Archive for February 2021

Friday, February 26, 2021

Apple Documentation and SwiftUI for Mac

Alexander Grebenyuk:

I wrote a post yesterday about triple-column navigation in SwiftUI. It felt a bit awkward posting it because this really shouldn’t be some obscure knowledge. This is hardly a challenging problem. But to me and to many other people, this was challenging.

Why was it challenging? The NavigationView documentation page doesn’t mention a triple-column layout or macOS at all. But the lack of content is not the only problem with Apple Documentation.

The intention of the article isn’t to complain, but rather to review the documentation system and point out some of its issues.

Alexander Grebenyuk:

This is a native macOS app written entirely in SwiftUI, from @main to bottom. Not a prototype, not a toy. A full-featured app. The intention is to deliver the best macOS experience possible.

[…]

The relationship between SwiftUI and AppKit is not documented and not guaranteed to be supported. This workaround is useful for now, but might stop working in the future.

[…]

I had to compromise in a few places. But I don’t have a lot of bugs to report. Maybe I’m just getting better at avoiding things that don’t quite work as expected. There are some limitations, but the AppKit integration is always there for me.

Wil Shipley:

SwiftUI is an amazing way to prototype interfaces quickly but when you hit a wall you hit it hard and there’s almost nothing you can do.

It’s also telling to me that, for instance, nobody seems to have figured out how to make two Buttons in SwiftUI be the same width.

(Yes, I’ve seen various posts about it, but so far haven’t found a solution that works in all cases.)

Update (2021-03-14): Alexander Grebenyuk:

I solved all these performance issues with one simple trick – rewriting the list using NSTableView.

[…]

Unlike iOS, macOS needs to know the size of every cell. It allows precise control using a scroll indicator. It appears that List attempts to implement self-sizing on top of NSTableView, but it’s destined to fail on macOS.

[…]

There is always a risk with SwiftUI. It is an exceptional tool, but you never know when you are going to hit a wall. My pure SwiftUI app uses NSTextView, NSSearchField, and now NSTableView and NSMenu.

Update (2021-03-19): Steve Streza:

SwiftUI is two things. It is 1) a declarative, reactive UI paradigm similar to React or Jetpack Compose, and 2) a new set of controls and views that mimic AppKit/UIKit.

1 is brilliant. 2 is absurdly frustrating at every turn, and feels like hacking non-native UI.

Update (2021-04-07): Alexander Grebenyuk:

Some basic things that are unproblematically done with Auto Layout are hard in SwiftUI, for example, matching view sizes or aligning views. The SwiftUI layout system is simply less expressive. The good things about it (stacks, grids, spacers) are easy to add to Auto Layout. And I still can’t build a complete mental model around the SwiftUI layout system. Auto Layout, on the other hand, makes total sense – it’s just math.

Dave Wood:

#SwiftUI is a disaster. I know of a team about to ship a production app built 100% with SwiftUI and it’s a UI shit show. Basic things that have worked fine since iPhone 2.0 just don’t work correctly with SwiftUI.

Update (2021-04-14): Ken Case:

Some things we wanted to do were easier than ever. Some things were much harder than one would hope. (E.g., SwiftUI will happily reclaim views which are scrolled offscreen, which can play havoc when one of those views is the first responder.) Creative experimentation required.

Update (2021-04-15): Marcin Krzyzanowski:

For the past 2 days, I’ve been dealing with a SwiftUI issue where NSViewRepresentable does something different than SwiftUI views and the hierarchy does not update properly. It’s the same hierarchy, and if I just replace the component with SwiftUI.Button, everything starts working.

Now I need to reimplement native NSSegmentedControl purely in SwiftUI views to make it work, and still, it won’t look as good as the native component (SegmentedPickerStyle is not enough for my needs).

SwiftUI is faster until it’s not.

Update (2021-06-07): Peter Steinberger:

Sometimes SwiftUI is just so random. Compare the two images. The context menu does work in one and doesn’t work on the other. Can you tell which one is the right one?

Outdated Software Keeps Inmates Beyond Their Release Dates

Jimmy Jenkins (via Hacker News):

According to Arizona Department of Corrections whistleblowers, hundreds of incarcerated people who should be eligible for release are being held in prison because the inmate management software cannot interpret current sentencing laws.

[…]

According to the sources, the entire inmate management software program, known as ACIS, has experienced more than 14,000 bugs since it was implemented in November of 2019.

The article calls this one of the bugs, but it sounds like the state changed the requirements without appropriating any funds to update the software. The estimated “2,000 additional programming hours” seems rather small given the scope of the program:

The ACIS software system replaced an older program called AIMS that had been in operation for more than three decades. According to a 2019 presentation to the Joint Legislative Budget Committee, the Department of Corrections has spent more than $24 million replacing the inmate management system. A department spokesperson testified that requirements for the project were poorly scoped from the beginning, resulting in a contract that went millions of dollars over budget.

frompdx:

Software is simultaneously infallible and the perfect scapegoat. The inmate who lost their phone privileges for 30 days is an example. They did nothing wrong but the computer says so and nothing can be done. The computer is right in the sense that its decision cannot be undone, and solely to blame since no human can undo its edict or be held accountable, apparently.

Clubhouse Wants to Upload Your Contacts’ Phone Numbers

Will Oremus:

When you join the fast-growing, invite-only social media app Clubhouse — lucky you! — one of the first things the app will ask you to do is grant it access to your iPhone’s contacts. A finger icon points to the “OK” button, which is also in a bolder font and more enticing than the adjacent “Don’t Allow” option. You don’t have to do it, but if you don’t, you lose the ability to invite anyone else to Clubhouse.

Via Nick Heer:

The permission dialog iOS presents users before an app is able to access their contacts is, in a sense, being presented to the wrong person: can you really consent on behalf of hundreds of friends, family members, and acquaintances? From a purely ethical perspective, the request ought to be pushed to every contact in the directory for approval, but that would obviously be a nightmare for everyone.

There are clearly legitimate uses for doing this. Allowing people to find contacts already using a service, as Clubhouse is doing, is a reasonable feature. It does not seem like something that can be done on-device, so the best solution that we have is, apparently, to grant apps permission to collect every contact on our phones. But that is a ludicrous tradeoff.

Guilherme Rambo:

Just had a poke at the Clubhouse app with a proxy, given the recent concerns about contacts usage. The bad part is that it uploads all of your contacts’ phone numbers (surprise!). The good part is that that’s the ‘only’ thing it uploads about them.

[…]

Another problem is that the API used to upload the phone numbers doesn’t seem to be using SSL pinning.

Dave Verwer:

I saw some suggestions that Apple should solve this with a Photos.app style “select which contacts can be accessed” permission, but is anyone going to go through their contacts manually, picking and choosing? I have just under a thousand records in mine from many years of personal+work life, and I bet that’s nothing compared to some people. It’s not practical. Maybe a solution would be to let the permission be on groups rather than individual contacts, but whose contact database is that well organised? Mine isn’t.

The other popular theory on how to solve this is that Apple should provide an API to hash contact information, allowing apps to match people without getting access to personal information. That’s one of those ideas that feels better and solves one aspect of the problem, but bad situations are inevitable when you match a full contacts database.

Update (2021-03-15): Jane Manchun Wong:

Clubhouse no longer requires contacts access for sending invites in the latest update!

You can now directly enter the number, or use the iOS contact picker (which doesn’t require contacts access) to send invites.

Excessive Mac SSD Wear

Hartley Charlton (Hacker News):

Across Twitter and the MacRumors forums, users are reporting that M1 Macs are experiencing extremely high drive writes over a short space of time. In what appear to be the most severe cases, M1 Macs are said to be consuming as much as 10 to 13 percent of the maximum warrantable total bytes written (TBW) value of its SSD.

[…]

It is not known how widespread the TBW issue is, but reports of strange SSD behavior are also now emerging from users with Intel-based Macs, suggesting that the TBW issue may not be exclusive to M1 Macs.

Dan Moren:

I ran the command-line tests on my own M1 MacBook Air versus my 2017 iMac, and it certainly did seem as though some of the numbers on the Air were higher than they should be, given the amount of relative use.

The numbers for older Macs reported on Accidental Tech Podcast also seem higher than I would have expected.

Update (2021-03-11): Ben Lovejoy (tweet):

Second, he says that SSD vendors have to be very conservative in their wear ratings, as it leaves them on the hook for warranty claims if a drive fails before reaching its rated wear limit. In practice, SSDs can commonly cope with four times as much wear.

Regardless, I think we need to figure out why macOS is writing (or reporting that it’s writing) so much more data than intuitively seems reasonable. And this is not an issue limited to M1 Macs.

Update (2021-05-25): Hector Martin:

Update on the macOS SSD thrashing issue: It seems the issue is fixed in 11.4. Feel free to try the betas if you’re adventurous, or wait for the final release.

It’s going to be interesting diffing the XNU kernel source once it drops and seeing what the bug was…
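
The “10 to 13 percent of TBW” figures above come from reading the drive’s NVMe health counters. As an added example (not code from the article, the podcast, or Apple), here is a script that turns those smartctl fields into the same kind of estimate; it assumes smartctl’s NVMe “SMART/Health Information” layout, and a hypothetical rated endurance of 600 TBW, since the output itself carries no rating.

```python
"""Turn smartctl's NVMe health fields into a TBW wear estimate.

Added example, not code from the article, the podcast, or Apple.
Assumes the "SMART/Health Information" layout that smartctl prints
for NVMe drives, and a hypothetical rated endurance of 600 TBW.
"""
import re

# NVMe counts host writes in data units of 1000 x 512-byte sectors.
BYTES_PER_DATA_UNIT = 1000 * 512

# Hypothetical endurance rating in terabytes written (an assumption;
# real drives differ, and smartctl does not print one here).
RATED_TBW = 600.0

# Constructed sample, modelled on `smartctl -a` output for an NVMe disk.
SAMPLE_SMARTCTL_OUTPUT = """\
=== START OF SMART DATA SECTION ===
SMART/Health Information (NVMe Log 0x02)
Critical Warning:                   0x00
Temperature:                        33 Celsius
Available Spare:                    100%
Available Spare Threshold:          99%
Percentage Used:                    3%
Data Units Read:                    20,105,934 [10.2 TB]
Data Units Written:                 42,968,501 [21.9 TB]
Host Read Commands:                 310,222,150
Host Write Commands:                198,123,777
Power On Hours:                     1,440
"""

FIELD_PATTERNS = {
    "data_units_written": r"^Data Units Written:\s+([\d,]+)",
    "power_on_hours": r"^Power On Hours:\s+([\d,]+)",
    "percentage_used": r"^Percentage Used:\s+(\d+)%",
}


def parse_smart_fields(text):
    """Extract the counters we need as ints (thousands separators removed)."""
    fields = {}
    for key, pattern in FIELD_PATTERNS.items():
        match = re.search(pattern, text, re.MULTILINE)
        if match is None:
            raise ValueError(f"smartctl output is missing field: {key}")
        fields[key] = int(match.group(1).replace(",", ""))
    return fields


def wear_report(text, rated_tbw=RATED_TBW):
    """Compute lifetime writes, share of rated TBW, and projected life."""
    f = parse_smart_fields(text)
    tb_written = f["data_units_written"] * BYTES_PER_DATA_UNIT / 1e12
    power_on_days = f["power_on_hours"] / 24.0
    # The write rate is undefined until the drive has some power-on time.
    tb_per_day = tb_written / power_on_days if power_on_days > 0 else None
    if tb_per_day:
        # Years until the remaining rated endurance is consumed at this rate.
        years_left = (rated_tbw - tb_written) / tb_per_day / 365.0
    else:
        years_left = None
    return {
        "tb_written": tb_written,
        "percent_of_rated_tbw": 100.0 * tb_written / rated_tbw,
        "percentage_used_reported": f["percentage_used"],
        "tb_per_power_on_day": tb_per_day,
        "projected_years_to_rated_tbw": years_left,
    }


def is_wearing_fast(report, min_years=5.0):
    """Flag a drive whose current write rate exhausts the rating too soon."""
    years = report["projected_years_to_rated_tbw"]
    return years is not None and years < min_years


if __name__ == "__main__":
    r = wear_report(SAMPLE_SMARTCTL_OUTPUT)
    print(f"{r['tb_written']:.2f} TB written, "
          f"{r['percent_of_rated_tbw']:.2f}% of {RATED_TBW:.0f} TBW, "
          f"{r['tb_per_power_on_day']:.3f} TB/day, "
          f"~{r['projected_years_to_rated_tbw']:.1f} years to rating; "
          f"wearing fast: {is_wearing_fast(r)}")
```

The drive’s own “Percentage Used” is the vendor’s wear estimate and is returned alongside the TBW arithmetic so the two can be compared.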

Thursday, February 25, 2021

Steve Jobs Stories

Juli Clover:

Apple co-founder and former CEO Steve Jobs was born on February 24, 1955, and if he was still alive, today would mark his 66th birthday.

Dave Mark:

The Computer History Museum pulled together a Clubhouse visit with some Apple luminaries, all on the occasion of Steve Jobs’ birthday[…]

Fry’s Electronics Closing

Bill Reynolds (via Hacker News):

Fry’s Electronics is closing business nationwide effective tonight.

Om Malik:

We applaud fashion designers like Paul Smith for creating a unique look for their stores across the world, but this is one area where Fry’s innovated as well. Fry’s was ahead of the curve in their belief in experiential retail. Each store had its unique theme. The Palo Alto store (my favorite) was straight out of the Old West. The store in Fremont had an 1893 World’s Fair theme. It was all kitsch, but it made visits even more memorable. And it attracted customers.

[…]

Thirty-six years is a long time for any company to exist, especially for a retailer. A lot of the vendors who sold their products on the shelves of Fry’s are long gone. The name “Zoom” belonged to a modem maker back in the day. And how many people remember AST? Undeniably, Fry’s had a good run. But we can’t forget the ultimate truth: Change is constant. And these days, things change more quickly than ever before. No place exemplifies that reality quite like Silicon Valley.

One-to-One IP Targeting

El Toro:

Specifically, El Toro offers: Targeting without having to use cookies, census blocks, or geo-location tools.

John Gruber:

Why doesn’t Apple build a VPN into its OSes? Or as an offering of paid iCloud accounts at least? At this point, if privacy truly is a paramount concern, it might be necessary to do everything over a trusted VPN. IP addresses are inherently not private.

I’ve wondered about this, too. Privacy as a service seems like a natural fit for today’s Apple. Sure, there are already lots of VPN services, but it’s hard to know which ones can be trusted.

Anker PowerCore Magnetic 5K Wireless Power Bank

Joe Rossignol:

First previewed at CES 2021, the PowerCore battery pack magnetically attaches to the back of any iPhone 12 model and provides 5W of wireless charging. With a 5,000 mAh capacity, the battery pack is capable of charging the iPhone 12 mini from 0% to 100%, the iPhone 12 and iPhone 12 Pro from 0% to around 95%, and the iPhone 12 Pro Max from 0% to 75%, according to Anker. The battery pack itself recharges via USB-C.

While the battery pack is compatible with the MagSafe system, it is not an official accessory, so charging is limited to 5W. Apple’s rumored MagSafe battery pack would likely be able to charge an iPhone 12 model at up to 15W, in line with the MagSafe Charger.

This is pretty cool, although I wonder whether the battery is thick enough to get in the way of the camera lens. You can also use the USB-C jack to charge other devices or the iPhone itself (more efficiently than wireless). Presumably you can also use a single cable to charge the PowerCore at the same time it’s charging the phone.

macOS 11.2.2

Juli Clover:

According to Apple’s release notes, the macOS Big Sur update prevents 2019 or later MacBook Pro models and 2020 or later MacBook Air models from being damaged when connected to certain third-party, non-compliant powered USB-C hubs and docks.

There have been several reports on Reddit from Mac users who have connected USB-C hubs and docks to their machines, resulting in the machine becoming non-functional. Affected Macs appear to go blank and unresponsive shortly after connecting the dock. Many of the users who experienced issues were using hubs and docks not purchased from reputable companies.

Howard Oakley:

The update is 2.6 GB for Intel models, and Apple doesn’t provide any details of changes which affect other models.

Are even minor updates huge these days because of the dyld_shared_cache?

Update (2021-03-14): See also: Mr. Macintosh.

Tuesday, February 23, 2021

The Context and the Logic

Soroush Khanlou:

How much of your time at your job is actually spent on writing the logic, and how much of it is spent preparing an environment in order for that logic to run? I wouldn’t be surprised at all if I found out that 98% of my time was spent on context.

[…]

First, that we all tell ourselves a lie: this job is primarily about the logic, interview candidates should mainly be tested on their ability to think about the logic, a “good” programmer is someone who can write the logic really well. In fact, an overwhelming amount of the job is making the context work.

And it seems like there’s more context to deal with now.

Similar Detritus Not Allowed

Daniel Jalkut (tweet):

I’ve noticed folks on Twitter and in developer Slacks coming up with the same problem. I don’t know if something has changed in the code signing toolchain, or we’re just having an unlucky break, but I thought I’d blog about it because it seems many people may need this advice now.

The error in question is always along these lines:

resource fork, Finder information, or similar detritus not allowed

I’ve long seen this error when there was a com.apple.FinderInfo or com.apple.ResourceFork extended attribute, but apparently it can now occur when there are no xattrs detectable by xattr. It’s a mystery what detritus is attached to the file.

Unified Office App for iPad

Nick Heer:

I am finding it difficult to adapt to increasingly unified applications on my Mac and iPad. I am not sure if this is an age and experience thing — I am used to switching between apps with multiple documents or windows open. Aside from web browsers and development environments, I use tabs infrequently within any apps because I am often juggling between many files. The advantages of thinking in an application-based model are outweighed, for me, by a document-based model.

This unified Office app has many of the same problems as, for example, Electron apps and web apps generally. Each document consumes the entire app. You can use the app in split screen, as Apple now requires, but it does not fully support multitasking within the app. So it is not possible to, for example, build a PowerPoint presentation based on a Word document outline, or reference one Excel spreadsheet while working in another.

Arizona Bill on App Store Payments

Regina Cobb and Leo Biasiucci:

The status quo is failing Arizonans, forcing us to pay inflated prices. It’s failing entrepreneurs, who are being forced to jump through hoops simply to get products to their customers. In fact, the only folks who seem to benefit from this setup are the monopolies – Apple and Google.

But we’re ready to change that – and Arizona is leading the charge. While D.C. sits on its hands, we are taking action now to challenge Big Tech’s monopoly and make Arizona a better place for every app user and app developer. We are fighting for HB2005, a bill to lower prices for consumers and free small businesses from Big Tech’s “app tax.” The legislation would allow web developers to accept payments for their apps without going through Apple or Google’s app stores, bypassing the app tax and reducing the cost for consumers without compromising security or safety.

Via David Heinemeier Hansson:

This is a more narrow bill than what was first proposed in North Dakota. It focuses exclusively on giving all developers the same kind of freedom in payment processing that Uber, Lyft, Amazon, and other physical goods apps already enjoy.

[…]

The hearing before the vote is being broadcast live on the Arizona State Legislature site.

[…]

“When we introduced the App Store in 2008, developers had to pay for the tools to build, they had to pay for their discs.” LOL. Like the internet didn’t exist in 2008? Sheesh.

“Apple: Developers had to pay 70% before the App Store was invented”, this is just terrible, horrible misinformation. Ugh. Sad to hear Apple advance this.

Apple doesn’t have the information on how much money they’ve made from the IAP cut!

Peter N Lewis:

From kagi.com’s 1997 web site: Kagi’s fees in 1997 were ~12%! More than a decade before the App Store. What a bunch of lying liars!

Update (2021-03-02): Juli Clover:

A Minnesota bill shared by Star Tribune would force Apple and Google to keep products from Minnesotan developers on their app stores even if those developers sell them directly or through other channels, skirting current in-app purchase rules.

Florian Mueller:

For state legislatures, the in-app payment part is particularly intriguing because lawmakers can directly benefit consumers in their states and, potentially, attract app development companies.

[…]

Of the three bills I’ve seen so far (Arizona, Minnesota, and North Dakota), my personal favorite is the language of the Grand Canyon State’s version of the bill, which would make it illegal for Apple and Google to “require a developer that is domiciled in this state to use a particular in-application payment system as the exclusive mode of accepting payments from a user to download a software application or purchase a digital or physical product or service through a software application” (emphasis added). As Apple and Google are based in California, not Arizona, the argument is apparently made by the bill’s opponents that this is interstate commerce and Arizona is just trying to favor its own companies, but again, the vote on constitutionality was unanimous and in favor of this proposal.

Juli Clover:

As outlined by Protocol, Apple has been working against the bill since last month. Apple lobbyist Rob Didiron began fighting the legislation before it had been formally introduced, with Apple also hiring additional lobbyists and sending lawyers to Arizona.

[…]

In a hearing last week, Apple’s chief compliance officer Kyle Andeer called HB2005 a “government mandate that Apple give away the App Store.”

Update (2021-03-11): Juli Clover:

The Arizona House of Representatives today passed HB2005, a state bill that would provide developers with an alternative to Google and Apple’s in-app purchase options by allowing developers to use their own payment solutions within apps.

Matt Stoller (via David Heinemeier Hansson):

All but one Republican voted for it and all but one Democrat voted against it. It’s too soon to declare app store monopolies over. The bill isn’t law, it has to pass both houses and be signed by the Governor first (and Apple has hired the former chief of staff to the Governor to lobby against it). It will now head to the state Senate, and potentially the Governor.

[…]

My guess is that this bill will become law somewhere, with enforcement conflicts to follow. Apple and Google will kick and scream, but as with Facebook and Australia, they will eventually fold.

Florian Mueller:

A couple of proposed amendments failed, while a proposal by Dr. Cobb (enabling app developers to complain to Arizona’s Attorney General about any failure by Apple or Google to comply) was adopted.

[…]

This remains interesting, and meanwhile there are initiatives in various other states. Today, the Minnesota Reformer website published an opinion piece by Justin Stofferahn and Pat Garofalo, calling on the Minnesota state legislature to “curb anti-competitive tactics” in order to become, once again, “an innovation center.”

Florian Mueller:

On the other side of the Big Pond, Apple’s purely pretextual defenses of its app store monopoly are falling apart. There were not one, not two, but three news cycles this week, two of which are bad news for Apple and the third is more likely than not to portend another decision against Apple[…]

Update (2021-04-16): Nick Statt:

The Arizona State Senate was scheduled to vote on an unprecedented and controversial bill Wednesday that would have imposed far-reaching changes on how Apple and Google operate their respective mobile app stores, specifically by allowing alternative in-app payment systems. But the vote never happened, having been passed over on the schedule without explanation.

Hartley Charlton:

Arizona’s proposed state bill “HB2005”, that would provide developers with an alternative to Google and Apple’s in-app purchase options by allowing developers to use their own payment solutions within apps, appears to have been abandoned after intense lobbying (via The Verge).

Monday, February 22, 2021

Epic Counterclaims, Europe, and Valve

Florian Mueller (also: AppleInsider, ArsTechnica, Hacker News):

Epic Games just reduced the potential risk it incurs from its antitrust dispute with Apple over its App Store business terms: Judge Yvonne Gonzalez Rogers of the United States District Court for the Northern District of California granted an Epic motion for judgment on the pleadings on some of Apple’s counterclaims. As a result, Apple’s counterclaims (unless an appeals court revives the ones the judge just threw out) are limited to breach of contract, which Epic already acknowledged in October it would be liable for should it lose its antitrust case against Apple.

Tim Hardwick (also: Florian Mueller, Reuters, Hacker News):

Epic Games has filed an antitrust complaint against Apple in the European Union, broadening its legal battle against the tech giant by attempting to appeal to the EU’s differing interpretation of antitrust issues compared to those in the United States (via The Wall Street Journal).

[…]

Europe uses different standards than the U.S. when it comes to antitrust issues, focusing more on fairness between competitors than their impact on consumers, which the U.S. tends to focus on. Epic has also filed similar lawsuits in Australia and the U.K., accusing Apple of an abuse of dominance.

Juli Clover:

Epic Games will not be able to expand its ongoing Fortnite fight with Apple in the UK after a judge said the case could not continue in London, reports Bloomberg.

[…]

The judge ruled that Epic Games’ case against Apple Inc. was better decided in the United States, but Epic Games is allowed to sue Apple (UK) Limited, a European arm of the company, and Google.

Hartley Charlton:

Apple has subpoenaed Valve in its ongoing lawsuit with Epic Games, demanding it provide huge amounts of commercial data about Steam sales and operations dating back several years, court filings have revealed (via PC Gamer).

[…]

Apple requested that Valve provide documents to show its total yearly sales of apps and in-app products, annual advertising revenues, annual sales of external products, and annual revenues and earnings from Steam. There are also more granular requests for the name of every app on Steam, the date range when every app has been available, and the price of all apps and in-app purchases.

[…]

The company also bristled at Apple’s request for Valve’s involvement in the case since Steam is not a competitor in the mobile space, saying “Valve is not Epic, and Fortnite is not available on Steam.” Valve goes as far as to allege that Apple is using the request as a shortcut to a vast amount of commercially-sensitive third-party data.

Wil Shipley:

Well, I guess now I’ll subpoena Apple and demand they release all their sales data for each app in the App Store.

Chris R. Donnelly:

The irony being they don’t retain that data for developers’ own sales on the App Store.

Swift Proposal: ConcurrentValue and @concurrent Closures

SE-0302 (forum):

This proposal describes an approach to address one of the challenging problems in this space — how to type check value passing between structured concurrency constructs and actors messages. As such, this is a unifying theory that provides some of the underlying type system mechanics that make them both safe and work well together.

[…]

One safe way to transfer reference types is to make a deep copy of the data structures, ensuring that the source and destination concurrency domains each have their own copy of mutable state. This can be expensive for large structures, but is/was commonly used in some Objective-C frameworks. General consensus is that this should be explicit, not something implicit in the definition of a type.

[…]

This proposal introduces the concept of a “marker” protocol, which indicates that the protocol has some semantic property but is entirely a compile-time notion that does not have any impact at runtime.

[…]

The ConcurrentValue protocol models types that are allowed to be safely passed across concurrency domains by copying the value. This includes value-semantic types, references to immutable reference types, internally synchronized reference types, @concurrent closures, and potentially other future type system extensions for unique ownership etc.

Chromebooks Outsell Macs

Johanna Romero (via ChrisLTD):

Back in November, we reported on how in Q3 of 2020 Chrome OS growth was exploding across the globe. Now, the newest report by Strategy Analytics has shown that this impressive growth has continued throughout Q4, to the point that Chrome OS has overtaken macOS’s #2 slot with 16.4% of the global Notebook PC market share.

Sami Fathi:

The data from IDC (via GeekWire) shows that Windows continues to dominate the market, although its share declined over the course of the year as Chrome OS surged past macOS into second place.

For the full year, the market share of Windows was down 4.9% in 2020 compared to 2019, while the Mac grew from 6.7% to 7.5%. IDC’s data includes collective information about desktops, laptops, and workstations, and doesn’t provide a breakdown of specific different product types.

A Retrospective Look at Mac OS X Snow Leopard

Riccardo Mori:

So, I used Snow Leopard on my 2009 MacBook Pro for about three years, and then again on a 2010 Mac mini that a friend gave me to maintain, as a sort of offsite backup. That Mac mini was kept on Mac OS X 10.6.8 for the whole four years it was in my custody (2011–2015) and it was switched off only twice during that period and maybe restarted four or five times in total. It enjoyed an insane uptime and it was a testament to Snow Leopard’s stability.

But back to my ‘gut-reply’, I wanted to be certain that my fond memories of Snow Leopard weren’t just nostalgia. While I am confident when I say that Snow Leopard is the most stable version of Mac OS, I wanted to make sure its user interface was really the good user interface and experience I was remembering.

Update (2021-03-02): See also: Hacker News.

Google vs. iOS App Privacy Labels

Eric Slivka (tweet):

Google today finally updated its YouTube iOS app for the first time in over two months, becoming one of the highest-profile Google apps to see an update since early December when Apple began requiring that developers disclose privacy practices for each of their apps in order to have their updates approved.

[…]

Google has denied that it is holding back iOS app updates in order to delay revealing its privacy practices, but many users have found that hard to believe considering the sudden slowing of app updates coinciding with Apple’s disclosure deadline and continued updates for Google’s various Android apps.

Earlier this week, the Gmail iOS app even began displaying “out of date” warnings when trying to add a new account, even though there is no new version of the app available and there have been no updates to the Gmail iOS app since December 1.

John Gruber:

A few hours later, and it seems like Google has pushed a server-side change to suppress these warnings. But the apps themselves were not updated, and Google still hasn’t supplied privacy nutrition labels.

My utterly uninformed theory is that Google somehow didn’t understand the magnitude of what these iOS privacy changes entailed. It’s not just about a single device identifier used for targeted advertising.

Ryan Jones:

Google’s first privacy label. Let’s look at their strategy:

“We collect a shit ton of private data, but we link it to an Identifier and then only use that identifier to track you.”

Deviously brilliant.

[…]

Forces Apple’s hand brilliantly… you want to take down YouTube, when no one in the press has even noticed?

[…]

The real question:

How did Apple App Review approve this!?

Clearly it skirts the rules, which were written overly-generic to stop this exact strategy.

Ryan Jones:

I’ve annotated the exact rule.

Read the highlighted sentences. It’s expertly written by Apple to capture exactly what Google is attempting.

[…]

Intent matters, not execution. If you use an ID for the purpose of tracking 100 other things… you are “tracking 100 other things.”

[…]

I hope that helps clarify that Google’s (and Facebook’s) privacy labels are most definitely breaking these rules.

Curtis Herbert:

I don’t think you get how privacy labels work.

They don’t have to say “track” for stuff used inside Google (which their ad network is). They only have to disclose track for stuff shared outside Google Inc.

They can build up a huge profile for someone and let third parties target that with ads, all while keeping the data internal (aka not “track”).

The key here is what Google shares, not what they ingest from third parties. They can grab all kinds of data from other companies, that doesn’t count for tracking (for Google, it counts for the other companies). It only counts if they share it.

Ryan Jones:

Here, read the highlighted parts as a sentence. Notice, sharing is not needed.

[…]

They don’t have to send it to anyone! If any data in the pool of data they use is from anywhere that’s not theirs - it’s tracking.

This is confusing, but I think Jones’ interpretation—that Google’s privacy nutrition label is breaking the rules—better matches the rules as written. (It’s possible but unlikely that Google has somehow segregated the data from the YouTube app so that it’s not linked with data obtained from SDKs in third-party apps or from Web sites running AdWords or Google Analytics.)

See also: this thread between Joe Cieplinski and me.

Previously:

Update (2021-03-15): Juli Clover (tweet, The Verge):

Google today quietly added App Privacy labels to its Gmail app, marking the first of its major apps to receive the privacy details aside from YouTube.

Ryan Jones:

Gmail added the privacy nutrition label…and said ZERO data is “used to track you”.

LOL okay. Embarrassing for Apple.

Update (2021-03-23): Juli Clover (Hacker News):

There was speculation that Google’s delay meant that it had something to hide, which DuckDuckGo is leaning into with a new tweet that highlights Google’s data collection and calls out the company for “spying” on users.

Google recently added App Privacy labels to its Google Search app, spelling out the extent of information that’s collected. For third-party advertising purposes, Google collects data that includes location, search history, and browsing history. Google’s own marketing data includes all of the above information along with contact info and device identifiers, plus there’s even more data collected for analytics, app functionality, and product personalization.

Update (2021-06-07): Ole Begemann:

Google Photos on iOS doesn’t launch unless you give it full access to all your photos, circumventing the selective photo library access privacy option. Perhaps not surprising from Google, but incredibly user-hostile nonetheless.

Friday, February 19, 2021

Apple Store Polices “Irrationally High Prices”

Guilherme Rambo:

It looks like Apple has started to crack down on scam attempts by rejecting apps that look like they have subscriptions or other in-app purchases with prices that don’t seem reasonable to the App Review team.

[…]

We were initially skeptical about the veracity of this email given some of the wording choices, but looking through Apple’s App Store Review Guidelines, it’s possible to find the term “rip-off” at least twice, such as in section 3, where Apple states that “we won’t distribute apps and in-app purchase items that are clear rip-offs.”

In contact with the developer of the rejected app, we were able to verify the authenticity of the rejection email from Apple. Unfortunately in this case, it seems clear that the rejection was a mistake.

See also: Ilia Kukharev.

Paul Haddad:

“Please note that App Store Review cannot make specific recommendations on the price for your app” Isn’t that exactly what they are doing?

If Apple thinks these prices are rip-offs shouldn’t they proactively refund anyone who paid those prices?

Francisco Tolmasky:

I wonder if Apple will apply the same rule to themselves to explain their iCloud and RAM pricing decisions…

Ryan Jones:

These apps will either a) change the price for review then instantly change it back b) lower by $1 and keep submitting until they find the max.

Paulo Andrade:

Maybe it’s just me but mandating the use of Apple provided views for subscribing (with clear monthly and yearly values) as well as an Apple provided view to display in-app for unsubscribing sounds like a better solution than having app review decide what’s worthy or not.

Previously:

Update (2021-02-22): John Gruber:

This is exactly the sort of crackdown I’ve been advocating for years. A bunco squad that looks for scams, starting with apps that (a) have high-priced in-app purchases and subscriptions, and (b) are generating a lot of money. Ideally Apple will crack down on all scams, but practically speaking, all that matters is that they identify and eliminate successful scams — and identify the scammers behind them and keep them out of the store.

Kosta Eleftheriou:

Apple trying to crack down on “irrational” pricing is an admission that @AppStore ratings just don’t work.

Fix the FAKE RATINGS and people will make it clear if some app’s price-to-value offering is bonkers.

David Barnard:

Apple appears to be making some changes to the “buy sheet” on iOS 14.5. Not quite as dramatic as I hope they’ll eventually do, but headed the right direction.

Nick Heer:

I have waffled a bit on whether it makes sense for Apple to be the filter for the appropriateness of app pricing. It has always been a little bit at the mercy of Apple’s discretion — remember the I Am Rich app? — but legitimate developers have concerns about whether their apps will be second-guessed by some reviewer as being too expensive. And I am quite sure that, if the hypothetical becomes a reality, it is likely to be resolved with a few emails. But developers’ livelihoods are often on the line; there are no alternative native app marketplaces on iOS.

The proof of this strategy’s success will be in Apple’s execution, but that in itself is a little worrisome. It is a largely subjective measure; who is an app reviewer to say whether an app is worth five dollars a week or five dollars a month? Apple does not have a history of wild incompetence with its handling of the App Store, but there are enough stories of mistakes and heavy-handedness that this is being viewed as a potential concern even by longstanding developers of high-quality apps.

Update (2021-09-08): Ilia Kukharev:

Now confirmed: Apple is rejecting apps with irrationally high prices for in-apps and subscriptions.

You have to explain why you are charging like $7.99 per week. Because of using 3rd-party paid services, or something similar.

Unhelpful App Store E-mail Receipts

Tyler Hall (tweet):

It’s always difficult to tell when Apple charges you for something and what it was for. Because unlike every other online retailer, they queue up email receipts for an indeterminate amount of time.

[…]

Huh. I have no idea what that receipt is for.

This is because, surprisingly, receipts don’t say which app the subscription is associated with.

Sure enough, the Apple ID in 12px font is for my 68-year-old mother. It was her purchase!

But I still have no idea what the app is. And I’m very suspicious because there’s basically zero chance she would ever willingly spend $39.99 on an app. Much less one that automatically renews.

[…]

The Order ID link doesn’t open anything in Mail.app on iOS.

On the Mac, it eventually leads to the Music app.

But there’s no way to search for your purchases. And even if you could, what would you search for? Apple’s receipt didn’t give you any meaningful information. Your only option is to scroll the list and see if you recognize the receipt’s app icon.

[…]

Let’s tap the “DOCUMENT NO.” link. (Now, if you’re a developer like me, you know exactly what comes next and why.)

iOS thinks it’s a phone number.

In the email receipt on my desktop browser, clicking the “Write a Review” link opens Chrome and once again asks if I want to open Music.app. Sure.

And there it is. Inside Music.app, right next to all my music playlists, the App Store page loads, and I can see my mom signed up for an automatically renewing $39.99 a year subscription for…

…a white noise app.

[…]

It may seem like innocuous onboarding steps, but I know for a fact - based on what comes next - that this developer is already using a dark pattern to trick customers into subscribing.

Jeff Johnson:

Apologists: “iOS App Store lockdown is necessary to protect people like your mother who aren’t computer experts.”

your mother: [scammed by iOS App Store]

Paul Haddad:

I think most people would agree that $40/year for a white noise app is a troublesome price. But does anyone want Apple deciding what fair prices are? I’d say no, but then again $40/year…

Previously:

Update (2021-02-22): David Wendland:

I’ve heard these email invoices have been corrected.

Safari to Support WebM Video Playback

Hartley Charlton:

Safari features support for WebM video playback in the second beta of macOS Big Sur 11.3 Beta, indicating that Apple’s browser will finally support the format after failing to do so for almost 11 years.

[…]

WebM also has a sister project called WebP for images. Last year, Apple added support for WebP in Safari 14, so the company’s approach to more niche media formats appears to be softening. WebM support still appears to be unavailable on iOS, but in light of these developments it would be unsurprising if Apple’s WebKit engine added support for it too in due course.

On Catalina, WebP files launch Preview, which can’t display them, and Safari 14 can’t open them, either.

Previously:

Update (2021-03-15): Noah Gilmore:

Turns out that WebP, the web-optimized image format developed by Google, isn’t supported natively by UIKit. Luckily it’s not too hard to implement support for it with the help of a small library and some deeper UIKit APIs.

Apple Adds Proxy for Safe Browsing Queries

Taha Broach (via Hacker News):

Apple’s privacy push is much more widespread than it seems at the surface. A perfect example is the new privacy feature in iOS 14.5 Beta 1 (V2) which redirects Google Safe Browsing traffic through Apple’s own proxy servers to enhance users’ privacy and to not let Google see your IP address.

Since Apple uses a hashed prefix, Google cannot learn which website the user is trying to visit. Up until iOS 14.5, Google could also see the IP address of where that request is coming from. However, since Apple now proxies Google Safe Browsing traffic, it further safeguards users’ privacy while browsing using Safari.

I still think that one could figure out with reasonable certainty which site the hashed prefix corresponds to. Presumably this also prevents the data from iPhone users in China from being shared with Tencent. On the other hand, now Apple gets the data and would be in a position to link it to your iPhone if it wanted to.
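As an added example (not code from the linked article, Apple or Google), here is what a Safe Browsing client actually hashes: the host-suffix/path-prefix lookup expressions from the Safe Browsing Update API, reduced to 4-byte SHA-256 prefixes, plus the lookup a party holding a candidate list of sites can do to map a prefix back to an expression, which is what the “reasonable certainty” remark above is about. It assumes URLs are already canonical; the spec’s full canonicalization (percent-decoding and so on) is not implemented.

```python
"""Safe Browsing lookup expressions and the privacy limit of hashed prefixes.

Added example, not code from the linked article, Apple or Google. It
implements the host-suffix / path-prefix expression rules of the Safe
Browsing Update API and hashes each expression to the 4-byte prefix a client
sends. It then shows why a prefix is weak cover for the URL: anyone holding a
candidate list of sites can hash the same expressions and map a prefix back.
Assumption: URLs are already canonical (the spec's full canonicalization,
percent-decoding and the like, is not implemented here).
"""
import hashlib
from typing import Dict, List
from urllib.parse import urlsplit

PREFIX_BYTES = 4  # Safe Browsing clients send 32-bit prefixes of SHA-256 hashes


def host_suffixes(host: str) -> List[str]:
    """Exact host, then up to four suffixes taken from the last five labels.
    The bare TLD is never used; dotted-quad IP hosts get no suffixes."""
    labels = host.split(".")
    if all(label.isdigit() for label in labels):
        return [host]
    out = [host]
    for i in range(max(1, len(labels) - 5), len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix != host:
            out.append(suffix)
    return out


def path_prefixes(path: str, query: str) -> List[str]:
    """Exact path with and without query, then '/' and up to three more
    directory prefixes grown from the root (four prefixes in total)."""
    out = [f"{path}?{query}"] if query else []
    out.append(path)
    directories = path.split("/")[1:-1]  # every segment except the last
    out.append("/")
    for k in range(1, min(len(directories), 3) + 1):
        out.append("/" + "/".join(directories[:k]) + "/")
    unique: List[str] = []
    for candidate in out:  # keep order, drop duplicates such as a repeated '/'
        if candidate not in unique:
            unique.append(candidate)
    return unique


def lookup_expressions(url: str) -> List[str]:
    """All host/path combinations a client hashes for one URL."""
    parts = urlsplit(url)  # drops the fragment; .hostname is lowercased
    host = parts.hostname or ""
    path = parts.path or "/"
    return [h + p for h in host_suffixes(host) for p in path_prefixes(path, parts.query)]


def hash_prefix(expression: str) -> str:
    """Hex of the first PREFIX_BYTES bytes of SHA-256(expression)."""
    return hashlib.sha256(expression.encode()).digest()[:PREFIX_BYTES].hex()


def prefix_table(candidate_urls: List[str]) -> Dict[str, List[str]]:
    """Map every prefix a candidate URL could produce back to its expressions."""
    table: Dict[str, List[str]] = {}
    for url in candidate_urls:
        for expression in lookup_expressions(url):
            bucket = table.setdefault(hash_prefix(expression), [])
            if expression not in bucket:
                bucket.append(expression)
    return table


def resolve(prefix_hex: str, table: Dict[str, List[str]]) -> List[str]:
    """Expressions from the candidate list that share this prefix. One entry
    means the prefix identified the site; several means a real collision,
    which with 2^32 prefixes and a few million candidates is rare."""
    return table.get(prefix_hex, [])


if __name__ == "__main__":
    # Constructed candidate list standing in for a dictionary of popular sites.
    candidates = ["https://example.com/", "https://example.org/",
                  "https://news.example.net/section/story"]
    table = prefix_table(candidates)
    observed = hash_prefix("example.com/")  # the prefix a client would send
    print(observed, "->", resolve(observed, table))
```

Proxying, as described above, hides the client IP from whoever answers the prefix query, but it does nothing about this mapping; that is why the author’s point stands for whichever party terminates the query.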

Previously:

Thursday, February 18, 2021

Citibank’s $500 Million UI Lesson

Timothy B. Lee (via Hacker News):

A federal judge has ruled that Citibank isn’t entitled to the return of $500 million it sent to various creditors last August. Kludgey software and a poorly designed user interface contributed to the massive screwup.

[…]

However, Revlon was in the process of refinancing its debt—paying off a few creditors while rolling the rest of its debt into a new loan. And this, combined with the confusing interface of financial software called Flexcube, led the bank to accidentally pay back the principal on the entire loan—most of which wasn’t due until 2023.

[…]

The subcontractor thought that checking the “principal” checkbox and entering the number of a Citibank wash account would ensure that the principal payment would stay at Citibank. He was wrong. To prevent payment of the principal, the subcontractor actually needed to set the “front” and “fund” fields to the wash account as well as “principal.”

Citibank’s procedures require that three people sign off on a transaction of this size. In this case, that was the subcontractor, a colleague of his in India, and a senior Citibank official in Delaware. All three believed that setting the “principal” field to an internal wash account number would prevent payment of the principal.

LastPass Pricing Changes

Dan DeMichele (via Jason Koebler, MacRumors, Hacker News):

LastPass offers access across two device types – computers (including all browsers running on desktops and laptops) or mobile devices (including mobile phones, smart watches, and tablets). Starting March 16th, 2021, LastPass Free will only include access on unlimited devices of one type.

[…]

In addition to this change, as of May 17th, 2021, email support will only be available for Premium and Families customers.

[…]

If you’d like unlimited device type access and email support, you can upgrade from Free to LastPass Premium for a limited time, for $2.25 per month (billed annually).

1Password is $2.99/month, billed annually, with a native Mac app.

m000:

A few years back, their free/premium tiers were looking similar to what they announced today. Only they charged a mere $15/year for premium, which I gladly paid.

Then, overnight, they offered syncing across all types of devices for their free tier. The premium tier was only adding some niche features. I would have continued to pay $15/year just to support them, but at the same time they bumped up premium to $36/year. That was a deal-breaker: not paying 2.5x for features I don’t use.

Now, they switch back to not syncing across all types of devices, but the premium price stays $36/year.

Previously:

Update (2021-02-19): Vítor Galvão:

This is a major (but seldom discussed) reason why so many hate subscription software. The rent price (or what it allows you) can change at any time. It’s a Darth Vader deal.

“Classic” licenses don’t suffer from that issue.

2021 State of Mac Malware

Malwarebytes Labs (MacRumors):

Overall Mac detections decreased by 38%, though Mac detections for businesses increased 31%

Malware accounted for just 1.5% of all Mac detections in 2020—the rest can be attributed to Potentially Unwanted Programs (PUPs) and Adware

ThiefQuest tricked many researchers into believing it was the first example of ransomware on macOS since 2017, but the malware was hiding its real activity of massive data exfiltration. It accounted for more than 20,000 detections in 2020

The full PDF report:

All that changed with macOS 10.15 (Catalina). We’ve entered a world in which no software in the entire industry can remove all components of these PUPs, because they’ve come under the protection of Apple.

Apple’s days of sitting on the fence are now over. With the protection involved in the system extension entitlement, there is no longer any middle ground. At the time of writing, Apple is implicitly siding with the PUPs, providing them protection against removal.

[…]

Notarization involves submitting apps to Apple. […] Adware developers responded in divergent ways. Some simply stopped signing their Adware, providing the user with instructions on how to bypass macOS security to run the unsigned installer. This means that they don’t have to bother with notarization, but they also don’t have to worry about Apple revoking their code signing certificate.

However, other Adware developers went the other way, and actually managed to get their malware notarized! In a number of cases, it appears to have passed the notarization checks without significant modification.

Previously:

Mail Search vs. Big Sur’s Fast User Switching

John Gordon:

In our case Ben and Emily both have non-admin accounts on her M1 Air running Big Sur 11.2.1 with fast user switching enabled. When Ben logs out Emily’s Mail search stops working. There’s no error message, but search does nothing and Smart Folders are inactive.

The fix is to kill corespotlightd.

See also: Marco Arment.

Ivan Pavlov:

Fast user switch also breaks Handoff/Continuity/Unlock with Apple Watch. Submitted multiple radars over the last 4 years, still not fixed. Mac needs a year of refinements and bug fixes with no new features.

Clayton Andersen:

I wonder if something fundamental to fast user switching changed with Big Sur. Had this bug for a while related to it too.

Code Signing When Building on Apple Silicon

Quinn:

codesign should choose the signing format based on the deployment target:

  • If your deployment target is 10.11 or later, you get sha256.
  • If your deployment target is earlier, you get both sha1 and sha256.

This problem crops up because, when building for both Intel and Apple Silicon, your deployment targets are different. You might set the deployment target to 10.9 but, on Apple Silicon, that’s raised to the minimum Apple Silicon system, 11.0. So, which deployment target does it choose?

The wrong one, if you’re trying to deploy to an older version of macOS. I’ve seen lots of posts about this problem in relation to installer packages, but it applies to apps, too.

The upshot is that you have problems if your deployment target is less than 10.11 and you sign on Apple Silicon. When you run on, say, macOS 10.10, the system looks for a sha1 hash, doesn’t find it, and complains.

You can work around this by setting OTHER_CODE_SIGN_FLAGS to --digest-algorithm=sha1,sha256.
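An added example (not Quinn’s code or Apple’s) of the check a release script should run before shipping to pre-10.11 systems: it parses the report that `codesign -dvvv` writes to stderr, compares its `Hash choices=` line against the digests the deployment target needs, and builds the signing command with the `--digest-algorithm=sha1,sha256` workaround only when the target is older than 10.11. The two sample reports are constructed to look like codesign’s output, with placeholder hashes.

```python
"""Check that a code signature carries the digests an old macOS can verify.

Added example, not code from the quoted post. It parses the text that
``codesign -dvvv`` writes to stderr and compares the ``Hash choices=`` line
against what the deployment target needs: sha256 only for 10.11 and later,
sha1 plus sha256 for anything older. The sample outputs below are
constructed to look like codesign's, not captured from a real bundle.
"""
import re
import subprocess
from typing import List, Set, Tuple


def version_tuple(version: str) -> Tuple[int, ...]:
    """'10.9' -> (10, 9); compare targets numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def required_digests(deployment_target: str) -> Set[str]:
    """Digests the signature must contain to verify on `deployment_target`."""
    if version_tuple(deployment_target) >= (10, 11):
        return {"sha256"}
    return {"sha1", "sha256"}


_HASH_CHOICES = re.compile(r"^Hash choices=(.*)$", re.MULTILINE)


def present_digests(codesign_dvvv: str) -> Set[str]:
    """Digests listed on the 'Hash choices=' line of `codesign -dvvv` output."""
    match = _HASH_CHOICES.search(codesign_dvvv)
    if match is None:
        raise ValueError("no 'Hash choices=' line; not codesign -dvvv output?")
    return {name.strip() for name in match.group(1).split(",") if name.strip()}


def missing_digests(codesign_dvvv: str, deployment_target: str) -> Set[str]:
    """Empty set means the signed binary will verify on `deployment_target`."""
    return required_digests(deployment_target) - present_digests(codesign_dvvv)


def codesign_argv(identity: str, path: str, deployment_target: str) -> List[str]:
    """Build the signing command, adding the workaround flag only when needed."""
    argv = ["codesign", "--force", "--sign", identity]
    if "sha1" in required_digests(deployment_target):
        argv.append("--digest-algorithm=sha1,sha256")
    argv.append(path)
    return argv


def inspect_signature(path: str) -> str:
    """Run codesign -dvvv on a real bundle (macOS only); the report is on stderr."""
    proc = subprocess.run(["codesign", "-dvvv", path],
                          capture_output=True, text=True, check=True)
    return proc.stderr


# Constructed sample reports (hash values replaced by placeholders).
SIGNED_ON_APPLE_SILICON = """\
Executable=/tmp/Example.app/Contents/MacOS/Example
Identifier=com.example.Example
Format=app bundle with Mach-O universal (x86_64 arm64)
Hash type=sha256 size=32
CandidateCDHash sha256=PLACEHOLDER
Hash choices=sha256
"""

SIGNED_WITH_WORKAROUND = """\
Executable=/tmp/Example.app/Contents/MacOS/Example
Identifier=com.example.Example
Format=app bundle with Mach-O universal (x86_64 arm64)
Hash type=sha256 size=32
CandidateCDHash sha1=PLACEHOLDER
CandidateCDHash sha256=PLACEHOLDER
Hash choices=sha1,sha256
"""

if __name__ == "__main__":
    for label, report in (("default", SIGNED_ON_APPLE_SILICON),
                          ("workaround", SIGNED_WITH_WORKAROUND)):
        gap = missing_digests(report, "10.9")
        print(f"{label}: {'OK' if not gap else 'missing ' + ', '.join(sorted(gap))}")
```

In an Xcode build the same flag goes into OTHER_CODE_SIGN_FLAGS as the post says; the check here is what catches the case where the flag was forgotten before a 10.10 user does.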

Update (2021-02-19): Peter Ammon:

#fishshell was bitten by this, it means we can no longer use Apple’s tools to codesign, so we use xar instead.

See also: Jonathan Deutsch.

Why Reporting Bugs to Apple May Harm Software Quality

Howard Oakley (tweet):

In recent years, I’ve grown concerned – as many of you have – at the increasing number of obvious bugs in release versions of macOS. In the last week or so, I’ve come across some real howlers: the Rich Text Spotlight importer which can’t import the content of RTF documents, Bluetooth status which is never up to date when you first check it, and most recently Big Sur installers and updaters which don’t work on external SSDs connected to M1 Macs.

[…]

Although Dave tested the changes he’d made, he didn’t have time to test whether the mdimporter still indexed the content of RTF files.

It doesn’t help that recent security changes have made it more difficult to test Spotlight importers.

I’ve now reached the stage where I simply don’t have time to report all these bugs, nor should I have to. Indeed, I’ve realised that in doing so, I only help perpetuate Apple’s flawed engineering practices. […] We let Apple get away with this by devoting our time to testing and documenting for Apple. […] Above all, there’s the threat. If we don’t complete Feedback, then Apple won’t know of the bug, and it won’t get fixed.

I’m frustrated, too, and I can certainly understand not having the time to report all the bugs one encounters. But I just don’t see how filing can hurt. Apple would still “get away with it,” and the bugs would be fixed even later, if at all.

If you’re an Apple engineer, please don’t take this personally. I don’t think the current system is good for you either, but at present Apple only seems to respond to public criticism.

I haven’t seen much correlation, personally. Some very public bugs go a long time with no fix. Some obscure ones that I file get fixed right away. Some serious ones get fixed 6 months or a year after I was forced to develop a workaround. Most never get fixed and are seemingly ignored.

Dave Wood:

Got a response to a radar I filed 3 years ago, about a bug in iCloud. They say they can’t look into it now because “the server logs from that date have rolled off”.

This is why I barely file bugs with Apple anymore. Just a waste of everyone’s time.

See also: How to Report Bugs to Apple So They Get Fixed.

Previously:

Update (2021-03-15): Nick Heer:

Often, I suspect, users will not attach all of the diagnostics needed for Apple’s developers to even find the bug. But I have to wonder how effective it is to be collecting so many system reports all of the time, and whether it is making a meaningful difference to the quality of software — particularly before it is shipped. I have hundreds of open bug reports, many of which are years old and associated with “more than ten” similar reports. How can any engineering team begin to triage all of this information to fix problems that have shipped?

Tuesday, February 16, 2021

Dash 6

Kapeli (tweet):

The interface was updated to feel more native, especially in macOS Big Sur

[…]

The most requested feature is here. I think I finally found a way to make full-text search fit well within Dash, alongside the results coming from the docset index.

Full-text search is opt-in. You have to manually enable it for the docsets you want, by opening the docsets in the docset browser and choosing “Enable full-text search”

Full text search is not supported for the Apple API Reference or Man Pages. In my limited testing it worked well for Python, though. Dash 6 retains the 5.x interface of having separate search fields for searching across pages and within the current page. I still haven’t fully adjusted to that. I find myself having to think about which keyboard shortcut to press, whereas the unified search field always felt natural. It’s $30 to buy the app or $20 to upgrade.

Previously:

PodSwap

Michael Potuck (via Ruffin Bailey):

With Apple’s official battery service for worn-out AirPods, you’re looking at $49 for AirPods and AirPods Pro (per headphone), and the same rate goes for any of the AirPods charging cases.

[…]

PodSwap is a relatively new service, and it looks like a great option to get your AirPods batteries replaced at a nice discount. You can swap in your gen 1 or gen 2 AirPods with dead batteries for a refurbished and sanitized pair with “restored battery life.”

The company has indeed found a way to replace AirPods’ batteries with “specially developed equipment.” You’re not getting an official Apple battery here, but PodSwap says it’s done independent testing to make sure “The batteries we use are similar in performance to your original ones from Apple.”

This costs $60 for a pair. They don’t yet support AirPods Pro.

Previously:

Update (2021-05-24): Jeff Carlson:

To be clear, Podswap doesn’t actually recondition and return your particular AirPods—that would take longer and require additional tracking. Instead, you receive someone else’s old pair with a new set of batteries.

[…]

Podswap makes it clear that the set you receive might have minor scratches or wear and tear, but the company also points out that every pair undergoes “ultrasonic micro-removal suction of dirt and organic debris, medical-grade solution treatment, and industrial-grade low temperature sterilization.” In other words, you’re not sharing someone else’s earwax.

Overall, I’m delighted by the Podswap experience and happy I can get new life out of my original investment, even if it requires two different physical units.

Why Does the Apple TV Still Exist?

Jason Snell (tweet, 2):

First, the arrival of the Movies Anywhere service has allowed most iTunes film (not television) purchases to migrate to other devices. Then in advance of the arrival of Apple’s TV streaming service, Apple made deals with the makers of TV sets and streaming boxes to add support for AirPlay, an Apple TV app, or both.

[…]

Gruber and Thompson suggest that perhaps the way forward is to lean into an identity as a low-end gaming console. Maybe amp up the processor power, bundle a controller, and try to use Apple Arcade to emphasize that this is a box that is for more than watching video.

The thing is, that’s really been the story of the Apple TV for the last few years, and so far as I can tell, it’s basically gone nowhere.

My Apple TV 3 is long in the tooth. Now we want to watch a show on HBO, which it no longer supports. But, and I’ve been thinking this for a year or two, this is not a good time to buy an Apple TV 4. It’s still got that awful remote, and surely version 5 will be out soon. I should probably just buy a Roku, now that they support AirPlay and iTunes content. I would miss the Flickr screensaver, though.

John Gruber (tweet):

Really, Apple Arcade is the only recent evidence that Apple remains strongly committed to the Apple TV platform. Every single Apple Arcade game is available on Apple TV — which is difficult for games designed for touchscreen phones. And I will bet that it’s been difficult for some games performance-wise to achieve 30+ FPS on Apple TV 4K. I think Apple’s requirement that Arcade games not just play but play well on Apple TV is a sign that they’re committed.

Cory Zanoni:

If my Apple TV 4K packed it in today, I’d buy a new one. Options are limited here in Australia and I’m not sold on Chromecasts or Fire Sticks. Asking Siri to jump through videos is just that good. The screensavers are incredible. tvOS, neglected as it is, is smooth. Then there are the services: Music and Fitness+ have their hooks in me.

Previously:

Update (2021-02-22): John Gruber:

Also, Apple TV is the only box known to protect your privacy. I think Roku is pretty bad in that regard — that’s how they sell for such low prices.

Jason Snell:

I think this is overstated. Roku defaults to tracking, you can turn it off.

Dman:

You can’t fully turn off Roku tracking. All you can do is turn off the most egregious kinds of profiling but Roku still tracks your usage patterns and what you watch / search for and there is NO WAY to turn that off.

John Gruber:

But even on an Apple TV box, you’re at the mercy of each app you use, and the major streaming services all collect information on everything you do.

[…]

But Roku (and similar boxes, and smart TVs) track you at the system level.

Benjamin Mayo:

What I want, what everyone wants, is a modern Apple TV with an updated processor. We will pay for the niceness. At $99, we’re sold. Like all of Apple’s products, the Apple TV should aim to fill the segment of the market that toes the line between being accessible to the masses and being aspirational luxury.

Mike Rockwell:

I’ve been a fan of the Siri Remote since day one. The ability to control HomeKit devices with my voice, being able to quickly swipe through lists, and essentially acting as a universal remote is just so nice. We don’t use any other remotes in our house. The Apple TV remote turns our TV on and off, controls the volume of our receiver, and interacts with the only non-game console connected to our television.

I would argue that it’s actually the best TV remote I’ve ever used.

[…]

If Apple wants to be in the living room, they need to make their own box to ensure a rock solid, predictable experience. I’m actually surprised that companies like Netflix and Hulu aren’t building their own boxes too.

Swift for TensorFlow Canceled

TensorFlow (via Francisco Tolmasky, Hacker News):

Swift for TensorFlow was an experiment in the next-generation platform for machine learning, incorporating the latest research across machine learning, compilers, differentiable programming, systems design, and beyond. It was archived in February 2021.

skohan:

It’s a shame. I had high hopes at the beginning that S4TF - and the investment in Swift from Google - would help Swift break out of the iOS ghetto and cement it as a mainstream language.

Alexis Gallagher:

Was very saddened to learn, in the Swift for TensorFlow design meeting this morning, that the project had been canceled.

But as this thread notes, much of the tech that was developed is freestanding and usable without tensorflow.

Fan Jiang:

[The] Differentiable Swift part made it into mainline and should be available in the official toolchain pretty soon. In retrospect, and from a user’s perspective, I think the team did a great job in modularizing the whole effort so a lot of the products will thrive, like the PythonKit and the Swift Jupyter kernel. One of the unfortunate (and fortunate) aspects is that S4TF is a bit too close with TF - TF is the reason why S4TF even exists, but it also tied the project image to TF, and makes contributing to S4TF libraries require understanding TF and XLA, which is by no means a simple job, especially in a market where elegance in code is yet not a first-class citizen.

See also: Swift: Google’s bet on differentiable programming (Hacker News).

Previously:

The Long Hack

Jordan Robertson and Michael Riley (Hacker News, 9to5Mac):

Bloomberg Businessweek first reported on China’s meddling with Supermicro products in October 2018, in an article that focused on accounts of added malicious chips found on server motherboards in 2015. That story said Apple Inc. and Amazon.com Inc. had discovered the chips on equipment they’d purchased. Supermicro, Apple and Amazon publicly called for a retraction. U.S. government officials also disputed the article.

With additional reporting, it’s now clear that the Businessweek report captured only part of a larger chain of events in which U.S. officials first suspected, then investigated, monitored and tried to manage China’s repeated manipulation of Supermicro’s products.

[…]

“In early 2018, two security companies that I advise were briefed by the FBI’s counterintelligence division investigating this discovery of added malicious chips on Supermicro’s motherboards,” said Mike Janke, a former Navy SEAL who co-founded DataTribe, a venture capital firm. “These two companies were subsequently involved in the government investigation, where they used advanced hardware forensics on the actual tampered Supermicro boards to validate the existence of the added malicious chips.”

The story has more than 50 sources, most anonymous. All the companies and the NSA still deny it. I guess the truth could be so bad that everyone is conspiring to cover it up, but in that case I still would have expected Bloomberg to present some more convincing details and evidence. I started reading this thinking they were going to go back and lock down the 2018 story, but that’s not what this is.

Nick Heer:

Robertson and Riley’s new report concerns the three specific incidents in the quoted portion above. There is no new information about the apparent victims described in their 2018 story. They do not attempt to expand upon stories about what was found on servers belonging to Apple or the Amazon-acquired company Elemental, nor do they retract any of those claims. The new report makes the case that this is a decade-long problem and that, if you believe the 2010, 2014, and 2015 incidents, you can trust those which were described in 2018. But if you don’t trust the 2018 reporting, it is hard to be convinced by this story.

This time around, there are many more sources, some of which agreed to be named. There is still no clear evidence, however. There are no photographs of chips or compromised motherboards. There are no demonstrations of this attack. There is no indication that any of these things were even shown to the reporters. The new incidents are often described by unnamed “former officials”, though there are a handful of people who are willing to have quotes attributed.

John Gruber:

It’s a 4,000-word exercise in journalistic sophistry. It creates the illusion of something being there, but there is nothing there.

Matt Tait:

tl;dr is a source misunderstood an FBI defensive briefing on China’s supply chain activities, leaked it to the press, and bloomberg has again failed to do the work necessary to verify the sensational claims, because they mistake impressive credentials with domain expertise.

[…]

Articles like this are constructed out of parts. There are a series of claims attributed to collections of sources, grouped into an overall story. The way to read them is to read carefully to break out the specific claims and the corresponding sourcing.

Previously:

Monday, February 15, 2021

Arq 7

Stefan Reitshamer:

Arq 7 is fully backward-compatible with backup data created by older versions of Arq, but it’s packed with new features. It’s been through 4+ months of internal and beta testing, so it’s solid.

Many of the features listed on that page were also in Arq 6. The more detailed change notes are here. The biggest change is that it’s no longer an Electron app. The new interface is a big improvement, much better than Arq 6 and in most respects better than Arq 5, too. (I’m not crazy about the new, unsorted, list of the paths to back up or the way exclusion rules are handled and duplicated.) You can once again navigate backup settings and restores without having to repeatedly enter your password. The backup logs are now integrated into the main part of the app, and you can jump from a backup’s settings to its latest log. And the global Arq menu clearly shows what’s happening with each backup. I did run into an issue where the ArqAgent process consumed 7.6 GB of private memory. After restarting my Mac and doing a few (smaller) backups, it so far hasn’t recurred. Overall, a smooth and trouble-free upgrade, unlike last time.

Previously:

Update (2021-02-22): Arq 7 costs $50 and includes one year of updates. You can optionally subscribe beyond that for $25/year. It continues to work well for me with the following exceptions:

Nicholas Riley:

A warning if you’re upgrading to Arq 7: check your retention settings first. Several of my family’s Macs ended up deciding everything was new from the Arq 5 backup, then this pushed the overall backup size over quota to the point that ALL of the backup history was deleted.

Thomas Clement:

Why does Apple keep restraining the snapshots API to select developers? Aren’t all developers treated equally?

All the apps that might have been but never will...

(and yes I applied to get access at some past job and we got refused for trivial reasons)

Previously:

Update (2021-03-14): I’m currently using Arq 7.2, and the memory use issue seems to be resolved. The app is apparently more efficient now about which changed files it tracks in RAM.

Friday, February 12, 2021

FastScripts 3 Beta

Daniel Jalkut:

Over the years I’ve had a lot of ideas about how FastScripts might evolve, and have worked on new features intermittently. As part of my recent decision to reinvest in Red Sweater, I decided to focus on finally shipping some of those features in a major 3.0 upgrade. Today, I’d like to share what I’ve got so far, as a public beta[…]

[…]

The major changes in this upgrade are the introduction of a search feature so you can easily sift through all the scripts in the menu, and a major overhaul to the way scripts are executed so that multiple scripts can be fired off in rapid succession without interfering with one another.

[…]

Apart from the changes listed above, I hope to soon offer the ability to monitor and cancel long-running scripts that are launched from FastScripts.

This great app is free while in public beta. I’ve been using the beta for several days with no problems.

Previously:

The Evolution of “safe” and “unsafe” in Swift

Joseph Heck:

One of the interesting take-aways is that the terms “safe” and “unsafe”, or at least the specific implications of when they’re used in the Swift language, are broadening what they cover with the upcoming changes. You could start to see it as early as last October when the Swift Concurrency Roadmap was published, but the wording wasn’t fully in place, more of just conceptual frameworks. The details of the broadening of the definition didn’t hit home for me until I caught up with the recent discussion on the pitch for task local values.

[…]

Across the recent pitches and proposals, some of the language terms that use safe are now being used to imply concurrency safety, somewhat independently of memory safety. The goal looks to be to provide APIs that have some guarantees about thread-safe access and updates. And along with the safe versions, there are some potential “unsafe” variants to use when you need the escape hatch and are willing to take on the thread safety guarantees yourself.

Paulo Andrade:

If you’ve ever encountered the dreadful UnsafeMutableRawBufferPointer or one of its friends and ran to stackoverflow… then this post is for you!

Previously:

Bad AppleScript: Fake RSS, Real Newsletter

Jason Snell (tweet):

Here was my bad idea: Just because MailChimp’s RSS system didn’t work the way I wanted it to didn’t mean I couldn’t make it work the way I wanted it to. I could set MailChimp to automatically mail out an email on Friday evenings to all Six Colors subscribers, based on an RSS feed.

And then I could write a script that would generate an RSS feed with a single entry, containing exactly the newsletter I wanted to send.

[…]

Though there are some ways to parse an RSS feed using the System Events app’s built-in XML parsing, it’s unreliable. Instead, I turned to the JSON format, which is much easier to work with, thanks to Mousedown Software’s excellent app JSON Helper, which converts JSON feeds into AppleScript objects.

Paul Taylor, RIP

Tom Hallman Jr. (via Hacker News):

“He saw there were old World War II teletype machines not being used,” said his daughter. “Another deaf engineer in California had come up with the way to send signals over phone lines. My dad came up with the coupler component the teletype needed. He then pressed Western Union to provide the old machines to deaf people and Bell telephone to use them on their lines.”

As rudimentary as it may seem now — both users needed a machine to type messages back and forth on what was called TTY, Telecommunications Device for the Deaf — it was as innovative when it launched in the 1960s as text messaging was when smart phones entered our lives.

[…]

In addition to teaching, Taylor advocated for a national operator relay system for the deaf to allow them to communicate with people who were not deaf and did not have a TTY machine.

Thursday, February 11, 2021

Native Mac APIs for Go

MacDriver (via Hacker News):

MacDriver is a toolkit for working with Apple/Mac APIs and frameworks in Go. It currently has 3 “layers”:

[…]

The objc package wraps the Objective-C runtime to dynamically interact with Objective-C objects and classes[…]

[…]

The cocoa, webkit, and core packages wrap objc with wrapper types for parts of the Apple/Mac APIs. They’re being added to as needed by hand until we can automate this process with schema data. These packages effectively let you use Apple APIs as if they were native Go libraries, letting you write Mac applications (potentially also iOS, watchOS, etc) as Go applications[…]

[…]

The bridge package takes advantage of this situation to create a higher-level abstraction more aligned with a potential cross-platform toolkit.

North Dakota Bill on App Stores

Juli Clover (Hacker News):

The North Dakota Senate this week introduced a new bill that would prevent Apple and Google from requiring developers to use their respective app stores and payment methods, paving the way for alternative app store options, reports The Bismarck Tribune.

[…]

Specifically, the bill would prevent Apple from requiring a developer to use a digital application distribution platform as the exclusive mode of distributing a digital product, and it would keep the company from requiring developers to use in-app purchases as the exclusive mode of accepting payment from a user.

Apple Chief Privacy Engineer Erik Neuenschwander spoke out against the bill, saying that it “threatens to destroy the iPhone as you know it” by requiring changes that would “undermine the privacy, security, safety, and performance” of the iPhone.

This argument basically assumes that it’s App Review, not iOS’s security features, that’s protecting users. Yet we have numerous examples of the App Store failing to do so, while at the same time mistakenly blocking good apps and developers. This happens both because the review process doesn’t scale and because it’s technically impossible to completely review how an app will behave. People definitely have more confidence installing software from an app store, but it’s mostly false confidence. Decades of experience with platforms like the Mac and Android that allow sideloading show that a more open approach works just fine. macOS’s anti-malware features have never been better.

See also: David Heinemeier Hansson (tweet).

Previously:

Update (2021-03-02): Juli Clover (Hacker News):

The North Dakota Senate today voted no on a new bill that would have paved the way for third-party app store options by preventing Apple from requiring developers to use its App Store and in-app purchase methods for apps.

Nick Heer:

If this bill had passed, what do you think Apple would have done?

  1. Stop offering products and services in North Dakota

  2. Construct an entirely separate iOS and App Store model for the citizens of North Dakota

  3. Upend its entire App Store business model

I know there are some developers who think the second and third options are likely, but North Dakota has less than a million residents. I think Apple could afford to forego Fargo.

David Heinemeier Hansson:

In my romantic, counterfactual dreams of Steve Jobs, I have him pulling @tim_cook aside and saying: “Do you really want to be a monopolist for the rest of your life, or do you want to change your mind and change the world?”. It’s never too late to choose to be different.

Because I simply refuse to believe that Jobs would have let himself end up in a fight to bully entire states alongside ALEC and the Koch Brothers. Letting the impression fester that Apple could pull a Facebook and cut off an entire state if it dared to govern against it.

Previously:

Facebook Ads Relied on Deprecated Chrome Feature

Shane O’Sullivan (via Hacker News):

Back in 2013 I was working in the Ads Interfaces organisation at Facebook, building mostly front end products (other people did the AI, database etc). We had an application called Power Editor which was the kitchen sink of products, and 25% of all Facebook revenue depended on it working. Every single thing you could do with ads on Facebook was supported in Power Editor (we called it P.E. for short).

[…]

I looked into the code base, and was shocked to find that the entire application depended on a technology called WebSQL. It only ran on Chrome, and Google had deprecated WebSQL over a year earlier. I kind of flopped back in my chair, dragged my manager to a room, and told him that Google could shut off 25% of Facebook’s revenue, and lose us all our large accounts, by turning off WebSQL in Chrome, and it could happen any time.

yholio:

Google couldn’t have killed Facebook by flipping that switch. The Power Editor users would have done whatever it takes to access the interface, installed an insecure older browser, run commands in the console, built a relay computer in their back yard, and so on. They will do whatever it takes because they are not choosing that platform for its features, they are professionals doing a job, and that job is reaching the user base of Facebook with their ads. If they can’t do that they will lose their jobs and clients.

I wonder if it’s really true that you can keep using an old version of Chrome against Google’s wishes.

Wednesday, February 10, 2021

Is Apple Banning Free Analytics SDKs?

Allen Pike (tweet, Hacker News):

The most popular analytics SDKs are free because they’re owned by companies that sell ads, or share data with those companies: Google Analytics, Flurry, and Google’s Firebase. Paid competitors like Mixpanel and Amplitude can be really powerful, but often cost thousands of dollars a year or more.

Now, I can’t find this said explicitly anywhere. But it seems like, along with the incoming restrictions on IDFA and ad attribution, Apple is also enacting a de-facto ban on these free analytics SDKs.

[…]

Firebase, Google Analytics, and Facebook have been releasing updates and documentation to help developers navigate Apple’s questions, but conspicuously they don’t directly answer them. Instead they answer different, related questions that are maybe helpful but are certainly not decisive.

John Gruber:

What’s becoming obvious is that these coming changes in iOS 14.5 are about a lot more than just the IDFA tracking identifier.

Previously:

Student’s Developer Account Mistakenly Terminated

Anne Drewa (also: MacRumors, tweet):

A free Indigenous language app developed by a first-year UBC student from Prince Rupert, B.C. is up and running again after Apple mistakenly accused the young developer of dishonest and fraudulent acts.

[…]

Eshom says he received an automated email from the tech giant telling him it was terminating his status as an Apple developer pursuant to the Apple Developer Agreement for dishonest and fraudulent acts related to that agreement.

[…]

He says he reached out to Apple multiple times for an explanation, but couldn’t get answers.

So, of course, he went to the press, and that worked.

Apple says more than a half-million developer accounts were terminated for fraudulent activity last year, which resulted in their apps being removed from sale. But Apple says Eshom’s developer account was regrettably included with the removals.

Via Jeff Johnson:

It’s impossible to intelligently “curate” at this scale. Nobody should have the power.

People claim that “at least App Store is better than the wild west”, but that’s false because App Store provides a platform and honeypot for malware.

Outside the App Store, it’s hard for a scammy app to get enough PageRank or traffic to go anywhere. Inside the App Store, instead of PageRank we have ratings and reviews, both of which can be easily faked. No opinions from trusted third parties show up when you search. So it’s actually easier for scams and malware to proliferate if they aren’t caught by App Review.

Previously:

Apple Removes Apps for Pakistani Government

Megha Rajagopalan (Hacker News):

Over the last two years, the government of Pakistan has forced Google and Apple to take down apps in the country created by developers based in other nations who are part of a repressed religious minority.

The move is part of a crackdown led by the country’s telecommunications regulator targeting the Ahmadiyya Muslim community. Adherents, called Ahmadis, number about 4 million in Pakistan. Though Ahmadis identify as Muslim, Pakistan’s government views them as heretics, and a 1984 ordinance forbids them from “posing” as Muslims, adopting Islamic religious practices, and referring to their houses of worship as mosques. Pakistan is the only country to declare that Ahmadis are not Muslim.

[…]

At issue are seven religious apps created by the Ahmadi community in the United States, published under the name “Ahmadiyya Muslim Community.”

Previously:

“EDR” Brings HDR to Non-HDR Displays

Stu Maschwitz (via Hacker News):

When I watched the announcement of this display, I was curious how Apple would handle an HDR video monitor that was also tasked with the mundane duty of displaying your email and a web browser. Was Apple planning on rendering the 255-255-255 “white” of Google’s home page at one brightness level, and the HDR overbrights from a video clip at a much brighter level, right next to each other, on the same display? […] The answer is a resounding “yes,” and the effect is both impressive and a bit unnerving.

[…]

So Apple has a method of showing HDR and SDR content together on the same screen. It works on every display Apple bills as “HDR,” even though the phones are performing the stunt using a different underlying technology than the 32″ Mac display. The XDR uses “local dimming” to light up an array of LEDs brighter behind the HDR pixels, as needed. The OLED displays drive each pixel to the desired brightness individually.

Apple groups all this under one umbrella they call EDR, or Extended Dynamic Range. And even as they tout EDR as a selling point of their professional display and flagship iPhones, Apple has also quietly extended it to older Macs that were never advertised as being HDR-capable.

Michel Fortin:

My observations support that the display brightness and color mappings change dynamically when some HDR content appears on screen. Those are reverted back to normal once the HDR image disappears. So no compromise on battery life until you put HDR content on your screen: the display is only made brighter while HDR content is visible.

[…]

On macOS Big Sur, when in dark mode, I noticed some white text labels are sensitive to EDR. (This looks like a bug.) When the video becomes visible on screen and EDR activates, those white text labels will slowly brighten at the same time as the video. I’ve located two of those labels for now: Safari’s active tab text (while the window is frontmost), and Gamma Control’s text label below the tabs (when the palette is set to translucent dark appearance). There’s also the checkmark for checked items in menus that appears affected. […] Another Big Sur issue: running an app that tweaks the gamma curve can break this EDR system temporarily.

Previously:

The Battle Inside Signal

Casey Newton (The Verge, Hacker News):

But Signal’s rapid growth has also been a cause for concern. In the months leading up to and following the 2020 US presidential election, Signal employees raised questions about the development and addition of new features that they fear will lead the platform to be used in dangerous and even harmful ways. But those warnings have largely gone unheeded, they told me, as the company has pursued a goal to hit 100 million active users and generate enough donations to secure Signal’s long-term future.

Employees worry that, should Signal fail to build policies and enforcement mechanisms to identify and remove bad actors, the fallout could bring more negative attention to encryption technologies from regulators at a time when their existence is threatened around the world.

[…]

Employees have been told that for Signal to become self-sustaining, it will need to reach 100 million users. At that level, executives expect that donations will cover its costs and support the development of additional products that the company has considered, such as email or file storage.

Previously:

Tuesday, February 9, 2021

macOS 11.2.1

Juli Clover:

According to Apple’s release notes, macOS Big Sur 11.2.1 addresses an issue that could prevent the battery from charging in some 2016 and 2017 MacBook Pro models.

Juli Clover:

According to an Apple security support document, the bug, CVE-2021-3156, was addressed in the update by updating to sudo version 1.9.5p2. Apple has also fixed the bug in Supplemental Updates made available for macOS Catalina 10.15.7 and macOS Mojave 10.14.6.
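A fleet check for that fix, added here as an example rather than anything from Apple or the linked articles: it parses the first line of `sudo -V` (assumed to have its usual shape, `Sudo version X.Y.ZpN`) and reports whether the installed sudo is at or above the 1.9.5p2 build named above. The sample output embedded below is constructed.

```sh
#!/bin/sh
# Added example: is the installed sudo at or above the version that fixed CVE-2021-3156?
# Assumes the first line of "sudo -V" reads "Sudo version X.Y.Z" or "Sudo version X.Y.ZpN".

FIXED_SUDO_VERSION="1.9.5p2"   # the version Apple shipped in macOS 11.2.1

# Turn a version such as "1.9.5p2" into one integer (1009005002) so that
# versions compare numerically. A missing "pN" patch level counts as p0.
sudo_version_key() {
    v=$1
    base=${v%%p*}                 # "1.9.5p2" -> "1.9.5"
    case $v in
        *p*) patch=${v##*p} ;;    # "1.9.5p2" -> "2"
        *)   patch=0 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $base                  # split "1.9.5" into $1 $2 $3
    IFS=$oldifs
    printf '%d%03d%03d%03d' "${1:-0}" "${2:-0}" "${3:-0}" "$patch"
}

# Extract the version token from "sudo -V" output (first line only).
sudo_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^Sudo version \([0-9][0-9.]*p\{0,1\}[0-9]*\).*/\1/p'
}

# Returns 0 when the given version is >= 1.9.5p2, 1 otherwise.
sudo_is_fixed() {
    [ "$(sudo_version_key "$1")" -ge "$(sudo_version_key "$FIXED_SUDO_VERSION")" ]
}

# Check the host this runs on; returns 1 if its sudo predates the fix, 2 if sudo is absent.
check_host_sudo() {
    out=$(sudo -V 2>/dev/null) || { echo "sudo not found on PATH"; return 2; }
    ver=$(sudo_version_from_output "$out")
    if sudo_is_fixed "$ver"; then
        echo "sudo $ver: includes the CVE-2021-3156 fix"
    else
        echo "sudo $ver: older than $FIXED_SUDO_VERSION, apply the OS update"
        return 1
    fi
}

# Constructed sample of "sudo -V" from an unpatched system (not taken from the page).
SAMPLE_OLD='Sudo version 1.8.31
Sudoers policy plugin version 1.8.31'

if sudo_is_fixed "$(sudo_version_from_output "$SAMPLE_OLD")"; then
    echo "sample: fixed"
else
    echo "sample: vulnerable"       # prints this for the 1.8.31 sample
fi
```

Run `check_host_sudo` on each Mac (or any host with sudo) to get a per-machine verdict and exit status.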

Mr. Macintosh:

A Full Installer of macOS Big Sur 11.2.1 is not available yet.

Neither is a downloadable update or combo update.

Previously:

Update (2021-03-15): Howard Oakley:

The most infuriating point about the failure of the 11.2.1 update is that it occurs at the last moment before the update should be installed: in order for that to begin, on an M1 Mac (but not Intel models), the user has to enter their password. That’s when it falls apart, because no matter what you enter, the installer refuses to accept it, shaking its dialog and refusing to progress every single time.

[…]

Because of another bug in the 11.2 installation process, which leads to the copying of the existing user as well as creation of a new account, I’ve tried updating from each of those two accounts, with identical failures.

The workaround which I tested when trying to install 11.2 was to run the full Big Sur installer.

Apple’s Supply Chain

Austin Carr and Mark Gurman (tweet, via Josh Centers, MacRumors):

Biden’s question put Cook, who’d become Apple’s CEO the previous August, in an awkward position. He was the architect of the strategy to outsource Apple’s production to China, a trend of increasing concern for the Obama administration. But Cook was also, as it turned out, extremely effective at deflecting political pressure. He was certainly more diplomatic than his old boss. Obama once asked Jobs the same question, and Jobs’s characteristically blunt reply landed on the front page of the New York Times: “Those jobs aren’t coming back.” Cook, though, was smooth and noncombative—so much so, in fact, that Riccitiello can’t recall exactly what he said to Biden. By the end of that year, Cook announced a small yet politically significant shift. Apple, he said, would start making some Macs in the U.S.

[…]

Foxconn eventually moved on to other PC parts, which it produced in sprawling factories around Shenzhen, near component suppliers. By the time Cook joined Apple, these centralized factory hubs were far more efficient than anything in the U.S. Apple sold off a huge Colorado plant in 1996, and after Cook arrived, he temporarily cut its Ireland-based manufacturing workforce, closed what was then its only remaining American production line, in Elk Grove, Calif., and outsourced more and more production to China, starting with laptops and webcams. (The Elk Grove facility is now used for refurbishing and repairs.)

[…]

Jobs’s death two years later caused skeptics to predict Apple would stagnate without a steady stream of his inventions; in fact, the real challenge was keeping supply up in China. Operations managers were scrambling to buy enough computer-controlled milling machines and laser cutters. Every millimeter was scrutinized for savings—as were even the seemingly least consequential parts. Three people familiar with the company’s supply chain say there was an Apple employee whose job consisted of negotiating the cost of glue.

iOS 14.5: Setting the Default Music Service

Jay Peters (tweet):

But users who have already installed the beta discovered another great feature: you’ll be able to select a third-party default music service when you ask to play a song using Siri — including Spotify (via MacRumors).

When you ask Siri to play a song on iOS 14.5, you may be prompted to select which app you want to use to play it, according to a screenshot shared on Reddit.

Next, how about supporting Google Maps and Alexa?

Previously:

Update (2021-03-11): Sarah Perez:

Apple has clarified that the iOS 14.5 beta is not actually allowing users to select a new default music service, as has been reported.

[…]

Apple also points out there’s no specific setting in iOS where users can configure a “default” music service, the way there is with email and browser apps.

[…]

More broadly, the feature is an attempt to help Siri to learn the listening apps you want to use for different types of audio content — not just music.

Benjamin Mayo:

Imagine instead that if upon opening Spotlight, Siri would launch the app it thought I wanted immediately. It would be infuriating. When it got it right, it would be cool but it won’t be able to get it right every time. These systems are always going to make mistakes, so you can’t go all in on a feature like that. Suggestions or recommendations are about as far as you can go without being frustrating. Even if it was correct 49 times out of 50, that one time it is wrong will mean you will never use it again.

This latest music app situation falls directly in that latter camp. Through this TechCrunch article, Apple is very determined to say that the app picker UI is only a guide for Siri rather than a strict default app setting.

Nick Heer:

It reminds me of that button in the Twitter app that allows you to toggle between an algorithmically sorted timeline and a reverse-chronological one. If you open the app often enough, it will usually stick with the last sorting mode you selected. But if you do not, it will revert to showing an algorithmic timeline. If you prefer reverse-chronological, it sucks.

It is a bit like if you went out to your car one morning and the seat and steering wheel were in a completely different position to the way you left it. It is uncomfortable. It is no longer yours.

Scammy WatchChat Competitors

WatchChat Alex (tweet, Dave Mark):

I have spent the last four years of my life working on my very successful app only to have it ruined by scam apps with very obvious fake reviews as well as false advertising claims that Apple does not take action against. I can literally prove they are fake but Apple refuses to take action for undisclosed reasons, allowing thousands more people to get scammed by these apps day by day.

[…]

As this app has gained more traction, we see real people rating the app, visualized by the constant stream of 1–2 negative reviews per day. Once the bad reviews get too heavy on the app, the developer just buys more than 200 positive reviews on a single day.

[…]

On their review order, they forgot to change the subject from what they usually order reviews for. The fake reviews literally comment Instagram-related stuff on a WhatsApp app.

[…]

To make these fake reviews look legitimate, the scammers have scraped reviews of MY application.

[…]

The developer uses screenshots… my screenshots!

Previously:

Remaining Issues New in Catalina

After staying on Mojave for an extra year due to the large number of issues with Catalina, I started using it on my main Mac with macOS 10.15.7. This post lists some of the problems I’ve run into that were not present in Mojave. These are user-facing bugs, not including the API bugs that I filed around the time Catalina was released. These are very unlikely to be fixed at this point, and it’s extra work to develop on Catalina and test on Big Sur, so I plan to upgrade to Big Sur soon. Xcode 12.5 will require it, but I’m hoping that a new version of SuperDuper will be released first.

Previously:

Update (2021-02-19): See also: Reddit.

Monday, February 8, 2021

Check Free Space Before Updating to Big Sur

Mr. Macintosh:

The macOS Big Sur upgrade is not checking for available HD space. The upgrade will run out of space and fail. Even worse, if FV2 encryption is enabled, you will be locked out of your data!

[…]

This isn’t the first time I’ve reported on update issues that could cause data loss. The 2019-001 Security update issue was close to this one. If you installed the 2019-001 Security Update and the Mac was encrypted, the user could be locked out.

[…]

If you have a T2 Mac, you will not be able to get into macOS recovery because your password will not work. This problem further complicates recovery efforts.

[…]

I feel for anyone who had this issue over the past 3 months. Almost every single situation ended up with an erase and reinstall losing all data.

The problem only seems to affect updating to Big Sur, not updating from macOS 11.1 to 11.2.
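A pre-flight check for the two conditions described above (too little free space, plus FileVault turning a failed upgrade into a lockout), added here as an example and not taken from Mr. Macintosh’s article. The required-space figure is a placeholder to replace with Apple’s published requirement for your starting version, and the `df` and `fdesetup status` outputs embedded below are constructed samples.

```sh
#!/bin/sh
# Added example: refuse to start a Big Sur upgrade when free space is short,
# and say so loudly when FileVault would make a failed upgrade a lockout.

# PLACEHOLDER: replace with Apple's stated free-space requirement for your Mac.
REQUIRED_GB=${REQUIRED_GB:-40}

# Whole gigabytes in the "Available" column of "df -Pk <path>" output.
# Assumes the POSIX layout: a header line, then one line for the filesystem.
free_gb_from_df() {
    printf '%s\n' "$1" | awk 'NR == 2 { printf "%d\n", $4 / 1048576 }'
}

# 0 when "fdesetup status" output says FileVault is on, 1 otherwise.
filevault_on() {
    case $1 in
        *"FileVault is On"*) return 0 ;;
        *)                   return 1 ;;
    esac
}

# Go/no-go decision from captured df and fdesetup output plus the threshold.
# Returns 0 only when it is safe to start the upgrade.
preflight() {
    df_out=$1; fv_out=$2; required=$3
    free=$(free_gb_from_df "$df_out")
    if [ "$free" -ge "$required" ]; then
        echo "free space: ${free} GB (need ${required} GB): OK"
        return 0
    fi
    echo "free space: ${free} GB (need ${required} GB): TOO LOW, do not start the upgrade"
    if filevault_on "$fv_out"; then
        echo "FileVault is on: an upgrade that dies mid-way here can lock you out of your data"
    fi
    return 1
}

# Run the check against the Mac this script is on (macOS only: fdesetup).
preflight_host() {
    preflight "$(df -Pk /)" "$(fdesetup status 2>/dev/null)" "$REQUIRED_GB"
}

# Constructed samples (not from the page): ~20 GB free with FileVault on,
# and 60 GB free with FileVault off.
SAMPLE_DF_LOW='Filesystem   1024-blocks      Used Available Capacity  Mounted on
/dev/disk1s1   488245288 467000000  21245288    96%   /'
SAMPLE_DF_OK='Filesystem   1024-blocks      Used Available Capacity  Mounted on
/dev/disk1s1   488245288 425330728  62914560    88%   /'
SAMPLE_FV_ON='FileVault is On.'
SAMPLE_FV_OFF='FileVault is Off.'

preflight "$SAMPLE_DF_LOW" "$SAMPLE_FV_ON" "$REQUIRED_GB" || echo "verdict: hold the upgrade"
preflight "$SAMPLE_DF_OK" "$SAMPLE_FV_OFF" "$REQUIRED_GB" && echo "verdict: safe to proceed"
```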

Previously:

Update (2021-02-19): Adam Engst:

If you or someone you know ends up in the Boot Recovery Assistant loop after attempting to upgrade to Big Sur, there are various workarounds, depending on whether or not your Mac has a T2 chip and whether or not you have enabled FileVault.

Filipe Espósito:

Apple has finally fixed the issue with a new build of macOS Big Sur 11.2.1, which properly checks if the disk has the required space before starting the upgrade process.

Intel’s M1 Benchmarks

Joe Rossignol:

Nearly three months after the launch of Apple’s rave-reviewed M1 Macs, Intel has fired back, but there are some asterisks involved.

In a slideshow shared by PCWorld this week, Intel highlighted what PCWorld described as “carefully crafted” benchmarks in an attempt to prove that laptops with the latest 11th Generation Core processors are superior to those with Apple’s custom-designed M1 chip.

Andrew E. Freedman (Hacker News, Slashdot):

Intel claims the 11th-Gen system, an internal whitebox with an Intel Core i7-1185G7 and 16GB of RAM, is 30% faster overall in Chrome and faster in every Office task. This largely goes against what we saw in our 13-inch MacBook Pro with M1 review, where benchmarks showed M1 to be largely on the same level, if not better.

[…]

Intel also claims that the i7-1185G7 is six times faster than M1 on AI-tools from Topaz Labs and Adobe Premiere, Photoshop and Lightroom functions.

[…]

In battery life, Intel switched to an Intel Core i7-1165G7 notebook, the Acer Swift 5, rather than sticking with the Core i7-1185G7 in the whitebook it used for performance testing. It also tested a MacBook Air. They ran Netflix streams and tabs and found the MacBook Air came out ahead with a six-minute difference.

Jason Snell:

Inconsistent test platforms, shifting arguments, omitted data, and the not-so-faint whiff of desperation.

Previously:

Update (2021-02-19): Juli Clover:

In ads shared on Twitter, Intel has been highlighting the shortcomings of Apple's M1 Mac lineup. An ad this week, for example, points out the gaming capabilities of Intel chips. Intel mentions Rocket League, a game that is not available on Apple's platform.

Filipe Espósito (tweet):

The new campaign has been running on Twitter and other websites claiming that there are some tasks that only Windows PCs can do. In one of the new ads, Intel says that “only a PC offers tablet mode, touch screen and stylus capabilities in a single device,” which is similar to what Microsoft does in Surface ads.

Another ad in the campaign is even more aggressive by claiming that Macs are not ideal for engineers and games, as Windows has a broader catalog of software and games than macOS.

iPhone’s Adult Content Filter Blocks Anything “Asian”

Victoria Song (via Hacker News):

Enabling Apple’s “Limit Adult Websites” filter in the iOS Screen Time setting will block users from seeing any Google search results for “Asian” in any browser on their iPhone.

[…]

The search result exclusion was initially reported by the Independent, but Gizmodo was also able to independently confirm that enabling the filter means any search tangentially related to “Asian” (i.e., Asian-American, Asian food, Southeast Asian, Asian restaurants near me, etc) will return a message reading “You cannot browse this page at ‘google.com’ because it is restricted,” or, “The URL was blocked by a content filter.”

[…]

Shen also told the Independent that he had filed a report to Apple in December 2019 pointing out the issue, but that he never received a response.

I was surprised to find that it really does seem to be blocking based on the keyword being in the URL. Google and Bing searches failed for me, as did viewing various Wikipedia pages.

Update (2021-04-07): Matt Binder (via Hacker News):

Mashable has confirmed that in the latest iOS 14.5 Beta, the adult content filter no longer blocks web searches containing the word “Asian.”

Call Recorder Succumbs to Apple Silicon

Ecamm:

Call Recorder for Skype is not compatible with Apple’s M1 Macs. […] Call Recorder for Skype will not be updated for compatibility with M1 Macs.

Jason Snell:

Over the past year, nearly every Skype update has broken compatibility with Call Recorder, requiring Ecamm to issue repeated updates and even change how the app behaves so that it automatically reinstalls itself after Skype kicks it out.

John Gruber:

With the exception of unusual episodes recorded with my guest(s) in person, I’ve recorded every episode of The Talk Show using Call Recorder. It does one thing and does it well, and I love the option to record all Skype calls automatically.

Stephen Hackett:

Call Recorder not surviving the Apple silicon transition is a real bummer, as it was the easiest way to record both local audio and audio from a Skype call, all automatically.

Jason Snell:

In fact, if I’m being honest, Call Recorder hasn’t been my primary audio-recording tool for years. That distinction goes to Audio Hijack, which works with any app (not just Skype). But I have kept Call Recorder running for every Skype call I make, sometimes as my primary recorder, more often as a backup.

There’s a broader issue here, though. We rely on tools, and we build whole workflows around those tools. Remove the core tool from the bricolage of software, hardware, and mental calculation that forms a computer workflow, and you might end up never noticing—or the whole thing might collapse like a wobbly Jenga tower.

David Sparks:

I can’t recall Audio Hijack ever failing me. Nevertheless, I really felt good knowing I had that Skype Call Recorder backup. With its demise, I can make a backup of me alone using QuickTime, but it’s really not the same. I’m not capturing the entire call. I’ve been talking to other podcasters about this dilemma and the collective wisdom seems to be leaning toward moving the entire recording process over to Zoom.

Nick Heer:

I wish software were more durable over the long term, but that comes with its own baggage. That has long been the wrench in the spokes of Microsoft’s bicycle: some companies depend on software written when I was learning to walk.

On an individual level, we have to be okay with adaptation, but it is hard.

Previously:

Friday, February 5, 2021

Homebrew 3.0.0

Mike McQuaid (MacRumors, Hacker News):

The most significant changes since 2.7.0 are official Apple Silicon support and a new bottle format in formulae.

[…]

formulae.brew.sh formula pages indicate for which platforms bottles (binary packages) are provided and therefore whether they are supported by Homebrew. Homebrew doesn’t (yet) provide bottles for all packages on Apple Silicon that we do on Intel x86_64 but we welcome your help in doing so. Rosetta 2 on Apple Silicon still provides support for Intel x86_64 in /usr/local.

[…]

Particular thanks on Homebrew 3.0.0 go to MacStadium and Apple for providing us with a lot of Apple Silicon hardware and Cassidy from Apple for helping us in many ways with this migration.
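The release notes point at the formula pages to see which platforms have bottles. The same information is available from `brew info --json=v2`, and the manifest also carries each bottle's SHA-256, which is the supply-chain check that matters when you mirror or pin bottles. The following is an added example, not Homebrew's own code: it assumes the v2 JSON layout (`formulae[].bottle.stable.files.<tag>.{url, sha256}`) and the `arm64_` tag prefix for Apple Silicon bottles; the sample document and the "bottle" bytes are constructed for the demo.

```python
"""Added example, not Homebrew's own code: list the platforms a formula has
bottles for and verify a bottle's SHA-256 against the manifest before
trusting it. Assumed layout (from `brew info --json=v2`):
formulae[].bottle.stable.files.<tag>.{url, sha256}. The document and the
bottle bytes below are constructed for the demo."""
import hashlib
import hmac
import json
from typing import List

# Constructed stand-in for `brew info --json=v2 example-tool` output.
FAKE_ARM64_BOTTLE = b"constructed arm64 bottle bytes"
FAKE_X86_BOTTLE = b"constructed x86_64 bottle bytes"
SAMPLE_BREW_INFO = json.dumps({
    "formulae": [{
        "name": "example-tool",
        "bottle": {"stable": {"files": {
            "arm64_big_sur": {
                "url": "https://example.invalid/example-tool-1.0.arm64_big_sur.bottle.tar.gz",
                "sha256": hashlib.sha256(FAKE_ARM64_BOTTLE).hexdigest(),
            },
            "big_sur": {
                "url": "https://example.invalid/example-tool-1.0.big_sur.bottle.tar.gz",
                "sha256": hashlib.sha256(FAKE_X86_BOTTLE).hexdigest(),
            },
        }}},
    }]
})


def _bottle_files(brew_info_json: str, formula: str) -> dict:
    """Return the {tag: {url, sha256}} map for `formula`, {} if it has no bottle."""
    doc = json.loads(brew_info_json)
    for entry in doc.get("formulae", []):
        if entry.get("name") == formula:
            return entry.get("bottle", {}).get("stable", {}).get("files", {})
    raise KeyError(f"formula not in document: {formula}")


def bottle_platforms(brew_info_json: str, formula: str) -> List[str]:
    """Bottle tags the formula ships, e.g. ['arm64_big_sur', 'big_sur']."""
    return sorted(_bottle_files(brew_info_json, formula))


def has_apple_silicon_bottle(brew_info_json: str, formula: str) -> bool:
    """Apple Silicon bottle tags carry an arm64_ prefix (assumed naming)."""
    return any(tag.startswith("arm64_") for tag in bottle_platforms(brew_info_json, formula))


def verify_bottle(brew_info_json: str, formula: str, tag: str, data: bytes) -> bool:
    """True if `data` hashes to the manifest's sha256 for `tag`.
    Constant-time comparison; raises KeyError for an unknown tag."""
    expected = _bottle_files(brew_info_json, formula)[tag]["sha256"]
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(expected, actual)
```

Homebrew checks the bottle checksum itself during `brew fetch`/`brew install`; the explicit check is for the case where you mirror bottles internally or want to pin a manifest and fail closed if the artifact behind a tag changes.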

AdWords Phrase Match Changes

Google:

Over the years, we’ve improved our understanding of intent to make it easier for you to reach your customers. For example, your keywords can now match to the meaning of a search, and broad match is now more effective at driving performance–especially when paired with Smart Bidding. With these improvements, we’ve seen that phrase match and broad match modifier often serve the same use cases, and that you can reach more of the right customers through a combination of the two.

That’s why, starting in two weeks, we’re rolling out changes to phrase match and broad match modifier that make it easier for you to reach your customers, no matter how they’re searching.

[…]

To give you more control and better reach, we’re bringing the best of broad match modifier into phrase match. As a result, phrase match will expand to cover additional broad match modifier traffic, while continuing to respect word order when it’s important to the meaning. This makes it easier to reach customers and manage keywords in your account.

It sounds like less control to me, because there’s no longer a way to specify an exact phrase. Google will now show an ad for different words than what you specified, and even if additional words have been added in between. It’s all subject to the judgement of their AI.

macOS 11.3 Beta

John Voorhees (tweet, MacRumors):

Similar to iOS and iPadOS, Reminders is gaining the option to print lists. Music adds a dedicated ‘Made For You’ section in the sidebar that includes your annual Replay playlists and Apple’s personalized algorithmic playlists. The Listen Now tab will also suggest upcoming live events tuned to your music tastes. There’s an enhanced News+ tab in Apple News designed to make it easier to access magazines and newspapers and manage downloaded issues. Sony PS5 DualSense and Xbox Series X/S controllers are supported too.

Finally, the experience of using iOS and iPadOS apps on the Mac got a boost too. There’s a brand new Preference pane in iPhone and iPads running on an M1 Mac that provides more keyboard control over touch commands. Apps can also be opened in larger windows.

See also: macOS 11.1 to 11.3 API Differences.

Previously:

Yottamaster 4-Bay Hard Drive Enclosure

Tyler Hall:

But it always drove me crazy giving up USB ports for multiple drives. And especially the awfulness of giant power bricks and their cables. I have no idea why I never thought to look for something like this before, but that silver box is perfect for my needs (non-affiliate link).

It’s just a hard drive enclosure with four bays. But it’s not RAID or anything fancy like that. It’s a single power cable and a single USB cable. But each drive mounts individually on my Mac as if they were all plugged in separately. I don’t want the overhead of dealing with a RAID array. I’m perfectly content spanning my data across multiple drives myself, so this is a terrific and inexpensive solution.

It’s $100 for the USB 3.0 version or $170 for the USB 3.1 version. There’s a fan, but it’s “silent.” Reviews mention the lack of a hard power switch.

See also:

Previously:

Thursday, February 4, 2021

Apple Wants Developer Transition Kits Back

Filipe Espósito (Hacker News, MacRumors, tweet):

In an email sent to developers today, Apple says that soon developers will have to return the Developer Transition Kit (DTK) as it was only designed to test the apps on the Apple Silicon platform.

[…]

As developers had to pay $500 to get the custom Mac mini with A12Z Bionic chip, Apple will offer a $200 credit for each DTK returned. This credit can be used as a discount to buy a new M1 MacBook Air, MacBook Pro, or Mac mini.

On the one hand, the DTK served its purpose, and I was able to get all my apps working with the M1 Macs by the day they were released. I think it was worth $500 to me in marketing/reputation, as well as personal peace of mind. (Of course, this also benefited Apple’s platform and hardware sales to some extent.) On the other hand, Apple’s e-mail is a bit disappointing for several reasons.

First, although the contract didn’t say that there would be any credit, a lot of people were expecting to get the $500 back, or more, based on the precedent Apple had set.

nutmac:

During the Intel transition, Apple offered Mac Pro (cheese grater design) for $999. In exchange for returning Intel Developer Transition Kit, Apple offered 17-inch iMac, which I think retailed at $1699.

Or was it $1,299? In any case, developers were able to keep the Intel DTKs until the end of 2006, i.e. about 18 months, by which point the iMac, 15-inch MacBook Pro, and Mac Pro had all been released.

This time around, the agreement said that we could keep the DTKs for 13 months (12-month term plus 30 days), but then it also said that Apple could ask for them back whenever it wanted:

You agree to promptly return the Developer Transition Kit to the Apple address designated by Apple no later than thirty (30) days after the end of the Term, or as otherwise earlier requested by Apple (including via email or announcement by Apple on developer.apple.com). At the end of the Term, You agree to immediately cease all use of the Developer Transition Kit and the Universal App Quick Start Program. Failure to return the Developer Transition Kit may result in the suspension of Your Developer account or termination of Your Developer Agreement.

A few weeks more for Apple to e-mail us, plus 30 days, would be mid-March. Apple started taking applications for the program last June, and some developers didn’t receive their DTKs until July or August. So that’s much less than a year of actual use.

The main issues for me are:

I had been hoping to keep my DTK for the full year, until I could replace it with the actual M1 Mac that I plan to use. But it looks as though I’ll need to buy a temporary M1 Mac just to maintain the ability to test Apple Silicon apps. Others have already bought an M1 Mac and won’t be able to use the credit unless they buy another.

Previously:

Update (2021-02-05): Tom Harrington:

Apple dev support confirmed to me that the DTK return credit is not transferable, so if you can’t use it, you can’t give it to someone who could.

Update (2021-02-08): Juli Clover (tweet, John Gruber):

Apple has now reversed course and upped the credit, and will now be providing developers with $500 to put toward an M1 Mac or any other Apple product. The time limit to spend the credit has also been increased, with Apple giving developers until the end of the year to use it.

Great news. I’m surprised that Apple responded, and so quickly. It also remains surprising that Apple didn’t announce this back in November when the first M1 Macs shipped, like it did when announcing the first Intel Macs. That would have worked out better for the developers who purchased M1 Macs right away. The three-month delay makes it seem like Apple hadn’t thought about what it wanted to do, then abruptly decided that it wanted the DTKs back, stat.

Apple:

Note that the DTK will no longer receive publicly available software updates after macOS Big Sur 11.2. We encourage you to return it as soon as possible so that your development work is not interrupted. And once you return the DTK, you’ll receive your Apple credit.

Mr. Macintosh:

Just because you can update the DTK to 11.3 Beta, doesn’t mean you should🤣

Upgrading to 11.3 will disable both USB-A ports with firmware update 6723.100.321😳

This pretty much eliminates the incentive to hold onto the DTK as long as possible for testing purposes. I guess I’ll send mine back and cross my fingers that nothing breaks before Apple announces new Macs. In a pinch, MacStadium has monthly rentals. AWS is still limited to Intel-based Macs.

Update (2021-02-19): John Gruber:

I think it’s exactly what Apple’s second email states: someone at Apple thought $200 credit was a generous offer, the offer went out, Apple realized they made a mistake based on developer reaction, and they issued a new offer — 2.5× more costly in dollars, but clearly worth it to Apple in goodwill — within one day. My quibble isn’t that Apple made a mistake with the amount of the “appreciation credit”, but with why it took them so long to make the initial offer. Why not have it ready in December — especially given that the DTKs really are sort of crummy machines, and the M1 Macs are vastly superior in both performance and reliability? Apple should have done whatever it could to get developers to move from DTKs to production M1 Macs as soon as possible.

Make few mistakes, but recognize the mistakes you do make quickly, admit to them, and fix them. That’s the recipe.

Update (2021-03-09): Phil Dennis-Jordan:

Falsehoods the people at Apple running the Universal App Quick Start/DTK Programme believe[…]

Deleting DerivedData the Right Way

Jeff Johnson:

Finder is good about automatically unregistering apps with Launch Services when you put them in the trash and empty it (but not before emptying the trash). However, the rm command-line tool bypasses the trash, and thus also bypasses Launch Services. This means that any registered apps in the removed folder remain in the Launch Services database, effectively forever

[…]

I know that a lot of developers like to use a command-line tool to delete DerivedData. So the question is, how do you do this the right way? The answer is, of course, to do it like Finder! You can use AppleScript to control Finder, and you can call AppleScript from Terminal with the osascript command-line tool.

Presumably, -[NSWorkspace recycleURLs:completionHandler:] can also be used to do this programmatically.

Previously:

Update (2021-02-08): Thomas Tempelmann:

NSWorkspace recycleURLs creates a unique thread for each file to be deleted pre-10.15. And if you delete > 8200 items at once, you get a crash in 10.12 and 10.13 due to thread exhaustion.

But I think that only refers to top-level items passed as parameters, so it should be fine for this purpose.

Ali Rantakari’s trash is a command-line tool that uses Apple events to tell Finder to move a file to the trash.
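A worked version of the osascript approach, as an added example that is not from Jeff Johnson's post or Rantakari's tool: it asks Finder to trash the folder so Launch Services unregisters any `.app` bundles inside it when the Trash is emptied, and it validates the path before handing it over. Assumptions: Finder's `delete` verb accepts a `POSIX file` reference, and the default DerivedData location below.

```python
"""Added example, not from Jeff Johnson's post: trash a DerivedData folder
by asking Finder to do it (via osascript), so that .app bundles inside are
unregistered from Launch Services when the Trash is emptied, unlike rm -rf,
which leaves stale registrations behind. Assumed: Finder's `delete` verb
accepts a `POSIX file` reference; the default path below."""
import os
import shutil
import subprocess
from typing import List, Optional

DEFAULT_DERIVED_DATA = os.path.expanduser("~/Library/Developer/Xcode/DerivedData")


def finder_trash_script(path: str) -> str:
    """AppleScript that moves `path` to the Trash through Finder.
    Backslash and double quote are escaped so the path cannot break out of
    the AppleScript string literal."""
    escaped = path.replace("\\", "\\\\").replace('"', '\\"')
    return f'tell application "Finder" to delete POSIX file "{escaped}"'


def osascript_argv(path: str) -> List[str]:
    """argv for osascript; passing the script via -e avoids shell quoting."""
    return ["osascript", "-e", finder_trash_script(path)]


def trash_via_finder(path: str = DEFAULT_DERIVED_DATA,
                     within: Optional[str] = None, run=None) -> int:
    """Validate `path`, then hand it to Finder. Returns osascript's exit status.
    Refuses missing paths, symlinks, and anything outside `within` (default:
    the home directory), so a mistyped path cannot trash the wrong tree.
    `run` exists so tests can substitute for subprocess.run."""
    if os.path.islink(path) or not os.path.isdir(path):
        raise FileNotFoundError(f"not a directory: {path}")
    real = os.path.realpath(path)
    base = os.path.realpath(within or os.path.expanduser("~"))
    if os.path.commonpath([real, base]) != base:
        raise ValueError(f"refusing to trash {real}: outside {base}")
    if run is None:
        if shutil.which("osascript") is None:
            raise RuntimeError("osascript not found; Finder is only available on macOS")
        run = subprocess.run
    return run(osascript_argv(real), check=False).returncode


if __name__ == "__main__":
    raise SystemExit(trash_via_finder())
```

After emptying the Trash, the Launch Services database can be checked for leftovers with `/System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -dump` piped through `grep DerivedData`; the dump is large, but a build-products bundle that still appears there is exactly the stale registration the post warns about.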

SwiftDtoa v2

tbkka (via Steve Canon):

SwiftDtoa is the C/C++ code used in the Swift runtime to produce the textual representations used by the description and debugDescription properties of the standard Swift floating-point types. This update includes a number of algorithmic improvements to SwiftDtoa to improve portability, reduce code size, and improve performance but does not change the actual output.

[…]

Parsing the decimal form will yield exactly the same binary floating-point value again.

[…]

Among all accurate forms, this form has the fewest significant digits.

[…]

Algorithms that can produce this “optimal” output have been known since at least 1990, when Steele and White published their Dragon4 algorithm. However, Dragon4 and other algorithms from that period relied on high-precision integer arithmetic, which made them slow. More recently, a surge of interest in this problem has produced dramatically better algorithms that can produce the same results using only fast fixed-precision arithmetic.
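The two properties above (accurate: parses back to the same binary value; optimal: fewest significant digits among accurate forms) can be checked by brute force. The block below is an added example, not SwiftDtoa's code: it tries 1 through 17 significant digits for a binary64 value (Python's `float`), which is the slow path the Dragon4-era algorithms avoided needing high-precision arithmetic for, but it confirms the same contract, and it shows that Python's `repr` agrees on digit count because it follows the same shortest-round-trip rule.

```python
"""Added example, not SwiftDtoa's code: brute-force check of the two
properties the post states for binary64. A decimal string is accurate if
parsing it gives back the same binary value; the optimal string is the
shortest accurate one. SwiftDtoa computes this with fixed-precision integer
arithmetic; this version simply tries 1..17 significant digits."""
import math


def round_trips(x: float, digits: int) -> bool:
    """Does x formatted with `digits` significant digits parse back to x?"""
    return float(format(x, f".{digits - 1}e")) == x


def shortest_round_trip(x: float) -> str:
    """Shortest (fewest significant digits) decimal that parses back to x.
    17 significant digits always suffice for binary64, so the loop is bounded."""
    if not math.isfinite(x):
        raise ValueError("finite values only")
    for digits in range(1, 18):
        if round_trips(x, digits):
            return format(x, f".{digits - 1}e")
    raise AssertionError("unreachable: 17 digits always round-trip")


def significant_digits(decimal_text: str) -> int:
    """Count significant digits in a literal like '3.0000000000000004e-01' or '0.1'."""
    mantissa = decimal_text.lower().split("e")[0]
    digits = mantissa.lstrip("+-").replace(".", "").strip("0")
    return max(1, len(digits))


def matches_repr(x: float) -> bool:
    """Python's repr() prints the shortest round-tripping decimal too, so it
    should agree with the brute-force answer on value and digit count."""
    ours = shortest_round_trip(x)
    return float(ours) == x and significant_digits(ours) == significant_digits(repr(x))
```

The interesting cases are the ones where the shortest form is longer than people expect: `1/3` needs 16 digits and `0.1 + 0.2` needs all 17, while `0.1` itself needs one. A printer that emitted fewer digits for those values would silently change the number on the way back in.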

Tim Cook to Be Deposed for Epic Case

Tim Hardwick (tweet):

A judge presiding over preparatory hearings in the Apple vs. Epic Games court case has ruled that Apple CEO Tim Cook must attend a seven-hour long deposition to testify about how the company views App Store competition, reports Gizmodo.

[…]

Hixon ordered Apple to make “best efforts” to produce internal payment-processing documents, after it criticized the company as “frustrating and unsatisfactory” in its attempts to stall their release to Epic.

David Heinemeier Hansson:

Presumably Cook will have learned from the meltdown Gates famously had back in Microsoft’s antitrust case. But that’s still a long time to sit and answer questions on the logical pretzel that is your company’s monopoly stances.

Previously:

Wednesday, February 3, 2021

Jeff Bezos to Step Down as Amazon CEO

Jeff Bezos (Hacker News):

I’m excited to announce that this Q3 I’ll transition to Executive Chair of the Amazon Board and Andy Jassy will become CEO. In the Exec Chair role, I intend to focus my energies and attention on new products and early initiatives. Andy is well known inside the company and has been at Amazon almost as long as I have.

[…]

Being the CEO of Amazon is a deep responsibility, and it’s consuming. When you have a responsibility like that, it’s hard to put attention on anything else. As Exec Chair I will stay engaged in important Amazon initiatives but also have the time and energy I need to focus on the Day 1 Fund, the Bezos Earth Fund, Blue Origin, The Washington Post, and my other passions.

Ben Thompson (Hacker News):

What is clear, though, is that any attempt to understand the relentlessness of the company redirects to their founder, Jeff Bezos, who announced plans to step down as CEO after leading the company for twenty-seven years. He is arguably the greatest CEO in tech history, in large part because he created three massive businesses, all of which generate enormous consumer surplus and enjoy impregnable moats: Amazon.com, AWS, and the Amazon platform (this is a grab-all term for the Amazon Marketplace and Fulfillment offerings; it is lumped in with Amazon.com in the company’s reporting). These three businesses are the result of Bezos’ rare combination of strategic thinking, boldness, and drive, and the real world manifestations of Amazon’s three most important tactics: leverage the Internet, win with scale, and being your first best — but not only — customer.

[…]

What is somewhat ironic, though, is that while the Internet is unquestionably a critical component of what makes Amazon Amazon, what makes the company so valuable and seemingly impregnable is the way it has integrated backwards into the world of atoms. Real moats are built with real dollars, and Bezos has been relentless in pushing the company to continually invest in solving problems with real world costs, from delivery trucks to data centers and everything in-between. This application of tech economics to the real world is what sets Bezos apart.

David Perell:

With Jeff Bezos stepping down as CEO, here’s a thread of the best things I’ve learned from him.

Update (2021-02-05): Dan Rose:

In 2004 I got the opportunity to work with Jeff Bezos to develop the original Kindle. It was Amazon’s first foray into hardware and I learned a ton from my interactions with Jeff. Here’s some of the stories and lessons that I took away from that experience[…]

See also:

Update (2021-02-08): See also:

LAMBDA: The Ultimate Excel Worksheet Function

Andy Gordon and Simon Peyton Jones:

The Calc Intelligence project at Microsoft Research Cambridge has a long-standing partnership with the Excel team to transform spreadsheet formulas into a full-fledged programming language. The fruits of that partnership are starting to appear in the product itself. At the 2019 ACM SIGPLAN Symposium on Principles of Programming Languages (POPL 2019), we announced two significant developments: data types take Excel beyond text and numbers and allow cells to contain first-class records, including entities linked to external data, and dynamic arrays allow ordinary formulas to compute whole arrays that spill into adjacent cells. These changes are a substantial start on our first challenge: rich, fully-first-class structured data in Excel.

In December 2020, we announced LAMBDA, which allows users to define new functions written in Excel’s own formula language, directly addressing our second challenge. These newly defined functions can call other LAMBDA-defined functions, to arbitrary depth, even recursively. With LAMBDA, Excel has become Turing-complete. You can now, in principle, write any computation in the Excel formula language. LAMBDA is available to members of the Insiders: Beta program. The initial release has some implementation restrictions that we expect to lift in the future. We discussed LAMBDA and some of our research on spreadsheets in a sponsored video presented at POPL 2021.

See also: Why Church chose lambda.

Scammy KeyWatch and Trezor Apps

Kosta Eleftheriou (Hacker News):

Just a few months ago, I was way ahead of my competition. By the time they figured out just how hard autocorrect algorithms were, I was already rolling out the swipe version of my keyboard, quickly approaching iPhone typing speeds. So how did they beat me?🤔

First, they made an app that appeared to fulfill the promise of a watch keyboard - but was practically unusable. Then, they started heavily advertising on FB & Instagram, using my own promo video, of my own app, with my actual name on it[…]

But wait, you say. People will see it doesn’t work well & not give any money - surely! Well, this is the first screen you get upon launching the app: zero explanation, no close button, no price. Tap to “unlock”, and you’re now 1 step away from confirming a $416/year subscription.

[…]

Fake ratings, and fake reviews. These quickly push the scams to the top of search results, leaving honest & hard-working developers in the dust. An old problem that’s not easy to solve, but one that’s at the core of why App Store app discovery is so problematic.

David Smith:

Stories like this are so discouraging to me. I’ve been hit by these “pump-and-junk” app schemes many times myself.

I get that defining the line between “bad app w/ high price” and “scam” is challenging but there has to be a better way than what we currently have.

Peter N Lewis:

The Apple App Store is so full of scammers and so lousy at search that if Apple ever did allow third party stores it is certain that a properly curated third party store would be much safer for users. So Apple arguing that the App Store makes users safer is utterly bogus.

Michael Love:

The fundamental problem with App Review is that it necessarily involves a lot of “I know it when I see it” decisions, and yet the volume of submissions + Apple’s treatment of it as a cost-center means reviewers have neither the resources nor the authority to make those decisions.

santisiri (via David Heinemeier Hansson):

a very good friend of mine lost his life savings because of this phishing app that was available on the app store.

Kosta Eleftheriou:

While the “KeyWatch” $300k/month scam was removed, Apple did not take down their developer account.

Not only that, but their other scam, “GPS Speedometer”, remains on the App Store stealing $200k/month from unsuspecting people, with $416/year subscriptions.😱

Previously:

Update (2021-02-05): Natasha Lomas (via Hacker News):

“They put you in contact with the other developer in question, and oversee the thread while they hope you will resolve the issue with the other party directly,” he explains. “The scammers I complained about in that dispute weren’t even the bigger scammers I mention in my Twitter thread. Yet, the complaint I had with them barely got addressed, and there was no response from Apple whatsoever on the issue of the fake ratings and reviews. Simply a ‘if we don’t hear back from you very soon we consider the matter resolved’. We even reached out to Apple privately after that but got no response.”

“What was most impressive to me, was that in the presence of the Apple legal team, the scammers did not feel threatened one bit — almost as if they know Apple is unlikely to do anything,” he adds. “In my view, Apple simply does not devote enough resources on this area.”

[…]

A core part of the USP for its App Store is the claim that Apple’s review process sums to a higher quality, more trustworthy experience than alternative marketplaces that aren’t so carefully overseen.

So a failure to do more to enforce against review scams and rating manipulations risks taking a lot more shine off Apple’s brand than Cupertino should be comfortable with.

David Barnard:

Steps to reproduce:

1. Search a high traffic keyword like wallpapers, scanner, VPN, etc.
2. Download the top 5 search results
3. At least one (often multiple) will be shady apps pushing expensive weekly subscriptions using various dark patterns
4. Get mad at Apple all over again

Nick Heer:

There is a threefold compounding problem here:

  1. There are many apps in the App Store that are effectively counterfeits.

  2. They plant fake reviews to establish legitimacy.

  3. They abuse expensive subscriptions.

Update (2021-02-08): Kosta Eleftheriou:

Up to now, I’ve been in the “Apple wants to do the right thing” camp. My viewpoint is starting to change.

How to spot a $5M/year scam on the @AppStore, in 5 minutes flat[…]

Loren Brichter:

Apple is in the business of looking the other way.

The problem is that the company isn’t going to be able to kick the addiction without making the services metrics that Tim cares about start trending in the wrong direction.

Marco Arment:

Apple could prevent SO MANY App Store misleading-subscription scams if they eliminated weekly billing as an option.

The shortest subscription interval should be monthly, since that’s how most consumers think about most ongoing costs. (That’s why the weekly subs mislead so many!)

Ryan Jones:

Fix the root cause instead:

  1. Payment terms bigger than font size 7 on confirmation screen.
  2. Universal IAP picker screen, designed by Apple and required.

David Barnard:

Here’s another stab at redesigning the “buy sheet” using the current design language.

Michael Love:

This seriously shouldn’t be hard. Every app with more than say $10k/year in IAP revenue - which is not that many! - gets looked at 2x year by someone who’s specifically charged with detecting scams; if they flag it then it goes to a more detailed review by sb with authority.

Update (2021-02-09): Tim Hardwick (also: 9to5Mac):

Since that time, Eleftheriou has been on a Twitter crusade to expose more scam apps in the App Store, such as the so-called star gazing app that goes by the name “Star Gazer+” and basically uses the same time-proven strategy of masquerading as a genuine app that’s barely functional and hoodwinks users into an exorbitant in-app weekly subscription fee.

As of writing, the scam app “Star Gazer+” is still listed on the App Store with 4.5 star average rating and over 80,000 reviews.

See also: David Heinemeier Hansson.

Update (2021-02-10): Cory Zanoni:

There’s a lot we can’t know here. We don’t know how many scam apps get taken down quickly and we don’t know how many never make it through the review process. Maybe we only ever see 1% of those submitted to the store.

Update (2021-02-22): Stanislav Dvoychenko:

I’ve been reporting to Apple the app that is copying reviews from my app - with no result.

Kosta Eleftheriou:

Dear Worldwide Developer Relations Manager who has been trying to call me and my wife multiple times:

Unscheduled calls are not the best way to reach people these days. Same goes for App Review calls.

Also, email?🤷

David Heinemeier Hansson:

We dealt with the same issue during @heyhey’s summer of stress. Apple never wanted to have anything in writing. It was all on their internal systems where messages disappear or on phone calls with people using their first name only.

Previously:

Kosta Eleftheriou:

So Apple finally publicly responded to my complaints.

Let’s take apart this embarrassingly generic boilerplate statement they gave to The Verge[…]

Paul Haddad:

Does the 500k developer account number seem off to anyone else? Sounds absurdly high to me. I know there’s plenty of fraud in the App Store but that many separate accounts? $50M worth?

Apple’s in a tough spot. They get flack if they don’t stop scams, they get flack if they flag the wrong person as a scammer. They’re probably doing a ton more to prevent scams than anyone realizes and yet seems like they should do more. 🤷‍♂️

Kosta Eleftheriou:

What Apple doesn’t want you to know about the App Store👇

“The apps you love, from a place you can trust” they tell you. But the reality is far from it.

A 4.5-star app? Might as well be a multi-million dollar scam.

[…]

The average star rating of an app can be trivially manipulated by any developer.

[…]

What follows is an incredibly buggy, ad-infested, poorly designed money-grabbing experience.

[…]

This is a third party app developed to trick people into downloading and paying for something that’s free if you have a Roku. They buy ads for “Roku Remote” but the app is “Roki Remote”.

[…]

Because the scammers keep buying positive ratings, the app remains highly rated - giving people a false sense of trust.

See also: Brendan Hesse.
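The pattern in the thread above (bought 5-star ratings arriving in batches, propping up the average while scammed users leave 1-star warnings) leaves statistical fingerprints that do not require Apple's internal data to spot. The block below is an added example, not Apple's fraud detection and not from Eleftheriou's thread: it computes three signals over a set of reviews and flags an app when two of them trip. Both review sets are constructed for the demo, and the thresholds are assumptions.

```python
"""Added example, not Apple's detection and not from Eleftheriou's thread:
signals that expose bought ratings. Review sets and thresholds are
constructed/assumed for the demo."""
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Review = Tuple[datetime, int, str]  # (posted_at, stars, text)


def _scam_like_reviews() -> List[Review]:
    """Constructed: two batches of 60 near-identical 5-star reviews a week
    apart, a trickle of genuine 1-star complaints, and a few honest 4-stars."""
    t0 = datetime(2021, 2, 1, 9, 0)
    canned = ["Best app ever!!", "Perfect, the best experience ever", "Great app, works perfect"]
    reviews: List[Review] = []
    for batch_day in (0, 7):
        for i in range(60):
            reviews.append((t0 + timedelta(days=batch_day, minutes=2 * i), 5, canned[i % 3]))
    for day in range(0, 30, 3):
        reviews.append((t0 + timedelta(days=day, hours=18), 1,
                        f"Charged $416 a year and the keyboard barely types (day {day})"))
    for day in (2, 9, 16, 23, 29):
        reviews.append((t0 + timedelta(days=day, hours=12), 4, f"Decent but needs work, update {day}"))
    return reviews


def _organic_reviews() -> List[Review]:
    """Constructed: one distinct review per day with a spread of ratings."""
    t0 = datetime(2021, 2, 1, 9, 0)
    return [(t0 + timedelta(days=d), [5, 4, 3, 5, 2][d % 5], f"Review {d}: used it for {d} days")
            for d in range(60)]


SCAM_REVIEWS = _scam_like_reviews()
ORGANIC_REVIEWS = _organic_reviews()


def average_stars(reviews: List[Review]) -> float:
    return sum(s for _, s, _ in reviews) / len(reviews)


def polarization(reviews: List[Review]) -> float:
    """Share of ratings at the extremes (1 or 5 stars)."""
    return sum(1 for _, s, _ in reviews if s in (1, 5)) / len(reviews)


def burst_ratio(reviews: List[Review], window: timedelta = timedelta(hours=24)) -> float:
    """Largest share of all 5-star reviews that landed inside one sliding
    window. Purchased ratings arrive in batches; organic ones trickle in."""
    times = sorted(t for t, s, _ in reviews if s == 5)
    if not times:
        return 0.0
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best / len(times)


def _normalize(text: str) -> str:
    return " ".join(re.sub(r"[^a-z0-9]+", " ", text.lower()).split())


def duplicate_text_ratio(reviews: List[Review]) -> float:
    """Share of reviews whose normalized text appears more than once."""
    counts = Counter(_normalize(text) for _, _, text in reviews)
    return sum(c for c in counts.values() if c > 1) / len(reviews)


def suspicion_report(reviews: List[Review]) -> Dict[str, object]:
    """Flag an app when at least two signals trip. Thresholds are assumptions."""
    report: Dict[str, object] = {
        "average": average_stars(reviews),
        "polarization": polarization(reviews),
        "burst_ratio": burst_ratio(reviews),
        "duplicate_ratio": duplicate_text_ratio(reviews),
    }
    flags = [report["polarization"] >= 0.85,
             report["burst_ratio"] >= 0.3,
             report["duplicate_ratio"] >= 0.3]
    report["suspicious"] = sum(flags) >= 2
    return report
```

On the constructed scam-like set the average is 4.67 stars, which is exactly the kind of number that reads as trustworthy in search results, while half of all 5-star reviews fall inside a single 24-hour window and nearly nine in ten reviews share their text with another one. The organic set scores a lower average and trips none of the signals.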

Kosta Eleftheriou:

As another indication of how *not* seriously Apple is taking fake ratings, they unequivocally state: “If you attempt to […], manipulate ratings or App Store discovery […] you will be expelled from the Developer Program.”

Yet this happened[…]

[…]

Since early January, my attempts through the proper channels to report fake ratings scams have been fruitless - to put it mildly. My last attempt, below, unanswered. Apple is now effectively condoning scam behavior on the App Store by not taking action. A total travesty.

Joe Fabisevich:

I don’t have all the answers for fixing the App Store, but I don’t think you need all the answers up front to start improving the system. Taking what we learned about incentive design above, what I see Apple having is a resource allocation problem due to them not knowing who’s complying with the rules and contributing to the public good. With that in mind, a scoring system is where I would invest resources to know who’s having a net-positive and a net-negative effect on the App Store system.

[…]

App Store Preview would work similar to Apple’s current DTS system, where you can get hands-on help with a technical problem you’re having. A developer should be able to get pre-approval for an idea, in the context of their application, without having to build an entire feature (or application) before App Review deems it worthy. This would also provide context for future reviewers, knowing what to look for and what’s changed. The more a pre-approved version matches the reviewer’s expectations come review time, the higher the score the developer would receive. The higher their overall score over time (by some to be established scoring mechanism), the less scrutiny they would receive in the future.

More importantly though is the inverse. If someone doesn’t go through review, they implicitly receive more scrutiny.

Update (2021-03-09): Kosta Eleftheriou:

If you had any doubts at all about the Wild Wild West that are App Store ratings & reviews, someone is currently buying fake 5-star reviews for my own FlickType app - presumably so that Apple will take my app down.

Apple’s fake review detection is failing so miserably.

Jeff Johnson:

They’re coming for you like they came for @AppsExposed and they may win.

Update (2021-04-16): Sami Fathi (tweet):

Now, Eleftheriou has highlighted yet another scam app on the App Store. This time Eleftheriou is shining a light on how one scam app called “Privacy Assitant: StringVPN” uses Apple’s in-app purchasing system to trick people into purchasing either a weekly, monthly, or yearly subscription for a fake VPN service.

The scam app promises to offer a “full-featured” and “safe” VPN experience, but that’s not the case. The app has a total of 104 reviews and a 3.5/5 rating at the time of writing. The majority of reviews praise the app as being “perfect” and say it offers “the best experience ever.” The masses of fake reviews posted by the developer trick Apple’s App Store algorithm into boosting its appearance in search results, making it easier for other users to discover and download the app.

However, there are real reviews posted by users scammed by the app in the barrage of fake reviews. One user says the app tricked them into purchasing its yearly $89.99 subscription without the option to choose weekly or monthly, and notes how the app looks like a legitimate VPN app.

Kosta Eleftheriou:

I don’t know what’s worse about this app[…]

Kosta Eleftheriou:

This App Store scam is just too funny.

Kosta Eleftheriou:

Over a third of App Store reviews considered fake!🤯

Update (2021-06-05): Kosta Eleftheriou:

All 4 VPN scams I posted are now gone.

Did @Apple refund the MILLIONS of users that got scammed?

And did they let their own customers know they need to immediately stop using these apps?

Tuesday, February 2, 2021

Chrome Browser Extension for iCloud Passwords

Tim Hardwick:

Apple has released an iCloud password extension for Google’s Chrome browser on Windows that allows iCloud Keychain passwords to be used on PCs.

Called simply “iCloud Passwords,” the extension allows users to access passwords in Google Chrome that have been generated in Apple’s Safari browser. It also enables iCloud syncing of passwords generated in Chrome, making them available on Apple devices, too.

Dan Moren:

As I wrote just this week in Macworld, Apple has used a number of strategies to encourage users to switch to its products, among them, the “ice water in hell” approach of adapting some of its own software to rival platforms. That’s at least part of the reasoning behind Apple’s iCloud Keychain extension for Chrome, which extends the password manager feature from its own ecosystem to Chrome users on Windows.

But not, interestingly, to Chrome users on the Mac, even though the extension can be installed in that version of Google’s browser. However, according to the text on the extension’s page, it appears to be designed to specifically work with iCloud for Windows, so it doesn’t actually do anything on the Mac beyond providing a broken interface.

iOS 14.5: Unlock an iPhone While Wearing a Mask

Juli Clover (tweet):

In iOS 14.5, there’s a new option to unlock an iPhone with Face ID and an Apple Watch paired together, with the Apple Watch’s authentication providing an extra layer of security.

If you’re wearing an unlocked Apple Watch and use Face ID as you normally would, the iPhone will unlock after a partial face scan. When the unlock happens, you’ll feel a haptic buzz and will receive a notification on the Apple Watch informing you that the unlocking procedure was successful, similar to how it works when unlocking a Mac with an Apple Watch.

This is the best reason I’ve seen to buy an Apple Watch.

John Gruber (tweet):

I jumped on this beta to try this feature out, and it works great. Pretty much just like the excellent longstanding feature that lets you log into your Mac automatically if you’re wearing an Apple Watch — it just works.

[…]

My understanding is that this feature was a lot trickier to implement than you might think, because of the fact that you can also use your iPhone to unlock your watch. The “chain of trust” was originally designed to work in one direction — from your iPhone to your watch.

John Gruber:

I would love to know more, but I do know they’ve been working on this all year. Think about how serious it is that you can unlock your phone from a remote device of any kind. High stakes to get it right.

Joe Cieplinski:

So the new unlock FaceID with your watch thing works on unlocking the home screen and revealing home screen notifications. But doesn’t work for Apple Pay, FaceID unlocking individual apps, and so on. Makes sense, but good to know.

Previously:

Update (2021-02-05): Benjamin Mayo:

Even for a first beta, it works really well. It’s fast. Written down, it sounds analogous to the macOS feature, but it feels very different when you try it.

Unlocking your Mac with your watch is comparatively sluggish.

Update (2021-02-22): John Gruber:

Because it’s a two-step process (step #1 first, then step #2), it does take a bit longer than Face ID without a mask (which is really just step #1). But it works more than fast enough to be a pleasant convenience experience. Regular Face ID is so fast you forget it’s even there; “Unlock With Apple Watch” is slow enough that you notice it’s there, but fast enough that it isn’t a bother.

It’s important to note that in step #2, it works with any face wearing a mask. It’s not trying to do a half-face check that your eyes and forehead look like you, or anything like that. My iPhone will unlock if my wife or son is the face in front of my iPhone — but only if they’re wearing a mask, and only if my Apple Watch is very close to the phone. I’d say less than 1 meter — pretty much about what you would think the maximum distance would be between a watch on one wrist and an iPhone in the other hand.

[…]

Also, if your Apple Watch is in Sleep mode (the bed icon in WatchOS’s Control Center), the feature does not work.

Update (2021-04-16): Joel Breckinridge Bassett:

I think performance will vary, a lot, depending on the user, the mask and the environment. For some, perhaps the majority, it will be enough. I find it fails me too often on the daily commute and in stores, usually at the very moment I need to launch dPOINT or dPay apps at checkout. I also get the feeling that Apple Watch battery life takes a hit too, but take it with a grain of salt along with my impressions.

Xcode 12.5 Beta

Apple:

Xcode 12.5 Beta requires a Mac running macOS Big Sur 11 or later.

[…]

The Reveal Build Products Folder item in the Product menu reveals the build products directory in Finder.

[…]

Code completion is more reliable in expressions that contain errors, and in expressions that are ambiguous without additional context.

[…]

Profiling XCTest with Instruments now automatically starts the recording, without a click on the record button.

This would be great if it works, but profiling Mac unit tests has been broken for me for years.

Incremental compilation is faster in many cases. When you change code within the body of a struct, class, enum, prototype, or extension, Swift now recompiles far fewer files in that module than before.

Implicit member expressions now support chains of member accesses.

Swift includes more checks when bridging data from Objective-C. In particular, the runtime library aborts your program with a suitable error message if it detects a non-nullable pointer that contains a null value.

Property wrappers are now supported on local variables.

Functions, subscripts, and initializers may now have more than one variadic parameter, as long as all parameters that follow variadic parameters are labeled.

These are from Swift 5.4.

Antoine van der Lee:

While developing apps or frameworks, it’s common to refactor a piece of code. Although often temporary, it’s common to run into failing tests while the code is still being refactored. Up until we could use XCTExpectFailure I would disable those tests and only run them once I expected them to succeed.

In other words, there are scenarios in which you realise a failure is expected. Without letting Xcode know this is true, your tests would report a failure and your CI would no longer report green.

Another benefit is that Xcode will report a test as failed once an expected failure does not occur. You can see Xcode as a guard to make sure your tests match upon current expectations.
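As an added illustration of the XCTExpectFailure behaviour described above (this is example code written for this post, not from Antoine van der Lee or from Apple’s documentation), the test file below marks a known-failing assertion as expected while a refactor is in flight, and shows the strict versus non-strict distinction. `normalizedPath` and the `PathTests` case are hypothetical names invented for the example.

```swift
import Foundation
import XCTest

/// Hypothetical function mid-refactor (constructed for this example):
/// it collapses doubled slashes but does not yet resolve ".." segments.
func normalizedPath(_ raw: String) -> String {
    return raw.replacingOccurrences(of: "//", with: "/")
}

final class PathTests: XCTestCase {

    /// The assertion inside the block is known to fail until the
    /// refactor lands. XCTExpectFailure records it as an expected
    /// failure, so the test run (and CI) stays green.
    ///
    /// Options are strict by default: if the failure stops occurring,
    /// Xcode reports this test as FAILED, which is the guard against
    /// forgetting to remove the expectation once the code is fixed.
    func testParentSegmentsAreCollapsed() {
        let options = XCTExpectedFailure.Options()
        // Only accept assertion failures as the "expected" failure, so an
        // unrelated crash or thrown error inside the block is still reported.
        options.issueMatcher = { issue in issue.type == .assertionFailure }

        XCTExpectFailure("'..' resolution is not implemented yet", options: options) {
            XCTAssertEqual(normalizedPath("a/b/../c"), "a/c")
        }
    }

    /// Non-strict variant: the expectation is tolerated whether or not
    /// the failure occurs. Here the assertion actually passes, and with
    /// isStrict == false the test still passes; with the default strict
    /// options it would be reported as failed for not failing.
    func testDoubleSlashesAreCollapsed() {
        let options = XCTExpectedFailure.Options()
        options.isStrict = false

        XCTExpectFailure("Kept non-strict during the refactor", options: options) {
            XCTAssertEqual(normalizedPath("a//b"), "a/b")
        }
    }
}
```

The `issueMatcher` closure is worth keeping even for temporary expectations: without it, any failure inside the block, including one caused by a regression unrelated to the refactor, is swallowed as “expected”.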

Previously:

macOS 11.2

Juli Clover:

According to Apple’s release notes, macOS Big Sur 11.2 addresses several bugs, such as an issue that could cause external displays to show a black screen when connected to an M1 Mac mini using an HDMI to DVI converter and a problem that caused iCloud Drive to disable when turning off the iCloud Drive Desktop & Documents Folders option.

Apple:

There are no new release notes for this software update.

I’ve seen first-hand that the Mail bug where messages “moved” by rules bounce back to the inbox has not been fixed. I’ve not yet heard the status of these other serious Mail bugs that were present on macOS 10.15.0 through 11.1:

In the absence of release notes or responses to bug reports, I’m assuming that they are not fixed.

Howard Oakley:

Details of security fixes included in this and the concomitant Security Updates are here. They include a fix to a bug in APFS in Big Sur found by Thomas Tempelmann, 2-3 bugs in Crash Reporter, nine bugs in ImageIO and still more in Model I/O, and three in the Big Sur kernel. However, there’s no mention that I can see of the old bug which might still be lurking in sudo.

It does look like the ImageIO crashing bug that I filed is fixed.

Mr. Macintosh:

Starting with macOS Big Sur, Combo and Delta update pkg’s aka packages are not available as standalone downloads.

[…]

Installing this package will put the full “Install macOS Big Sur.app” in your applications folder.

See also: the IPSW files and open source release.

Previously:

Update (2021-02-08): I’ve now received multiple reports of Mail data loss on macOS 11.2.

Monday, February 1, 2021

Old SuperDuper for Big Sur

Dave Nanian (Hacker News, tweet):

To accomplish this, use an old version of SuperDuper—specifically, v3.2.5—to copy the Data volume, which is shown in the older version!

v3.2.5 is well tested, having been on the market for quite some time, and is reliable. So we don’t have to worry about doing a broad beta test of a partially complete new release. It’s already tested, and I’ve been busy doing the additional testing necessary to prove it works on Big Sur.

Again, this will make a copy of the data that you need to preserve your stuff, both Applications and Data, while leaving the Sealed System Volume alone.

And it’s a valid source for “restore” during a clean install or migration! So restoration is easy and fast should it become necessary.

[…]

M1 Macs can’t be copied in a way that makes them bootable. Bare metal recovery on an M1 Mac isn’t possible, since they depend on the contents of their internal drive even when booting externally. And the tools required to make bootable copies of Intel Macs are limited, often fail, and produce inscrutable and undocumented diagnostics when they do.

Previously:

CDC’s Vaccine Data System

Cat Ferguson (via Hacker News, Reddit):

Unless you’re in one of the few states using it, you may not have heard of VAMS. But it was supposed to be a one-stop shop where employers, state officials, clinics, and individuals could manage scheduling, inventory, and reporting for covid shots—and free for anyone to use.

Instead, “VAMS has become a cuss word,” Marshall Taylor, head of South Carolina’s health department, told state lawmakers in January. He went on to describe how the system has badly hurt their immunization efforts so far. Faced with a string of problems and bugs, several states, including South Carolina, are choosing to hack together their own solutions, or pay for private systems instead.

[…]

In May, it gave the task to consulting company Deloitte, a huge federal contractor, with a $16 million no-bid contract to manage “covid-19 vaccine distribution and administration tracking.” In December, Deloitte snagged another $28 million for the project, again with no competition. The contract specifies that the award could go as high as $32 million, leaving taxpayers with a bill between $44 and $48 million.

Why was Deloitte awarded the project on a no-bid basis? The contracts claim the company was the only “responsible source” to build the tool.

Previously:

Misleading and Inaccurate iOS Privacy Labels

Geoffrey A. Fowler (Hacker News, MacRumors):

I downloaded a de-stressing app called the Satisfying Slime Simulator that gets the App Store’s highest-level label for privacy. It turned out to be the wrong kind of slimy, covertly sending information — including a way to track my iPhone — to Facebook, Google and other companies. Behind the scenes, apps can be data vampires, probing our phones to help target ads or sell information about us to data firms and even governments.

As I write this column, Apple still has an inaccurate label for Satisfying Slime. And it’s not the only deception. When I spot-checked what a couple dozen apps claim about privacy in the App Store, I found more than a dozen that were either misleading or flat-out inaccurate. They included the popular game Match 3D, social network Rumble and even the PBS Kids Video app.

[…]

Apple’s big privacy product is built on a shaky foundation: the honor system. In tiny print on the detail page of each app label, Apple says, “This information has not been verified by Apple.”

[…]

Irony alert, there’s a tech giant that is more transparent: Facebook. With a setting called “off-Facebook activity” that it launched in 2020, you can actually see all the different apps and websites that are feeding your data to Facebook and ask the social network to stop using the data to target you with ads.

Previously:

Update (2021-02-19): Michael Potuck:

Now the US House Committee on Energy & Commerce is urging Apple to “improve the validity of its App Privacy labels” along with asking for more specifics on the system.

US House Energy and Commerce Committee chairman Frank Pallone Jr. (D-NJ) and Consumer Protection and Commerce Subcommittee Chair Jan Schakowsky (D-IL) penned the letter to Apple CEO Tim Cook this week about concerns over the App Store privacy labels (first spotted by MacRumors).

Update (2021-03-11): John Gruber:

Effectively PBS submitted a privacy nutrition label based on changes to their app that weren’t yet — but soon were — live in the App Store. The rest of the inaccurate nutrition labels Fowler found are rather obscure apps.

[…]

And if Apple’s new privacy labels are useless, why are so many apps making changes to their actual privacy policies? Would PBS have removed the tracking identifier from its PBS Kids app in the first place? I’m guessing not.

iMessage’s BlastDoor Sandbox

Samuel Groß (via Hacker News, MacRumors):

One of the major changes in iOS 14 is the introduction of a new, tightly sandboxed “BlastDoor” service which is now responsible for almost all parsing of untrusted data in iMessages (for example, NSKeyedArchiver payloads). Furthermore, this service is written in Swift, a (mostly) memory safe language which makes it significantly harder to introduce classic memory corruption vulnerabilities into the code base.

[…]

As can be seen, the majority of the processing of complex, untrusted data has been moved into the new BlastDoor service. Furthermore, this design with its 7+ involved services allows fine-grained sandboxing rules to be applied, for example, only the

[…]

To limit an attacker’s ability to retry exploits or brute force ASLR, the BlastDoor and imagent services are now subject to a newly introduced exponential throttling mechanism enforced by launchd, causing the interval between restarts after a crash to double with every subsequent crash (up to an apparent maximum of 20 minutes). With this change, an exploit that relied on repeatedly crashing the attacked service would now likely require in the order of multiple hours to roughly half a day to complete instead of a few minutes.

John Gruber (tweet):

This is a big deal, and from what I understand, a major multi-year undertaking by the iMessage team. Cimpanu’s report makes it sound like it’s an iOS 14 feature, but it’s on MacOS 11, too — it’s an iMessage feature.

Previously: