Archive for September 9, 2020

Wednesday, September 9, 2020

iMac’s Nano-Textured Glass

Mark C:

Side-by-side, you can actually see the reflective differences between the two screens.

Looks great, but I thought the old matte displays were fine without the price premium.


Update (2020-09-22): Dave Wiskus:

I got the nano and non-nano-textured XDR displays so I could pick a winner and return the loser.

Nano-textured is going back. Easy choice.

Nano looks fuzzy and sparkly. Like someone spilled something on the screen and didn’t quite clean it all off. I’m told this is great for high-glare environments, but in my office it looked terrible. Crazy that Apple calls this an upgrade.

Epic Barred From “Sign in With Apple”

Epic (tweet, Hacker News, MacRumors):

Apple will no longer allow users to sign into Epic Games accounts using “Sign In with Apple” as soon as September 11, 2020. If you have previously used “Sign In with Apple”, please update your Epic Games account email address and password immediately so that you can still log in after September 11, 2020.

Apple doesn’t retaliate, but it considers it more important to hurt Epic (and make an example of it) than to help its own customers who placed their trust in its service. As a user, I would rather rely on a password manager than a login provider. As a developer, it’s a harder choice because many users like universal logins. Apple doesn’t let you support other third-party login providers without also supporting Sign In with Apple.

Riley Testut:

Lesson: Don’t use “Sign In with Apple” unless you want Apple to be able to remotely kill all your user accounts…

Nathan Lawrence:

If you’re Epic, it stinks, but you know it’s coming — you can scarcely retain API keys without a dev account — and can prepare. Not so if you’re an indie accidentally flagged for abuse by one of the large companies in control of these sign-on systems. You just lose customer data.

The entire point of open authentication standards once was that auth could be democratized and open, and you could choose an identity provider that worked for you and fit your personal standards — even your own server.

Now, it centers even more power on large companies instead.

Tanner Bennett:

Apple is really shooting themselves in the foot here, just to spite someone…

They’re NEVER going to fully recover from this battle, not in the next 20 years at least. Their new reputation for being a petty, spiteful bully is basically set in stone at this point.

Not to mention all the developer trust they’re eroding with this. They now also have a reputation for offering services that can be revoked at any time (not to mention having the ability to remove your app at any time and make you go bankrupt…), which is not appealing.


Update (2020-09-11): Viruthagiri Thirumavalavan:

This “Sign in with Apple” issue with epic games is not “personal” as you think. It’s because of the patent claim I wrote to protect my invention.

He developed a service called Dombox, which he says Apple copied. Whether or not that’s actually the case, the interesting part is that Dombox’s pending patent only applies to services that don’t have a native mobile app. And Apple, perhaps not coincidentally, says that “An app on the App Store is required” in order to use the Sign In with Apple API. Well, thanks to Apple closing Epic’s developer account, they no longer have an app on the App Store.

I’ve also seen speculation that it’s technically not possible to use Sign In with Apple without a developer account, e.g. because of certificate renewal. This is probably true, but I don’t think it really changes anything with the story. Apple is the one that tied its service to an account that does so many other things. And it’s the one who chose to terminate the account, when that was not necessary to block the offending app from the App Store.

Fortnite Status:

Apple previously stated they would terminate “Sign In with Apple” support for Epic Games accounts after Sept 11, 2020, but today provided an indefinite extension.

I guess Apple’s not afraid of the patent, or perhaps that’s why they are calling it an indefinite extension.

Francisco Tolmasky:

Forget what developers think of Sign In with Apple, as a customer, I’m never going to use it again. I was already skeptical of routing all my email communications through Apple, but the fact that Apple can drop it arguably affects me more than the developer.

In the best case scenario, it’s a hassle for me to have to transfer my account in an event like the Epic situation. In the worst case, it seems like I could potentially lose my account? Maybe that doesn’t matter for a game, but I certainly won’t trust it for stuff that matters.

I’m really not impressed with this “it’s such a weird edge case!” excuse either. Only at Apple is it considered an edge case that your service could possibly also exist outside the AppStore, and thus someday possibly exist only outside the AppStore.

Update (2020-09-14): Jay Peters:

When reached for comment about yesterday’s news, Apple told The Verge that it was not doing anything to stop “Sign In with Apple” accounts from working with Epic Games. So there’s some kind of discrepancy in who is telling the truth, as Epic is maintaining that Apple was previously enforcing the shutoff (and the way Epic is talking about it, still possibly could). Apple did not immediately reply to a request for comment about today’s development.

Since we know that Sign In with Apple requires a developer account, which Apple terminated, it seems like Apple is trying to make it look like Epic was lying, while actually working behind the scenes to either lift that technical requirement or provide some sort of limited functionality account.

Update (2020-09-30): John Gruber (tweet):

I spent a few hours back on September 9 digging into this SIWA story, and multiple sources at Apple told me Epic’s claims were simply false. There was never a September 11 deadline for their SIWA support to stop working, and in fact, Apple’s SIWA team performed work to make sure SIWA continued working for Fortnite users despite the fact that Epic Games’s developer account had been revoked. There was no “extension” because Apple was never going to revoke Epic’s SIWA access.

It seems that the Apple sources lied to Gruber because Epic’s court filings include e-mails stating that Apple is “terminating SIWA for the Epic Games, Inc. account” and giving an “extra two weeks” extension. Apple has a history of misleading the press when defending itself.

Apple Countersues Epic

Juli Clover (Hacker News, 9to5Mac):

In a court filing today [link], Apple says that Epic’s lawsuit is “nothing more than a basic disagreement over money,” highlighting the revenue that Epic Games has earned through the Fortnite iOS app and Apple’s developer tools.


Epic, says Apple, has used more than 400 of Apple’s APIs and frameworks, five versions of the Apple SDK, has had its apps reviewed more than 200 times, and has pushed more than 140 updates to Apple customers. Apple says that it also provided advertising each time Epic released a new season for Fortnite, offering “free promotion and favorable tweets” to more than 500 million end users.

This idea that Apple is owed because a developer “used” its APIs is bonkers.

Also, it’s hilarious that, in the Spotify case, Apple argued that “Spotify wants all the benefits of a free app without being free. A full 84 percent of the apps in the App Store pay nothing to Apple[…]. That’s not discrimination, as Spotify claims; it’s by design.” Now it argues that “Epic decided it would like to reap the benefits of the App Store without paying anything for them.”

Steve Troughton-Smith:

Apple: Epic only looking for a free ride

Epic, according to Apple, has given Apple $257,000,000 in commission fees in two years over in-app purchases that Apple has no hand, act, part in, doesn’t host on their servers, just for the privilege of existing on their OS. ‘Free ride’.

Tim Sweeney:

Presumably they’re just posturing for the court, but if Apple truly believes the fight over the App Store’s distribution and payment monopoly is a “basic disagreement over money,” then they’ve lost all sight of the tech industry’s founding principles.

Foremost among those principles: the device you own is yours. You’re free to use it as you wish. Configure it as you like, install software you choose, create your own apps, share them with friends. Your device isn’t lorded over by some all-powerful corporation.

Marco Arment:

Dev relations are at an all-time low as you continue to make statements to the effect of “Developers’ only value to our platform is IAP commissions.”

People buy the iPhone — you know, that hardware you make tons of money from — because of OUR APPS.

(Not even addressing the false and disproven “everyone plays by the same rules” lie you keep repeating, as well as the massive elephants in the room: Facebook, Instagram, Twitter, and every other free app that offer no App Store purchases, yet are somehow OK under this logic.)

Nick Heer:

It seems like these two corporate giants — though “giant” at different scales — are very happy to test how much they can piss off users and regulatory bodies. Epic is being belligerent in its steadfast refusal to play by the iOS App Store rules. Apple is going all-in on whatever it can get away with.


One of the things I keep wondering about everything here is what it would take for Apple to change course if the law were not involved. I wonder how much control it would be able to exert before users began to switch away in large enough numbers that it would cause consternation in Cupertino. But, then, I also wonder why it would even get to that level — no company should be pushing so hard as to test customer loyalty and trust. This Fortnite thing gets awful close for some players, I imagine. Some will simply stop playing; others will play on another console. But some might decide that they no longer want to be a part of Apple’s ecosystem. You can have all of the gaming consoles you want and switch between them, but most people only have one phone.


So far, everything is more-or-less holding: many developers need Apple’s platforms and I doubt they are shedding users in meaningful numbers. But it is bizarre and troubling that we are having this conversation. It suggests that Apple is increasingly finding ways to financially exploit its products for self-enrichment at the expense of users and developers. From a strategy perspective, as far as I am concerned, that is not as inspiring as make great products that practically sell themselves.


Mac App Store Sandbox Escape by Bypassing Initialization

Saagar Jha (via Jeff Johnson):

In January I discovered a flaw in the implementation of the sandbox initialization procedure on macOS that would allow malicious applications distributed through the Mac App Store to circumvent the enforcement of these restrictions and silently perform unauthorized operations, including actions such as accessing sensitive user data. Apple has since implemented changes in the Mac App Store to address this issue and the technique outlined below should no longer be effective.


Apple checks for the presence of the entitlement in all apps submitted for review, and its mere existence magically places the process in a sandbox by the time code execution reaches main. But the process isn’t actually magic at all: it’s performed by a function called _libsecinit_initializer inside the library libsystem_secinit.dylib, also located at /usr/lib/system[…]


As you may have guessed, this process is problematic. In fact, there are actually multiple issues, each of which allows an application with the entitlement to bypass the sandbox initialization process.

But it sounds like Apple’s fix is via the App Store approval process, rather than enforcing at runtime that apps with the entitlement are sandboxed, so it may not work in all cases.
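The gap between review-time and runtime enforcement can be checked from the defender's side by comparing what an app's signature declares with what the running process actually got. The sketch below is an added example, not code from Jha's write-up or from Apple. It assumes a hypothetical inventory in which each record holds the entitlements plist (as printed by `codesign -d --entitlements :- <path>`) and a `sandboxed` flag taken from a runtime source such as Activity Monitor's Sandbox column; the record fields and sample data are constructed.

```python
import plistlib

SANDBOX_KEY = "com.apple.security.app-sandbox"

def declares_sandbox(entitlements_xml: bytes) -> bool:
    """True only if the signed entitlements set the sandbox key to boolean true."""
    if not entitlements_xml.strip():
        return False  # no entitlements embedded in the signature
    try:
        ent = plistlib.loads(entitlements_xml)
    except Exception as exc:  # truncated or malformed plist
        raise ValueError("unparseable entitlements plist") from exc
    return isinstance(ent, dict) and ent.get(SANDBOX_KEY) is True

def audit(processes):
    """List (pid, name, finding) where runtime state contradicts the signature."""
    findings = []
    for p in processes:
        try:
            declared = declares_sandbox(p["entitlements"])
        except ValueError as exc:
            findings.append((p["pid"], p["name"], str(exc)))
            continue
        if declared and not p["sandboxed"]:
            findings.append((p["pid"], p["name"], "entitled but running unsandboxed"))
    return findings

def _plist(body: str) -> bytes:
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<plist version="1.0"><dict>' + body + "</dict></plist>").encode()

_ON = "<key>" + SANDBOX_KEY + "</key><true/>"
_OFF = "<key>" + SANDBOX_KEY + "</key><false/>"

# Constructed sample inventory (hypothetical field names, not real processes).
SAMPLE = [
    {"pid": 501, "name": "StoreAppA", "entitlements": _plist(_ON), "sandboxed": True},
    {"pid": 502, "name": "StoreAppB", "entitlements": _plist(_ON), "sandboxed": False},
    {"pid": 503, "name": "DirectTool", "entitlements": _plist(_OFF), "sandboxed": False},
    {"pid": 504, "name": "Unsigned", "entitlements": b"", "sandboxed": False},
    {"pid": 505, "name": "Damaged",
     "entitlements": b'<?xml version="1.0"?><plist><dict><key>', "sandboxed": False},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Only the entitled-but-unsandboxed process and the record with the damaged plist are reported; apps that never declared the entitlement are not findings, since sandboxing outside the Mac App Store is opt-in.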

Csaba Fitzl:

To disable sandbox via Interposing is a long known technique. +SB on macOS is voluntary, except the platform profile, that applies to everyone.

Adam Chester:

Few nights working on this but finally found another sandbox escape for Microsoft Word on MacOS 10.15.6. Chains a few techniques, MS locked it down well since last time.