Archive for September 7, 2021

Tuesday, September 7, 2021

How to Hard-Lock Your iPhone

Apple:

Apple today announced that it is working with several states across the country, which will roll out the ability for their residents to seamlessly and securely add their driver’s license or state ID to Wallet on their iPhone and Apple Watch.

John Gruber:

When you pay with Apple Pay, you never hand your phone to an employee. It wouldn’t even work, because no one else can authorize an Apple Pay transaction without your biometric authentication. This ID feature for Wallet is exactly like that: it doesn’t work without your biometric authentication, and your phone does not unlock when you use it.

[…]

With a Face ID iPhone, you hard-lock your iPhone by pressing and holding the side button and either volume button. Two seconds or so — just long enough to make the “Slide to power off” screen appear. (That screen also has sliders for Medical ID and Emergency SOS.) With a Touch ID iPhone, you just press and hold the power button.

Once you do this, your iPhone will require your passcode to unlock. You can’t use Face ID or Touch ID to unlock until after you’ve unlocked with your passcode. That means even if someone confiscates your phone by force, they cannot unlock it by pointing it at your face or by forcing your finger onto the Touch ID sensor. Remember to put your iPhone into this mode every time you’re separated from it as you go through the magnetometer at any security checkpoint, especially in the airport.

Super Follows and IAP

Juli Clover:

Twitter today announced the official launch of Super Follows, a new feature that allows creators to provide subscriber-only content that requires a paid fee to access.

Hartley Charlton:

Each Twitter Super Follow subscription is an individual in-app purchase for every account with the feature set up, it has emerged.

The unusual system, spotted by Jane Manchun Wong, means that for every Super Follow there is an individual in-app purchase for that account specifically. Some observers are speculating that each Super Follow in-app purchase will have to be set up manually by Twitter on the App Store, making the system even more unconventional.

[…]

The App Store does not allow for multiple instances of the same subscription, leading other platforms such as YouTube and Twitch to get around this by effectively allowing users to buy a sub-token that can be directed toward a specific creator.

[…]

Apple only allows developers to create up to 10,000 in-app purchases, so it is not clear if Twitter will limit the users eligible to sell Super Follows at 10,000 minus Ticketed Spaces and Twitter Blue.

And yet Apple expects Amazon to use this system to sell 9 million Kindle books.

John Gruber (tweet):

This is incredible. Ostensibly, Twitter is doing what Apple wants them to do. Right now Super Follows payments are even exclusive to iOS. (Once you pay on iOS, you can see Super Follow content on Twitter’s Android and web clients, too, but the only way to pay is on iOS through IAP.) But Apple’s IAP system is so brittle that Twitter has to make a discrete SKU for each and every Super Follow user, and pay Apple 30 percent of the price for the privilege. (Twitter, per its published terms, takes just 3 percent of the first $50,000 in lifetime earnings, then 20 percent after that.) Also, because Apple’s IAP listings in the App Store rank IAP offerings by popularity, Twitter is being forced to reveal data that they quite likely would prefer to keep to themselves.

Buzz Andersen:

This is bonkers and really illustrates the ways that Apple’s IAP rules severely constrain the possible business models on its platform.

Steve Troughton-Smith:

This whole system seems designed to showcase just how ridiculous the hoops Apple makes apps jump through with IAP policies are. App Review, too, theoretically has to review each individual in-app purchase, and each one has to include a screenshot.

Steve Moser:

Twitter’s latest beta update introduces support for providing content creators with Bitcoin tips using the “Tip Jar” feature that Twitter introduced earlier this year. Bitcoin isn’t yet available to select as a tip option for beta users, but code in the beta suggests that Twitter is in the process of rolling it out.

Update (2021-09-08): frijole:

reminds me of when comixology had to list every comic via IAP -- and the rejections

ProtonMail Turned on IP Logging for User

Natasha Lomas and Romain Dillet (Hacker News, 3):

ProtonMail, a hosted email service with a focus on end-to-end encrypted communications, has been facing criticism after a police report showed that French authorities managed to obtain the IP address of a French activist who was using the online service. The company has communicated widely about the incident, stating that it doesn’t log IP addresses by default and it only complies with local regulation — in that case Swiss law. While ProtonMail didn’t cooperate with French authorities, French police sent a request to Swiss police via Europol to force the company to obtain the IP address of one of its users.

