Italy’s Competition Authority (AGCM) has imposed a €98.6 million ($116 million) fine on Apple over its App Tracking Transparency feature.
[…]
In a press release and executive summary today, the AGCM said the App Tracking Transparency rules are “disproportionate,” and “harmful” to app developers and advertisers. Ultimately, it found that Apple abused its dominant position in the EU market.
Previously:
John Daniel (via John Siracusa, Reddit):
As of 26.1, when you encode a security-scoped bookmark to “file:///”, what you decode will be a bookmark to “file:///.nofollow/”. So the decode method now succeeds, but the value is wrong. I actually preferred the behaviour of the original bug.
The “.nofollow” syntax is a new part of the core system that allows components to construct paths that the lower level system guarantees will not be resolved or followed. This makes it simpler to protect against TOC/TOU attacks by allowing one component of the system to resolve a particular path, then pass that path to another component while guaranteeing that the second component won’t inadvertently cause a second resolve.
Unfortunately, the bug here is that parts of Foundation aren’t handling this correctly when the path references root.
I expect this will be resolved in the next system update [26.2]; however, it’s not clear to me whether that will mean that resolution will return “/” again or that the new “file:///.nofollow/” construct will start working.
However, even if we revert to “/”, you should be aware that “.nofollow” and “.resolve” paths are not inherently invalid and you should expect to see more of them in the future.
I don’t remember seeing this in the documentation or at WWDC.
The standard way of preventing this attack is by passing one of the “no follow” flags to
open, but in a complex system that can be extremely difficult to guarantee and validate.The new “.nofollow” construct effectively “attaches” the no follow flag to the path itself, forcing that flag on all open calls regardless of the actual flag passed in.
I’m not sure what the current state of things is, but the expectation is that most/all syscalls that interact with paths will “preserve” these “.<flag>” prefixes. I’ll also note that the behavior of
realpathwill change based on “.nofollow”.[…]
In the context of framework code, I think the best option is to treat any “.nofollow” path you receive as “inherently” canonical and simply use it directly.
My general advice here is to treat any URL you receive from the system as a “magic” object. In practice, I generally convert it to a bookmark, then resolve the bookmark again, and use that new URL*, discarding the original (“magic”) URL. *This ensures that the rest of my app is ALWAYS working with “a URL that came from a bookmark”, instead of a “split” flow.
Previously:
This morning I reluctantly updated my iPhone SE (3rd generation) from iOS 18.7.2 to iOS 26.2. I had been hoping for Santa Cook to bring me iOS 18.7.3 for Christmas. Apparently, though, we’ve all been naughty. Or maybe Cook himself is not nice. I was aware that it was (previously) possible to install iOS 18.7.3 by enabling beta software updates, but nowadays that requires enabling iCloud, which I refuse to do on my iPhone. According to MacRumors and my followers on social media, Apple has within the past 24 hours stopped providing 18.7.3 on the beta track. Moreover, Apple is providing restore image to developers for only a few iPhone models: XR, XS, and XS Max. Thus, it appears that iOS 18 is effectively discontinued on most devices, and iOS 18.7.2 suffers from actively exploited security vulnerabilities.
More on that here. I also somewhat involuntarily just updated to iOS 26.2, because I got a new Apple Watch and it refuses to pair with an iPhone running iOS 18.
What struck me on iPhone was something I hadn’t noticed as much on Mac and iPad: the animations.
[…]
There are quite a few visual glitches remaining, three months after the public release of the new operating system. If iOS 26.0 was half-baked, iOS 26.2 is at most two-thirds-baked.
Needless to say, I enabled Reduce Transparency in Display & Text Size Accessibility Settings as soon as I updated to iOS 26. I had already enabled Show Borders and On/Off Labels in iOS 18 or earlier.
[…]
By the way, don’t get me started on the Liquid Crass replacement of close buttons with checkboxes. (On iOS 18, the checkbox in the video was a Done button.) This change is insane! And I’ve already had a customer confused by the checkbox, thinking that they had to “approve” something in the window.
I’d seen the betas, too, and already knew I didn’t like Liquid Glass. What struck me in everyday use is how many glitches remain and that the accessibility settings don’t work very well. There are glass borders that start out with square corners and then become rounded. As with previous recent versions, various things just don’t look good with Reduce Transparency enabled—ugly colors, edges that are harder to see in a sea of white—like I’m being penalized for using it. I ended up turning it off because sometimes the keyboard doesn’t show the labels of the keys. I find the Liquid Glass animations annoying, too, but many of them remain even after enabling Reduce Motion. Prefer Cross-Fade Transitions helps but looks odd, in my opinion, and causes temporarily glitches with curved outlines being left behind. I guess it’s easier to not consider the “bloody ROI” if you don’t commit the resources to actually finishing the job.
Previously:
Chiara Castro (Hacker News, Reddit):
Proton has confirmed the company has begun moving out of Switzerland due to “legal uncertainty” over the newly proposed surveillance law.
[…]
The firm behind one of the best VPN and encrypted email services has been very critical of the Swiss government’s proposed amendment of its surveillance law since the beginning, already sharing plans to quit Switzerland back in May.
[…]
Proton launched its ChatGPT competitor, Lumo, in July 2025, to give its users an alternative to Big Tech solutions that truly protect their privacy.
In a blog post about the launch, Proton’s Head of Anti-Abuse and Account Security, Eamonn Maguire, explains that the company has decided to invest outside Switzerland for fear of the looming legal changes.
Previously:
