Archive for April 5, 2024

Friday, April 5, 2024

Embedding a Privacy Manifest Into an XCFramework

Joe Heck (Mastodon):

I expected documentation at least, and was hoping for an update in Xcode – specifically the xcodebuild command – to add an option that accepted a path to a manifest and included it appropriately. So far, nothing from Apple on that front. […] I hope that something is planned to make this easier, or at the minimum document a process, since it now appears to be an active requirement for new apps presented to the App Store.


In the meantime, if you’re Creating an XCFramework and trying to figure out how to comply with Apple’s requests for embedded privacy manifests, hopefully this article helps you get there. As I mentioned at the top of this post, this is based on my open source work in Automerge-swift. I’m including the library and XCFramework (and show it off) in a demo application. I just finished working through the process of getting the archives validated and pushed to App Store Connect (with macOS and iOS deliverables). To be very clear, the person I worked with at DTS was both critical and super-helpful. Without this information I would have been wandering blindly for months trying to get this sorted.


Update (2024-04-24): Marcin Krzyzanowski:

apple: you have to add a privacy manifest
me: what’s that
apple: it’s a manifest
me: is it a plist file?
apple: use Xcode to make one
me: using Xcode
apple: not like that. The manifest file is invalid
me: what is valid
apple: check documentation
me: it doesn’t say the actual file format
apple: it’s invalid
me: google around and find out what is invalid in plist file because apparently, everyone struggles

Macs Targeted by Infostealer Malware

Jamf Threat Labs:

While searching for “Arc Browser” on Google, it was brought to our attention that following the sponsored result for what seems to be the legitimate Arc web browser, actually brings you to a malicious site aricl[.]net that imitates the legitimate


The DMG is signed ad-hoc and provides directions to right-click the app and select open thus overriding any Gatekeeper warnings.


Dumping plain text passwords out of the keychain requires the user’s macOS password. Infostealer developers have long caught on to the fact that the easiest way to get this password is to simply ask the user for it. We see a prompt generated via a call to AppleScript.

Recalling Apple v. Qualcomm

Reed Albergotti (via Eric Migicovsky):

One of the first stories I covered then was Apple’s lawsuit against Qualcomm, which was accused of having a wireless modem monopoly and overcharging companies for the device. Apple paid Qualcomm about $7 per phone.

The opening arguments in that trial were riveting. Apple’s slide presentation included a photo of Radar O’Reilly, the comic relief radio operator from M.A.S.H. That was Qualcomm, Apple’s lawyers argued, the company that simply operated the radio on Apple’s otherwise sophisticated device.

Then it was Qualcomm’s lawyers’ turn. They revealed bombshell documents that had not been publicly seen before; Apple’s lawyers had accidentally sent them to Qualcomm.


Apple had tried to replace some of Qualcomm modems with a different model made by Intel. But Qualcomm chips were so much faster that Apple had to secretly throttle them so that all of its phones would operate at the same level.

Qualcomm only sought a percentage of the cost of the iPhone, not of all the software and services that used the modem.


Trying to Bring Apple Watch to Android

Chance Miller (Hacker News):

As part of its response to the United States DOJ lawsuit today, Apple confirmed that it at one point considered creating an Apple Watch for Android. The company tells me that it spent three years working on bringing Apple Watch to Android before ultimately scrapping the idea.

Mark Gurman:

This was Project Fennel, which I wrote about last year.

I’d love to know more about this because it doesn’t seem to make much sense given the way apps work. Would it have just been the built-in apps and some health features? If there’s an antitrust issue here, I would think it’s with lack of support for third-party watches on iOS rather than not supporting Apple Watch on Android.