple would collect 30 percent of in-app purchases made through a planned new feature, Facebook tells Reuters. Apple said the update violated an App Store rule that doesn’t let developers show “irrelevant” information to users.

The feature lets Facebook users buy tickets for online events directly through the app.

Note that Facebook itself is not getting a cut, nor was it breaking the rules and linking to an alternate payment method. I think it’s quite relevant for customers to know when they buy something where their money is going. It’s hard to see how this unwritten App Store policy benefits anyone but Apple, who doesn’t want their customers to know how the system works. And it’s hard to see what Apple did to deserve the 30%. It’s not the one putting on the event, it’s not the one who helped the buyer discover the event, and it’s not the one transmitting the information. It’s more like Panasonic, back in the days of landlines, expecting 30% from the Sears Catalog orders you placed using the handset that you’d already paid them for.


Update (2020-08-31): See also: Hacker News.

Juli Clover (also: Hacker News):

In a company-wide meeting, Facebook CEO Mark Zuckerberg on Thursday referred to Apple’s App Store as monopolistic and harmful to customers. Apple “blocks innovation, blocks competition,” and uses the App Store to “charge monopoly rents.”

Zuckerberg’s comments, which were said to 50,000 Facebook employees over a webcast, were shared by BuzzFeed News. Apple, said Zuckerberg, has a “unique stranglehold as a gatekeeper on what gets on phones.”

App Rejected for Using Unofficial Tesla API

Filipe Espósito:

“Watch app for Tesla” is a popular app that lets users check useful information and send commands to a Tesla vehicle directly from an Apple Watch. However, the availability of this app may be threatened as Apple has been reinforcing its guidelines related to third-party APIs, which may require the developer to remove their app from the App Store.


The company has argued that the only way to have an app with an unofficial third party API approved in the App Store is by having the written consent of the owner of that service, which in this case is Tesla.


Although the rejection of the app has only occurred now, Apple’s decision is based on an old policy — which for some reason is sometimes ignored by the company. Section 5.2.2 of the App Store Review Guidelines emphasizes that apps are not allowed to use third-party services without prior authorization due to intellectual property issues.


Apple once again reached out to the developer and the company agreed to release the latest update of Watch app for Tesla on the App Store until this situation is thoroughly investigated.

This seems like a straightforward violation of the guidelines, but (a) it is not evenly enforced, and (b) I’m not sure the guideline makes sense. In the general case, it’s not possible to prove that you have permission to use an API. Why is it Apple’s business to investigate this? And what about apps like Paw that can be used with arbitrary APIs? Does an IMAP client use an API of an unlimited number of third-party services?


VMware Fusion 12

VMware (tweet, also: MacRumors):

Fusion 12 Player replaces Fusion 11.5 ‘standard’, and follows the same pricing and licensing model as Workstation Player, meaning that it is both free for Personal Use, but requires a license for Commercial Use. Fusion Player has the same features as Fusion 11.5.x ‘standard’ and more.

However, for business use the price is increasing from $79 to $149.

Matthew Guay (tweet):

So last year we picked 100 popular business software, dug through blog posts and the invaluable Wayback Machine, checked each year’s pricing for the decade from 2009 to 2019, and calculated the software inflation rate.


If pricing did go up, though, on average it went up 47% since its last price change (which, on average, came 4 years ago). Asana, Teamwork Projects, and PivotalTracker each went up around 10%—so Asana now costs a dollar more per user each month. Others saw a 30-50% price bump. PieSync went up the most, with its price nearly tripling since its acquisition by HubSpot.

You had nearly as good of odds of your software getting cheaper this year, as 8% of products saw their price reduced an average of 32%. Notion made their personal plans free, as did GitHub along with reducing all their plans’ prices. AWS took 1-12% off their services. GoToMeeting costs less than half what it did last year. Drip and LucidChart had raised their prices in 2019, then brought them back down this year.


Blanked-Out Spots on Baidu Maps

Allison Killing et al.:

Our breakthrough came when we noticed that there was some sort of issue with satellite imagery tiles loading in the vicinity of one of the known camps while using the Chinese mapping platform Baidu Maps. The satellite imagery was old, but otherwise fine when zoomed out — but at a certain point, plain light gray tiles would appear over the camp location. They disappeared as you zoomed in further, while the satellite imagery was replaced by the standard gray reference tiles, which showed features such as building outlines and roads.


Having established that we could probably find internment camps in this way, we examined Baidu’s satellite tiles for the whole of Xinjiang, including the blank masking tiles, which formed a separate layer on the map. We analyzed the masked locations by comparing them to up-to-date imagery from Google Earth, the European Space Agency’s Sentinel Hub, and Planet Labs.

Governments Buying Phone Location Data

Joseph Cox:

In March, tech publication Protocol reported that multiple government agencies signed millions of dollars worth of deals with Babel Street after the company launched its Locate X product. Multiple sources told the site that Locate X tracks the location of devices anonymously, using data harvested by popular apps installed on people’s phones.


A myriad of smartphone apps, from weather predictors, to games, to flashlights, collect location data. Sometimes this may provide some benefit to the app’s operation itself, such as being able to route directions from a user’s current location, but many of these apps often sell that information as well to data brokers or other companies who incorporate it into their own products.


Many agencies have filed so-called reverse location warrants to ask Google to hand over information on what Android devices were in a particular area at a given time, for example. But an agency does not need to seek a warrant when it simply buys the data instead.

Daniel Sinclair:

Apple needs to open up telemetry to give users control & purview, as well as attack the problem from the other side by creating a separate app review process for SDKs that demands code review and data audits.

I don’t know exactly how this would work, but it’s a real problem that users have no visibility or control over what happens to their data. Some apps legitimately need location access, and once that’s granted there’s little that can be done to protect you.

Via Dan Grover:

If Apple’s strength is being a walled garden, we might as well demand better walls.


Update (2020-08-31): Rosyna Keller:

Far less specific location data is a feature of iOS 14…

Tyler Lacoma:

Approximate Location is a new tool that can be enabled in iOS. Instead of switching off location-based data, this feature will make it…fuzzy. Apple reports that it will limit the location data sent to apps to a general 10-mile region.


Not all the details are certain yet, but we do know that apps will be able to track when a device moves from one region to another. Apps will probably be able to extrapolate on that data and know that you were somewhere along a particular border between one region and another.

Update (2020-09-07): Nick Heer:

Yesterday, the U.S. Court of Appeals for the Ninth Circuit unanimously confirmed that the NSA’s bulk collection of Americans’ phone records was illegal, and found no evidence that it ever found or convicted a single terrorist. But, even if it had helped, the program would still have been illegal because bulk surveillance is antithetical to a healthy democracy. If anything, this decision demonstrated that federal agencies are more constrained than private companies in their ability to collect information like this. That makes sense — the state should not be spying on citizens — but Cox’s reporting shows that the private sector has provided a convenient workaround.

Update (2020-11-27): Joseph Cox:

A Muslim prayer app with over 98 million downloads is one of the apps connected to a wide-ranging supply chain that sends ordinary people’s personal data to brokers, contractors, and the military.

Can Thieves Crack 6-Digit iPhone Passcodes?

Henrique Prange:

So, how could the wrongdoers do all of that in less than 5 hours? After considering many options, the only reasonable explanation is they cracked the 6-digit passcode on the stolen iPhone using some kind of device like the GrayKey.

The passcode gave them access to the keychain. They searched for the iCloud credentials, disabled the Lost Mode, and turned off the Find My.

Via John Gruber:

I mention this in the wake of the aforelinked piece on Face ID vs. face masks because months ago, when I first started grocery shopping while wearing a mask, I switched my iPhone from an alphanumeric passphrase back to a 6-digit passcode for convenience. I did so thinking, basically, that even though a 6-digit passcode is less secure, anything truly dangerous like disabling Find My iPhone requires my iCloud password as well.

It simply never occurred to me that if a thief (or law enforcement, or any adversary) has the device passcode, and your iCloud password is in your keychain, they can get your iCloud password from your keychain. All you need is the device passcode to access all of the passwords in iCloud keychain.

I really hope this year’s iPhones have Touch ID.