Archive for October 8, 2020

Thursday, October 8, 2020

ProtonMail Forced to Add IAP

Sean Hollister:

But also, one app developer revealed to Congress that it — just like WordPress — had been forced to monetize a largely free app. That developer testified that Apple had demanded in-app purchases (IAP), even though Apple had approved its app without them two years earlier — and that when the dev dared send an email to customers notifying them of the change, Apple threatened to remove the app and blocked all updates.

That developer was ProtonMail, makers of an encrypted email app, and CEO Andy Yen had some fiery words for Apple in an interview with The Verge this week.


Yen tells me there was a month-long period where ProtonMail couldn’t update its app at all, even for security reasons, and Apple was threatening to remove the app if his company continued to delay. So ProtonMail decided to raise the cost of its entire service on iOS by roughly 26 percent to satisfy Apple’s needs, eating the rest itself.


Apple’s own head of app review from 2009 to 2016 spoke to Congress for its bombshell antitrust report, too. He testified that Apple’s senior executives would find pretexts to remove apps from the store[…]

Recall that Tim Cook told Congress that Apple had only exempted additional categories of apps from fees and that Apple does not retaliate or bully developers.

Jason Snell:

The more consistent the stories, the less Apple can claim this was all just a big misunderstanding.


Update (2020-10-09): See also: MacRumors.

Date Format Change in App Store Receipts

Frank Illenberger:

After some sweat and tears we have found the reason for the installation failures in the Mac App Store: At some point in the last weeks, Apple has changed the format of the date values in its ASN.1 receipt files.

They used to look like “2020-10-03T07:12:34Z”. Now they added milliseconds like in “2020-10-03T07:12:34.567Z”. Apple’s specification only states that dates follow RFC 3339, which does not specify if there should be milliseconds or not.


To make it even harder, Apple still sends out receipts containing dates WITHOUT milliseconds if an app has been originally bought before October.

Daniel Jalkut:

More on this: as far as I can tell the documented IAP dates are still returning dates that don’t have milliseconds. I don’t think there is a documented date field for Mac App Store receipts for the main app, as installed in the app binary.

These are the documented fields for local (on a Mac) receipt validation.

For server side receipt validation, there are a host of other fields, including one that exposes the original purchase date in timestamp format.

Rosyna Keller:

The dates on the receipt documentation pages all mention they’re in ISO 8601, so you’d want to use that date formatter to read them instead of specifying an entirely manual, hand-crafted format string.

Hilariously, the documentation only promises that the date format will be “similar to the ISO 8601.”

Pádraig Kennedy:

A base ISO8601DateFormatter will parse the non-ms version only. To avoid this issue, devs would have to make two date parsers and try them one after another.

Daniel Jalkut:

If anybody thinks ISO8601 datetime strings are a well-defined format, here’s the code in @MarsEdit that handles ISO8601 dates from various blogging platforms.
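
The two receipt date shapes Illenberger quotes, and the two-parser fallback Kennedy describes, in Python as an added example (this is not code from the post, from MarsEdit or from Apple): a brittle single-format parser of the kind that broke, the fallback pair, and one lenient parser for the whole RFC 3339 date-time grammar, which goes beyond the receipt case by also accepting a numeric UTC offset and any number of fractional digits. The sample strings are the ones quoted above; everything else is constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# The two shapes quoted in the post: before and after Apple added fractions.
LEGACY_SAMPLE = "2020-10-03T07:12:34Z"
FRACTIONAL_SAMPLE = "2020-10-03T07:12:34.567Z"

# Hand-crafted format strings, each pinned to exactly one shape.
LEGACY_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
FRACTIONAL_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"


def parse_legacy_only(s: str) -> datetime:
    """Brittle parser: accepts only the pre-October shape, raises on the new one."""
    return datetime.strptime(s, LEGACY_FORMAT).replace(tzinfo=timezone.utc)


def legacy_parser_accepts(s: str) -> bool:
    """True if the brittle parser would have accepted this receipt date."""
    try:
        parse_legacy_only(s)
        return True
    except ValueError:
        return False


def parse_with_fallback(s: str) -> datetime:
    """The two-parser workaround: try each known shape in turn."""
    for fmt in (LEGACY_FORMAT, FRACTIONAL_FORMAT):
        try:
            return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised receipt date: {s!r}")


# One pattern for the RFC 3339 date-time grammar: fractional seconds are
# optional, and the offset is "Z" or +hh:mm / -hh:mm. Written for this example.
_RFC3339 = re.compile(
    r"^(?P<ymd>\d{4}-\d{2}-\d{2})[Tt](?P<hms>\d{2}:\d{2}:\d{2})"
    r"(?:\.(?P<frac>\d+))?"
    r"(?P<tz>[Zz]|[+-]\d{2}:\d{2})$"
)


def parse_rfc3339(s: str) -> datetime:
    """Lenient parser covering every shape RFC 3339 permits for a date-time."""
    m = _RFC3339.match(s)
    if not m:
        raise ValueError(f"not an RFC 3339 date-time: {s!r}")
    base = datetime.strptime(f"{m['ymd']}T{m['hms']}", "%Y-%m-%dT%H:%M:%S")
    # Any number of fractional digits is legal; keep microsecond precision.
    micro = int((m["frac"] or "").ljust(6, "0")[:6])
    tz = m["tz"].upper()
    if tz == "Z":
        offset = timezone.utc
    else:
        sign = 1 if tz[0] == "+" else -1
        offset = timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6])))
    return base.replace(microsecond=micro, tzinfo=offset)


if __name__ == "__main__":
    for sample in (LEGACY_SAMPLE, FRACTIONAL_SAMPLE):
        print(sample, legacy_parser_accepts(sample), parse_rfc3339(sample).isoformat())
```

In Foundation the equivalent of the fallback pair is a second ISO8601DateFormatter whose formatOptions include .withFractionalSeconds (available since macOS 10.13), tried after the plain one, because, as Kennedy notes, the default options reject the fractional form. The failure mode matters here: a receipt validator that cannot parse a date fails closed, so a format drift on Apple’s side surfaces as the installation failures Illenberger describes rather than as a silent misparse.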


We Hacked Apple for 3 Months

Sam Curry (via Steve Troughton-Smith, Hacker News):

Between the period of July 6th to October 6th myself, Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes worked together and hacked on the Apple bug bounty program.


During our engagement, we found a variety of vulnerabilities in core portions of their infrastructure that would’ve allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim’s iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources.

There were a total of 55 vulnerabilities discovered with 11 critical severity, 29 high severity, 13 medium severity, and 2 low severity reports.

Most have already been fixed.

One example:

During testing the iCloud application we noticed that you could open up certain attachments from the iCloud mail application in the iCloud pages application via the “Open in Pages” functionality. When you submitted the form to do this, it sent an HTTP request containing a URL parameter which included the URL of the mail file attachment in the request.[…] If you attempted to modify this URL to something arbitrary[…] Our proof of concept for this report was demonstrating we could read and access Apple’s internal maven repository which contained the source code for what appeared to be hundreds of different applications, iOS, and macOS.
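
What Curry describes is a server-side request forgery: the server fetched whatever URL the client put in the parameter, so the client could point it at an internal repository. As an added example that is not part of the writeup or of Apple’s code, here is the vulnerable pattern beside a hardened fetch that allowlists the host, refuses embedded credentials and unexpected ports, and checks that the name resolves only to public addresses. The host names, addresses and DNS answers are constructed for the demo so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hosts the attachment fetcher may contact. Assumed name for this example;
# the real service hosts are not given in the writeup.
ALLOWED_HOSTS = {"mail-attachments.example.com"}


class SSRFRejected(ValueError):
    """Raised when a client-supplied URL must not be fetched server-side."""


def system_resolve(host: str) -> set:
    """Resolve with the OS resolver (the offline demo injects a fake instead)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(ip_text: str) -> bool:
    """Reject loopback, RFC 1918, link-local and other non-routable targets."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def fetch_attachment_unsafe(url: str, http_get):
    # VULNERABLE: the URL came from the client, so the server will fetch
    # anything it can reach with its own network position and credentials.
    return http_get(url)


def validate_attachment_url(url: str, resolve=system_resolve):
    """Return (host, addresses) for a URL the server is allowed to fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        raise SSRFRejected(f"scheme {parts.scheme!r} not allowed")
    # "https://allowed.example@evil.example/" parses with allowed.example as
    # the username, so credentials are refused before the host is examined.
    if parts.username is not None or parts.password is not None:
        raise SSRFRejected("credentials in URL")
    host = (parts.hostname or "").rstrip(".")
    if host not in ALLOWED_HOSTS:
        raise SSRFRejected(f"host {host!r} not in allowlist")
    try:
        port = parts.port
    except ValueError:
        raise SSRFRejected("malformed port")
    if port not in (None, 443):
        raise SSRFRejected(f"port {port} not allowed")
    addresses = resolve(host)
    if not addresses or not all(is_public_address(a) for a in addresses):
        raise SSRFRejected("host resolves to a non-public address")
    return host, addresses


def fetch_attachment(url: str, http_get, resolve=system_resolve):
    """Hardened fetch: validate first, then fetch."""
    validate_attachment_url(url, resolve)
    return http_get(url)


def check_url(url: str, resolve=system_resolve) -> str:
    """'allowed' or the rejection reason; convenient for reviewing a batch."""
    try:
        validate_attachment_url(url, resolve)
        return "allowed"
    except SSRFRejected as e:
        return f"rejected: {e}"


# Constructed DNS answers. 93.184.216.34 stands in for "some public address".
FAKE_DNS = {"mail-attachments.example.com": {"93.184.216.34"}}


def fake_resolve(host: str) -> set:
    return FAKE_DNS.get(host, set())


if __name__ == "__main__":
    for u in ("https://mail-attachments.example.com/attachments/report.pages",
              "https://mail-attachments.example.com@maven.internal.example/repo",
              "https://maven.internal.example/repo"):
        print(u, "->", check_url(u, fake_resolve))
```

The host allowlist is the primary control; the address check is defence in depth against an allowlisted name being pointed at an internal address. For it to hold, the HTTP client must connect to the addresses returned by the check rather than resolve the name a second time, and every redirect must be validated again, otherwise a short-TTL record can rebind between the check and the fetch.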

Brandon Azad:

It’s with both bittersweet sadness and excitement that I say goodbye to Project Zero, as I’ll be joining Apple next week to continue my work improving Apple device security.


Update (2020-10-09): Sam Curry:

Within the article I’d mentioned that Apple had not yet paid for all of the vulnerabilities. Right after publishing it, they went ahead and paid for 28 more of the issues making the running total $288,500.

Swift “Algorithms” Package

Nate Cook:

I’m excited to announce Swift Algorithms, a new open-source package of sequence and collection algorithms, along with their related types.

Algorithms are powerful tools for thought because they encapsulate difficult-to-read and error-prone raw loops. The Algorithms package includes a host of powerful, generic algorithms frequently found in other popular programming languages. We hope this new package will help people embrace algorithms, improving the correctness and performance of their code.


It’s our ambition for the standard library to include a rich, pragmatic set of generic algorithms. We think the Algorithms package can help realize this goal by serving as a low-friction venue to build out new families of related algorithms—giving us an opportunity to iteratively explore the problem space and learn how different algorithms connect and interact—before graduating them into the standard library.

I love how each one is documented and includes links to the source and tests.


Windows XP Source Code Leaked

Dan Thorp-Lancaster:

Alleged source code for Windows XP leaked online this week. The leak was spread in a thread on the anonymous forum 4chan, which linked to archives of both the alleged Windows XP source code and source code for other Microsoft products. Notably, the archive includes the Windows NT 3.5 and original Xbox source code dumps that appeared online in May.


If the leak is legitimate, it could expose any remaining Windows XP-based systems to new attacks. However, Microsoft hasn’t supported Windows XP in any meaningful way since it reached its end-of-support date in 2014, which marked the end of security updates for the aging operating system.


Interestingly, while this would be the first time Windows XP source code has gone public, Microsoft already shares its code with governments and university researchers around the world.

Tom Warren (via Hacker News, MacRumors):

Microsoft created a secret Windows XP theme that made the operating system look more like a Mac. A recent Windows XP source code leak has revealed Microsoft’s early work on the operating system and some unreleased themes the company created during its early XP development back in 2000.

One is labeled “Candy” and includes a design that closely resembles Apple’s Aqua interface that was first introduced at the Macworld Conference & Expo in 2000. Although the theme is incomplete, the Windows XP Start button and various buttons and UI elements are clearly themed to match Apple’s Aqua.