Archive for August 2022

Tuesday, August 30, 2022

Making the “The Swift Programming Language” Book Open Source

Kyle Murray (Hacker News):

We’re happy to announce that “The Swift Programming Language” book is now an open source project. This new project will be the basis of publishing the book on Swift.org in the future […] and will use the open source DocC tool.

[…]

When the open source repository is able to generate a high-quality version of TSPL, we will switch over to publishing directly from that repository. At that time we’ll also start taking pull requests for more content changes.

Active Mac Malware Scans

Howard Oakley:

In the last six months macOS malware protection has changed more than it did over the previous seven years. It has now gone fully pre-emptive, as active as many commercial anti-malware products[…]

[…]

These are orchestrated by XProtectPluginService, an XPC service which is scheduled and dispatched using the DAS-CTS system that does the same for most periodic background tasks.

[…]

The DubRobber (XCSSET) scanner is by far the most frequently run, performing scans lasting 15-35 seconds every hour or two during periods of low user activity.

Update (2022-09-03): See also: MacRumors, Hacker News.

Update (2022-09-14): Josh Avraham:

Users on macOS Catalina and onwards can manually trigger an XProtect scan any time they want to by running /Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtect

Claris Pro, Go, Server, and Studio

Adam Engst:

Claris will rename FileMaker Pro, FileMaker Go (for deploying FileMaker apps on the iPhone and iPad), and FileMaker Server (for hosting multi-user FileMaker apps) to Claris Pro, Claris Go, and Claris Server. A new Web-based development environment called Claris Studio will join and integrate with the other products to provide a modern, cloud-based system.

[…]

The more important change for longtime individual FileMaker users is that there will be a freemium version of Claris Pro with free access to Claris Studio (and presumably Claris Go). Its only restriction is that databases created with the freemium version are restricted to a single user—but there are no size or time constraints.

Janet Jackson Music Crashed Laptop Computers

Raymond Chen:

And then they discovered something extremely weird: Playing the music video on one laptop caused a laptop sitting nearby to crash, even though that other laptop wasn’t playing the video!

[…]

It turns out that the song contained one of the natural resonant frequencies for the model of 5400 rpm laptop hard drives that they and other manufacturers used.

The manufacturer worked around the problem by adding a custom filter in the audio pipeline that detected and removed the offending frequencies during audio playback.

Friday, August 26, 2022

Lighter.swift

Helge Heß:

Lighter is a set of technologies applying code generation to access SQLite3 databases from Swift, e.g. in iOS applications or on the server. Like SwiftGen but for SQLite3.

[…]

Lighter builds upon the database schema and hence directly knows what it looks like at compile time. For common operations no mapping is necessary at all, the generated code runs as fast (usually faster) than hand written code. It directly binds Swift structures to the SQLite API.

[…]

Lighter itself is a small and convenient API to access SQLite databases. Enlighter, the code generator, can however produce code that just uses the SQLite API and doesn’t require any dependencies, i.e. tech debt.

Helge Heß:

With Lighter.swift it is often (significantly) faster to waste and always fetch full records than to do manual fragment fetches w/ runtime based SQLite libs.

Sandboxing a Command Line Tool With Paths As Arguments

Alexandre Colucci:

In order to get access to random files outside of the app container, you can ask the user to select a folder using an Open dialog. The app will then be allowed to access any file inside this selected folder… as long as the app is running. If the app is quit and relaunched (as you might expect from a command line tool), you will need to use Security-Scoped Bookmarks to keep this access persistent.

[…]

It all sounds simple… until you realize that a command line tool can’t prompt the user to select a folder using an Open dialog. The solution I came up with, is to prompt the user in the main app and pass the Security-Scoped Bookmark to the command line, easy right?

[…]

The main app can pass non-secure bookmark to a child process. How does it help in our case where the command line tool is not a child process? Well it turns out that the main app can pass the non-secure bookmark to the command line tool as long as both binaries are running at the same time.

This is a mess. It seems like command-line tools shouldn’t need to be sandboxed. If I’m invoking the tool from Terminal, it should have whatever access my current Terminal window does. Likewise, if the containing app invokes the tool, it would be limited to what that sandboxed app can do. I’ve seen conflicting reports on what the rules are, perhaps because App Review has been inconsistent in what it approves.

See also: Using non-sandboxed XPC service from Sandboxed app extension.

Clip Studio Paint Switching to Subscriptions

Celsys (via Jonathan Deutsch):

Customers with an Update Pass or a Monthly Plan (purchased through app stores or the Clip Studio Paint site) will be able to use the most up-to-date version of the app for as long as their plan or pass is valid. Version 2.0 will also be available as a one-time purchase (perpetual license).

[…]

The perpetual version will still get free stability updates when necessary to address major bugs in the app.

[…]

New features for the perpetual version will be included in each major version (2.0, 3.0, etc.), however, new feature updates will not be provided free of charge. Even if you have purchased the perpetual version of Version 2.0, you will still need to purchase an Update Pass in order to get access to new feature updates.

Thursday, August 25, 2022

Sales of Different iPhone 13 Models

canalys:

The North American smartphone market reached 35.4 million shipped units in Q2 2022, down 6.4% yearly amid economic challenges, high inflation, and poor seasonal demand. Apple grew 3% and has dominated over half the North American region for three consecutive quarters, thanks to solid iPhone 13 demand combined with a full quarter’s performance of its entry-level model, the iPhone SE (3rd Gen). Samsung’s shipments increased 4% as its S series and low-end A series devices continued to deliver. Lenovo (Motorola), TCL, and Google rounded off the top five, claiming 9%, 5% and 2% market share.

Via Matt Birchler:

  1. The SE is a beast!
  2. The really mini is such a niche iPhone
  3. Even a niche iPhone sells as much as any individual Android model

It sure seems like the mini will become the next SE.

Tim Hardwick:

With no iPhone 14 mini expected to feature in Apple’s upcoming iPhone 14 series lineup this September, we look at the best possible alternative iPhone options for those who prefer smaller form factor devices.

Update (2022-10-06): Nick Heer:

The iPhone SE’s unique selling point is probably its price, not its form factor. Consider that the next most expensive iPhone in Apple’s lineup is the iPhone 11, which has the same 6.1-inch display as the rumoured SE 4. Why would Apple not simply slide this phone — more or less — down the price ladder?

Tim Hardwick:

Apple will base the next-generation iPhone SE on the design it used for the iPhone XR, claims leaker Jon Prosser, citing new information from his sources.

Twitter Whistleblower Peiter Zatko

Casey Newton:

On January 21, a moderately surprising headline hit the New York Times: in one of his first official acts as Twitter CEO, Parag Agrawal had fired the company’s chief information security officer, Rinki Sethi, and its head of security, Peiter Zatko. It was the latter firing that surprised; Zatko, who is known within cybersecurity circles as “Mudge,” is a veteran hacker who had previously worked at DARPA, Google, and Stripe.

[…]

In an 84-page complaint filed with the Securities and Exchange Commission, the Department of Justice, and the Federal Trade Commission, Zatko alleges severe negligence on the part of Agrawal and other company executives in protecting user data, misleading government officials, and violating a 2011 consent decree with the FTC.

[…]

The complaint alleges that about half of Twitter’s employees had access to critical systems that enabled them to make harmful changes or collect sensitive data. Historically that was true, I’m told, but began to change starting around 2018, and now access is more limited and audited more regularly.

Donie O’Sullivan (Hacker News):

First time Twitter CEO @paraga weighs in on whistleblower story.

CNN (via Hacker News, Slashdot):

The disclosure, sent last month to Congress and federal agencies, paints a picture of a chaotic and reckless environment at a mismanaged company that allows too many of its staff access to the platform’s central controls and most sensitive information without adequate oversight. It also alleges that some of the company’s senior-most executives have been trying to cover up Twitter’s serious vulnerabilities, and that one or more current employees may be working for a foreign intelligence service.

[…]

According to the disclosure, Agrawal and his lieutenants repeatedly discouraged Zatko from providing a full accounting of Twitter’s security problems to the company’s board of directors. The company’s executive team allegedly instructed Zatko to provide an oral report of his initial findings on the company’s security condition to the board rather than a detailed written account, ordered Zatko to knowingly present cherry-picked and misrepresented data to create the false perception of progress on urgent cybersecurity issues, and went behind Zatko’s back to have a third-party consulting firm’s report scrubbed to hide the true extent of the company’s problems.

[…]

Zatko’s disclosure argues that by reporting bots only as a percentage of mDAU, rather than as a percentage of the total number of accounts on the platform, Twitter obscures the true scale of fake and spam accounts on the service, a move Zatko alleges is deliberately misleading.

Zach Edwards:

First up… folks have known for awhile that tons of Chinese advertisers were/are buying Twitter ads… But no one had pieced it together that those Chinese advertisers would be using Twitter Custom Audiences to doxx VPN users who verified with real contact info…

[…]

Twitter apparently used their cookies for “all purposes” (security cookies used for advertising) ++ once told by the French CNIL to change this, they kept it on purposefully for another month “in order to extract maximum profit from French users before rolling out the fix.”

[…]

“Twitter employees were repeatedly found to be intentionally installing spyware on their work computers at the request of external organizations. Twitter learned of this several times only by accident, or because of employee self-reporting.”

[…]

“…The Indian government forced Twitter to hire specific individual(s) who were government agents… it was believed by the executive team that the Indian government had succeeded in placing agents on the company payroll…”

Nick Heer:

You can read Mudge’s whistleblower disclosure and infosec report — both PDFs — for yourself, if you would like. Both contain heavily redacted sections, especially around claims of corporate fraud.

Mike Masnick reviewed these reports in two parts at Techdirt. Masnick’s first analyzed Mudge’s claims about Twitter’s security infrastructure, its compliance with an FTC consent decree, and whether it had hired foreign spies deeply embedded in the company. The second piece, published today, is exclusively responding to the many stories claiming Mudge’s investigations will help Elon Musk’s justification for backing out of his acquisition of Twitter:

John Gruber:

Remember too that Twitter DMs are not end-to-end encrypted. They are stored on Twitter’s servers in a form that Twitter can read. The phone numbers and email addresses of anonymous dissidents are very sensitive, but I’d argue that the contents of DMs are the most sensitive information Twitter holds.

You should never put anything in a Twitter DM that you wouldn’t print on a postcard sent in the mail.

[…]

I don’t think there’s any way to overstate how damning Zatko’s allegations are. He describes a criminally corrupt company and board.

John Gruber:

Anyone inside Twitter aware of Zatko’s concerns could have leaked them to Musk. Jack Dorsey, for example, personally hired Zatko and was CEO until just a few weeks before Zatko’s firing. Musk’s allegations about Twitter misreporting bot activity might be fully legitimate, not an empty pretext for backing out of his acquisition.

See also: Bruce Schneier.

Update (2022-08-26): John Gruber:

All I meant to imply is that Mudge’s allegations seem to back Musk’s claims that Twitter’s “mDAU” category of users is mostly a pile of horseshit when it comes to the experience of using Twitter. […] As Masnick exquisitely illustrates, the problem for Musk is that when he agreed to buy Twitter, he agreed based on Twitter’s mDAU figures.

See also: Hacker News, Dithering.

Update (2022-09-03): Elaine Atwell (via Hacker News):

Still, it’s worth asking why the economic story is overshadowing the security one. Given the amount of sensitive data the site has on its users–including and especially journalists–and the fact that its security lapses have already caused global chaos, why aren’t we all more alarmed?

[…]

What’s remarkable about Mudge’s accusations is that Twitter wasn’t just failing to guard against hypothetical scenarios; they were failing to patch holes that had already led to breaches.

Update (2022-09-14): Lorenzo Franceschi-Bicchierai:

In testimony to a Senate committee, a Twitter whistleblower said that the Chinese government had placed at least one agent of the country’s intelligence agency undercover as a Twitter employee.

Ronan Farrow (via Hacker News):

“My family and I are disturbed by what appears to be a campaign to approach our friends and former colleagues under apparently false pretenses with offers of money in exchange for information about us,” Zatko told me. “These tactics should be beneath whoever is behind them.”

Rejected for Being Too Similar to a Web Site

Alin Panaitiu (via Hacker News):

I tried to launch a simple, no-frills iOS app for party-goers and music festivals in 🇷🇴 Romania.

[…]

The app is simple, fast, does what it says without any BS unneeded complexity. I thought subsequent features would be added based on what the users would ask for.

But sure, let’s add some premature iOS native features for Apple[…]

[…]

Three more days of Waiting for review and, as before, another rejection with the same generic message.

Aren’t most iOS apps simply native wrappers for Web sites?

Update (2022-08-29): Alin Panaitiu:

About a week after this article started spinning around the internet[…] I got an email from App Store Connect that the app is now In Review. Without me submitting anything more than what was already there from the third try.

Good for him, but again it seems like there is no actual standard being set. It just depends on which reviewers you get, how they’re feeling at the time, and whether the rejection goes viral.

Joe Fabisevich:

This story about Apple’s App Store “simple apps” policy really upsets me, the policy is completely arbitrary. Apple puts a lot of effort into getting people started with programming on iOS, but those same people will build “simple apps” and get rejected.

I recently made an app that’s just for me and my friends to play daily word games together. I was able to get them onto TestFlight but TestFlight isn’t an adequate replacement. With no alternative distribution mechanism on iOS Apple is stifling creativity on their own platform.

I say all of this not as an Apple hater but as a person who loves building for Apple’s platforms and wants to see them thrive. Heck, I plan to build my business atop iOS, but there’s room for home cooked apps that surprise and delight just a few people.

Wednesday, August 24, 2022

See What JavaScript Commands Get Injected Through an In-App Browser

Felix Krause (tweet, Hacker News, MacRumors):

Last week I published a report on the risks of mobile apps using in-app browsers. Some apps, like Instagram and Facebook, inject JavaScript code into third party websites that cause potential security and privacy risks to the user.

[…]

Introducing InAppBrowser.com, a simple tool to list the JavaScript commands executed by the iOS app rendering the page.

[…]

Just because an app injects JavaScript into external websites, doesn’t mean the app is doing anything malicious. There is no way for us to know the full details on what kind of data each in-app browser collects, or how or if the data is being transferred or used.

[…]

While you are interacting with the website, TikTok subscribes to all keyboard inputs (including passwords, credit card information, etc.) and every tap on the screen, like which buttons and links you click.

Ryan Jones:

But they promise they don’t use it. 🤣

Damien Petrilli:

So Apple is now aware that Tiktok has a key logger in their App, and they are still in the App Store.

Feeling safe yet?

TikTok shouldn’t be rejected just for registering JavaScript key handlers. The takeaway is that it’s not possible for Apple to reliably detect this sort of nefarious behavior, so they shouldn’t represent that they do or use that as justification for locking into their payments system.

Nick Heer:

Is TikTok a keylogger? Is Instagram monitoring every tap on a loaded webpage? It is impossible to say, but it does not look good that either of these privacy-invasive apps are so reckless with users’ ostensibly external activity.

It reminds me of when iOS 14 revealed a bunch of apps, including TikTok, were automatically reading pasteboard data. It cannot be known for certain what happened to all of the credit card numbers, passwords, phone numbers, and private information collected by these apps.

Felix Krause:

This new [WKContentWorld] system was initially built so that website operators can’t interfere with JavaScript code of browser plugins, and to make fingerprinting more difficult. As a user, you can check the source code of any browser plugin, as you are in control over the browser itself. However with in-app browsers we don’t have a reliable way to verify all the code that is executed.

So when Meta or TikTok want to hide the JavaScript commands they execute on third party websites, all they’d need to do is to update their JavaScript runner[…]
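An added example, not part of the quoted posts and not the code behind InAppBrowser.com: one way a page can record which DOM APIs an injected script calls, by wrapping those APIs before anything else runs. The watched method list, the function names and the stand-in page objects are assumptions, constructed so the sketch runs under Node.

```javascript
// Added illustration: page-side instrumentation that logs calls to selected
// DOM APIs. Every name below is hypothetical and chosen for this example.

const WATCHED = {
  document: ["addEventListener", "getElementById", "querySelectorAll", "createElement"],
  window: ["addEventListener", "postMessage"],
};

// Event types whose subscription lets a script observe typing and taps.
const INPUT_EVENTS = new Set(["keydown", "keyup", "keypress", "input", "click", "touchstart"]);

// Replace each listed method on `target` with a wrapper that appends an entry
// to `log` and then calls the original, so page behaviour is unchanged.
function instrument(target, targetName, methods, log) {
  for (const name of methods) {
    const original = target[name];
    if (typeof original !== "function") continue;
    target[name] = function (...args) {
      log.push({
        api: `${targetName}.${name}`,
        // Record event types, selectors and ids; callbacks are only marked.
        args: args.map((a) => (typeof a === "function" ? "[function]" : String(a))),
      });
      return original.apply(this, args);
    };
  }
}

// Reduce the raw log to what a reader cares about: how many calls were seen
// and which of them subscribed to keyboard, input or tap events.
function summarize(log) {
  const inputSubscriptions = log
    .filter((e) => e.api.endsWith(".addEventListener") && INPUT_EVENTS.has(e.args[0]))
    .map((e) => `${e.api}(${e.args[0]})`);
  return { totalCalls: log.length, inputSubscriptions };
}

// Constructed stand-ins for `document` and `window` (no browser needed).
function makeFakePage() {
  const listeners = [];
  const doc = {
    addEventListener(type, fn) { listeners.push({ on: "document", type, fn }); },
    getElementById() { return null; },
    querySelectorAll() { return []; },
    createElement(tag) { return { tagName: String(tag).toUpperCase() }; },
  };
  const win = {
    addEventListener(type, fn) { listeners.push({ on: "window", type, fn }); },
    postMessage() {},
  };
  return { doc, win, listeners };
}

// Constructed stand-in for a script that a host app injects into the page.
function injectedScript(doc, win) {
  doc.addEventListener("keydown", () => {});
  doc.addEventListener("click", () => {});
  doc.querySelectorAll("a");
  win.addEventListener("scroll", () => {});
}

function runInjectionDemo() {
  const { doc, win, listeners } = makeFakePage();
  const log = [];
  instrument(doc, "document", WATCHED.document, log);
  instrument(win, "window", WATCHED.window, log);
  injectedScript(doc, win);
  // The wrappers forwarded every call, so the listeners were still registered.
  return { report: summarize(log), listenersRegistered: listeners.length };
}

console.log(JSON.stringify(runInjectionDemo(), null, 2));
```

In a real page the same `instrument` calls would be applied to `document` and `window` from the first script the page loads. As the WKContentWorld quote above points out, this only sees scripts that run in the page's own content world.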

Apple’s Use of AppKit, Catalyst, and SwiftUI in macOS

Alexandre Colucci (tweet, Hacker News):

As you can see in the graph:

  • AppKit apps account for a huge percentage of apps
  • After a slow start, the number of apps using SwiftUI is quickly growing
  • The number of Mac Catalyst apps reached a ceiling [but see this]

[…]

And here is the corresponding graph if you split the apps in 6 categories:

  • Catalyst apps using SwiftUI
  • Catalyst apps with no SwiftUI
  • SwiftUI apps using AppKit
  • SwiftUI apps without relying on AppKit
  • AppKit apps using SwiftUI
  • AppKit apps with no SwiftUI

Apple Car: Software and Money

Jean-Louis Gassée:

Initially, one asks why Apple, whose average Gross Margin is in the 54% range (40% for hardware, more than 60% for services), would want to enter a hundred-year-old entrenched industry whose gross profit margins are in the 7% range, climbing to the mid teens for premium brands. But a closer examination reveals an exception: Tesla’s Gross Margin recently jumped from 26.5% to 33%.

[…]

We now have a possible explanation for Apple’s enduring effort to make a car against such long software odds. A profitable share of the $3.8T global car industry is well worth the estimated $1B/year it costs to move the Titan project forward. And even if Level 5 automation remains out of reach for the entire auto industry, Apple still might decide to compete using its asset-light, software-heavy business model.

Update (2022-10-14): Jean-Louis Gassée (Hacker News):

But there’s another side to the story. As the sages insist, we don’t understand a problem, an idea, a case unless we’re able to see, to plead both sides. So, I’ll attempt to argue that the Apple Car is a bad idea.

[…]

Personally, it’s jarring to think that I’ve joined the chorus of doomsayers who have repeatedly predicted Apple’s failure with the Mac, the iPhone, the iPad…whatever Apple comes up, it’s going to crash and burn. But my honest view is that the Apple Car project could be a bad idea for reasons of price, sales and service infrastructure, and technical challenges.

Removing the iOS Dictation Button

Jeff Johnson:

I consider it dickish behavior by Apple that they force you to enable dictation first in order to remove the unwanted dictation button, especially since enabling dictation seems like it might send your private information — such as contacts and location! — to Apple. So much for “Privacy is a fundamental human right.”

Fortunately, a kind person gave me a tip on how to disable dictation without first enabling it: use Screen Time! Enabling Content & Privacy Restrictions in Screen Time and disabling Siri & Dictation will also make the dictation button disappear from the Safari address bar.

Of course, then you won’t be able to use Siri at all, if you care about that.

Yoink Rejected for Mentioning Old iOS Feature

Matthias Gansrigler:

Got a rejection for @YoinkApp for #Mac for mentioning Apple pre-release software, but I am not. They didn’t give an example or any info where I’m allegedly mentioning it, either.

Turns out they didn’t like that his app mentions support for Continuity Camera, which was added in iOS 12. But Continuity Camera is also the name of a new iOS 16 feature, and you aren’t allowed to mention pre-release stuff.

Matthias Gansrigler:

App Review’s responses are getting downright nonsensical and disconnected.

They now offered me links to “helpful” articles on how to implement features like Game Center, iCloud, and In-App purchases.

What exactly does that have to do with iOS 12’s Continuity Camera feature!?

Sure, it seems like they have no idea what they’re doing, but we’re supposed to believe this is keeping the platform safe.

He escalated to the App Review Board. Six days later:

“Your app is no longer in violation”. Great.

But now they found 3 (!) other things allegedly wrong with @YoinkApp for #Mac, which have been there “forever” and never posed a problem before. 🤦‍♂️

Tuesday, August 23, 2022

Implementing the Swift Parser in Swift

Mattt Thompson:

SwiftSyntax is a Swift library that lets you parse, analyze, generate, and transform Swift source code. It’s based on the libSyntax library, and was spun out from the main Swift language repository in August 2017.

Douglas Gregor:

We have started a project to reimplement the Swift parser in Swift, to become part of the SwiftSyntax library. The current implementation can parse much of the Swift grammar already.

[…]

The main goal of this project is to fully replace the C++ implementation of the Swift parser for all clients.

[…]

The parser will attempt to recover from syntax errors, maintaining as much of the program structure as is feasible. It has no side effects, and in particular produces no errors regardless of how ill-formed the input source text is. Instead, all errors are described in the syntax tree itself, and can be diagnosed by a separate pass that identifies such errors.

[…]

SwiftSyntax is designed to maintain all “trivia” (including whitespace, comments, etc.) precisely as it occurs in the source text, so that a syntax tree can be rendered back into text that is byte-for-byte identical to the original source.

See also: Swift Abstract Syntax Tree (via Helge Heß).

Pixelmator Photo Switching to Subscriptions

Andrius Gailiunas (MacStories, AppleInsider, MacRumors):

Pixelmator Photo will now cost $4.99 per month, $23.99 per year, or $54.99 for a lifetime license but existing paid users get unlimited access for free. Also, Pixelmator Photo for Mac is coming! What’s more, early subscribers will get access to it for the same monthly price, which will go up when the Mac version is out.

[…]

For now, a free app with locked features is the only way to provide a free trial on iOS and iPadOS.

[…]

[On] iOS, the prices of other, less powerful apps are so low that pricing the app at, say, $29.99 puts people off, especially with no free trial. However, the current low price ($7.99) isn’t sustainable in the long run.

[…]

We’d love to charge one price for the app across all platforms – Mac, iOS, and iPadOS – and this is only possible with a subscription.

Pixelmator Photo is their nondestructive photo editor, not the original app that’s more like Photoshop and Acorn.

Zoom Updater Vulnerabilities

Lily Hay Newman (Hacker News):

Wardle found that he could change the name of the software he was trying to sneak through to contain the markers Zoom was broadly looking for and get the malicious package past Zoom’s signature check.

[…]

Wardle found that using a Zoom tool known as updater.app, which facilitates Zoom’s actual update distribution, he could trick the distributor into accepting an old, vulnerable version of Zoom instead, after which an attacker could exploit old flaws to get full control.

[…]

Wardle noticed that there is a moment after the installer verifies the software package—but before the package installs it—when an attacker could inject their own malicious software into the Zoom update, retaining all the privileges and checks that the update already has.

Corin Faife:

Zoom has updated its Mac app to address the vulnerability, with version 5.11.5, which is available for download now.

Ole Begemann:

Fyi, you don’t have to give the Zoom installer your admin password:

  1. Download the Suspicious Package app
  2. Open the Zoom installer file (.pkg) in Suspicious Package
  3. Drag the .app file from Suspicious Package into your Applications folder

See also: Bruce Schneier.
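
An added example, not Zoom's code and not Wardle's: the first two findings above, modelled as a signer check that searches report text which embeds the file name, beside one that compares the validated signer field and refuses anything not newer than the installed version. The signer name, the shape of the verification result, the version numbers and the function names are constructed assumptions.

```javascript
// Added illustration of updater acceptance checks. All values are constructed.

const EXPECTED_SIGNER = "Example Vendor, Inc."; // hypothetical signer name

// Human-readable report of a verification result. Note that it embeds the
// package file name, which is chosen by whoever supplies the file.
function renderReport(result) {
  return [
    `Package "${result.packageName}":`,
    `  Status: ${result.signed ? "signed" : "no signature"}`,
    `  Signer: ${result.signerCommonName}`,
  ].join("\n");
}

// WEAK: looks for the expected signer anywhere in the report text, so a file
// name containing that string satisfies the check.
function weakSignerCheck(result) {
  return renderReport(result).includes(EXPECTED_SIGNER);
}

// Compare dotted numeric versions. Returns -1, 0 or 1, or null when either
// string is not purely numeric components (treated as a rejection upstream).
function compareVersions(a, b) {
  const pa = a.split(".");
  const pb = b.split(".");
  if (![...pa, ...pb].every((p) => /^\d+$/.test(p))) return null;
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = Number(pa[i] ?? 0);
    const y = Number(pb[i] ?? 0);
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// STRICT: compares only the validated signer field, exactly, and rejects any
// candidate that is not strictly newer than what is installed.
// Assumption: candidateVersion is read from the signed package contents.
function strictUpdateCheck(result, candidateVersion, installedVersion) {
  if (result.signed !== true) return { ok: false, reason: "unsigned" };
  if (result.signerCommonName !== EXPECTED_SIGNER) {
    return { ok: false, reason: "unexpected signer" };
  }
  const cmp = compareVersions(candidateVersion, installedVersion);
  if (cmp === null) return { ok: false, reason: "unparseable version" };
  if (cmp <= 0) return { ok: false, reason: "not newer than installed" };
  return { ok: true, reason: "accepted" };
}

// Constructed cases: a genuine update, a package from another signer whose
// file name contains the expected signer string, and a genuine but old build.
function runUpdaterDemo() {
  const installed = "2.3.1";
  const cases = [
    { name: "genuine", version: "2.4.0",
      result: { packageName: "Updater.pkg", signed: true, signerCommonName: EXPECTED_SIGNER } },
    { name: "renamed", version: "2.4.0",
      result: { packageName: `${EXPECTED_SIGNER} Updater.pkg`, signed: true,
                signerCommonName: "Unrelated Developer" } },
    { name: "old", version: "2.1.0",
      result: { packageName: "Updater.pkg", signed: true, signerCommonName: EXPECTED_SIGNER } },
  ];
  return cases.map((c) => ({
    name: c.name,
    weak: weakSignerCheck(c.result),
    strict: strictUpdateCheck(c.result, c.version, installed),
  }));
}

console.log(JSON.stringify(runUpdaterDemo(), null, 2));
```

The third finding, the gap between verification and installation, is not modelled here.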

Apple Silicon Virtualization Apps

Howard Oakley:

There are currently three major apps to run macOS as a guest on an Apple silicon Mac with Monterey 12.5 as a host:

There’s also my free app Viable now in beta 3.

[…]

All four of these apps currently use Apple’s Virtualization framework to download, install and run macOS guests, thus have almost identical core features and shortcomings. The one notable exception to this is VirtualBuddy, which apparently uses an undocumented method of booting a Monterey guest into Recovery mode. That’s essential if you want to downgrade or disable Secure Boot, for example if you want to turn SIP off in your VM.

[…]

None of the apps supports Apple ID connections, which is a serious problem for making the transition to Ventura: this means that a Monterey VM can’t run App Store apps at all, except for Apple’s free apps, such as Numbers.

[…]

By far the most economical solution is to create a new volume on which to keep your VMs; when that’s added to Time Machine’s exclusion list, then snapshots won’t be made of that volume either.

My main interest in virtualization is for running old or beta versions of macOS for testing. Lately, I’ve been doing this without virtualization, just using separate partitions and external SSDs on a separate Mac. However, I only bring one Mac with me when I travel, and I don’t trust installing a beta version on the internal SSD. For a while, I used an external SSD. This was kind of a pain because I couldn’t set it up using my secondary Intel Mac. It would only boot my M1 Mac if I ran the installer and each update from the M1 Mac itself—taking it out of commission for hours. With the Ventura beta, I was unable to get the beta to even install on the external SSD (neither the full installer nor updating from the Monterey beta). So, I’ve not set it up yet, but using virtualization seems like a more promising option.

Monday, August 22, 2022

Self Service Repair for M1 Mac Notebooks

Apple (Hacker News):

Self Service Repair for MacBook Air and MacBook Pro offers more than a dozen different repair types for each model, including the display, top case with battery, and trackpad, with more to come. Customers who are experienced with the complexities of repairing electronic devices will be able to complete repairs on these Mac notebooks, with access to many of the same parts and tools available to Apple Store locations and Apple Authorized Service Providers.

[…]

Apple will offer rental kits for $49, so that customers who do not want to purchase tools for a single repair still have access to these professional repair tools. Customers will have access to the tool kit for one week and it will be shipped free of charge.

This is great to see.

Hartley Charlton:

Apple reaffirmed that the program will expand to additional countries later this year, starting in Europe.

Jason Snell:

The cost of repair parts varies widely. An audio board replacement might cost $12, and speakers $29, while the logic board for a 32-core GPU MacBook Pro with 32GB of memory and a 1TB hard drive would run more than $1900. However, depending on the part, Apple will buy back the broken part and refurbish it for re-use in another repair, making that $1900+ logic board repair cost a little less than $600. (If Apple doesn’t reimburse you for a part, they’ll still accept it and recycle it if you want to send it back to them.)

Update (2022-08-29): Mr. Macintosh:

Customer: I need to replace the battery in my 2021 M1 MBPro. (out of warranty)

Apple Store: We can do that for you. (parts & labor) = $199

Apple Self Service: You can buy the part from us = $527. You can now perform the repair yourself, then send the old part back = $439

Sam Goldheart (MacRumors, Hacker News):

But let’s not compare Apples to Phillips Screws—it’s not 162 pages because Apple has changed where batteries sit in the MacBook Pro. It’s that long because the manual says that to replace the battery, you’ve got to replace the entire top case. At the time of writing, Apple will not sell you a replacement MacBook Pro battery. They sell you a “Top Case with Battery and Keyboard.” And so their guide has you remove literally every component from the top case. The laptop is built on the top case, so to get to it, you’ve got to demanufacture the whole thing.

The Hidden History of Screen Readers

Sheon Han:

Blindness made working as a mechanical engineer difficult. When he consulted Florida’s Division of Blind Services, a counselor told him that computer programming was becoming a popular career for people who are blind.

[…]

In 1987, they founded Henter-Joyce and soon released the first version of their screen reader for DOS. They called it JAWS, which stands for Job Access With Speech, but is also a playful reference to another DOS screen reader called Flipper, like the dolphin in an eponymous 1960s TV show.

JAWS was not the only screen reader in the market, but it had original features like the dual cursor — one application cursor for navigating elements on the page and another that could move freely like how our eyes move around the screen. It also had built-in Braille support and a scripting language for users to customize their workflow.

[…]

It was only in 2019 that an open-source alternative — NonVisual Desktop Access (NVDA) — finally overtook JAWS in popularity. (JAWS took back its dominant market share in 2020, but just barely).

See also: Upgrade.

Previously:

Google Account Deleted Due to CSAM False Positive

Kashmir Hill (Hacker News):

With help from the photos, the doctor diagnosed the issue and prescribed antibiotics, which quickly cleared it up. But the episode left Mark with a much larger problem, one that would cost him more than a decade of contacts, emails and photos, and make him the target of a police investigation. Mark, who asked to be identified only by his first name for fear of potential reputational harm, had been caught in an algorithmic net designed to snare people exchanging child sexual abuse material.

[…]

Two days after taking the photos of his son, Mark’s phone made a blooping notification noise: His account had been disabled because of “harmful content” that was “a severe violation of Google’s policies and might be illegal.”

[…]

A few days after Mark filed the appeal, Google responded that it would not reinstate the account, with no further explanation.

[…]

CyberTipline staff members add any new abusive images to the hashed database that is shared with technology companies for scanning purposes. When Mark’s wife learned this, she deleted the photos Mark had taken of their son from her iPhone, for fear Apple might flag her account.

The police determined that no crime had occurred, but Google permanently deleted his account, anyway. Apparently, the police now have the only copy of his data.

I don’t really want to use iCloud Photo Library, but I have it enabled now because Image Capture doesn’t work wirelessly, and recent versions have been buggy. I guess the proper way to take photos for a doctor would be to temporarily turn off iCloud Photo Library or to use a third-party camera app that doesn’t save to the camera roll. But I bet nearly every iPhone user has some photos—be they medical, sexual, or of documents—that they would like to mark as private (not just hidden). They should still be backed up but protected with an extra password or something. I don’t know how to prevent this from being abused to store actual CSAM, though.

Meek Geek:

If you are accused by Google of doing something they don’t like and have your account blocked, there is no easy way to get human support on the other side to review the issue.

Kyle Howells:

One of the things I’ve been doing the last few years is trying to slowly remove Google as a single point of failure in my life.

Spreading out my online life over more companies so no 1 company can ruin my life at the flick of a switch.

There’s no real way to remove Apple if you use an iPhone.

Previously:

Update (2022-08-26): John Gruber:

To my knowledge, no innocent person has been falsely flagged and investigated like Mark using the NCMEC fingerprint database. It could happen. But I don’t think it has. It seems uncommon for an innocent person like Mark to be flagged and investigated by the second method, but as Hill reports, we have no way of knowing how many like Mark there are who’ve been wrongly flagged, because for obvious reasons they’re unlikely to go public with their stories.

[…]

“Avoid uploading to the cloud” is difficult advice for most people to follow. Just about everyone uses their phone as their camera, and most phones from the last decade or so — iPhones and Android alike — upload photos to the cloud automatically. When on Wi-Fi — like almost everyone is at home — the uploads to the cloud are often nearly instantaneous.

[…]

The on-device vs. on-server debate is legitimate and worth having. But I think it ought to be far less controversial than Google’s already-in-place system of trying to identify CSAM that isn’t in the NCMEC known database.

See also: Dithering, The Talk Show.

Update (2022-10-10): See also: Hacker News, Ben Thompson, Nick Heer.

Too Secure

Manton Reece:

I continue to think that my devices are now too secure. Face ID shouldn’t freak out multiple times a day, requiring a pin. Safari shouldn’t scrap cookies every week, requiring needless extra web sign-ins. Any security beyond unlocking my Mac is usually unnecessary friction.

I think there’s something to this. There is often a tradeoff between security and convenience, so it’s important to find the right balance and to limit the annoying stuff to where it actually helps a lot.

Face ID requires my passcode multiple times per day, which tempts me to choose one that’s less secure. Safari is more annoying than other browsers because the “Remember me” checkbox on so many sites doesn’t work. Apple’s sites seemingly always require logging in. My old iMessages are nearly impossible to access, and cannot be directly downloaded, ostensibly because they are end-to-end encrypted. Yet, in practice, that’s a mirage, so it feels like Apple has more access to them than I do. Transparency Consent and Control (TCC) seemed like a reasonable idea but remains failure-prone and confusing—as if the thinking was that making it smoother would be less secure. And, of course, the App Store provides—at great cost—arguably much more the appearance of security than actual security.

Previously:

Update (2022-08-29): Nick Heer:

I agree with Reece’s diagnosis of the problem, but not its cause. If someone is logged into a user account on a Mac, everything in the keychain is probably unlocked and available to them as well. And if they have text message forwarding enabled on their iPhone, an SMS-based two-factor code will appear in Message. Despite what is basically security theatre, I need to reauthenticate several times weekly on websites and in applications I use all the time.

Friday, August 19, 2022

Samsung’s Repair Mode

Ron Amadeo (Hacker News):

Handling data during a mail-in repair process is tough. You could wipe your phone, but that’s a big hassle. You don’t want to just send in a completely locked down device, as technicians can’t thoroughly test it if they’re locked out of everything. While in repair mode, technicians can still poke around in your device and test everything, but they’ll only see the default apps with blank data. When you get your device back, you can re-authenticate and disable repair mode and you’ll get all your data back.

This may provide a false sense of security because it’s probably not as private as actually wiping the phone. On the other hand, we’ve seen that most people can’t or simply don’t do that, so it seems like a useful idea that Apple should copy.

Previously:

C23 Is Finished

Björkus Dorkus (tweet):

What’s in C23? Well, it’s everything […] present in N3047.

[…]

The new constexpr keyword for C means you don’t have to guess at whether that is a constant expression, or hope your compiler’s optimizer or frontend is powerful enough to treat it like one to get the code generation you want if VLAs with other extensions are on-by-default. You are guaranteed that this object is a constant expression, and if it is not the compiler will loudly yell at you.

[…]

While default, plain compound literals have “block scope” (C) or “temporary r-value scope” (C++), with the new storage-class specification feature, you can control that.

[…]

Go read this to find out all about the feature and how much of a bloody pyrrhic victory [#embed] was.

[…]

nullptr and the associated nullptr_t type in <stddef.h> fixes that problem. You can specify nullptr, and it’s required to have the same underlying representation as the null pointer constant in char* or void* form. This means it will always be passed correctly, for all ABIs, and you won’t read garbage bits.

[…]

If you ever used __auto_type from GCC: this is that, with the name auto.

Previously:

Google Searches With Quotes

Yonghao Jin:

Google Search has a special operator for that: quotation marks. Put quotes around any word or phrase, such as [“wireless phone chargers”], and we’ll only show pages that contain those exact words or phrases.

Now we’re making quoted searches better. The snippets we display for search results (meaning the text you see describing web content) will be formed around where a quoted word or phrase occurs in a web document. That means you can more easily identify where to find them after you click the link and visit the content. On desktop, we’ll also bold the quoted material.

[…]

As referenced above, sometimes quoted searches match content contained within a web page that isn’t readily visible, making it seem like the content isn’t on the page when it actually is present.

[…]

Sometimes people use the standard Find command in a browser to jump to the phrase they want, after arriving on a page. If that doesn’t work, though, you can try using a developer tools option. For instance, in Chrome, you can search from within Developer Tools to match against all rendered text, which would include the text in drop-down menus and other areas of the site.

Via Dave Mark:

My number 1 issue with “quote search” Google searches is clicking on a link and not being able to find the quoted term.

Same.

Previously:

Garbage Collection in JavaScriptCore

Haoran Xu:

The garbage collector in JSC is non-compacting, generational and mostly–concurrent. On top of being concurrent, JSC’s GC heavily employs lock-free programming for better performance.

[…]

The inlined metadata cellState is easy to access for the mutator thread (the thread executing JavaScript code), since it is just a field in the object. However, it has bad memory locality for the GC and allocators, which need to quickly traverse through all the metadata of all objects in some block owned by CompleteSubspace (which is the common case). Outlined metadata have the opposite performance characteristics: they are more expensive to access for the mutator thread, but since they are aggregated into bitvectors and stored in the block footer of each block, GC and allocators can traverse them really fast.

So JSC keeps both inlined and outlined metadata to get the better of both worlds: the mutator thread’s fast path will only concern the inlined cellState, while the GC and allocator logic can also take advantage of the memory locality of the outlined bits isNew and isMarked.

All this engineering notwithstanding, I still find myself using Chrome for some sites like Board Game Arena, where performance, even with an M1 Mac, is abysmal compared with Chrome on a much slower Mac.

Previously:

Thursday, August 18, 2022

iOS VPNs Are Broken

Tim Hardwick (Hacker News):

Third-party VPNs made for iPhones and iPads routinely fail to route all network traffic through a secure tunnel after they have been turned on, something Apple has known about for years, a longtime security researcher has claimed (via ArsTechnica).

Writing on a continually updated blog post, Michael Horowitz says that after testing multiple types of virtual private network (VPN) software on iOS devices, most appear to work fine at first, issuing the device a new public IP address and new DNS servers, and sending data to the VPN server. However, over time the VPN tunnel leaks data.

Both Proton and Horowitz say that toggling Airplane Mode does not work around the problem.

Michael Horowitz:

It also seems that Apple has a level of trust that they do not deserve. Back in March 2020, Steve Gibson said “… Apple’s going to fix this. I’m sure it’s already been fixed in-house. They’re probably moments away from pushing out a fix to this because it’s gotten a lot of attention in the industry … I imagine within a few days this’ll be fixed.” A slightly more skeptical John Dunn of Sophos wrote at the time that “A patch might not appear for weeks”. It has been over two years.

I emailed Apple at their special email address for reporting security issues on May 19, 2022 and, for a week, there was no response. On May 26th, I emailed again and, this time, Apple responded the next day.

[…]

To date, roughly five weeks later, Apple has said virtually nothing to me. They have not said whether they tried to re-create the problem. They have not said whether they agree on this being a bug. They have not said anything about a fix.

Still no response or fix for the Mail bug I and others reported nearly 3 years ago, where moving messages between mailboxes instead deletes them, even though it was widely reported.

Previously:

Update (2022-10-11): Ben Lovejoy:

Proton told me that it was aware of the claimed fix, and had tested it at the time. However, the company found that it was only partially effective. Insecure connections to some Apple services remain in place after a VPN is activated.

[…]

Amplifi responded to a customer query by saying that it had tested the fix, and found it caused reliability problems.

[…]

Horowitz additionally pointed out that even iOS doesn’t seem to know whether or not a VPN service is active.

See also: ArsTechnica (via Hacker News).

Update (2022-10-14): Mysk (via doekezanstra):

We confirm that iOS 16 does communicate with Apple services outside an active VPN tunnel. Worse, it leaks DNS requests. #Apple services that escape the VPN connection include Health, Maps, Wallet.

macOS 12.5.1

Juli Clover:

According to Apple’s release notes, macOS Monterey 12.5.1 improves the security of macOS and is recommended for all users. The update addresses kernel and WebKit vulnerabilities that could lead to arbitrary code execution. Apple says that it is aware that these vulnerabilities may have been actively exploited in the wild, so it is important to update right away.

You can download the installer and IPSW (via Mr. Macintosh).

Howard Oakley:

Other than expected minor increments in build numbers for parts of WebKit, the only visible change is that Safari is updated from 15.6 (17613.3.9.1.5) to 15.6.1 (17613.3.9.1.16).

Previously:

Suggested Shortcuts Improvements

Matthew Cassinelli:

Today, Apple released updates to their iWork suite of apps that adds actions in Shortcuts for Pages, Numbers, and Keynote on macOS, bringing powerful first-party actions that Mac users can take advantage of to automate their work[…]

[…]

One oddity worth mentioning is that the “Add Row” action requires Numbers to physically open the spreadsheet and insert the data, just like it does on iOS – Apple should make this action work in the background without opening the app, otherwise it creates an inconsistent experience with every other action in Shortcuts that doesn’t require opening the app to insert data.

Matthew Cassinelli:

One piece of low-hanging fruit that Apple could grab onto to improve the onboarding experience is to do an overhaul of the quality of action descriptions in the app.

[…]

Secondly, the flow of information throughout the Shortcuts app is still very confusing and not immediately obvious for new or even intermediate users. […] Apple should implement a step-through mode like the one implemented in their Swift Playgrounds app, which allows users who are learning coding basics to see what’s happening in between each step.

[…]

Many of the categories in the Shortcuts gallery haven’t been curated recently — I literally programmed them myself when I worked at Workflow — and there are many more examples including third-party apps from the App Store that could show people the power of Shortcuts beyond simple use cases.

Previously:

Gatekeeper Changes in macOS Ventura

Howard Oakley:

In the past, Gatekeeper has primarily been concerned with checking apps and other executable code which have been put in quarantine; once an app has passed those first run checks and its quarantine flag has been cleared, its notarization and signing haven’t been checked again in the same way. Apple has announced that’s changing in Ventura, where Gatekeeper will check that all notarized apps are correctly signed whenever they’re run. This will ensure that no unauthorised modifications can be made to them, without these checks imposing noticeable delays in launching.

Rich Siegel:

Does this mean that if (for example) a user adds or modifies something inside of a notarized application’s package, that macOS will subsequently refuse to launch it and report some helpful error (e.g. “SilverWriter.app appears to have been tampered with”)?

Rosyna Keller:

You get the “this application has been damaged” alert. Of course, like other gatekeeper features, users can disable it.

Guilherme Rambo:

Another change is that apps on macOS may no longer update/modify apps that are not signed by the same development team, unless the other app declares the third-party team ID in its Info.plist. This will lead to some scary dialogs before everyone adapts to this new model.

See also: What’s new in privacy, Phil Stokes (Hacker News).
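
A developer can approximate the signature check described above with the Security framework's static code validation, to see whether a bundle still validates after something inside it has been added or modified. This is an added example, not Apple's Gatekeeper implementation and not code from the quoted posts; the type and function names are hypothetical, and it checks the code signature only, not notarization.

```swift
import Foundation
import Security

/// Outcome of validating an app bundle's on-disk code signature.
struct SignatureCheck {
    let isValid: Bool
    let detail: String
}

/// Human-readable text for a Security framework status code.
func message(for status: OSStatus) -> String {
    (SecCopyErrorMessageString(status, nil) as String?) ?? "OSStatus \(status)"
}

/// Validates the signature of the bundle at `url`, including nested code
/// and every architecture slice, using strict validation rules.
/// A file added to or changed inside a signed bundle breaks the sealed
/// resources and makes this check fail.
func checkSignature(ofBundleAt url: URL) -> SignatureCheck {
    var staticCode: SecStaticCode?
    let created = SecStaticCodeCreateWithPath(url as CFURL, SecCSFlags(), &staticCode)
    guard created == errSecSuccess, let code = staticCode else {
        return SignatureCheck(isValid: false, detail: message(for: created))
    }

    let flags = SecCSFlags(rawValue: kSecCSCheckAllArchitectures
                                   | kSecCSCheckNestedCode
                                   | kSecCSStrictValidate)
    var error: Unmanaged<CFError>?
    let status = SecStaticCodeCheckValidityWithErrors(code, flags, nil, &error)
    if status == errSecSuccess {
        return SignatureCheck(isValid: true, detail: "signature and sealed resources are intact")
    }

    // Prefer the detailed CFError (it names the offending file when there is one).
    if let cfError = error?.takeRetainedValue() {
        return SignatureCheck(isValid: false, detail: CFErrorCopyDescription(cfError) as String)
    }
    return SignatureCheck(isValid: false, detail: message(for: status))
}

// Usage: swift check-signature.swift /Applications/Some.app
// (the script name and the path are placeholders)
guard CommandLine.arguments.count == 2 else {
    FileHandle.standardError.write("usage: check-signature <path to .app>\n".data(using: .utf8)!)
    exit(2)
}
let bundleURL = URL(fileURLWithPath: CommandLine.arguments[1])
let result = checkSignature(ofBundleAt: bundleURL)
print("\(bundleURL.lastPathComponent): \(result.isValid ? "valid" : "INVALID") (\(result.detail))")
exit(result.isValid ? 0 : 1)
```

Running it against a copy of an app before and after editing a file in its `Contents/Resources` shows the failure a launch-time check would hit.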

Previously:

Update (2022-09-26): Howard Oakley:

Fast forward to Ventura in a few weeks time, and not only are there notarization checks, introduced in Catalina, but every time you run that app the same checks on its signature and notarization are made as if it was undergoing first run. If the app doesn’t pass those, you’ll see similar dialogs to those when the problem has occurred on first run, and Gatekeeper will block that app from running on your Mac.

What could possibly go wrong?

Wednesday, August 17, 2022

Nightly Time Machine

Jack Wellborn (tweet):

Nightly Time Machine is a collection of bash scripts that limits macOS’s Time Machine to once per night by only mounting Time Machine disks just before backing up and then unmounting them when Time Machine is finished. Preventing Time Machine disks from automatically mounting when connected also ensures they can be safely disconnected throughout the day.

[…]

At its best, Time Machine is “set it and forget it” in that you should never really have to think about it until a backup is needed or a backup disk needs to be replaced. Time Machine by itself is only at its best on desktops. On laptops, where external drives are frequently disconnected, Time Machine becomes a hassle at best and a risk to data at worst. With Nightly Time Machine, Time Machine is “set it and forget it” on laptops.

Earlier this year, I tried solving these problems using network Time Machine, but I gave up with that for my main Mac. I noticed that the Time Machine volume was mounted all of the time, and there was constant network traffic, seemingly because Spotlight was never able to catch up.

For my laptop that mostly acts as a desktop, I actually want the opposite functionality. Frequent backups during the day are good, but I want it to be quiet at night.

Previously:

Smartphones: a Single Point of Failure

neverminder:

I can’t log in to any of my banks without my phone. Most of the systems in my workplace also require phone app authentication. I can’t do any of those things with just a PC or laptop. Smartphones being the smallest and portable are surely the most lost and stolen. If someone got a hold of my PC or laptop - they would be able to do some damage, but not even close to if they were able to access my phone. Everything everywhere nowadays requires some app.

It seems wrong that Macs and PCs are in some cases now second-class citizens when they should be able to support a superset of the capabilities of a phone (well, aside from SMS).

Being able to run iOS apps on an iPad or Apple Silicon Mac is a potential workaround. As is Google Voice.

Sometimes, as with Symantec VIP Access, there is also a desktop version of the app, but that doesn’t mean that your bank or service actually supports registering multiple devices.

Previously:

Mac Folklore Radio on ClarisWorks History

Mac Folklore Radio:

The story of how “the best-loved application for the Mac” took on Microsoft Works as told by programmer Bob Hearn in 2003.

Read Macworld’s roundup of integrated packages to see how ClarisWorks 1.0 stacked up against its competition.

This is great stuff. Hearn’s written history has been moved here (via Hacker News).

Mac Folklore Radio:

Steven Levy on why Macintosh developers aren’t scared of Claris, the software company backed by Apple Computer.

Original text from Macworld Magazine, June 1992.

ClarisWorks and other seemingly Macintosh-only products did indeed ship on Windows.

Don’t forget to check out the promotional video.

Previously:

How Rich Text Can Vanish in QuickLook

Howard Oakley:

Anyone who works predominantly in Dark Mode is reminded of this failure in QuickLook every day. There are workarounds, of course, and ignoring those instructions about using NSColor.textColor seems to work for Rich Text generated by apps, even though they still need to conform to the rules internally.

The root cause is that QuickLook is cutting corners, and won’t take the trouble to parse the Rich Text properly.

Tuesday, August 16, 2022

Reorder It 1.0.007

Takaaki Onishi (via Accidental Tech Podcast):

Reorder It! is an iPhone App which helps you reorder the addresses.

It’s useful when a contact has multiple e-mail addresses.

I don’t know why standard “Contacts.app” or other AddressBook Apps on App Store don’t have this feature. So I made it.

This is important because the first one in the list is often treated as the default. It also works for phone numbers, physical addresses, URLs, etc.

Safari Extension: Banish

Alex Zamoshchin:

Banish is an ultra-efficient Safari Extension that removes annoying ‘Open in App’ banners and other dark patterns on the web. Block annoying popups and save valuable screen real estate.

Via John Gruber:

If I wanted a long-term lease I’d go to the App Store on my own. Here I am, having already loaded their bloated, poorly-coded webpage, trying to give their site a slice of my attention, and they’re covering their own content — the content I came to their site to see — with a dickpanel suggesting that I install their app.

Sami Fathi:

The banner at the top of Safari is built into Safari and WebKit itself, so to get rid of those, you’ll have to uninstall the respective app from your device. Banish, instead, gets rid of pop-ups implemented in the websites themselves.

Previously:

Slow SwiftUI Closure Actions

Luke Redpath:

TIL - if you’re creating your own SwiftUI environment keys where the value is some kind of “action”, modelled as a closure (e.g. () -> Void) you might see unexpected re-renderings of views that use that @Environment property.

[…]

My hunch - which turned out to be correct - was that closures in Swift are reference types and SwiftUI gets confused when its environment holds reference types. As a clue - note that similar built-in values in SwiftUI are actually structs with callAsFunction() methods.

Update (2022-09-09): Rens Breur:

The underlying reason for this bug is another cool SwiftUI optimization: If a @State variable is not used in the evaluation of a body, changing this variable does not trigger a view evaluation, and does not trigger an update to the view's properties to their values as managed inside the SwiftUI framework. It is a smart optimization, and works well together with memoization: if an input variable is not used, the view does not need to be re-evaluated when it changes, and when it is used, the view only needs to be re-evaluated when it changed.

But in this specific case, it does not work correctly. When we evaluate the body for the first time and the text is collapsed, the state variable is never used, so it seems that it is not needed when evaluating the body. But when we expand the text, the state is read all of a sudden, even though the ContentView itself is not re-evaluated, and the @State is not properly prepared.

There are ways to fix this bug while keeping our content as a closure, but we are now fighting with SwiftUI optimizations instead of making use of them.

Previously:

Removing Unwanted APFS Time Machine Backups

Rich Trouton:

With APFS-formatted Time Machine backup drives, only the option to restore files is available. The Delete Backup or Delete All Backups options are not available.

[…]

You can remove unwanted backups using either the Finder, or by using the tmutil command line tool.

I like browsing and restoring from APFS Time Machine backups, and they seem much better in theory, but I’m tempted to go back to HFS+ because with APFS (at least on Monterey) Spotlight never stops indexing, and there’s no way to turn it off. Alas, Disk Utility doesn’t even make encrypted HFS+ volumes anymore.

Previously:

Monday, August 15, 2022

XProtect Remediator

Howard Oakley:

Recent versions of macOS have come with two tools designed to detect malware and deal with it, by ‘remediation’: XProtect and MRT. This year they have been joined by a third, XProtect.app or XProtect Remediator, and Apple has dropped all references to MRT in its Platform Security Guide.

[…]

Indications are that XProtect Remediator includes the functionality of MRT, together with rapidly improving and extending support for the detection and remediation of other malware. As with XProtect and MRT, Apple conceals the identity of the malware handled by XProtect Remediator using code names, including GreenAcre, SheepSwap, SnowBeagle, SnowDrift, ToyDrop and WaterNet, although its initial executables remain named after known malware families such as Adload and Geneio.

[…]

Although Mojave and older versions aren’t unsupported, new and changed malware which isn’t reliably detected by XProtect’s updated signatures is likely to pass unnoticed on those older macOS, putting those Macs at increasing risk.

Previously:

Products’ Useful Lifespans Should Be Longer Than Their Batteries

Nick Heer:

An embedded, irreplaceable battery makes a lot of sense in many products. It means devoting less space to connectors and hatches, and does not require designers to work around available battery formats. For the length of time the batteries are usable, it can make for much better products. People clearly agree — AirPods are so good that many people who never spent more than $20 or $30 on headphones before are spending hundreds of dollars on a set. But it limits a product’s lifespan to its sole consumable part, which seems silly if you think about it.

[…]

It sure seems as though the things I like about AirPods may not be possible if the batteries were more easily swappable, but it is hard to know for sure. Would they last nearly as long? Could they be so compact? Is it possible to design AirPods around easily-obtainable batteries? I wish Apple would prioritize that sort of thing, as it does seem irresponsible to sell such a disposable product.

Geoffrey Fowler:

So let’s revive Neistat’s radical act of transparency and demand to know when gadgets are designed to die. If companies won’t come clean on their own, let’s require a label right there on the shelf that lists the battery recharge count and how much it costs to replace the battery.

Previously:

QGeeM and Hyper Thunderbolt 4 Hubs

Amazon:

QGeeM Thunderbolt 4 Docking Station is committed to providing unparalleled simplicity, the highest performance and the most reliable connectivity. Achieve 40Gbps extremely fast data transmission, 60W fast charging, support for outputting 8K/4k ultra-clear monitors, quickly improve your work quality and efficiency.

The QGeeM 6-IN-1 Thunderbolt 4 mini Dock. it’s compatible with Thunderbolt 4, Thunderbolt 3, or USB Type C port supports “DisplayPort Alt Mode” and “Power Delivery”.

There are three downstream Thunderbolt 4 ports, plus one USB-C 3.1 Gen 2, and it can charge the computer with 60W of PD.

Via Paul Haddad:

$140 for a Thunderbolt 4 hub is the best price I’ve seen by a small margin. Worth a shot since these are all just Intel reference designs.

Juli Clover:

Accessory maker Hyper, known for its range of chargers, hubs, and battery packs, recently introduced the HyperDrive Thunderbolt 4 Power Hub, which it says is the world’s first Goshen Ridge Thunderbolt 4 hub with an integrated power source.

This one is $179 for three downstream Thunderbolt ports, and it can charge the computer with 96W of PD.

Do these Thunderbolt hubs work any better than USB ones for connecting storage devices? Since getting my M1 MacBook Pro, I’ve had problems with external hard drives sometimes not mounting unless they were connected before the Mac was powered on. (Restarting the Mac is not enough; I have to power it off, which means taking the MacBook Pro out of its dock in order to access the power button on its keyboard.)

The problem occurs for hard drives connected via a USB hub—so far I’ve used hubs from Anker, Rosonway, and Apple—but not with devices connected directly to the MacBook Pro. Unfortunately, two of my MacBook Pro’s ports are used to connect displays, which leaves only one as a reliable connector for external storage. I’d really like to have more built-in ports, even if they are only USB and not Thunderbolt, but this is enough of a pain that it would be worth getting a Thunderbolt hub—if it were more reliable.

Previously:

Sloppy Epic v. Apple Judgment

Florian Mueller:

It’s unbelievable that last year’s ruling has literally hundreds of typos, punctuation mistakes, inconsistencies, and similar errors. Prior to Epic v. Apple, I had never seen anything like that in a high-profile case. Now I’ve finally found the time to document 271 mistakes of that kind (33-page PDF).

[…]

Tim Cook is described as Apple’s “Chief Executive Order.”

[…]

How could this happen? Why didn’t anyone care to proofread the document before it was published last September? Judge Gonzalez Rogers knew that a significant part of the digital economy was watching the case with great interest--not only, but also including many app developers (like me). She had no firm deadline. She could have taken another couple of days.

[…]

[It] would be possible, at least in theory, that a judge publishes a decision with hundreds of typos and similar errors, but nevertheless gets the facts and the law right. Regrettably, the absurdity of saying that Apple’s market share in smartphone operating systems is substantially greater than in smartphones[…]

Previously:

Friday, August 12, 2022

Swift Pitch: “borrow” and “take” Parameter Ownership Modifiers

Joe Groff:

We propose new borrow and take parameter modifiers to allow developers to explicitly choose the ownership convention that a function uses to receive immutable parameters. This allows for fine-tuning of performance by reducing the number of ARC calls or copies needed to call a function, and provides a necessary prerequisite feature for move-only types to specify whether a function consumes a move-only value or not.

[…]

Looking to the future, as part of our ongoing project to add ownership to Swift, we will eventually have move-only values and types. Since move-only types do not have the ability to be copied, the distinction between the two conventions becomes an important part of the API contract: functions that borrow move-only values make temporary use of the value and leave it valid for further use, like reading from a file handle, whereas functions that take a move-only value consume it and prevent its further use, like closing a file handle. Relying on implicit selection of the parameter convention will not suffice for these types.

Previously:

iOS 16 Battery Icon and Text Out of Sync

Tim Hardwick:

In iOS 15 and earlier, battery percent has not been present on iPhones that have Face ID because of the lack of space on either side of the notch that houses the TrueDepth camera hardware. The new design adds the specific battery level to the battery icon, providing a better idea of battery status at a glance.

In Apple’s latest design, the white battery icon remains completely filled in as the battery level gradually depletes. When the semi-transparent percentage reaches 20% or lower, a fifth of the battery icon turns red and the rest of the icon becomes semi-transparent, while the percentage inverts to white.

Mikael Johansson:

Nothing wrong with what Apple released but I think I might’ve preferred something like Alternative A for the battery indicator

I like the iOS 15 indicator that only shows the percentage in Control Center. I don’t want to see the number all the time, just like I don’t set Mail or NetNewsWire to show the unread count in the Dock. It’s distracting.

Update (2022-09-14): Sami Fathi:

Apple has confirmed that users of older generation iPhone models will miss out on the ability to show their iPhone’s battery percentage directly in the status bar.

Juli Clover:

With this [iOS 16.1 beta] update, iPhone 13 mini, iPhone 12 mini, iPhone XR, and iPhone 11 users can see their battery percentage in the status bar, and battery percentage is officially available on the iPhone XR and later. Devices without a Face ID notch always display the battery percentage as well.

Meta Apps Inject Tracking Code

Felix Krause (Hacker News):

Meta injects tracking code into all websites displayed inside their app without the user’s consent, nor the website operator’s permission

This is done by the iOS and Android apps of Instagram, Facebook and FB Messenger

This introduces a range of big security and privacy implications for the end-user, with Instagram being able to steal usernames, passwords and addresses, as well as monitoring screenshots you take, hiding website encryption status from the user and more

[…]

Apple has built “App-Bound Domains”, which could help avoid this kind of platform abuse, however it’s not mandatory yet.

Unfortunately, even the iOS Lockdown Mode doesn’t prevent Instagram fetching user data from third party websites.

Here’s the post.

Kate Cheney:

Once the WKAppBoundDomains key is added to the Info.plist, all WKWebView instances in the application default to a mode where JavaScript injection, custom style sheets, cookie manipulation, and message handler use is denied. To gain back access to these APIs, a WKWebView can set the limitsNavigationsToAppBoundDomains flag in their WKWebView configuration[…]
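An added example, not code from the quoted posts or from WebKit: a Python check that reads an app's Info.plist and reports whether the WKAppBoundDomains key described above is declared and which domains it lists, since those are the only places where a WKWebView that sets limitsNavigationsToAppBoundDomains gets the injection APIs back. The sample plists are constructed, and the 10-entry cap and bare-domain entry format are assumptions taken from WebKit's App-Bound Domains documentation rather than from this page.

```python
import plistlib
from dataclasses import dataclass, field

# Assumption: cap on list length, per WebKit's App-Bound Domains documentation.
MAX_DOMAINS = 10


def _plist(body: str) -> bytes:
    """Wrap a dict body in a minimal XML property list."""
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<plist version="1.0"><dict>' + body + '</dict></plist>').encode()


def _domains(names) -> str:
    items = "".join(f"<string>{n}</string>" for n in names)
    return f"<key>WKAppBoundDomains</key><array>{items}</array>"


# Constructed sample Info.plist contents (not taken from any real app).
SAMPLE_NO_KEY = _plist(
    "<key>CFBundleIdentifier</key><string>com.example.feedreader</string>")
SAMPLE_OK = _plist(_domains(["example.com", "login.example.org"]))
SAMPLE_BAD = _plist(_domains(
    ["https://example.com/app", "Example.com", "example.com"]
    + [f"site{i}.example" for i in range(9)]))


@dataclass
class Audit:
    key_present: bool
    domains: list = field(default_factory=list)   # normalized, de-duplicated
    findings: list = field(default_factory=list)  # human-readable problems


def audit_info_plist(data: bytes) -> Audit:
    """Inspect Info.plist bytes (XML or binary) for WKAppBoundDomains."""
    info = plistlib.loads(data)
    if "WKAppBoundDomains" not in info:
        return Audit(False, [], [
            "WKAppBoundDomains absent: the app has not opted in, so its "
            "WKWebViews are not placed in the restricted default mode"])
    value = info["WKAppBoundDomains"]
    if not isinstance(value, list):
        return Audit(True, [], ["WKAppBoundDomains is not an array"])

    audit = Audit(True)
    seen = set()
    for entry in value:
        if not isinstance(entry, str) or not entry.strip():
            audit.findings.append(f"non-string or empty entry: {entry!r}")
            continue
        name = entry.strip().lower()
        # Entries are expected to be bare domain names, not URLs.
        if "://" in name or "/" in name or " " in name:
            audit.findings.append(f"entry is not a bare domain: {entry!r}")
            continue
        if name in seen:
            audit.findings.append(f"duplicate entry: {entry!r}")
            continue
        seen.add(name)
        audit.domains.append(name)
    if len(value) > MAX_DOMAINS:
        audit.findings.append(
            f"{len(value)} entries listed, more than the cap of {MAX_DOMAINS}")
    return audit


if __name__ == "__main__":
    for label, sample in [("no key", SAMPLE_NO_KEY), ("ok", SAMPLE_OK),
                          ("bad", SAMPLE_BAD)]:
        result = audit_info_plist(sample)
        print(label, result.key_present, result.domains)
        for finding in result.findings:
            print("  -", finding)
```

To audit a real bundle, pass the bytes of its Info.plist to `audit_info_plist`; `plistlib.loads` accepts both the XML and the binary plist encodings.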

Apple Is Building a Demand-side Platform

Ronan Shields (Hacker News):

Apple may have blown up the digital ads business but it left enough fertile ground to build its own, more focused play for media dollars. The company is building a demand-side platform if recent job listings are to be believed.

[…]

It remains unclear if the intended DSP is geared toward serving ads solely on Apple’s owned and operated properties, such as the App Store itself or on the millions of iOS apps, or even on third-party properties such as the mobile web.

Apple would not confirm its plans to build a DSP or provide additional context as to how this would fit into the overall company’s strategy for its ad business. But the job posting is a clear signal of intent for the business that has left the impression (at least publicly) that building ad tech is the last thing it wanted to do.

Update (2022-08-29): Tim Hardwick:

In the latest edition of his “Power On” newsletter, Gurman writes that Apple’s VP of advertising platforms Todd Teresi wants to triple current ad revenue, and the first move to achieve that could be to bring ads to the Maps app. Apple has internally tested adding sponsored spots in Maps search results, reports Gurman, and if it does roll them out to Maps users, it could just be the beginning of a wider expansion.

Gurman speculates that Apple could also bring ads to the digital storefronts of its Books and Podcasts apps[…]

Update (2022-09-09): Nick Heer:

Even so, I firmly believe an expansion of ads across its platforms concurrent with its efforts to rein in others’ tracking behaviour — and, by extension, impacting small business advertisers — will damage Apple’s credibility and users’ satisfaction. Nobody is going to not buy an iPhone because there are ads in Maps, for example, but plenty of people who use Maps are going to feel a little cheated.

The maxim “if you are not paying for the product, you are the product” is as inaccurate as it is a cliché. If Apple really is planning to put more ads in its products, it shows that you can pay thousands of dollars and still be the product — because the line on each chart must go up.

See also: Hacker News.

Thursday, August 11, 2022

Telegram Stuck in App Review

Sami Fathi:

In his Telegram channel, Durov says that an update to Telegram for iOS that will change how people communicate has been stuck in Apple’s App Store review process for over two weeks, with no communication from the company over why or when it will be approved. Durov points out that if an app as popular as Telegram receives this treatment, one can “imagine the difficulties experienced by smaller app developers.”

Update (2022-08-29): Jay Peters (via Hacker News):

“After extensive media coverage of my previous post, Apple got back to us with a demand to water down our pending Telegram update by removing Telemoji — higher quality vector-animated versions of the standard emoji,” Durov wrote on his Telegram channel on Friday.

[…]

Personally, I think the Telemoji look like a lot of fun. I love how they add some life to static emoji faces I’ve gotten quite familiar with. But I’m guessing Apple took issue with another company modifying its designs in this way, which might be why it asked Telegram to remove Telemoji from the update.

There is, in fact, a specific rule 5.2.5 against using Apple’s emoji designs:

Apps and extensions, including third-party keyboards and Sticker packs, may not include Apple emoji.

It’s not entirely clear what this means. Apple seems to have no issue with apps like MaskerAid using Apple emoji as design elements. I would have thought surely that embedding modified versions of Apple’s copyrighted images would be over the line, but I guess it’s not that far over because it took Apple several weeks to decide.

Durov had said that Apple held the app in limbo without any communication, however, AppleInsider writes:

Apple says it provided clear communications with Telegram throughout the review process, including that it would take longer for reviewing the app. In the case of Telegram’s rejection, Apple provided a written notice and a phone call, with the latter checking Telegram knew the reason for the rejection, and how to get back into compliance.

I initially read this as contradicting Durov, but that’s not necessarily true. Apple has a history of releasing carefully crafted statements that give the impression that the developer was lying. When you look closer, it often turns out that there is no contradiction, just differing spins, or that Apple was the one lying. It could be that Apple told him up front that reviewing would take longer but never gave any specifics until weeks later, after all the press, when it finally rejected the update and explained its reasoning.

Ryan Jones (via Dave Wood):

I made an app called Animoji (yup) in 2016 for the launch of “iMessage App Store” that got rejected ~10x for this exact reason.

Basically they were too good. Even when we removed the “gloss” from the designs it was rejected repeatedly.

Kaleidoscope 3.6

Leitmotif (tweet):

The changeset window now sports a modern macOS look with a sidebar that can be hidden. The filter on the bottom now allows filtering files by type, in addition to the file name filter and the buttons that hide or show files that have been modified, added, deleted, or moved. Power user hint: try option-clicking items.

[…]

Beginning with the first update after Kaleidoscope 3.6, you should no longer need to update the ksdiff command line tool when we make changes[…] instead of installing the ksdiff tool by copying it to /usr/local/bin, we just create a link to ksdiff inside the app in /usr/local/bin.

To get the new changeset sidebar when using Tower, you need to uncheck Perform directory diff so that Kaleidoscope receives a list of file changes rather than the before and after folders.

It’s great to see Kaleidoscope getting regular updates. Unfortunately, it’s been stuck in Mac App Store review for 6 days.

Update (2022-08-26): Christopher Atlan:

I don’t know why there is a developer category in the App Store. App Review seems not to know what to do with it. @kaleidoscopeapp is now stuck in review for over 2 weeks without any communication.

Too bad Phil Schiller’s idea didn’t work out.

Christopher Atlan:

Dev Relations whispered that App Review doesn’t know what to do with the sandboxed command-line tool and its installation via Privileged File Operations Entitlement.

Maybe I should forward them this email from PFO? Ha! Can’t! Still “In Review” so no contact option.

Update (2022-09-14): Kaleidoscope:

After a month in App Review, Kaleidoscope 3.6 is now out on the Mac App Store! Enjoy the simplified ksdiff installation as well as the major changeset improvements.

Facebook Ads Manager Scam Removed From App Store

Sami Fathi:

Apple has removed an app that it was unknowingly hosting on the App Store that scammed Facebook advertisers and led hackers to use advertisers’ ad budgets to run possibly malicious ads on Facebook’s platforms, Business Insider reports.

The app previously ranked highly on the App Store when searching for “Facebook ads manager,” the app used by advertisers to control their presence and ads they’re running on the Facebook platform. The app presented itself as the legitimate ads manager for Facebook but was actually a backdoor that let hackers gain access to an account.

[…]

Apple said that the app was originally submitted to the App Store as a simple document manager with no ties or functionality to the Facebook platform.

It’s crazy how genuine bug fix updates keep getting held up in review, yet apps like this are able to completely change their functionality and become highly ranked, yet nothing happens to them until there’s a big news story. The App Store makes it easier for scams like this to gain traction because it’s easier to get discovery through App Store keyword SEO and fake reviews than it would be organically, and people assume that Apple must have vetted it or it wouldn’t be in the store.

French Publishers Make App Store Antitrust Complaint

Florian Mueller:

Well-hidden in a new 90-page U.S. antitrust complaint against Apple (even 251 pages with the exhibits (PDF)), filed on Monday in the Northern District of California, is a challenge to one of the most devious and ruthless schemes Cupertino has ever devised: App Tracking Transparency (ATT).

[…]

At first sight, Société du Figaro et al. v. Apple is just an extension of other U.S. class actions that app developers have previously brought against Apple in the Northern District of California over the 30% app tax. One might be led to think that the only difference is that previous cases--which merely led to a sham settlement the only major beneficiaries of which were Apple and both sides’ lawyers--pursued claims on behalf of U.S.-based app developers, and the Figaro case is now seeking redress on behalf of French legal entities under U.S. federal and California state law because the App Store is a global operation.

[…]

The term I just emphasized--“other policies”--does, however, include ATT. The prayers for relief include a request for “injunctive relief requiring that Apple cease the abusive, unlawful, and anticompetitive practices described [t]herein.”

Ben Thompson:

Apple doesn’t particularly care about or claim ownership of the content of an app on the iPhone, but:

  • Apple insists that every app on the iPhone use its payment system for digital content
  • Apple treats all transactions made through its payment system as Apple data
  • Ergo, all transactions for digital content on the iPhone are Apple data

The end result looks something like this — i.e. strikingly similar to Facebook, but with App Store payments attached[…]

Here’s the key point: when it comes to digital advertising, particularly for the games that make up the vast majority of the app advertising industry, transaction data is all that matters. All of the data that any platform collects, whether that be Meta, Snap, Google, etc. is insignificant compared to whether or not a specific ad led to a specific purchase, not just in direct response to said ad, but also over the lifetime of the consumer’s usage of said app. That is the data that Apple cut off with ATT (by barring developers from linking it to their ad spend), and it is the same data that Apple has declared is their own first party data, and thus not subject to its ban on “tracking.”

Nick Heer:

The actual figures tell a much murkier story. I do not think it is fair to suggest ATT does nothing, but its effect does not seem as pronounced as either its biggest supporters or its biggest naysayers suggest.

[…]

If ATT were so significantly kneecapping revenue, I would think we would see a pronounced skew against North America compared to elsewhere. But that is not the case.

[…]

Perhaps the most favourable evidence for ATT’s effects lies in the earnings reports from Publicis Groupe, which has acquired dozens of name-brand agencies — like Leo Burnett and Saatchi & Saatchi — and also runs a digital ad platform.

[…]

In theory, ATT is a very good option for users. Its biggest problem is that the company which makes it also has an advertising division, and it appears to have engaged in some quiet self-preferencing behaviours. Legal questions aside, it is disappointing to see such an obvious user benefit so easily undermined. These App Store ads give ATT’s critics a clear conflict of interest to point to, look tacky, and create an unpleasant experience. ATT’s reliance on a very specific definition of “tracking” that allows Apple to segment users based on what they read in News and what they buy in third-party apps is far more permissive than I think it ought to be for a company that so loudly trumpets its privacy bonafides.

Nick Heer:

Meta said, quarter after quarter following ATT’s release, that its ability to make money from iPhone users would be crushed, even as it raked in higher ad sales. Finally, earlier this year, it posted some disappointing figures more reflective of inflation and a strong U.S. dollar. But it still blamed Apple for some of that loss.

Update (2022-08-12): John Gruber:

In my spitball theory here — which I think Heer shares — App Tracking Transparency is not the cause of Facebook’s troubles, but just an extra kick in the pants as they stumble downhill toward legacy media irrelevance — a decline that was in the making years before “Ask App Not to Track” was in our vernacular.

Patrick McGee:

Basic answer: the apparent lag was one of perception.

When Apple introduced sweeping ‘do not track’ changes 16 months ago, the economy was booming. Covid had caused spending habits to experience a once-in-a-century shift away from services and towards goods.

Nick Heer:

This is the most convincing argument I have seen for the discrepancy between the booming financials of ad tech firms in the face of App Tracking Transparency which should, some analysts say, have destroyed much of their business. What it does not necessarily explain is the often better performance some of these companies saw in areas where the iPhone has a stronger market presence.

Update (2022-09-09): John Gruber:

The two paragraphs above encapsulate a lot of the skepticism I expressed yesterday regarding the economic profoundness of ATT. I think only a fool would argue that ATT has had no effect on the surveillance advertising business. But I think the other extreme — the argument that everything we’re seeing in the financials for Facebook, Snap, Twitter, and YouTube is attributable largely, let alone solely, to Apple’s App Tracking Transparency rollout last year — is nearly as foolish. I think ATT is being scapegoated, and is, at best, one significant factor among many.

Nick Heer:

On Meta, I think the amount of blame to ascribe to ATT remains murky. The amount of noise created by TikTok’s rapid ascendancy and its ability to take younger users and, therefore, ad dollars away from Meta is an astonishing coup. Is ATT really the thing holding back the growth rate of platforms like Facebook and Instagram, or is it more likely that big advertising dollars are following users’ eyeballs?

Proposed Political BIAS Emails Act

SuretyMail (via Hacker News):

Named the Political BIAS Emails Act of 2022 (BIAS is short for “Bias In Algorithm Sorting”), a/k/a HR 8160 and SB 4409, the new law would require that email receiving systems such as Gmail, Outlook, Yahoo, and all the others, deliver political campaign email directly to your inbox, and they would be expressly forbidden to run it through their spam filters at all. We also include the full text of the proposed law at the end of this article.

[…]

Even though the intro heading says it applies only to email that people have elected to receive, the law would actually require [email providers] to deliver political campaign email directly to your inbox unless, and only unless, you personally mark it as spam. And we all know how effective marking something as spam can be; you can mark some email as spam until you’re blue in the face and it will still end up in your inbox.

Now, this might not be so bad if political campaigns actually followed best email practices, and only put someone on their mailing list if the person asked to be, or at least gave consent to be, put on the mailing list. But everyone in our industries knows that political campaigns are the worst violators of best practices.

I don’t understand how this would be implemented. Presumably it would only apply to US-based mail providers. If the e-mails have to be signed by one of a list of approved private keys, maybe this would actually make it easier to get rid of unwanted political e-mails.

Nick Heer:

In a way, there is consistency in the FEC’s draft position: U.S. politicians are already exempt from most rules governing unsolicited phone calls and texts. They do not have to respect the Do Not Call list. It is sort of fitting for them to be excluded from spam filters, too, though it is maddening.

Makena Kelly:

While Google did not need the FEC to approve the plan before rolling it out, it sought a vote earlier this summer to ensure the program wasn’t at risk of breaking current election regulations. In its Thursday ruling, the FEC confirmed that Google’s plan was legal.

Update (2022-09-26): Makena Kelly:

Google told Axios on Monday that it was launching a controversial new pilot program to keep campaign emails out of spam folders this week.

Wednesday, August 10, 2022

Time for Apple to Fix Texting

Android (MacRumors, Hacker News):

It’s not about the color of the bubbles. It’s the blurry videos, broken group chats, missing read receipts and typing indicators, no texting over Wi-Fi, and more. These problems exist because Apple refuses to adopt modern texting standards when people with iPhones and Android phones text each other.

John Gruber:

RCS messages are only end-to-end encrypted sometimes, if both the sender and recipient are using Google’s Messenger app — and never for group chats, even with Google’s Messenger app.

So, practically speaking, neither RCS nor iMessage is actually private for most users. Right now, the experience of communicating with Android users from Messages is not very good. And it happens via SMS, which is even less secure. Whether or not you consider RCS to be a real open standard, it seems like it would be better than what we have now, and I don’t see Apple proposing a better alternative. It’s unclear whether this is a case of perfect being the enemy of good, RCS having genuine problems, Apple deliberately making things worse for their customers for strategic reasons, or simply not caring.

Regardless, they should also make Messages work better with SMS.

Ron Amadeo (via Jack Wellborn):

Google has been pushing this strategy since the beginning of the year, but coming from the company with the world’s most dysfunctional messaging strategy, it just comes across as a company tired of reaping what it has been sowing.

[…]

RCS has hung around so long and is still so poorly implemented because it was created by the carriers (through the GSMA) as a carrier-centric messaging standard. Carriers did this in the heyday of pay-per-message SMS, when carrier messaging was a real revenue stream. Now that carrier messaging is commoditized though, the carriers in control of RCS don’t have an incentive to care about RCS. RCS is a zombie spec.

Dave Mark:

What is the down side to RCS?

I get why Apple doesn’t want RCS (walled garden, green vs blue bubbles differentiator, etc), but is there a technical downside to switching to RCS?

Matt Birchler:

The thing for me is that everyone who is railing against Apple adding support for RCS are saying it’s because it’s not as good as iMessage, but that’s not what it’s replacing…it’s better for everyone than SMS, which I think is the better comparison.

Update (2022-08-11): Dieter Bohn:

SMS/MMS are bad for texting on any platform, so Google worked with carriers to fix it. Yes, it’s been messy - it’s a hard problem. But sunsetting SMS/MMS and replacing it with something better is what’s right for users.

Russell Ivanovic:

SMS sucks bad. RCS sucks way less. Yes a dedicated end to end encrypted messaging app is better, but RCS is a good step forward.

The world would be a better place if Apple implemented it, period.

Update (2022-09-08): Sami Fathi (Hacker News):

During a panel at Kara Swisher’s final Code Conference yesterday, Cook was asked why iOS has not yet adopted support for the RCS standard and how Steve Jobs would feel about it (via The Verge), despite repeated calls from the industry for the company to do so. “I don’t hear our users asking that we put a lot of energy in on that at this point,” Cook said in response to the question.

[…]

The reporter who asked the question pushed Cook on his response, saying he and his mother find it difficult to send photos and videos to each other because she uses an Android while they use an iPhone. “Buy your mom an iPhone,” Cook told the reporter who posed the situation.

Update (2022-10-06): Abner Li:

Before Google’s “Get The Message” campaign in August, Android’s Messages app was updated with iMessage reactions at the start of this year. In a very weird turn of events, Apple appears to be taking credit for Google adding iMessage reactions on Android.

Why the macOS Ventura Share Menu Is Bad

What’s new in AppKit:

The most prominent update to the sharing experience is the new sharing popover. This replaces the existing share menu with a rich interface that includes more information about the document you’re sharing and familiar features like suggested people. It supports all of the same APIs and delegate methods as the previous picker, so you can still do things like filter the list of sharing services, or insert your own custom services into the picker.

[…]

The new sharing picker is great for kicking off sharing from somewhere like a toolbar button, but sometimes you want to start sharing from a menu, like the main menu bar or the context menu for a selected view inside your app. Previously, you might’ve constructed your own menu to handle this, by enumerating sharing services and then building menu items for each one. Although that does work, it bypasses the standard picker, so now you’re missing out on all of those new features. In macOS Ventura, NSSharingServicePicker can create a standardShareMenuItem for you. You can add the standard item to any menu to easily kick off sharing. Once selected, the menu item summons the sharing popover, and for context menus, it’ll even anchor the popover to the same view that produced the menu.

I love the idea of an API to create the standard Share menu item, but I think it should create a submenu rather than a popover. The popover just doesn’t work very well.

Jeff Johnson:

  1. It takes one click to get the Share menu on Monterey, two on Ventura.
  2. The contextual menu and its Share menu item disappear when I open the Share menu.
  3. Nonetheless, the Share menu is anchored at the now empty space previously occupied by the Share menu item.
  4. The Share menu refers to the Support link on the web page, which is nowhere near where the Share menu is visually anchored.

[…]

I can no longer navigate the menu at all with the keyboard!

The arrow keys and type-selecting by name no longer work.

To me, the worst part is the location of the popover. Say that you are trying to share a file from Finder. With a submenu, the sharing choices always appear just to the right of the cursor. With the new design, if you choose Share… from the menu bar, the popover appears, not near the menu, but potentially way on the other side of the screen, i.e. near the icon that was selected. Even if you choose Share… from the contextual menu, the popover does not originate from where you initiated the command but from the icon. So it’s not just a matter of needing an extra click—which, as with Control Center, feels slower than the menu it replaced—but you also need to first move the cursor to a different area of the screen.

Update (2022-08-11): Peter Böttges:

Keyboard support was also removed from Menubar controls like Sound/Vol. and Wi-Fi with the overhaul in Big Sur.

And most of the new UI has zero support for Apple Script automation, making it inaccessible to those having to rely on it.

That’s the wrong direction to take macOS to.

Seth Willits:

My theory is that NSMenu is a little too limited in its customization capabilities. I’ve run into it now and then.

Ex: As soon as a menu item has a view, it’s no longer a clickable/selectable item like the others. Sometimes want it to be.

Customizing the style and size of individual items is not clear. (Attributed titles get you there with text attachments for images, but … awwwkward)

[…]

But all in all, yes… a popover masquerading as a menu is a terrible thing. Crazy that they did it.

The Top PDF Reader in the Mac App Store

Stephen Warwick (via Kosta Eleftheriou):

An investigation into seven different apps on the Mac App Store, including the number one PDF reader in the U.S., has found that all of them are orchestrated by the same Chinese developer using fake reviews and command-and-control exploits to try and target users.

[…]

For example, an app could determine whether it was in Apple’s review process, changing its UI so as not to fall foul of any App Store guidelines before unleashing popups asking for money on unsuspecting users. […] Finally, multiple spammy versions of the same app with slight variations were uploaded “in order to gain as much market-share as possible in some niches.”

[…]

[These] apps would push users to make purchases using deceptive windows offering purchases of trials or subscriptions with no close or cancel button in sight, leaving the user no option but to click okay and possibly making a purchase.

Alex Kleber:

The developer is well known for abusing the Appstore review system under the account of Polarnet Limited and was previously reported by other Mac Appstore vigilantes a few months ago. At that time, Apple took action and removed many reviews of this developer.

Alex Kleber:

Apple removed all 7 developers’ accounts mentioned in the article.

Jeff Johnson:

I’ve found proof that the apps SmartPlay for Safari by Best App Limited and StreamPlay for Safari by Xiaobo Wang are actually from the same developer.

Needless to say, these are among the top apps in the store.

Rafael (via Kosta Eleftheriou):

two apps of mine almost only get 5-star reviews. However, recently a competitor of mine started writing fake reviews in the review sections of these apps to lower the score of my apps and even uses these reviews to tell people that there were better apps out there, with features that match exactly the features of his apps.

I contacted Apple about this issue and they deleted one review, that was obviously fake and contained bad language. However, they said they could not do anything about the other fake reviews, because these reviews did not violate their guidelines about App Store reviews.

Marcos Tanaka (via Federico Viticci):

Had to request an appeal to the App Review Board. I asked three times for a screenshot or concrete evidence of this supposed hidden functionality in my app, but the reviewer only answered with vague sentences such as “money gambling functionality”.

Twitter Breach of 5.4M Accounts

Lawrence Abrams (Hacker News):

Twitter has confirmed a recent data breach was caused by a now-patched zero-day vulnerability used to link email addresses and phone numbers to users’ accounts, allowing a threat actor to compile a list of 5.4 million user account profiles.

[…]

This vulnerability allowed anyone to submit an email address or phone number, verify if it was associated with a Twitter account, and retrieve the associated account ID. The threat actor then used this ID to scrape the public information for the account.

[…]

While no passwords were exposed in this breach, Twitter is encouraging users to enable 2-factor authentication on their accounts to prevent unauthorized logins as a security measure.

For those using a pseudonymous Twitter account, the social media company suggests you keep your identity as anonymous as possible by not using a publicly known phone number or email address on your Twitter account.

Giving Twitter your phone number was supposed to provide more security, but in this case it seems like it made it easier to look up accounts and link them to other public information.

Update (2022-08-12): See also: Bruce Schneier.

Tuesday, August 9, 2022

Implementing Parts of the Swift Compiler in Swift

Douglas Gregor:

Here’s a proposed build process for the Swift compiler with Swift code in it:

  1. Build C++ bits with the host C++ compiler
  2. Build mandatory Swift bits with the host Swift compiler
  3. Link a “minimal stage 1” Swift compiler
  4. Build optional Swift bits with the minimal stage 1 compiler. Note that these bits may not be fully optimized because the stage 1 compiler may lack some optimizer passes.
  5. Link a “full stage 2” Swift compiler
  6. Rebuild optional Swift bits with the stage 2 compiler.
  7. Link a “final stage 3” Swift compiler

[…]

Personally, I’m excited to open the door to having more Swift code in the compiler, but I want to make sure we’re doing so in a way that doesn’t make it unduly complicated to develop the Swift compiler or port to other host architectures.

Update (2022-08-10): See also: Hacker News.

Which iOS 15 and macOS 12 Monterey Features Do You Actually Use?

Adam Engst:

The most notable finding is that most of them don’t use most of the features listed. Only four features—Live Text, Shortcuts, Hide My Email, and Memories in Photos—received more votes saying they were Occasionally or Frequently used than Never used. (A fifth feature, App Privacy Report, was close, with only 57 more people on the Never side.) It seems probable that those responding to the survey were more likely than the average Apple user to use these features, suggesting that a broader survey would have shown even lower usage levels.

[…]

One could conclude that Apple is putting too much focus on adding features and too little on fixing bugs, improving performance, and polishing existing features.

[…]

Another conclusion is that both Apple and the tech media need to do a better job of introducing new features to users. A common refrain among the comments was that many people—including many regular TidBITS Talk participants, who are probably even more involved than average TidBITS readers—didn’t even know about many of the features.

I use Live Text frequently and Shortcuts and translation occasionally. Often, translation doesn’t support the language that I need so I end up going to Google Translate.

Update (2022-08-11): Nick Heer:

I mentioned “discovering” features. One reason for this, I think, is because Apple often mentions features without explaining or demonstrating them. Maybe I am just busier now or my brain is getting mushier with age, but I find I often have to look through Apple’s marketing pages to try to make sense of anything that has been announced. Minor software versions also quietly carry unannounced new features, too. When Visual Lookup was released in Canada with a software update earlier this year, it was not mentioned in the release notes.

Neither the marketing pages nor the release notes have links to the help pages that explain what the features do and how to use them.

South Korea Investigates App Store

Hartley Charlton:

In a statement (via Reuters), the Korea Communications Commissions (KCC) said that it conducted an inspection of Apple, Google, and One Store since May 17 to determine if they have violated in-app payment laws, and concluded that all three companies may have done so. Such contraventions could include unfairly delaying the review of mobile content, or refusing, delaying, restricting, deleting, or blocking the registration, renewal, or inspection of mobile content that uses third-party payment methods.

Update (2022-08-10): Florian Mueller:

I predicted this after Google rejected updates to KakaoTalk (commonly referred to as KaTalk), a messenger app used by about 93% of Korean smartphone users, the reason for those rejections being KaTalk’s use of external payment methods (via its website).

[…]

The Yonhap report doesn’t specifically indicate that the KCC may consider the 26% app tax rate a violation of the country’s IAP rules. Maybe the KCC is going to focus on behavioral rather than numerical issues, at least for now--they’ve got to start someplace.

Labeling Apple Shipments From Taiwan

Cheng Ting-Fang and Lauly Li:

Apple told suppliers on Friday that China has started strictly enforcing a long-standing rule that Taiwanese-made parts and components must be labeled as being made either in “Taiwan, China” or “Chinese Taipei,” sources familiar with the matter told Nikkei Asia, language that indicates the island is part of China.

[…]

Using the phrase “Made in Taiwan” on any import declaration forms, documents or cartons could cause shipments to be held and checked by Chinese customs, the sources added. Penalties for violating such a rule is a fine of up to 4,000 yuan ($592) or, in the worst-case scenario, the shipment being rejected, one of the sources said.

Via John Gruber:

Apple’s reliance on China has put the company in a spot where it must insist its suppliers print a falsehood on components to comply with communist propaganda.

Monday, August 8, 2022

Weathergraph 1.0.110

Tomas Kafka:

Be the first to try the hourly forecast from a beta version of Apple’s own new weather service. Hit the Preferences button and switch the forecast source. Nowcast isn’t available yet, so it will be provided by the good & trusty Foreca.

And dew point comfort scale. Enable humidity or dew point in the chart to see the feel for a given hour on a dew point comfort scale. From dry through pleasant, comfortable and humid up to miserable or extreme, Weathergraph will inform you both in the details section and chart tooltip.

I love Weathergraph’s design, but the weather data from Foreca has not proved quite as accurate in my area as I’d hoped. I prefer the data from AccuWeather (as seen in Snowflake) and The Weather Channel (as seen in Apple Weather on iOS 15 and earlier).

I don’t know yet how well Apple’s own weather service compares, but it’s good to have another option in Weathergraph.

Note that Weathergraph is using the REST API for Apple Weather, so it’s able to get Apple Weather data, sans tuples, without requiring iOS 16.

Reimplementation of Apple Code Signing and Notarization

Gregory Szorc:

I’m very excited to announce that we now have a pure Rust implementation of a client for Apple’s Notary API in the apple-codesign crate. This means we can now notarize Apple software from any machine where you can get the Rust crate to compile. This means we no longer have a dependency on the 3rd party Apple Transporter application. Notarization, like code signing, is 100% open source Rust code.

[…]

There are probably thousands of companies and individuals who have wanted to release Apple software from non-macOS operating systems. (The existence and popularity of tools like fastlane seems to confirm this.) The historical lack of an Apple code signing and notarization solution that worked outside macOS has prevented this. Well, that barrier has officially fallen.

It’s available here.

Update (2022-08-08): See also: Hacker News.

bri3d:

Apple’s code signing tool is open source, but heavily dependent on Cocoa/OSX libraries like CoreFoundation.

Testing Continuity Camera

Julio Ojeda-Zapata:

The mounts are not yet available to the public, but some lucky tech writers have been sent pre-release versions. Apple chose not to favor me with early access, but I found something similar while rummaging through my tech gear: PopSocket’s PopGrip for MagSafe. It’s an oval slab that clamps magnetically to the back of an iPhone and incorporates that classic telescoping two-finger circular grip.

[…]

Here are image comparisons with the FaceTime HD cameras in the 2020 M1 MacBook Air, the recently released M2 MacBook Air, and the Studio Display, which was released earlier this year. Continuity Camera imagery is superior across the board. The M2 MacBook Air improves on the M1 MacBook Air, but not dramatically so. The Studio Display’s imagery is muddled and a bit dark.

[…]

Now [Portrait Mode is] present in Continuity Camera as an option to toggle background blurriness on and off (iPhone 11 or later).

[…]

Unfortunately, the quality of the desk imagery isn’t great.

Netflix Homes and Games

Emma Roth, Jay Peters, and Richard Lawler (Hacker News):

Netflix is testing a new way to tackle password sharing in Argentina, El Salvador, Guatemala, Honduras, and the Dominican Republic (as reported first by Bloomberg). A support page for Netflix in Honduras clearly states the test will prompt users to pay an additional fee if they use an account on a TV or TV-connected device at a location outside their primary household for over two weeks. Each additional home will cost an extra 219 pesos per month, per home in Argentina ($1.17 US), and $2.99 everywhere else.

It sounds like this isn’t going to work very well for people who regularly travel to the same location.

The company also started experimenting with a profile transfer tool that’s supposed to make it easier for someone to transfer their recommendations, watch history, and My List. This is a way for the platform to passively nudge password sharers toward opening a new account or getting on a subaccount.

Tim Hardwick:

Netflix’s mobile gaming platform has been engaging less than 1 percent of Netflix subscribers since its launch last November, according to new data from app analytics company Apptopia (via CNBC).

It’s too bad this doesn’t work on tvOS.

Friday, August 5, 2022

Dropbox Branding and App Store SEO Shenanigans

John Gruber:

I quickly determined that this was just the regular Dropbox app. Dropbox has simply renamed it to include “Cloud Photo Storage” in the name for SEO purposes. This apparently works so well, at the moment, that some apps are putting these descriptions before the actual name of the app in their App Store listings. App Store entrepreneur Jake Mor explicitly recommends this in a long Twitter thread delineating his current recommendations for App Store success[…]

[…]

The App Store should discourage SEO nonsense like keyword spamming, not reward it.

See also: Appfigures.

Update (2022-08-08): Greg Hurrell:

What is the point of living trapped in a walled garden if it is full of weeds?

Update (2022-08-29): Ariel Michaeli:

Indicating what the app does in its name is how you teach people who may not recognize the brand name about its benefits. That’s not keyword stuffing, that’s just business.

[…]

In first place we have Google Photos, which isn’t getting the most new ratings of the top 5, but is the only app to somewhat target this keyword. It has both parts of the keyword in its subtitle, which isn’t super strong, but… no other app targets the keyword in the name, which is why Google wins here.

That’s also why Dropbox wanted it…

[…]

App Store Optimization isn’t a way to game the algorithm but rather a way to help it. And, the algorithm needs it because it can’t just guess which apps are relevant and popular. Not without some help.

DuckDuckGo Increases Protection From Microsoft Trackers

José Adorno:

Starting next week, DuckDuckGo will expand the third-party tracking scripts it blocks from loading on websites to include scripts from Microsoft. This update applies to the iOS and Android apps and browser extensions with beta apps to follow in the coming month.

[…]

DuckDuckGo will also offer a new help page that offers a “comprehensive explanation of all the web tracking protections” the browser provides across platforms.

Apple’s People Team

Matt Drange:

In responding to a shareholder proposal for Apple to assess potential risk associated with using NDAs “in the context of harassment, discrimination, and other unlawful acts,” Apple told the SEC that its “policy is to not use such clauses.” As a result, attorneys for Apple argued the company had already addressed the concerns of activist shareholders.

Citing her own experience receiving NDAs from Apple, Scarlett filed a whistleblower complaint with the SEC on October 25. The complaint, which Insider has reviewed, details what Scarlett says are “false statements or misleading statements” by Apple to the agency.

Scarlett included a copy of the settlement agreement Apple offered her in her SEC complaint, describing how the company included a “statement I was allowed to say about my leaving the company being a personal decision, rather than fleeing a hostile work environment[…]

Patrick McGee:

Mohr previously had a bad experience with human resources—known internally as Apple’s People group—when another colleague had broken into her accounts and harassed her, leading her to file a police report. HR didn’t listen well or help in any way, she says, so this time she didn’t bother.

[…]

In interviews with 15 female Apple employees, both current and former, the Financial Times has found that Mohr’s frustrating experience with the People group has echoes across at least seven Apple departments spanning six US states.

[…]

The accounts collected by the FT paint a portrait of a People team that acts less like a safe place for employees to go with complaints and more like a risk mitigation unit that protects bad managers.

[…]

Insiders say it’s a matter of priorities. Apple “is so singularly obsessed about making the best products, that there are blinders to everything else,” says Chris Deaver, an HR business partner at Apple from 2015 to 2019.

That familiar line is going to have a different ring the next time Tim Cook says it.

Dan Luu:

Every time I’ve taken a job because I let someone convince me that some horrible thing has gotten much better, I’ve regretted it, even though things had really improved a lot.

The problem is, they generally had no external frame of reference, so much better was still quite bad.

AMD vs. Intel

Dan Luu:

Looks like AMD passed Intel in market cap last Friday, after being fairly close for quite a while.

The majority of comments I’ve seen are betting on AMD, but I’d bet, at even odds, ten years from today, the 1-month trailing average market cap of Intel is higher than AMD’s.

[…]

I think Intel will be ok if it can recover to 2010-levels of dysfunction while it’s much larger than AMD in revenue/scale.

Ben Thompson:

While there are a host of reasons why TSMC took the performance crown from Intel over the last five years, a major factor is scale: TSMC was making so many chips that it had the money and motivation to invest in Moore’s Law.

The most important decision was shifting to extreme ultraviolet lithography at a time when Intel thought it was much too expensive and difficult to implement; TSMC, backed by Apple’s commitment to buy the best chips it could make, committed to EUV in 2014, and delivered the first EUV-derived chips in 2019 for the iPhone.

[…]

Time will tell if the CHIPS Act achieves its intended goals; the final version did, as I hoped, explicitly limit investment by recipients in China, which is already leading chip makers to rethink their investments. That this is warping the chip market is, in fact, the point: the structure of technology drives inexorably towards the most economically efficient outcomes, but the ultimate end state will increasingly be a matter of politics.

See also: Dithering.

Thursday, August 4, 2022

GitLab to Delete Dormant Projects From Free Accounts

Simon Sharwood:

GitLab plans to automatically delete projects if they’ve been inactive for a year and are owned by users of its free tier.

The Register has learned that such projects account for up to a quarter of GitLab’s hosting costs, and that the auto-deletion of projects could save the cloudy coding collaboration service up to $1 million a year.

[…]

Geoff Huntley, an open-source advocate, and participant in the open .Net community, described the policy as “absolutely wild.”

“Source code does not take up much disk space,” he told The Register. “For someone to delete all that code is destruction of the community. They are going to destroy their brand and goodwill.”

It seems like something is missing from this story. Are these users storing something other than source code? Are there repos that have not been updated recently but that get large numbers of downloads?

Update (2022-08-05): Simon Sharwood:

GitLab has reversed its decision to automatically delete projects that are inactive for more than a year and belong to its free-tier users.

See also: Hacker News.

iMessage and the Secret Service

Tom Bridge:

The Secret Service has lately been in some hot water because they failed to back up the text message (and iMessage?) history of the devices issued to their staff during an MDM transition. I talked some with Jason Snell from Six Colors in a recent piece about what happened[…]

I wish there were a supported way to back up/export my entire message history from iCloud. Not having access to my own data is way worse than the potential privacy implications of my having an unencrypted copy of the data.

How Apple Limits VMs

Apple:

Learn how you can use the Virtualization framework to quickly create virtual machines on your Mac. We’ll show you how to create a virtual Mac and quickly test changes to your app in an isolated environment. We’ll also explore how you can install and run full Linux distributions on Apple silicon, and share how you can take advantage of Rosetta 2 to run x86-64 Linux binaries.

Howard Oakley:

As your licence from Apple explicitly limits you to running no more than two copies of macOS as guests, it’s up to you to observe that licence condition, and up to Apple to enforce it on you. So, in the past, you may well have run more than two copies of macOS in VMs, although that’s in breach of Apple’s licence. What’s different with lightweight virtualisation using the Virtualization framework in macOS is that it’s Apple’s code which creates and runs each VM, thus Apple can enforce its restrictive licence terms by limiting the number of macOS VMs that can be run at any one time, and that’s what it does, and why I think Apple needs to change that.

Studio Display Firmware Update 15.5 (19F80)

Apple (via Howard Oakley, MacRumors):

Resolves an audio issue with Studio Display

Are they not able to give it a new version number because there’s no iOS 15.5.1 for phones?

Update (2022-08-05): John Gruber:

I spent $40 on a HomeKit power outlet to work around the Studio Display’s lack of a power button.

Markus Müller-Simhofer:

I “almost” bricked my Apple Studio Display with yesterday’s update. I think my mistake was running it from macOS Ventura b3. Apple Support was able to help me restore it by keeping it plugged in for ~15min on a Mac with Monterey.

Update (2022-08-08): Seth Willits:

So far it appears that the recent Studio Display Firmware Update 15.5 (19F80) did fix the audio issues for me. Great!

Now, am I the only one who is getting windows resized to 1920x1080 whenever the display sleeps? Can we get a fix for that too?

Wednesday, August 3, 2022

Examining Slack’s New Free Plan Restrictions and Motivations

Adam Engst:

As it stands now, free teams are restricted to being able to see the last 10,000 messages chronologically and access the most recent 5 GB of files. (Compare that to the Pro plan’s unlimited messages and 10 GB of files per user.) A free plan can connect up to 10 apps (against unlimited integrations in the Pro plan) and engage in one-to-one voice and video calls (compared to the Pro plan’s group calls with up to 15 people). Come September, free plan restrictions will change to provide access to only the past 90 days of message and file history, regardless of number or size.

[…]

However, when I examined my assumptions—that the change would affect my use of Slack and that Slack was trying to push more free teams to convert to paid teams—I found that my initial irritation didn’t hold up under scrutiny.

[…]

I honestly can’t remember the last time I searched in Slack, in any of my teams or other public teams.

Some teams are switching to Discord, which is essentially free.

Update (2022-10-07): Tim Abbott (via Hacker News):

Moreover, many teams have decided to abandon Slack altogether. […] We know this because we run Zulip, an open-source alternative to Slack. Organizations migrating to Zulip can import message history from Slack and other popular team chat tools. We have seen data imports from Slack into Zulip Cloud increase an incredible 40x since Slack’s July 18 announcement!

[…]

There’s one unanswered question that is central to understanding Slack’s marketing claim: what exactly is an “active” team?

iMessage Editing and Un-Sending

John Gruber:

The edit-a-message-you-just-sent feature, intended for fixing typos or mistakes, has been tweaked. The time limit for editing is now 15 minutes, sent messages can be edited up to five times, and the recipient of an edited message now has the ability to see the edit history by tapping the small “Edited” label under an edited message.

Undoing sent messages is now implemented too, with a two-minute time limit. […] On the recipient’s device, if they’re using MacOS 13 or iOS 16, the unsent message just disappears, but it’s replaced by a small-print status message that says “Sender Name unsent a message”.

Recipients do not get notifications for edits or unsends.

Update (2022-08-10): John Gruber:

This makes me wonder whether fears about unsending with iMessage are overblown. WhatsApp is the most popular messaging service in the world, and they’re expanding the grace period for unsending. Perhaps Apple will loosen this period over time, too?

SwiftSafeURL: Compile-Time-Checked URLs

Jhonatan Avalos (tweet):

Tool for avoiding using the URL(string:) initializer with optional result, instead introducing a compile time URL validity check. Note, this does not check for website availability, but if the URL is formatted correctly.

[…]

If a file contains the comment // safeurl:warn, invalid URLs in this file will be compiled and will show a warning instead of an error.

It’s cool how straightforward it is these days to write little plug-ins that leverage and extend the compiler.

See also: JP Simard.

Instagram Walks Back Feed Design Changes

John Gruber:

If you haven’t been paying attention to Instagram lately, they’ve been steadily dialing up the algorithmic content users see in their feeds, especially video. More stuff in your feed from accounts you don’t follow, selected by machine learning algorithms, at the expense of stuff from people and brands you have chosen to follow. To top it off, they recently rolled out a limited test to a small — but not that small — number of users that turned those users’ timelines into something basically like TikTok: full-screen videos (and some images) that you go through one at a time.

Casey Newton:

Instagram will walk back some recent changes to the product following a week of mounting criticism, the company said today. A test version of the app that opened to full-screen photos and videos will be phased out over the next one to two weeks, and Instagram will also reduce the number of recommended posts in the app as it works to improve its algorithms.

[…]

The changes come amid growing user frustration over a series of changes to Instagram designed to help it better compete with TikTok and navigate the broader shift in user behavior away from posting static photos toward watching more video.

[…]

Mosseri made clear that the retreat Instagram announced today is not permanent. Threats to the company’s dominance continue to mount: TikTok is the most downloaded app in the world, the most popular website, and the most watched video company.

Nick Heer:

My own Instagram use went to near-zero after I received these changes. I am surely not representative of the wider Instagram user base, but it does not surprise me that enough people found it revolting to affect the company’s metrics.

[…]

I would not bet on seeing fewer posts in your feed over the long term from accounts you do not follow; these changes are still coming, just later.

Tuesday, August 2, 2022

Dogfooding Linux 5.19 on Apple Silicon

Linus Torvalds (via Hacker News):

On a personal note, the most interesting part here is that I did the release (and am writing this) on an arm64 laptop. It’s something I’ve been waiting for for a loong time, and it’s finally reality, thanks to the Asahi team. We’ve had arm64 hardware around running Linux for a long time, but none of it has really been usable as a development platform until now.

It’s the third time I’m using Apple hardware for Linux development - I did it many years ago for powerpc development on a ppc970 machine. And then a decade+ ago when the Macbook Air was the only real thin-and-lite around. And now as an arm64 platform.

Not that I’ve used it for any real work, I literally have only been doing test builds and boots and now the actual release tagging. But I’m trying to make sure that the next time I travel, I can travel with this as a laptop and finally dogfooding the arm64 side too.

Andrew Cunningham:

In November 2020, Torvalds wrote that the then-new M1 version of the Air “would be almost perfect” as an Arm Linux laptop but said, “I don’t have the time to tinker with it, or the inclination to fight companies that don’t want to help.”

At a certain level, this news is just mildly interesting trivia—it doesn’t matter to most Linux users what computer Torvalds is currently using, and Asahi Linux is still in a rough, early state where lots of things are half-functional or non-functional. But as Asahi contributor Hector Martin notes, having “real people… using Linux on a real, modern ARM64 platform” with a modern version of the Arm instruction set and a “near-upstream kernel” has knock-on effects that benefit the rest of the ecosystem.

Update (2022-08-04): Hector Martin:

I have heard from several Apple employees that:

  1. The boot method we use is for 3rd-party OSes, and Apple only use it to test that it works, because
  2. It is policy that it works.

Apple didn’t “leave the door open” for 3rd party OSes. Apple explicitly engineered 3rd party OS support in, and it is a hard policy requirement that it continue to work.

They aren’t going to help us port anything but they absolutely will not shut Asahi down either.

Apple’s Q3 2022 Results

Apple (transcript, Hacker News):

The Company posted a June quarter revenue record of $83.0 billion, up 2 percent year over year, and quarterly earnings per diluted share of $1.20.

[…]

“Our June quarter results continued to demonstrate our ability to manage our business effectively despite the challenging operating environment. We set a June quarter revenue record and our installed base of active devices reached an all-time high in every geographic segment and product category,” said Luca Maestri, Apple’s CFO. “During the quarter, we generated nearly $23 billion in operating cash flow, returned over $28 billion to our shareholders, and continued to invest in our long-term growth plans.”

Jason Snell:

Compared to the year-ago quarter, Mac sales were down 10%, iPad sales down 2%, iPhone up 3%, Services up 13%, and Wearables down 8%.

John Gruber:

M2 MacBook Airs didn’t go on sale until July, which is Q4, but I don’t think that’s relevant to this dip. […] The dip is because so many businesses and consumers bought new laptops during the pandemic because they needed them for work-from-home and school-from-home. The big tell on that for Apple is the monster quarter the Mac had back in the July–September quarter in 2020. That was the quarter before Apple unveiled the first M1 Macs (including the bestselling MacBook Air), but after Apple told the world that they’d be shifting the entire Mac platform to its own silicon by the end of the year.

Sami Fathi:

Maestri said Apple has over 860 million subscriptions, which is an increase of 160 million over just the last 12 months. Apple does not provide a breakdown of subscriber counts per service, but Maestri said growth was strong in offerings like Apple TV+ and Apple Arcade.

Steve Troughton-Smith:

You can tell Apple financial call analyst ‘questions’ are just PR talking points by how nobody has asked about the potential hit to services revenue and platform in general by antitrust regulation around the world, likely Apple’s biggest existential crisis in decades 🤷‍♂️

watchOS 8.7

Juli Clover:

According to Apple’s release notes, there are no new prominent features in watchOS 8.7. Instead, the software focuses on under-the-hood “improvements,” along with bug fixes and important security updates.

Fingers crossed, but this seems to fix the bug introduced in watchOS 8.5 where complications wouldn’t update.

Update (2022-08-29): After using this for a while, I’ve found that the complications situation is improved, but updates are still not as prompt and reliable as with watchOS 8.4. I’m also now seeing an intermittent problem where sometimes my watch runs out of battery halfway through the (otherwise unremarkable) day, whereas normally I end the day with at least 50% power remaining.

Yet More App Store Search Ads

Sami Fathi:

Until now, Apple has offered developers two ad opportunities on the App Store: in the Search tab and within the Search results page.

Chance Miller:

First and foremost, there is a new advertising slot coming to the “Today” homepage of the App Store.

[…]

The second new advertising placement is coming directly to product pages themselves. This means that developers will now be able to place ads on the product pages for other apps. This spot is located at the very bottom of the product page, beneath the banner section that shows other apps by that developer.

Nick Heer:

This coverage sounds a little too fluffy to me — too much like it came directly from Apple. It is hard to know for sure because, while this news was reported by several Apple-focused publications including 9to5Mac and Apple Insider, not one of them acknowledged its sourcing. As of writing, this news has not landed on Apple’s Newsroom, or in the news feeds of its Developer or Search Ads sections, nor does it appear on the App Store advertising info page. All three Apple-focused publications also cite in their coverage a corporate presentation to advertisers each says it “obtained” in May claiming 78% of App Store search volume came from devices with ad personalization disabled. Curious.

Paul Haddad:

Coming next year “Download Ads” instead of downloading the app you want, the App Store will randomly download the highest bidding app.

Tim Sweeney:

You worked hard to build a great app. You registered a trademark. You signed up to Apple demands for 30% of your revenue as the sole way to reach iOS users. How does Apple reward you?

They front-run searches for your trademarked app name, and place ad results above the result for your app.

But now, there’s more: Apple will litter your own app page with ads for competing apps. And keep all the ad money for themselves.

Sebastiaan de With:

Apple shouldn’t get into the ad business. Pushing ads in their platform opposes to their goals and core values, and will only erode user trust.

Are the relatively minor profits worth the price of bad experiences and lost goodwill?

Your core values are what you do on an ongoing basis, not the talking points that you broadcast or what you did 20 years ago under different leadership.

Florian Mueller:

Yesterday it became public in Colombia that Apple is--I kid you not--claiming a human rights violation and invoking Article 8 of the Universal Declaration of Human Rights because of Ericsson’s preliminary injunction in Colombia over a 5G patent. Nowhere on the 48 pages of the motion did I find a human rights violation in the sense in which most reasonable people would understand it. All I found was a bunch of run-of-the-mill appellate arguments. […]

Interestingly, Apple has just been warned against being sanctioned by the United States District Court for the Eastern District of Texas over a “misuse” of court rules. They brought an emergency motion instead of a regular motion.

Update (2022-08-04): Nick Heer:

iAd felt like a typical ad network that, at first, only had high-end buyers; App Store ads feel more like key money.