Archive for July 8, 2024

Monday, July 8, 2024

Apple Intelligence for Siri in Spring 2025

William Gallagher:

While many Apple Intelligence features will roll out with iOS 18 during the remainder of 2024, its much-awaited revamp of Siri will wait until iOS 18.4 in 2025.


Before then, there will be a new design to Siri. That will presumably include how Apple has shown that invoking Siri will bring a flare around the edges of the iPhone screen, instead of the current circle icon.

This is a rumor, but, if true, it’s the first time I can recall a key part of the WWDC announcements being so quickly pushed so far back in the release cycle.

It’s also interesting that the new engine is not tied to the new user interface.

Hartley Charlton:

The more capable version of Siri allows the voice assistant to control actions within Apps, allowing it to understand what is currently on-screen and determine what to do based on context.

That all sounds good, but when are they going to fix the basics?


Update (2024-07-09): John Gruber:

If the usual pattern holds, it’s a safe guess that iOS 18.4 will arrive in mid-to-late March.

If generative AI weren’t seen as essential — both in terms of consumer marketing and investor confidence — I think much, if not most, of what Apple unveiled in “Apple Intelligence” wouldn’t even have been announced until next year’s WWDC[…]

Ivory 2.0


Now, in the app’s redesigned Hashtags tab, you can create a list that contains up to four hashtags, and you can even exclude specific hashtags if you’re looking to fine-tune the resulting timeline.


The other big improvement in Ivory 2.0 is its redesigned share sheet extension for creating posts. It is now fully-featured, with the ability to set the post’s visibility and language, as well as an option to add alternative text descriptions to shared images and videos. When sharing a URL, the share sheet will now show a preview of the link card that will appear as part of your post.

With no way to turn off Universal Links, I still can’t use the Mac version because whenever I work on a document that includes a Mastodon link it will open in Ivory instead of in my browser.


Signal for Mac’s “Encrypted” Database


Storing messages outside of your active Signal device is not supported.

Messages are only stored locally.

An iTunes or iCloud backup does not contain any of your Signal message history.

This makes it private on iOS because other apps can’t access the message database. But the same design doesn’t work so well with the Mac version.


This is the folder structure of Signal’s local data on macOS. The encrypted database and encryption key are stored next to each other. The folder is accessible to any app running on the Mac.

Why didn’t they store the encryption key in the keychain?


The encryption key used to encrypt the local DB that contains all the secrets and chat history is stored in plain text in a location accessible by any app, process or script started by the Mac user.

It’s very tempting to use Signal’s desktop app. This is particularly useful for activists who can be more productive using a desktop than a mobile phone. Signal doesn’t make it clear that linking a desktop app can render Signal’s “gold standard” for encryption useless.

This seems like a much bigger deal than last week’s ChatGPT story.


I wrote a simple Python script that copies the directory of Signal’s local storage to another location (to mimic a malicious script or app)


Messages were either delivered to the Mac or to the VM. The iPhone received all messages. All of the three sessions were live and valid. Signal didn’t warn me of the existence of the third session [that I cloned]. Moreover, Signal on the iPhone still shows one linked device. This is particularly dangerous because any malicious script can do the same to seize a session.

Saagar Jha:

I think a lot of people have recently learned something that horrifies them. I do not fault them for that in the slightest. I just also want them to share my terror of this being standard best practice in the industry.


Update (2024-07-09): Lawrence Abrams:

A mistake in the process used by the Signal Desktop application to encrypt locally stored messages leaves them wide open to an attacker.

He wrote this in 2018, and there are forum posts older than that referencing the issue. Curiously, a Signal developer offers the explanation that even though they are using an encrypted extension to SQLite and configured it to encrypt the database with a password, it was not their intention to protect the database with encryption:

The database key was never intended to be a secret. At-rest encryption is not something that Signal Desktop is currently trying to provide or has ever claimed to provide. Full-disk encryption can be enabled at the OS level on most desktop platforms.

I don’t understand what the reason was, then. And full-disk encryption is a solution to a different problem; it does not protect the data from other processes on the system.

Matt Henderson:

This is shocking for anyone considering Signal the gold standard in security.

Update (2024-07-15): Lawrence Abrams:

The response was unusual after Whittaker’s constant retweets about the security and privacy implications of Microsoft’s Windows Recall and how data could be stolen by local attackers or malware.


In April, an independent developer, Tom Plant, created a request to merge code that uses Electron’s SafeStorage API to further secure Signal’s data store from offline attacks.


While the solution would provide additional security for all Signal desktop users, the request lay dormant until last week’s X drama. Two days ago, a Signal developer finally replied that they implemented support for Electron’s safeStorage, which would be available soon in an upcoming Beta version.

Ben Lovejoy:

Using Keychain on Mac fully secures the encryption key, while the Windows solution could still potentially be compromised by some malware, but will be significantly safer than now.

Epic Games Store Temporarily Allowed

Epic Games:

Apple has informed us that our previously rejected Epic Games Store notarization submission has now been accepted.

Eric Slivka (Hacker News):

Apple today said it has approved the third-party Epic Games Store in the European Union, allowing the Fortnite developer to launch its alternative app marketplace in those countries, reports Reuters.

Is running to the EU the new running to the press?

Tim Sweeney:

Now about those 9 to 16 day TestFlight app approval delays…

App Review Guidelines:

5.2.5 Apple Products: Don’t create an app that appears confusingly similar to an existing Apple product, interface (e.g. Finder), app (such as the App Store, iTunes Store, or Messages) or advertising theme.

Malcolm Owen:

Epic had defended itself, insisting it used the same naming conventions employed across different platforms. Epic also said it followed standard conventions for buttons in iOS apps.

Tim Sweeney:

Apple is now telling reporters that this approval is temporary and are demanding we change the buttons in the next version - which would make our store less standard and harder to use.

We’ll fight this.

Matthew Connatser:

If Epic is representing Apple’s position accurately, this would be a very strange reason to reject a third-party storefront. It’s unclear why Epic needs to use significantly different language than is used in the App Store, not to mention that the online souk is just one of many storefronts in the digital world where the words “install” and “in-app purchases” are used.

Is Apple’s position that it’s “confusingly similar” if it says “Epic Games Store” in large friendly letters but the buttons have the same titles and colors as in the App Store? Or are they complaining about specific pixels in the design? If so, are Epic’s buttons on other platforms copyright infringements of the App Store?

Nick Heer:

As far as I know, there are no screenshots of the version of Epic Games’ store submitted to Apple. Maybe it is designed in a way that duplicates Apple’s App Store to the point where it is confusing, as Apple argues. […] Regardless, it seems like a bad idea for Apple to be using its moderate control over alternative app stores are distributed to litigate intellectual property disputes. Perhaps when trust in the company’s processes is healthier, it would be less objectionable. But right now? If Apple wants to give competition investigators more material, it appears to be succeeding.

John Gruber (Mastodon):

Epic is certainly under no obligation to reveal screenshots of its in-progress iOS games marketplace, but without screenshots, there’s also no reason for anyone to take their own description of the notarization dispute with Apple at face value. Epic Games is an unreliable narrator.

Well, the screenshots were submitted to the EU, and it would look really bad if Epic were found to be lying about this, so what would be the point? My recollection is that Epic has been accurate in its descriptions of its disputes with Apple, whereas Apple has a history of making misleading statements about Epic. Gruber started calling Epic an “unreliable narrator” after Epic claimed that Apple was going to punish its customers who had used “Sign In with Apple.” However, documents from court filings later showed that his sources were wrong and Epic’s version of story and timeline were correct.


Update (2024-07-15): See also: ArsTechnica (Hacker News).