Archive for September 24, 2021

Friday, September 24, 2021

iOS Safari Extension: Achoo

Christian Selig:

Quickly view the HTML for a given page in Safari on iOS/iPadOS 15. Customizable, beautiful, easy to use, and you can tweak the page too!

It’s $0.99.

iOS Safari Extension: Amplosion

Christian Selig:

Amplosion automatically redirects from AMP links to normal websites.

[…]

  • A great deal of the time the website loads weirdly or incompletely, potentially missing parts or acting differently than you’re used to
  • AMP links add another opportunity for AMP providers to track you
  • The URLs often become really gross for sharing with friends, with a bunch of weird extra stuff shoved into them, or sometimes not even from the correct website

Parker Ortolani:

The app also lets you keep track of how many times you’ve visited an AMP link and how many times you’ve used Amplosion to avoid one. Amplosion is priced at just $1.99 and if you hate AMP as much as I do it’s well worth it.

Update (2021-09-29): Nick Heer:

Do not miss Selig’s announcement video.

See also: Hacker News.

Christian Selig:

Safari extensions require your permission to run, so in the interest of transparency I wanted to make the app completely open source. Amplosion’s Privacy Policy already states that it’s completely private (everything is handled locally, on-device) but why trust my words when you can go through the code itself? My intention is for this to serve as an extra layer of validation that Amplosion is a privacy-first app, and seeks simply to make your web browsing experience more pleasant.

Misty:

The fact that so many people hate AMP that the $3 iOS plugin to get rid of it is #1 in the app store is kind of an incredible sign of what a bad technology it is.

Nick Heer:

More notable, I think, is that it is the third most popular paid app of any kind in the Canadian App Store as I write this, sitting just behind Procreate Pocket and well ahead of Facetune, Wolfram Alpha, and at least four moose hunting apps.

Federico Viticci:

AMP is a user-hostile, useless technology that has harmed the mobile web and publishers who fall for it

Rob Ruenes:

current mood: you worked on the initial AMP launch and then bought this app 😌

John Wilander:

As I said, the Google AMP cache is the cross-site tracking stunt of the decade.

Valentino Volonghi:

[If] you click this link from macOS, it will open Apple News and ask for subscription, but if you open from iOS Twitter client it will open up people.com on the news. I would argue this is much worse than what AMP does as well


iOS Safari Extension: StopTheMadness

Jeff Johnson:

People have been requesting StopTheMadness on iOS for literally 3 years!

I never thought it would be possible, but I was pleasantly surprised, to put it mildly, by the announcement of Safari extensions on iOS at WWDC.

I’m thrilled to finally be able to release it!

Jeff Johnson:

StopTheMadness is a web browser extension that stops web sites from making your browser harder to use. And it protects your privacy on the web! StopTheMadness works in Safari on iOS and iPadOS, and in all major web browsers on macOS, including Safari, Firefox, Google Chrome, and any other Chromium-based web browser, such as Microsoft Edge, Brave, and Vivaldi. StopTheMadness is sold separately on the iOS App Store and Mac App Store.

Jeff Johnson:

[U]nfortunately App Store is very inflexible when it comes to cross-platform purchasing. It’s only possible in certain limited circumstances that don’t fit my apps.

The iOS version is $7.99, and the Mac version is $9.99.

Jeff Johnson (tweet):

I won’t screenshot the App Store page here, because I’d like people to judge the experience for themselves. There are a few featured extensions at the top, and below that there’s a list of “Must-Have Safari Extensions”. When I select “See All”, there’s a list of 22 extensions, written by 20 developers (2 developers have 2 extensions in the list). The featured extensions at the top of the previous Safari Extensions page are all included in this list too. Here’s my question: Where are the rest of the Safari extensions for iOS? An iOS user might understandably get the impression that these are the only Safari extensions available for iOS, because they’re the only Safari extensions shown by the App Store.

[…]

I’m complaining that there’s no comprehensive list of Safari extensions in the App Store. If an app isn’t featured, then it effectively doesn’t exist. […] Apple claims that the App Store gives developers access to over a billion customers, but what kind of “access” is it when the only way that customers find your app is if they follow a direct URL link to your app or search for your app by name (and hopefully see it below the irrelevant ads)?


Update (2021-10-04): Jeff Johnson:

StopTheMadness has a lot of features. From a marketing perspective, maybe too much of a good thing! I want to highlight a few features often overlooked:

1) Allows PiP on YouTube (“Video controls” website option)

2) Deletes tracking tags from clicked links

3) Stops Google AMP


iOS Safari Extension: 1Password

Sami Fathi:

With iOS and iPadOS 15, Apple allows Safari extensions developers to release their previously exclusive Safari for Mac extensions to the iPhone and iPad, allowing users to use extensions on all of their devices. 1Password was one of the first to tease support earlier in June, and with its latest App Store update today, it’s bringing it to all users.

With its Safari extension on iPhone and iPad, 1Password users now have immediate access to all their passwords and 1Password entries right inside of Safari, including in-page suggestions. 1Password for Safari uses on-device machine learning to automatically fill in the login process of complicated websites and even automatically fills in two-factor authentication codes.

Too bad it doesn’t work with standalone vaults.

Update (2021-10-04): Mike Rockwell:

With the introduction of 1Password’s Safari extension, they’ve also discontinued their share sheet extension. This has managed to irritate quite a few users, including myself.

While the Safari extension is great, it doesn’t replace all of the functionality of the previous share sheet extension.

[…]

So if they had already stopped maintaining it, the claim that it would require additional work to maintain doesn’t really hold water. The sensible solution would have been to keep the share sheet extension in the app for some period of time alongside the Safari extension and then notifying users of its imminent retirement.

What irritates me the most is the lack of messaging. I had no idea the share sheet extension was even in consideration for retirement. One day I just updated the app and it was gone — it wasn’t even mentioned in the 7.8 release notes.

Update (2021-10-05): Damien Petrilli:

1Password removal of the share sheet is also preventing it from working with Firefox on iOS as it was used as a workaround as they provide no plugin

iOS Safari Extension: Vidimote

Felix Schwarz:

This iOS 15 Safari Extension can:

🏃‍♂️ change the speed of videos in Safari

⏯ control playback, jump ±10s

🍿 enter picture-in-picture & fullscreen

🎯 pick an AirPlay target

It’s $4.99.

European Union USB-C Mandate

Tom Warren (tweet, Hacker News):

The European Commission, the executive arm of the European Union, has announced plans to force smartphone and other electronics manufacturers to fit a common USB-C charging port on their devices. The proposal is likely to have the biggest impact on Apple, which continues to use its proprietary Lightning connector rather than the USB-C connector adopted by most of its competitors. The rules are intended to cut down on electronic waste by allowing people to re-use existing chargers and cables when they buy new electronics.

In addition to phones, the rules will apply to other devices like tablets, headphones, portable speakers, videogame consoles, and cameras.

[…]

Efforts to get smartphone manufacturers to use the same charging standard in the EU date back to at least 2009, when Apple, Samsung, Huawei, and Nokia signed a voluntary agreement to use a common standard. In the following years, the industry gradually adopted Micro USB and, more recently, USB-C as a common charging port. However, despite reducing the amount of charging standards from over 30 down to just three (Micro USB, USB-C, and Lightning), regulators have said this voluntary approach has fallen short of its objectives.

Apple was a notable outlier in that it never included a Micro USB port on its phones directly. Instead, it offered a Micro USB to 30-pin adapter.

I think Apple is right that mandating a connector will stifle innovation. And I think that, in isolation, Lightning is a better connector than USB-C. However, it’s annoying that I have to carry multiple cables and adapters because, even with exclusively up-to-date Apple gear, my iPhone and AirPods don’t use the same connector as my MacBook Pro and iPad.

Hartley Charlton:

The directive now needs to be greenlit by the EU Parliament and national governments, who may suggest amendments, before it can come into law. The European Commission hopes that this will occur in 2022. From that point, companies will have two years to transition to USB-C on their devices.

Steve Troughton-Smith:

As somebody with an iPhone, iPad, and Kindle on his bedside table, all with different, incompatible, ports, I’m 1,000% behind standardizing on USB-C for everything. Apple had the chance to push the Lightning connector as standard for USB-C; maybe they’ll reconsider that next time

See also: Dithering.


Update (2021-10-20): Peter Maurer:

Why am I in favor of the USB-C mandate for phones and other small devices?

There are two upsides, in my opinion: Standardization means fewer cables, which benefits the environment. The second upside is that this also makes life easier by reducing the number of cables we have to carry around.

John Gruber:

Gartenberg summarizes a commonly-held theory here: that Apple is sticking with its proprietary Lightning port on iPhones because they profit from MFi peripherals. That it’s a money grab.

I don’t think this is the case at all.

[…]

My theory is that Apple carefully weighs the pros and cons for each port on each device it makes, and chooses the technologies for those ports that it thinks makes for the best product for the most people.

[…]

Now, I know what you, someone reading Daring Fireball, might be thinking — I own dozens of USB-C cables already — because you own other products, perhaps several from Apple itself, that do use USB-C. But that’s not true for most iPhone owners around the world. They have Lightning chargers in their kitchens, cars, purses, backpacks, and bedrooms. All things considered, they do not want to replace any of them, let alone all of them.

Nick Heer:

I think this also helps explain why Apple’s “Magic” accessories — keyboard, mouse, and trackpad — and the Siri Remote continue to use Lightning. Lots of people have lots of Lightning cables laying around.

iOS Vulnerabilities Either Unfixed or Uncredited

illusionofchaos (via Kosta Eleftheriou):

I want to share my frustrating experience participating in Apple Security Bounty program. I’ve reported four 0-day vulnerabilities this year between March 10 and May 4, as of now three of them are still present in the latest iOS version (15.0) and one was fixed in 14.7, but Apple decided to cover it up and not list it on the security content page. When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update. There were three releases since then and they broke their promise each time.

Ten days ago I asked for an explanation and warned then that I would make my research public if I don’t receive an explanation. My request was ignored so I’m doing what I said I would. My actions are in accordance with responsible disclosure guidelines (Google Project Zero discloses vulnerabilities in 90 days after reporting them to vendor, ZDI - in 120). I have waited much longer, up to half a year in one case.

[…]

Here are links to GitHub repositories that contain PoC source code that I’ve sent to Apple. Each repository contains an app that gathers sensitive information and presents it in the UI.

Khaos Tian:

This is kinda bad given Core Duet tracks a lot of user activities on device. Maybe Apple’s security team really believe that App Review will capture this 🙃

Felix Krause:

Three 0-day iOS vulnerabilities for unauthorized access to medical data, iMessage, third party messengers, device usage, ...


Upgrading Your iOS Device

Jason Snell:

The problem is that most people don’t buy a new iPhone every year. The primary upgraders to the iPhone 13 will be coming from the iPhone 7, or 8, or X, or XS, or XR. For them, several years of Apple innovations will be rolled into a single purchase. But reviews of the new iPhones will not address what happened in 2018, or 2019, or 2020.

Here’s an attempt to provide a little more of a big-picture overview for owners of older iPhones who are wondering what’s new in the iPhone 13.

[…]

Face ID replaces Touch ID, so if you’re frequently masked and don’t have an Apple Watch, you’ll need to enter your passcode more often.

John Gruber:

Device-to-device is better because it moves over all your login credentials. When you restore from an iCloud backup, you wind up logged out of a lot of apps on the new device. When you restore device-to-device, almost everything moves over. I know there are exceptions, but I don’t think I bounced into a single app that didn’t keep me fully logged in this week. If you tried device-to-device a few years ago and found it lacking, try it again now — Apple has improved this process every year since it debuted. Worst case scenario, you can always start over and use iCloud backup.


Update (2021-10-20): Marco Arment:

I think the only way to include downloaded podcast files in phone transfers is to ALSO set them to be included in your iCloud Backup.

I’ve never set that flag because most people don’t want to waste a lot of their limited iCloud space for most podcasts, which are redownloadable.

Some Web Sites Will Stop Working With El Capitan and Older

Scott Helme (Hacker News):

On 30th September 2021, the root certificate that Let’s Encrypt are currently using, the IdenTrust DST Root CA X3 certificate, will expire. You may or may not need to do anything about this Root CA expiring, but I’m betting a few things will probably break on that day so here’s what you need to know!

[…]

In normal circumstances this event, a root CA expiring, wouldn’t even be worth talking about because the transition from an old root certificate to a new root certificate is completely transparent. The reason we’re having a problem at all is because clients don’t get updated regularly and if the client doesn’t get updated, then the new root CA that replaces the old, expiring root CA is not downloaded onto the device.

[…]

In the last year alone, Let’s Encrypt have grown their market share quite a lot and as a CA becomes larger, its certificates enable more of the Web to operate and as a result, when something like this comes along they have the potential to cause more problems. This is nothing to do with what Let’s Encrypt have done, or have not done, this still comes down to the same underlying problem that devices out in the ecosystem aren’t being updated as they should be.

[…]

Because old Android devices don’t check the expiration date of a root certificate when they use it, Let’s Encrypt may be able to continue to chain down to the expired root certificate without any problem on those older devices.

Howard Oakley:

If you’re still running El Capitan, or any version of Mac OS X prior to 10.12.1, then you’re about to run into problems with some popular security certificates.

macOS 10.11 was only superseded five years ago, and some older hardware can’t run 10.12. On the iOS side, an iPhone 4S can’t update to iOS 10. I get that Apple doesn’t want to provide security bug fixes that far back, but how hard would it be to have a mechanism for updating the root certificates? (Then again, even the Mac App Store no longer works properly on macOS 10.13 due to a bad CSS URL.)

Let’s Encrypt is quite popular now, and there are other certificates issued using the same root. Lots of sites will break, and users won’t know what to do.

This blog and the C-Command forum use Let’s Encrypt, and they are set to redirect HTTP to HTTPS. I haven’t decided how to handle this yet. So far, it seems like the only options are to accept the breakage or to buy a certificate from another provider.

The main C-Command site (which my apps use for automatic software updates) uses a different certificate that should continue to work. One of the mirror download sites does use Let’s Encrypt; if you get an error due to that you could try again until you get the non–Let’s Encrypt mirror.
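
The failure modes quoted in this section, as an added example that is not code from any of the quoted authors: a simplified model of certificate path validation that tracks names and expiry dates only (no signatures). The 29 and 30 September 2021 dates come from the quoted text; ISRG Root X1 as the replacement root, the remaining dates, and the host name `example.test` are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime

def utc(y, m, d, h=0):
    return datetime(y, m, d, h, tzinfo=timezone.utc)

# Expiry dates of DST Root CA X3 and the old R3 are the ones quoted in the text
# (time of day simplified to 00:00 UTC).
DST_ROOT = Cert("DST Root CA X3", "DST Root CA X3", utc(2021, 9, 30))
OLD_R3 = Cert("R3", "DST Root CA X3", utc(2021, 9, 29))
# Assumptions, not from the page: replacement root name, these dates, host name.
ISRG_ROOT = Cert("ISRG Root X1", "ISRG Root X1", utc(2035, 6, 4))
CROSS_SIGNED_X1 = Cert("ISRG Root X1", "DST Root CA X3", utc(2024, 9, 30))
NEW_R3 = Cert("R3", "ISRG Root X1", utc(2025, 9, 15))
LEAF = Cert("example.test", "R3", utc(2021, 12, 1))

UPDATED_STORE = {c.subject: c for c in (ISRG_ROOT, DST_ROOT)}
STALE_STORE = {DST_ROOT.subject: DST_ROOT}  # client that never received the new root

def validate(leaf, sent, trust_store, now, check_anchor_expiry=True):
    """Follow issuer links from the leaf to a trust anchor; return (ok, reason).
    Models names and validity dates only; real validation also verifies signatures."""
    pool = {c.subject: c for c in sent}  # intermediates sent by the server
    cert, seen = leaf, set()
    while True:
        if now > cert.not_after:
            return False, f"{cert.subject} expired"
        anchor = trust_store.get(cert.issuer)
        if anchor is not None:
            # Old Android skips this check, so the expired root keeps working there.
            if check_anchor_expiry and now > anchor.not_after:
                return False, f"trust anchor {anchor.subject} expired"
            return True, f"anchored at {anchor.subject}"
        nxt = pool.get(cert.issuer)
        if nxt is None or nxt.subject in seen:
            return False, f"no path from {cert.subject} to a trusted root"
        seen.add(nxt.subject)
        cert = nxt

def scenarios():
    chain = [NEW_R3, CROSS_SIGNED_X1]
    after = utc(2021, 10, 1)
    return {
        "updated client": validate(LEAF, chain, UPDATED_STORE, after),
        "stale client, before expiry": validate(LEAF, chain, STALE_STORE, utc(2021, 9, 1)),
        "stale client, after expiry": validate(LEAF, chain, STALE_STORE, after),
        "old Android behaviour": validate(LEAF, chain, STALE_STORE, after, False),
        "old R3 still served, 29 Sep": validate(LEAF, [OLD_R3], STALE_STORE, utc(2021, 9, 29, 12)),
    }

if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:30} {'OK  ' if ok else 'FAIL'} {reason}")
```

The last scenario corresponds to the intermediate-expiry case reported in the 2021-10-04 update below, where a chain that still references the old R3 fails a day before the root itself expires.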


Update (2021-10-04): Commenter “a” and Stefan Reitshamer have posted instructions for how to download a new root certificate so that certificates from Let’s Encrypt and others can still be trusted on macOS 10.11.

Howard Oakley:

A few days ago I warned that those still using older versions of Mac OS X are likely to have problems making secure HTTPS connections with many websites, because of a security certificate due to expire on 30 September. Unfortunately, it has turned out that this isn’t confined to older Mac OS X, and can even affect Monterey betas. And there’s more than one certificate which has now expired.

[…]

Although this is a Let’s Encrypt certificate chain, the first of the certificates to expire wasn’t its DST Root CA X3 which we were warned about, which remained valid at the time that this happened to me. The first certificate to expire was the intermediate R3, which expired on 29 September, a day earlier.

[…]

So how come two different Macs connecting to the same site get such different chains of trust?

The answer I suspect lies in the caching of certificate checks. Both my iMac and iPhone have connected to this site previously, and rather than performing a full certificate check every time, macOS is just using old results, which still refer to the old intermediate and Root certificates. My M1 Mac mini had never connected to that site, so had to perform a fresh check on the chain of trust, which then traced back to the current chain with its replaced intermediate and Root certificates.

Howard Oakley:

In the rest of this article, I’ll focus on the use of security certificates for one of their most common purposes, in establishing a secure connection to a remote server using the HTTPS protocol, using Transport Layer Security (TLS), which long ago was known as the Secure Sockets Layer (SSL) and is still occasionally referred to incorrectly as being SSL.

Howard Oakley:

Since the first of those security certificates expired on 29 September, there’s been a steady stream of comments from ordinary users, those operating small websites, developers, and system administrators, documenting far more extensive consequences than any of us had anticipated.

[…]

When your browser blocks or warns you about a site you want to visit, don’t just blunder on assuming that you’re right. You might be, but you have at least to wonder what’s wrong, and whether that’s a warning in itself. Check the site’s certificates and think through the implications of any error messages. If the identity on the leaf certificate doesn’t match the site you’re trying to connect to, be extremely wary, as that’s a common ploy of impersonators.

Howard Oakley:

To understand why current versions of Safari appear to be having problems connecting to some sites, particularly those affected by the recent Let’s Encrypt certificate changes, I’ve been exploring what’s recorded in the Unified log. This article casts more light on the checks which Safari runs, and how they can fail.

See also: Reddit.


Update (2021-10-08): See also: Reddit, Let’s Encrypt.

Update (2021-11-12): Howard Oakley:

Many users are continuing to report problems trying to connect to some websites, which reportedly have broken certificates. This comes a month after the fiasco with the Let’s Encrypt root certificate, and affects some other root certificate authorities, including IdenTrust. This article explains how you can deal with these and similar problems in both current and older versions of macOS.