Archive for August 26, 2021

Thursday, August 26, 2021

jsc

Craig Hockenberry (Hacker News):

In the JavaScript framework used by Safari and other parts of Apple’s products, there is a tool called jsc. It’s a command line interface for JavaScript that uses the same code as the rest of the system.

You can find the binary at /System/Library/Frameworks/JavaScriptCore.framework/Versions/Current/Helpers/jsc. That path is unwieldy, so I have an alias set up that lets me just type jsc in the Terminal.

So what can you do with jsc? Pretty much anything you can do with JavaScript in a browser with the caveat that there aren’t document and window instances.

Apple News Partner Program

Apple:

The News Partner Program is designed for subscription news publications that provide their content to Apple News in Apple News Format (ANF). ANF enables an exceptional reading experience on Apple News and unlocks the full benefit of the platform for publishers, and empowers publishers to create brand-forward stories, immersive issues, and audio stories, with designs that scale seamlessly across Apple devices. ANF also supports advertising, and publishers keep 100 percent of the revenue from advertising they sell within Apple News. To support publishers who optimize more of their content in ANF, Apple News is offering a commission rate of 15 percent on qualifying in-app purchase subscriptions from day one.

[…]

Participants must maintain a robust Apple News channel in Australia, Canada, the United States, and the United Kingdom, and publish all content to that channel in ANF.

[…]

The primary function of a publisher app must be to deliver original, professionally authored news content.

Benjamin Mayo:

Apple already offers all developers the chance to collect 85% commission on subscriptions for subscriptions that last more than one year. The commission is also set at 85% for apps that qualify for the Small Business Program, which take in less than $1 million in annual revenue.

[…]

At a high level, the News Partner Program is similar to the terms for the Video Partner Program, which was established last year. However, in the latter case, premium video apps are allowed to use their own existing payment methods on file. For news, it seems Apple is still requiring use of In-App Purchase unilaterally.

Steve Troughton-Smith:

Bribing developers to prop up a failing arm of Apple’s services division after decimating web ad revenue so they have no other choice

Why Apple Asks for Your Other Device’s Password

Glenn Fleishman (tweet):

Why would Apple ask for the password or passcode for one of your other devices? Could it be some sort of scam? What exactly is going on here?

[…]

Apple has chosen to protect some data that it views as highly secure or very private with end-to-end encryption that prevents Apple from knowing anything about the contents of the synced data. Apple doesn’t possess any of the keys required to decrypt this data passing through its servers. Instead, those keys reside only on individual iPhones, iPads, and Macs.

[…]

For iCloud Keychain and similar sensitive data, Apple has your devices generate and maintain a set of public and private keys that enable interaction with the information synced across iCloud. The devices never reveal their private keys and have the public keys of all the other devices connected to an iCloud account.

[…]

The hard part isn’t syncing data privately. Rather, it comes when you want to add a new device to this set.

[…]

On at least one of the devices in the iCloud sync set, Apple adds an encrypted version of that device’s passcode or password to the set of shared information.

[…]

Apple syncs this information to iCloud, and the setup process on the new device then pulls it down, prompting you to enter the passcode or password.

This seems reasonable, although I guess it creates a slight risk in that now your device’s password has been stored in the cloud. It’s encrypted, but someone with access to the cloud could apply a lot of computing power over a long period of time in order to brute-force it. This would make it possible to break into your device during only a brief window of physical access.
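A sketch of the flow described above, added here as an illustration and not taken from Apple, Fleishman, or this blog: an existing device wraps a sync key under its passcode, the cloud stores only the resulting blob, and a new device unwraps it with the passcode the user types. The PBKDF2 parameters, the XOR-plus-HMAC wrap, and every function name are assumptions, since the page does not describe Apple's actual construction.

```python
import hashlib, hmac, secrets, time

ITERATIONS = 200_000  # assumed KDF cost, not a documented Apple parameter

def _derive(passcode, salt, iterations):
    """Stretch a passcode into a 32-byte pad and a 32-byte MAC key."""
    okm = hashlib.pbkdf2_hmac("sha512", passcode.encode(), salt, iterations, dklen=64)
    return okm[:32], okm[32:]

def wrap_for_cloud(sync_key, passcode, iterations=ITERATIONS):
    """Existing device: protect a 32-byte sync key under its passcode."""
    if len(sync_key) != 32:
        raise ValueError("sync key must be 32 bytes")
    salt = secrets.token_bytes(16)  # fresh salt, so the pad is never reused
    pad, mac_key = _derive(passcode, salt, iterations)
    wrapped = bytes(a ^ b for a, b in zip(sync_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "wrapped": wrapped, "tag": tag}

def unwrap_on_new_device(blob, passcode):
    """New device: returns the sync key, or None if the passcode is wrong."""
    pad, mac_key = _derive(passcode, blob["salt"], blob["iterations"])
    expected = hmac.new(mac_key, blob["salt"] + blob["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["wrapped"], pad))

def guess_cost_seconds(iterations=ITERATIONS):
    """Time one key derivation: the only throttle once the blob is copied."""
    start = time.perf_counter()
    _derive("000000", bytes(16), iterations)
    return time.perf_counter() - start

def worst_case_days(digits, cost_seconds):
    """Upper bound on single-core offline search of an all-digit passcode."""
    return (10 ** digits) * cost_seconds / 86400

if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed sample sync key
    blob = wrap_for_cloud(key, "493817")   # constructed sample passcode
    assert unwrap_on_new_device(blob, "493817") == key
    assert unwrap_on_new_device(blob, "000000") is None
    cost = guess_cost_seconds()
    for digits in (4, 6, 10):
        print(digits, "digits:", round(worst_case_days(digits, cost), 3), "days")
```

In this sketch the integrity tag is what lets the new device reject a wrong passcode, and it is also what lets anyone holding a copy of the blob check guesses without a device-side attempt limit, so the protection rests on passcode length and KDF cost alone.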

Glenn Fleishman:

Apple made it more confusing by not documenting the procedure anywhere on its site. So if you Google or search to make sure it’s safe and not phishing, you cannot find any additional information about it!

He wrote that in 2019. I was not able to find this described in the 2021 Apple Platform Security document, though it’s possible I just didn’t know where to look. I also don’t know if it has a name. Apple does describe a similar “syncing circle” system for iCloud Keychain, but that seems to be different. (And the system Fleishman describes works even if you are not using iCloud Keychain.)

Update (2021-09-08): alanzeino:

I’ve always wondered why this works like this, especially since it randomly sometimes requires every device to re-login and the last device that logs in is the password used to encrypt

Maxwell Swadling:

It does this because it dropped an old device from your circle and needs to generate a new key that old device doesn’t know.

He thinks that what Fleishman describes is the “syncing circle” mentioned in the Apple document. In other words, iCloud Keychain is running at some level even if you haven’t chosen to store your own passwords in it.