Archive for August 24, 2022

Wednesday, August 24, 2022

See What JavaScript Commands Get Injected Through an In-App Browser

Felix Krause (tweet, Hacker News, MacRumors):

Last week I published a report on the risks of mobile apps using in-app browsers. Some apps, like Instagram and Facebook, inject JavaScript code into third party websites that cause potential security and privacy risks to the user.

[…]

Introducing InAppBrowser.com, a simple tool to list the JavaScript commands executed by the iOS app rendering the page.

[…]

Just because an app injects JavaScript into external websites, doesn’t mean the app is doing anything malicious. There is no way for us to know the full details on what kind of data each in-app browser collects, or how or if the data is being transferred or used.

[…]

While you are interacting with the website, TikTok subscribes to all keyboard inputs (including passwords, credit card information, etc.) and every tap on the screen, like which buttons and links you click.

Ryan Jones:

But they promise they don’t use it. 🤣

Damien Petrilli:

So Apple is now aware that TikTok has a key logger in their App, and they are still in the App Store.

Feeling safe yet?

TikTok shouldn’t be rejected just for registering JavaScript key handlers. The takeaway is that it’s not possible for Apple to reliably detect this sort of nefarious behavior, so they shouldn’t represent that they do or use that as justification for locking into their payments system.

Nick Heer:

Is TikTok a keylogger? Is Instagram monitoring every tap on a loaded webpage? It is impossible to say, but it does not look good that either of these privacy-invasive apps are so reckless with users’ ostensibly external activity.

It reminds me of when iOS 14 revealed a bunch of apps, including TikTok, were automatically reading pasteboard data. It cannot be known for certain what happened to all of the credit card numbers, passwords, phone numbers, and private information collected by these apps.

Felix Krause:

This new [WKContentWorld] system was initially built so that website operators can’t interfere with JavaScript code of browser plugins, and to make fingerprinting more difficult. As a user, you can check the source code of any browser plugin, as you are in control over the browser itself. However, with in-app browsers we don’t have a reliable way to verify all the code that is executed.

So when Meta or TikTok want to hide the JavaScript commands they execute on third party websites, all they’d need to do is to update their JavaScript runner[…]
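As an added example, not code from Krause’s post or from InAppBrowser.com, the page-side JavaScript below records which input events a script subscribes to, which is the kind of observation such a tool makes visible; it assumes only the standard DOM EventTarget API, and, as the post notes, a script moved into an isolated WKContentWorld would not be seen by it.

```javascript
// Page-side instrumentation that records which DOM input events a script
// subscribes to (added example, not from the original post). Caveat from the
// post: a script in an isolated WKContentWorld does not share this page's
// objects, so its registrations never pass through a wrapper like this one.

// Event types that reveal what the user types or where they tap.
const KEYBOARD_EVENTS = new Set(['keydown', 'keyup', 'keypress', 'input', 'beforeinput']);
const TAP_EVENTS = new Set(['click', 'mousedown', 'pointerdown', 'touchstart', 'touchend']);

function classify(type) {
  if (KEYBOARD_EVENTS.has(type)) return 'keyboard';
  if (TAP_EVENTS.has(type)) return 'tap';
  return 'other';
}

// Wrap target.addEventListener so each registration is logged (event type,
// category, capture flag) before deferring to the original; listeners still work.
function instrumentListeners(target) {
  const log = [];
  const original = target.addEventListener;
  target.addEventListener = function (type, listener, options) {
    const capture = options === true || Boolean(options && options.capture);
    log.push({ type, category: classify(type), capture });
    return original.call(this, type, listener, options);
  };
  return log;
}

// Group logged registrations by category, keeping each event type once.
function summarize(log) {
  const summary = { keyboard: [], tap: [], other: [] };
  for (const { type, category } of log) {
    if (!summary[category].includes(type)) summary[category].push(type);
  }
  return summary;
}

// Demo: in a browser this instruments `document`; under Node a bare EventTarget
// stands in. The three listeners are constructed stand-ins for an injected script.
function demo() {
  const target = typeof document !== 'undefined' ? document : new EventTarget();
  const log = instrumentListeners(target);
  let fired = 0;
  target.addEventListener('keydown', () => { fired++; }, true);
  target.addEventListener('click', () => { fired++; });
  target.addEventListener('scroll', () => {});
  target.dispatchEvent(new Event('keydown')); // the wrapped listener still runs
  return { summary: summarize(log), fired, log };
}
```

In a page, call `instrumentListeners(document)` from the first script in the head so later registrations are captured; anything registered before that point, or from another content world, is missed.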

Apple’s Use of AppKit, Catalyst, and SwiftUI in macOS

Alexandre Colucci (tweet, Hacker News):

As you can see in the graph:

  • AppKit apps account for a huge percentage of apps
  • After a slow start, the number of apps using SwiftUI is quickly growing
  • The number of Mac Catalyst apps reached a ceiling [but see this]

[…]

And here is the corresponding graph if you split the apps in 6 categories:

  • Catalyst apps using SwiftUI
  • Catalyst apps with no SwiftUI
  • SwiftUI apps using AppKit
  • SwiftUI apps without relying on AppKit
  • AppKit apps using SwiftUI
  • AppKit apps with no SwiftUI

Apple Car: Software and Money

Jean-Louis Gassée:

Initially, one asks why Apple, whose average Gross Margin is in the 54% range (40% for hardware, more than 60% for services), would want to enter a hundred-year-old entrenched industry whose gross profit margins are in the 7% range, climbing to the mid teens for premium brands. But a closer examination reveals an exception: Tesla’s Gross Margin recently jumped from 26.5% to 33%.

[…]

We now have a possible explanation for Apple’s enduring effort to make a car against such long software odds. A profitable share of the $3.8T global car industry is well worth the estimated $1B/year it costs to move the Titan project forward. And even if Level 5 automation remains out of reach for the entire auto industry, Apple still might decide to compete using its asset-light, software-heavy business model.

Update (2022-10-14): Jean-Louis Gassée (Hacker News):

But there’s another side to the story. As the sages insist, we don’t understand a problem, an idea, a case unless we’re able to see, to plead both sides. So, I’ll attempt to argue that the Apple Car is a bad idea.

[…]

Personally, it’s jarring to think that I’ve joined the chorus of doomsayers who have repeatedly predicted Apple’s failure with the Mac, the iPhone, the iPad…whatever Apple comes up with, it’s going to crash and burn. But my honest view is that the Apple Car project could be a bad idea for reasons of price, sales and service infrastructure, and technical challenges.

Removing the iOS Dictation Button

Jeff Johnson:

I consider it dickish behavior by Apple that they force you to enable dictation first in order to remove the unwanted dictation button, especially since enabling dictation seems like it might send your private information — such as contacts and location! — to Apple. So much for “Privacy is a fundamental human right.”

Fortunately, a kind person gave me a tip on how to disable dictation without first enabling it: use Screen Time! Enabling Content & Privacy Restrictions in Screen Time and disabling Siri & Dictation will also make the dictation button disappear from the Safari address bar.

Of course, then you won’t be able to use Siri at all, if you care about that.

Yoink Rejected for Mentioning Old iOS Feature

Matthias Gansrigler:

Got a rejection for @YoinkApp for #Mac for mentioning Apple pre-release software, but I am not. They didn’t give an example or any info where I’m allegedly mentioning it, either.

Turns out they didn’t like that his app mentions support for Continuity Camera, which was added in iOS 12. But Continuity Camera is also the name of a new iOS 16 feature, and you aren’t allowed to mention pre-release stuff.

Matthias Gansrigler:

App Review’s responses are getting downright nonsensical and disconnected.

They now offered me links to “helpful” articles on how to implement features like Game Center, iCloud, and In-App purchases.

What exactly does that have to do with iOS 12’s Continuity Camera feature!?

Sure, it seems like they have no idea what they’re doing, but we’re supposed to believe this is keeping the platform safe.

He escalated to the App Review Board. Six days later:

“Your app is no longer in violation”. Great.

But now they found 3 (!) other things allegedly wrong with @YoinkApp for #Mac, which have been there “forever” and never posed a problem before. 🤦‍♂️