[…]

ProtonMail’s founder and CEO Andy Yen reacted to the police report on Twitter without mentioning the specific circumstances of that case in particular. “Proton must comply with Swiss law. As soon as a crime is committed, privacy protections can be suspended and we’re required by Swiss law to answer requests from Swiss authorities,” he wrote.

ProtonMail:

As detailed in our transparency report, our published threat model, and also our privacy policy, under Swiss law, Proton can be forced to collect info on accounts belonging to users under Swiss criminal investigation. This is obviously not done by default, but only if Proton gets a legal order for a specific account. Under no circumstances however, can our encryption be bypassed, meaning emails, attachments, calendars, files, etc, cannot be compromised by legal orders.

[…]

Second, ProtonMail is one of the only email providers that provides a Tor onion site for anonymous access.

[…]

Third, no matter what service you use, unless it is based 15 miles offshore in international waters, the company will have to comply with the law. This case does illustrate one benefit of ProtonMail’s Swiss jurisdiction, as no less than 3 authorities in 2 countries were required to approve the request, which is a much higher bar than most other jurisdictions. Under Swiss law, it is also obligatory for the suspect to be notified that their data was requested.

Robert Graham:

ProtonMail has always been clear: they abide by Swiss law and don’t track IP addresses until forced to. Now people are upset at ProtonMail because it works as claimed, not how people assumed because they weren’t paying attention.

Etienne:

[They] provided the IP address and information on the type of device used to the police

Now, of course Protonmail has to comply with Swiss law, but is that what you mean by “No personal information is required to create your secure email account. By default, we do not keep any IP logs which can be linked to your anonymous email account. Your privacy comes first.”

It was confirmed by @andyyen that in criminal cases, Protonmail can log IP addresses; their documentation says “in extreme criminal cases”.

IANAL, but I have a hard time seeing how young people squatting buildings in Paris is an extreme criminal case. In any case, I have an issue with this lack of transparency from ProtonMail: if any police service can ask them to log IP addresses, that is not anonymous.

Andy Yen (Hacker News):

Under no circumstances can our encryption be bypassed, meaning emails, attachments, calendars, files, etc. cannot be compromised by legal orders.

[…]

Under current Swiss law, email and VPN are treated differently, and ProtonVPN cannot be compelled to log user data.

[…]

Due to Proton’s strict privacy, we do not know the identity of our users, and at no point were we aware that the targeted users were climate activists. We only know that the order for data from the Swiss government came through channels typically reserved for serious crimes.

[…]

We will be making updates to our website to better clarify ProtonMail’s obligations in cases of criminal prosecution and we apologize if this was not clear.

Gareth Corfield (Hacker News):

Today that boast has been replaced with a mealy-mouthed version: "ProtonMail is email that respects privacy and puts people (not advertisers) first. Your data belongs to you, and our encryption ensures that. We also provide an anonymous email gateway."

Regarding Yen’s first point, rogers18445 writes:

Each time you visit protonmail you re-download (cache can be invalidated) their client. It would be trivial for them to serve a specific user a modified client which uploads their encryption keys.

This problem is not specific to protonmail, any service which contends to be secure with respect to some server (the protocol relies on the client to decrypt stuff the server cannot) can be compromised this way because of implicit trust in the client software which can be modified at any time with no notice - making any auditing entirely meaningless in the case of targeted attacks.

Fission Exits the Mac App Store

Paul Kafasis (tweet):

We want to be sure that our customers who previously purchased Fission via the Mac App Store are taken care of as well. To that end, we will be transitioning you over to our directly distributed version.

[…]

For almost twenty years, we’ve sold our software directly to our customers via our online store. Our fast and secure purchase process has served our customers very well. Since the Mac App Store opened in 2011, we’ve also experimented there. However, despite a decade of feedback from countless developers and users, Apple has made scant few changes and the store remains beset with issues. When you couple the many shortcomings and issues with Apple’s restrictive policies that preclude most of our software from appearing there, the Mac App Store is clearly a poor fit for us. With the removal of Fission, we no longer have any products in the Mac App Store.

Jeff Johnson:

I remember putting Fission in the Mac App Store, and it sucked, mainly because we had to mangle it and make the app worse for sandboxing.

Steve Troughton-Smith:

A damning indictment of the Mac App Store.

Jonathan Deutsch:

I’d love to see a follow-up to this piece about overall revenue with any other apps/app-makers that have left the Mac App Store.

Frank Reiff:

I’m thinking of removing my apps from the Mac App Store, the revenue from that source is constantly dropping and I’m really only offering it as a convenience for potential customers, especially those with a Mac App Store preference.

James Thomson:

When I was selling via both the Mac App Store, and Kagi, it got up to around 80% MAS sales, and the direction was pretty clear. For something like PCalc which is (less) unlikely to fall foul of App Review, I think it’s still the best place to be.

Update (2021-09-08): Steve Troughton-Smith:

Alternate take on the Mac App Store: I only joined the MAS in the past two years after years of my apps being iOS-only. It has since grown to ~30% of my revenue, a chunk that didn’t exist before, and, as competition is low, the App Store editors are eager to show off great apps.

Mike Rockwell:

How can anyone watch so many developers leave and/or completely ignore the Mac App Store and continue to think that the iOS App Store is actually good for the platform?

Apple Delays Child Safety Features

Joseph Cox (tweet, Hacker News, The Verge, MacRumors, TechCrunch):

“Last month we announced plans for features intended to help protect children from predators who use communication tools to recruit and exploit them, and limit the spread of Child Sexual Abuse Material. Based on feedback from customers, advocacy groups, researchers and others, we have decided to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features,” Apple said in the statement.

It sounds like they are delaying, indefinitely, both the Messages and iCloud Photos components.

Matthew Green:

My suggestions to Apple:

(1) talk to the technical and policy communities before you do whatever you’re going to do. Talk to the general public as well. This isn’t a fancy new Touchbar: it’s a privacy compromise that affects 1bn users.

(2) Be clear about why you’re scanning and what you’re scanning. Going from scanning nothing (but email attachments) to scanning everyone’s private photo library was an enormous delta. You need to justify escalations like this.

(3) As Nick says, client-side scanning is icky to people. There is a reason for this. Considering the number of privacy invasions users have learned to live with, the pushback on this line means something. Learn from it.

(4) Privacy-preserving cryptographic protocols aren’t going to distract people from the fact that what you’re trying to do is uncomfortable.

And (5) if you’re going to make your system design public, make all of it public. Withholding NeuralHash and then having it REed, broken: that was a catastrophe.

There’s also the issue of the secondary server-side hashing algorithm, which Apple seems not to have mentioned until after people started criticizing NeuralHash. Are there other key components not mentioned in the whitepaper?

Kyle Howells:

To me client side scanning is THE issue. Server side, do whatever you want. But MY device should be MINE, and only do what I tell it and/or act for my benefit.

Scan things on “sharing” them, not on “storing” them.

Cindy Cohn (via Edward Snowden):

EFF is pleased Apple is now listening to the concerns of customers, researchers, civil liberties organizations, human rights activists, LGBTQ people, youth representatives, and other groups, about the dangers posed by its phone scanning tools. But the company must go further than just listening, and drop its plans to put a backdoor into its encryption entirely.

Nick Heer:

If you think Apple lacks the backbone to resist political pressure for expanding the CSAM matching database, you definitely cannot hope for wholly encrypted iCloud storage without any way of detecting abuse.

[…]

I am curious about the company’s next steps, though. […] I look forward to a solution that can alleviate many researchers’ concerns, but if — as with the App Store — trust has been burned. Only Apple can rebuild it.

Adam Engst:

The other possibility is that the entire effort is now tainted, making this “delay” just a face-saving way for Apple to drop the technology like the hot potato it became. Would there be a massive public outcry if 2022’s Worldwide Developer Conference came and went with no mention of CSAM detection in iOS 16?

Paul Haddad:

It’s a loss for Apple because all they managed to do is piss off everyone.
