Archive for April 27, 2023

Thursday, April 27, 2023

Swift Foundation Preview

Tony Parker (tweet):

This preview provides a unified implementation of Foundation, written in Swift, that is faster, safer, and more approachable to new contributors.

A new Foundation Workgroup will run reviews of proposed Foundation API and coordinate the needs of the Swift community with Apple engineering.


The following types are available in the preview package, with more to come later. Many types, including JSONEncoder, Calendar, TimeZone, and Locale are all-new Swift implementations. FormatStyle and ParseStyle available as open source for the first time.

Here’s the repo.


Update (2023-05-22): See also: Hacker News.


Update (2023-06-09): Ben Cohen:

In What’s new in Swift I mention the performance improvements from the new Swift implementation of Foundation. Performance came up a lot when we first put the open source package live, but wasn’t easy to talk about until the new OS betas were available.

One common trope at the time was “it isn’t faster than using Objective-C, this is just to reduce Swift bridging costs” and while that’s true, it’s important to note Swift is just plain faster, as seen even when calling into it from ObjC.


Apple’s Guidance for StateObject Initialization

Jordan Morgan (Mastodon):

In an attempt to put an end to our StateObject woes in a more paradigmatic manner, Luca Bernardi let us know that Apple’s official documentation now tackles the matter. Specifically, there is now text detailing how to handle dependency injection with StateObject. This is exactly the kind of material we need from Apple, and it clears up a lot of confusion and advice I’ve been reading.


SwiftUI only will initialize a state object the first time you call it within its view.


All of this basically boils down to - dependency injection with state object initialization works great if parties outside of the view housing it are feeding it data that doesn’t change either.


If you did need the autoclosure to fire again, you could set the identity of the view to the value you’re interested in. […] Since the state object isn’t recreated when view inputs are changed (and it certainly shouldn’t), but when the view’s identity changes, this route forces the initializer to run again. But again, I can’t really see this being a viable route for most projects.



Filipe Espósito:

You can use an iPhone or iPad almost anywhere in the world, but some iOS features are only available in specific places. In some cases, these restrictions are related to local regulations (such as FaceTime not being available in the UAE). 9to5Mac has now learned that Apple has been testing a new, more modern system hidden in iOS 16 to restrict features based on the user’s location.

Based on our findings, the new system internally called “countryd” was silently added with iOS 16.2, but is not being actively used for anything so far. It combines multiple data such as current GPS location, country code from the Wi-Fi router, and information obtained from the SIM card to determine the country the user is in.


Code seen by 9to5Mac makes it clear that this system is designed to set restrictions determined by government regulators.

Nick Heer (Mastodon):

A question remains about how Apple may restrict sideloading to only European devices. For many past location-gated features, Apple’s guardrails have been flexible. For example, switching an iPhone’s region to “United States” — in Settings, General, Language & Region — is often enough to enable features like Apple News or Apple Pay Cash. It is not possible complete setup of Apple Pay Cash without U.S. payment information, but it is surfaced merely through this Settings change. Sideloading is tempting for some users; it is not beneficial for Apple. It is obviously reluctant to embrace the changes mandated in the European Union, and it appears it is building a more robust way to ensure it is only active where legally required.

Josh Calvetti:

It’s an incredibly shortsighted move to save a few dollars and yes it will absolutely be abused. Once the feature exists, it’s much harder to tell governments something isn’t possible.

It’s so frustrating and truly discouraging to have so much hardware optimism met with such terrible software decisions, all in the name of pinching pennies. I hope this rumor has no legs.


Zero-Click Exploits Against iOS 16

Citizen Lab (Hacker News):

Our ensuing investigation led us to conclude that, in 2022, NSO Group customers widely deployed at least three iOS 15 and iOS 16 zero-click exploit chains against civil society targets around the world.

NSO Group’s third and final known 2022 iOS zero-click, which we call “PWNYOURHOME,” was deployed against iOS 15 and iOS 16 starting in October 2022. It appears to be a novel two-step zero-click exploit, with each step targeting a different process on the iPhone. The first step targets HomeKit, and the second step targets iMessage.


Logs from another PWNYOURHOME-exploited device from the 2022 global target pool examined in the course of this investigation showed the homed process decoding what appears to be an unusual NSKeyedUnArchiver when it crashed.

It sounds like Apple was not using NSSecureCoding.

Logs from yet another PWNYOURHOME-exploited device from the 2022 target pool show that, following the homed phase of PWNYOURHOME, the phone downloaded PNG images from iMessage. Processing these images caused crashes in the MessagesBlastDoorService process. These crashes give us glimpses of what the exploit was doing at various stages, and suggest that the exploit may have circumvented pointer authentication codes (PAC) in some cases by repurposing PAC-valid pointers already present in memory, such as signed pointers to callback functions present in constant structs.

Bruce Schneier:

One interesting bit is that Apple’s Lockdown Mode (part of iOS 16) seems to have worked to prevent infection.

Zach Cutlip:

What follows is a writeup of the kernel bugs NSO Group’s Pegasus spyware exploited in iOS 9, specifically versions 9.3.4 and earlier. The spyware was discovered and the vulnerabilities patched roughly six years ago.


Microsoft Edge Leaking Browsing History to Bing

Tom Warren (Hacker News):

Microsoft’s Edge browser appears to be sending URLs you visit to its Bing API website. Reddit users first spotted the privacy issues with Edge last week, noticing that the latest version of Microsoft Edge sends a request to with the full URL of nearly every page you navigate to. Microsoft tells The Verge it’s investigating the reports.


“Microsoft Edge now has a creator follow feature that is enabled by default,” says Rivera in a conversation with The Verge. “It appears the intent was to notify Bing when you’re on certain pages, such as YouTube, The Verge, and Reddit. But it doesn’t appear to be working correctly, instead sending nearly every domain you visit to Bing.”