Archive for April 2026

Tuesday, April 14, 2026

An Ultralight MacBook and Other Apple Silicon Roads Not Taken

John Gruber:

If I had my druthers, Apple would make a new svelte ultralight MacBook. Not instead of the Neo, but in addition to the Neo. Apple’s inconsistent use of the name “Air” makes this complicated, but the MacBook Neo is obviously akin to the iPhone 17e; the MacBook Air is akin to the iPhone 17 (the default model for most people); the MacBook Pros are akin to the iPhone 17 Pros. I wish Apple would make a MacBook that’s akin to the iPhone Air — crazy thin and surprisingly performant.

The biggest shortcoming of the decade-ago MacBook “One”, aside from the baffling decision to include just one USB-C port that was also its only means of charging, was the shitty performance of Intel’s Core M chips. Those chips were small enough and low-power enough to fit in the MacBook’s thin and fan-less enclosure, but they were slow as balls. It was a huge compromise for a laptop that carried a somewhat premium price. Today, performance, performance-per-watt, and physical chip size are all solved problems with Apple Silicon. I’d consider paying double the price of the Neo for a MacBook with similar specs (but more RAM and better I/O) that weighed 2.0 pounds or less. I’d buy such a MacBook not to replace my 14-inch MacBook Pro, but to replace my 2018 11-inch iPad Pro as my “carry around the house” secondary computer.

Mike Sax:

I want a MacBook Mini (12”). I’d be thrilled and impressed.

David Sparks:

If you’ve been waiting for Apple to make a truly ultralight Mac, something more premium, smaller, and yes, more expensive, the Neo isn’t that machine. The Neo is about accessibility and volume. It’s the MacBook for everyone.

I want the other thing.

[…]

The technology is ready. Apple silicon was basically designed for this. The question is whether Apple sees the market opportunity, or whether they think the Air (or whatever it becomes post-Neo) already fills that slot.

I don’t think it does.

Thomas Clement:

Actually looking for ultraportable ~1Kg (or less), whatever size makes this possible (13" I guess, even maybe 12").

Stephen Hackett:

Among the many sins Apple committed with the 12-inch MacBook is that it was priced like a mid-range laptop, confusing the product line. If Apple were to return to this market, slotting in an ultra-portable machine in a more premium price point would avoid that confusion and let Apple go wild with what it could do with such a machine.

Jason Snell:

As someone who has known and loved the 12-inch PowerBook, 11-inch MacBook Air, and even the 12-inch MacBook, I am sadly not convinced that this is a big enough segment for Apple to target when the MacBook Air exists.

And here’s the biggest reason I think a smaller laptop may never happen: Over the last decade, everything in macOS has gotten a bit bigger—not just OS elements, but even fundamentals of app design. When I was still using an 11-inch Air, I would often discover apps that couldn’t be resized to fit on my screen. The same happened with the retina MacBook. I’m afraid that the 13-inch display in the MacBook is probably as small as modern macOS and today’s Apple will reasonably go.

Dan Moren:

She did, however, knock the MacBook Neo on one hardware feature—or lack thereof. And no, it wasn’t the two USB-C ports or that one is slower than the other. It’s the lack of a touchscreen. That’s a feature that even budget PC laptops have had for a long time, and Apple—arguably the king of touchscreens!—has refused to bring to its computer platform.

Dan Moren:

Still lacking in any of Apple’s laptops, however, are cellular options, all the more apparent as the company touts its C1X modem in recently released iPhones and iPads. Might that finally find its way into a future MacBook?

Mr. Macintosh:

I know this is goofy thinking territory… but imagine if Apple actually wanted to make a run at the low‑price PC market

Neo could be the budget nameplate across the entire Mac lineup

Mac mini Neo: Apple TV case, A18 $299

iMac Neo: A18 Chip $899

William Gallagher and Mike Wuerthele:

Apple has all of the elements to make a “Mac Neo” Mac mini adjunct. There is proof of market demand, and proof in the company’s own historical trends.

[…]

Save incredible rendering power for the Max and Ultra chips. A19 Pro would be just fine for most uses, and faster than the M2 mini.

[…]

There is an argument that Apple could build a Mac Neo into the chassis of the Apple TV 4K. We’d very much like this.

Mr. Macintosh:

How could Apple not turn the Studio Display into the next generation 27" iMac?

Adam C. Engst:

[W]hat’s stopping Apple from turning this into a 27-inch iMac Neo besides a little storage? It probably couldn’t support all the ports in Mac mode, but that would make the $1600 a lot more palatable if you got a Mac with it.

Scott Hanselman:

The MacBook Neo uses an A18 Chip that is in my iPhone Pro Max, and it runs full macOS competently in eight gigs of RAM

I want to plug my iPhone into my thunderbolt dock and run macOS X.

It doesn’t seem like it’s a technical problem anymore, now it’s organizational willpower

benwiggy:

The cheapest iPhone (17e) is the same price as the MacBook Neo! (In the UK: both £599.) If Apple can make a laptop for that price, then surely a basic phone should be a fraction of that?

gabe:

Had a dream that Apple released a 32-inch MacBook, called the MacBook Pro Ultrawide, and it looked like this. I bought one and unlocked extreme productivity but then it wouldn’t fit into my backpack, so I had to leave it behind.

Saagar Jha:

So I needed a new trash can

Previously:

Modern FatBits Mode

Marcin Wichary:

Go to Settings > Accessibility > Zoom, and then turn on “Use scroll gesture with modifier keys to zoom.”

[…]

I’d also recommend turning off “Smooth images” under “Advanced…” so you see individual pixels better[…]

Over the years, I found this feature very useful to inspect various misalignments, to check visual details, and occasionally simply to read text that’s too small.

[…]

Peek gestures are fast, but the main benefit is that they’re safe. In some apps, pressing ⌘+ a few times and then ⌘– the matching amount of times doesn’t guarantee you will end up back in the same situation. The window size might change, the scroll position might move, the cursor might end up in a different place. In contrast, the Ctrl gesture is 100% deterministic and reversible; it will always work the same and never mess anything up.

John Gruber (Mastodon, previously):

This is one of the very best MacOS tips. No third-party software. Built into MacOS for several (many?) years now. Incredibly useful.

But I had no idea it existed until last June at WWDC.

A great feature that I rarely hear anyone talk about. It’s the perfect topic for the “Unsung” blog. I’m not sure how old this feature is, but I think I recall using it back when I had a Mighty Mouse. I think I could activate it one-handed using the side buttons?

These days, with a Magic Mouse, I use the Control-Option-Command modifier keys to avoid conflicts. It actually feels a bit more natural with a trackpad because you can use the same three-finger double-tap gesture to toggle the zoom level (it remembers where you left it) and to adjust the zoom. You can also quick-toggle the zoom when using the mouse, and it does let you use the same separate set of modifier keys as for zooming, but the problem with using modifier keys to toggle the zoom is that it conflicts. Any combination of modifier keys is also used by some keyboard shortcut that I use. When I press the bare modifiers as part of typing that keyboard shortcut, macOS doesn’t know that a letter key will be forthcoming, and it triggers an unwanted zoom.

Wichary has another great tip of using the Command-Shift-4 mode to measure distances on screen. Somehow I’ve never thought to do that—when were the numbers added? I do often use that mode to draw a temporary straight line to see whether two items are aligned. And, yes, this works in combination with the accessibility zoom.

Previously:

Only Time Will Tell

Marcin Wichary:

Why is there a short wait if you press a button on your headphone remote or your AirPods to pause the music? Because the interface has to let a bit of time pass to figure out if you’re going to press the button again, making it a double press (advance to next track) instead of a single press.

This kind of disambiguation delay is everywhere for simple gestures.

[…]

Why is there a short wait if you press a button to go to the next track on your car’s steering wheel? It’s a delay of a different kind, but the same principle: the function cannot kick in on press down, because press down and hold mean “fast forward.”

Monday, April 13, 2026

SpamSieve 3.3

SpamSieve 3.3 is an update of my Mac e-mail spam filter that includes lots of changes to improve the filtering accuracy:

Previously:

Artemis II Desktop Pictures

Nick Heer:

NASA has put a few hundred photos on Flickr with some awesome views — and I must emphasize how the word “awesome” undersells these images. I am using this one as the wallpaper on my iMac right now, and it feels like a pretty good use of a big, high-resolution display.

Previously:

Artemis II’s Fault-Tolerant Computer

Logan Kugler (via Hacker News):

To ensure those wrong answers never reach the spacecraft’s thrusters, NASA moved beyond the triple redundancy of traditional systems. Orion utilizes two Vehicle Management Computers, each containing two Flight Control Modules, for a total of four FCMs. But the redundancy goes even deeper: each FCM consists of a self-checking pair of processors.

Effectively, eight CPUs run the flight software in parallel. The engineering philosophy hinges on a “fail-silent” design. The self-checking pairs ensure that if a CPU performs an erroneous calculation due to a radiation event, the error is detected immediately and the system responds.

“A faulty computer will fail silent, rather than transmit the ‘wrong answer,’” Uitenbroek explained. This approach simplifies the complex task of the triplex “voting” mechanism that compares results. Instead of comparing three answers to find a majority, the system uses a priority-ordered source selection algorithm among healthy channels that haven’t failed-silent. It picks the output from the first available FCM in the priority list; if that module has gone silent due to a fault, it moves to the second, third, or fourth.

[…]

Orion carries a completely independent Backup Flight Software (BFS) system. This is a prime example of dissimilar redundancy. It is implemented on different hardware, runs a different operating system, and utilizes independently developed, simplified flight software.

Jim Hillhouse:

There are two main flight computers that use two radiation-hardened IBM PowerPC 750FX single-core processors, a CPU introduced in 2002 and used in Apple computers such as the iBook G3 until 2005.
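The fail-silent scheme Kugler describes is easy to misread as “more voting.” It is the opposite: a self-checking pair compares its two lanes with each other, and on disagreement the whole module stops talking, so the selector never has to compare answers from different modules at all. The following is an added model of that arrangement, written for this post and not taken from NASA or Orion’s software; the control law, the module names, and the bit-flip used to stand in for a radiation event are all made up for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


def flight_law(state: int) -> int:
    """Stand-in for the primary flight software's control law (any deterministic function)."""
    return (state * 3 + 7) & 0xFFFF


def backup_law(state: int) -> int:
    """Stand-in for the dissimilar Backup Flight Software: same job, separately written."""
    return (3 * state + 7) % 0x10000


@dataclass
class SelfCheckingPair:
    """One FCM: two lanes run the same software in lock-step; if they disagree the module
    goes fail-silent and stays that way instead of transmitting a possibly wrong answer."""
    name: str
    silent: bool = False

    def compute(self, fn: Callable[[int], int], state: int, lane_b_upset: int = 0) -> Optional[int]:
        if self.silent:                        # once silent, always silent
            return None
        lane_a = fn(state)
        lane_b = fn(state) ^ lane_b_upset      # lane_b_upset models a radiation-induced bit flip
        if lane_a != lane_b:
            self.silent = True
            return None
        return lane_a


def select_source(fcms: List[SelfCheckingPair], fn: Callable[[int], int], state: int,
                  upsets: Dict[str, int], backup: Callable[[int], int]) -> Tuple[str, int]:
    """Priority-ordered source selection: take the first FCM that still speaks. No comparison
    of answers is needed because a faulty module says nothing. If all four are silent, fall
    back to the dissimilar backup."""
    for fcm in fcms:                            # list order is the priority order
        out = fcm.compute(fn, state, upsets.get(fcm.name, 0))
        if out is not None:
            return fcm.name, out
    return "BFS", backup(state)


def majority_vote(outputs: List[int]) -> Optional[int]:
    """Conventional triplex voting, for contrast: it must compare answers and can only mask a
    wrong one while a strict majority still agrees."""
    for candidate in outputs:
        if outputs.count(candidate) * 2 > len(outputs):
            return candidate
    return None


def new_flight_computers() -> List[SelfCheckingPair]:
    """Two VMCs with two FCMs each, listed in priority order."""
    return [SelfCheckingPair(f"VMC{v}-FCM{f}") for v in (1, 2) for f in (1, 2)]


if __name__ == "__main__":
    fcms = new_flight_computers()
    print(select_source(fcms, flight_law, 10, {}, backup_law))                   # first FCM answers
    print(select_source(fcms, flight_law, 10, {"VMC1-FCM1": 0x4}, backup_law))   # it goes silent, next one answers
    print(select_source(fcms, flight_law, 10, {}, backup_law))                   # still silent, next one again
```

The property worth noticing is in `select_source`: it never looks at two outputs side by side, so the “which of these disagreeing numbers is right?” question that triplex voting has to answer simply does not arise. The price is that detection lives entirely inside each pair, which is why a module that has once disagreed is never trusted again.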

Previously:

Friday, April 10, 2026

Privacy & Security Settings Don’t Show Intent-Based Access

Howard Oakley (Hacker News):

Thus, access to a protected folder by user intent, such as through the Open and Save Panel, changes the sandboxing applied to the caller by removing its constraint to that specific protected folder. As the sandboxing isn’t controlled by or reflected in Privacy & Security settings, that allows TCC, in Files & Folders, to continue showing access restrictions that aren’t applied because the sandbox isn’t applied.

[…]

It’s possible for an app to have unrestricted access to one or more protected folders while its listing in Files & Folders shows it being blocked from access, or for it to have no entry at all in that list.

[…]

Most concerning is the apparent permanence of the access granted, requiring an arcane command in Terminal and a restart in order to reset the app’s privacy settings.

I was aware that access could be granted in this way, but I think I assumed that it only lasted until the app quit. Oakley says that it actually persists until you run tccutil reset All and restart. (I guess the specific TCC identifier is undocumented; clearly it’s not SystemPolicyDocumentsFolder.)

I generally have the opposite problem, with access not lasting as long as expected:

Previously:

Notifications Privacy

Joseph Cox:

The FBI was able to forensically extract copies of incoming Signal messages from a defendant’s iPhone, even after the app was deleted, because copies of the content were saved in the device’s push notification database, multiple people present for FBI testimony in a recent trial told 404 Media.

Rosyna Keller:

Push Notifications can be sent encrypted (server controls the encryption) and decrypted locally with a UNNotificationServiceExtension running on the device. Signal and other E2EE apps do this.

But then the decrypted notification gets saved to the database.

Rosyna Keller:

So iOS should probably delete an app’s entries from the notifications database when said app is deleted…

More than that, you may not want certain notifications to even be posted. As I discussed back in 2015, the Notification Center settings only control what’s displayed; turning notifications off there does not prevent the notifications from being generated and stored in the database. These days, the database is protected by TCC, but the information is still written to disk. For more privacy, apps should have their own settings that prevent the information from being sent to the system in the first place.

Marcus Mendes (Hacker News):

Signal’s settings include an option that prevents the actual message content from being previewed in notifications. However, it appears the defendant did not have that setting enabled, which, in turn, seemingly allowed the system to store the content in the database.

Patrick Wardle:

AuRevoir (French for ‘goodbye’) is a simple utility to view and remove notifications from Apple’s Notification Database.

Previously:

Mythos and Glasswing

Rich Mogull:

Anthropic, the company behind the Claude AI chatbot, made two security announcements that were shocking for many but seen as inevitable by those of us working in AI security. First, it announced Mythos Preview, a new, non-public AI model that turns out to be startlingly good at finding security flaws in software. The second was Project Glasswing, Anthropic’s program for getting that capability into the hands of the companies best positioned to fix those flaws before anyone else can exploit them. Apple is one of those companies.

As much as I’d like to downplay the announcements, Mythos and Project Glasswing are very big deals on their own, and harbingers for the future of digital security. Mythos was able to find and exploit new vulnerabilities in every major operating system, including a bug in OpenBSD, an operating system famous for its security, that had been sitting there unnoticed for 27 years.

[…]

We are at the start of a period in which finding software flaws that affect everyday users will become dramatically easier for both attackers and defenders. […] However, over the long run, I believe using AI to identify security vulnerabilities favors defenders, because developers can find and fix many more bugs before shipping software to the public.

Anthropic has a habit of making wild and scary public statements that seem designed to generate headlines and funding but sort of fall apart upon scrutiny. I initially dismissed this as more of the same, but people seem to be taking it seriously.

Paul Haddad:

Our model is so good, it’s not safe to release, yet. Has to be one of the greatest AI marketing stunts ever.

Ben Thompson:

There’s reason for cynicism, given Anthropic’s history, but the part of the “Boy Cries Wolf” myth everyone forgets is that the wolf did come in the end.

Daniel Jalkut:

If Anthropic has really developed an LLM that can suss out security weaknesses better than any other AI, the US government would be foolish to continue shunning them.

Or, rather, if the government believes the marketing, it may want to take control of the company and its technology, like how it restricted civilian nuclear research.

Ben Thompson:

In fact, Amodei already answered the question: if nuclear weapons were developed by a private company, and that private company sought to dictate terms to the U.S. military, the U.S. would absolutely be incentivized to destroy that company.

Previously:

Update (2026-04-13): Martin Alderson (Hacker News):

For nearly 20 years the deal has been simple: you click a link, arbitrary code runs on your device, and a stack of sandboxes keeps that code from doing anything nasty. Browser sandboxes for untrusted JavaScript, VM sandboxes for multi-tenant cloud, ad iframes so banner creatives can't take over your phone or laptop - the modern internet is built on the assumption that those sandboxes hold. Anthropic just shipped a research preview that generates working exploits for one of them 72.4% of the time, up from under 1% a few months ago. That deal might be breaking.

[…]

If an LLM can find exploits in sandboxes - which are some of the most well secured pieces of software on the planet - then suddenly every website you aimlessly browse through could contain malicious code which can 'escape' the sandbox and theoretically take control of your device - and all the data on your phone could be sent to someone nasty.

[…]

Equally, sandboxes (and virtualisation) are fundamental to allowing cloud computing to operate at scale.

Jon Martindale:

That’s the pitch in Anthropic’s blog and verbose 250-page report on the model — which includes over 20 pages of Anthropic staff waxing lyrically about their novel impressions of the new model and its “fondness for particular philosophers.”

Alongside the repeated suggestions from Anthropic and its staff that we should be concerned, nay, terrified, of what AI like Claude Mythos can do, they repeatedly suggest they’re unsure if this new AI is conscious.

For the record, it is not. It might be good at finding vulnerabilities in software, but many of them aren’t as potentially damaging as Anthropic wants us all to believe.

[…]

Under the subheading, “and several thousand more,” Anthropic also states that it can’t actually confirm that all of the thousands of bugs Mythos claims to have found are actually critical security vulnerabilities. It’s just extrapolated that number from having found in around 90% of the “198 manually reviewed vulnerability reports, [Anthropic’s] expert contractors agreed with Claude’s severity assessment exactly.”

Colin Cornaby:

When I read about Mythos one thing stood out to me: It didn’t matter if the model was aligned or safe. You couldn’t afford to run it anyway, and they can’t afford to serve it to you. And that’s a better explanation for why they’ve limited access to Mythos.

[…]

If Mythos is only affordable by the very largest companies – I think cybersecurity is a very shrewd focus by Anthropic. But for reasons that concern me.

[…]

I think this is Anthropic’s next big play. Scare everyone with some security theater. And sell big tech some tiger rocks. And everyone will be too terrified to ever stop paying for Mythos. Big tech might even be willing to pay billions for multiple models.

Ben Thompson:

In other words, Anthropic isn’t facing a marginal cost problem, but an opportunity cost problem: where to allocate its compute.

[…]

The key to handling those costs will be to charge more for Claude going forward; that, by extension, means maintaining pricing power, which leads to a second benefit of not releasing Mythos broadly. Anthropic certainly faces competition from OpenAI; for both frontier labs, however, the real competition in the long run are open source models.

Stefan Esser:

One thing I have not seen discussed about #Mythos. Will @apple really give Claude and therefore potentially the whole world access to their private source code?

Bruce Schneier:

This is very much a PR play by Anthropic—and it worked.

[…]

These models do demonstrate an increased sophistication in their cyberattack capabilities. They write effective exploits—taking the vulnerabilities they find and operationalizing them—without human involvement.

[…]

The security company Aisle was able to replicate the vulnerabilities that Anthropic found, using older, cheaper, public models. But there is a difference between finding a vulnerability and turning it into an attack. This points to a current advantage to the defender.

[…]

A couple of weeks ago, I wrote about security in what I called “the age of instant software,” where AIs are superhumanly good at finding, exploiting, and patching vulnerabilities. I stand by everything I wrote there. The urgency is now greater than ever.

Previously:

Thursday, April 9, 2026

macOS 26.4.1

Juli Clover (no release notes, no security, enterprise, no developer, full installer, IPSW):

macOS Tahoe 26.4.1 addresses an issue that could cause the M5 MacBook Air and M5 Pro/Max MacBook Pro models to fail to join 802.1X Wi-Fi networks when using content filter extensions.

See also Mr. Macintosh and Howard Oakley.

Previously:

Update (2026-04-14): macOS 26.4.1 fixes a bug introduced in macOS 26.4 where NSWorkspace.icon(forFile:) didn’t work with custom icons.

iOS 26.4.1 and iPadOS 26.4.1

Juli Clover (iOS/iPadOS release notes, no security, enterprise, no developer):

According to Apple’s release notes, the software updates contain unspecified “bug fixes.”

Benjamin Mayo:

While the official release notes were vague, a thread on the developer forums indicates it actually fixes a significant bug related to iCloud data syncing.

Developers had noticed that iPhones running 26.4 would stop receiving iCloud change notifications, which impacted cloud data sync for apps that use CloudKit framework, including Apple’s own Passwords app.

[…]

The bug exists on iPadOS 26.4.0 as well, but macOS Tahoe 26.4 was not afflicted by the same issue.

Adam Engst:

Apple, would it kill you to acknowledge what the bug affected in the release notes? Something like, “Fixes an issue where data synced by iCloud may not appear immediately.”

Apple (MacRumors):

Stolen Device Protection will be automatically enabled on devices that update from iOS 26.4 to iOS 26.4.1.

Adam Engst:

I tested this explicitly with my update, turning Stolen Device Protection off before I installed, and checking immediately afterward, where it remained off.

I don’t understand why Apple keeps announcing that it’s doing this and then not actually doing it, or perhaps only doing it for certain users. If, like me, you don’t want Stolen Device Protection, the idea of being opted into it is a bit scary. If you do want it, you may now have a false sense of security unless you check that it was actually enabled.

Previously:

Update (2026-04-14): Akshay Kumar:

Wi-Fi instability remains a widely discussed problem after updating to iOS 26.4.1. The networking stack continues to struggle with maintaining steady connections to local routers, and Apple has yet to officially acknowledge its flaw, leaving users to rely on community troubleshooting.

[…]

  • Reports confirm the update resolves the CloudKit/iCloud sync bug, which previously caused outdated or missing data across apps like Passwords.

However, users are still discussing lingering issues:

  • Delayed syncing after update
  • Temporary mismatch between devices
  • Apps needing manual refresh to update data

Nick Heer:

We’re four major updates into iOS 26 and Safari still opens tabs from other apps in random places among open tabs. Too bad this massive company has no time to fix bugs.

I’m still seeing lots of freezes in Safari where the bottom bar gets drawn in the center of the screen, and the whole app stops responding to taps.

ClickFix Now Uses Script Editor Instead of Terminal

Thijs Xhaflaire (via Andrew Orr):

Unlike traditional ClickFix campaigns that instruct users to paste commands directly into Terminal, the discovered variant uses a browser-triggered workflow to launch Script Editor.

[…]

  • The page leverages an applescript:// URL scheme
  • Clicking the “Execute” button invokes this URL scheme from the browser
  • The browser prompts the user to allow Script Editor to open
  • Once opened, a pre-filled script is presented for execution

[…]

This payload uses base64 encoding combined with gzip compression to obscure its contents before execution.
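For anyone triaging one of these pages, the useful artifact is the URL itself: everything Script Editor will show the victim is carried in its query string. Below is an added Python helper, written for this post rather than taken from Xhaflaire’s or Reguła’s write-ups, that pulls the script out of such a URL and unpacks any base64+gzip blob inside it. It assumes the URL has the `applescript://com.apple.scripteditor?action=new&script=…` shape that Script Editor registers (the post above only names the scheme), and the lure it builds for testing is a constructed sample with a harmless inner command, not a capture from the campaign.

```python
import base64
import gzip
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, quote, urlsplit

# Assumed shape of the Script Editor URL (the post above only names the scheme):
#   applescript://com.apple.scripteditor?action=new&script=<percent-encoded AppleScript>
SCRIPT_EDITOR_HOST = "com.apple.scripteditor"

# A run of base64 text long enough to be a packed payload rather than an ordinary word.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
GZIP_MAGIC = b"\x1f\x8b"


def parse_applescript_url(url: str) -> Optional[Dict[str, str]]:
    """Return {'action', 'script'} if the URL would hand a script to Script Editor, else None."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "applescript" or parts.netloc.lower() != SCRIPT_EDITOR_HOST:
        return None
    query = parse_qs(parts.query, keep_blank_values=True)   # percent-decodes each value once
    return {"action": query.get("action", [""])[0], "script": query.get("script", [""])[0]}


def unpack_payloads(script: str) -> List[str]:
    """Find base64 runs in the script text and return those that gunzip to text."""
    payloads = []
    for match in B64_RUN.finditer(script):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:            # not valid base64 after all (binascii.Error is a ValueError)
            continue
        if not raw.startswith(GZIP_MAGIC):
            continue                  # base64 of something else; leave it for manual review
        try:
            payloads.append(gzip.decompress(raw).decode("utf-8", errors="replace"))
        except (OSError, EOFError):
            continue
    return payloads


def triage(url: str) -> Optional[Dict[str, object]]:
    """One-call summary: does this URL launch Script Editor, and what does its script hide?"""
    parsed = parse_applescript_url(url)
    if parsed is None:
        return None
    return {"action": parsed["action"], "script": parsed["script"],
            "payloads": unpack_payloads(parsed["script"])}


def build_sample_url() -> str:
    """Constructed lure for testing: a benign shell line, gzip'd and base64'd, wrapped in a
    'do shell script' the way such pages wrap it. Not a sample from the campaign itself."""
    inner = 'echo "constructed sample payload"\n'
    blob = base64.b64encode(gzip.compress(inner.encode())).decode()
    lure = f'do shell script "printf %s {blob} | base64 -D | gunzip | sh"'
    return f"applescript://{SCRIPT_EDITOR_HOST}?action=new&script={quote(lure, safe='')}"


if __name__ == "__main__":
    report = triage(build_sample_url())
    print(report["script"])
    print(report["payloads"])
```

Two practical notes. Browsers log the full URL they were asked to open, so the same function works on a proxy log line or a `LaunchServices` prompt as on the page source. And the unpacking is deliberately conservative: a base64 run that does not start with the gzip magic is left alone rather than guessed at, because the next variant may layer a different encoding and you want to see that, not silently drop it.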

Previously:

Update (2026-04-13): Wojciech Reguła:

I described this technique on my blog in 2022.

Wednesday, April 8, 2026

Adobe Modifies Your Hosts File for Their Analytics

Thom Holwerda (via Hacker News):

If you’re using Windows or macOS and have Adobe Creative Cloud installed, you may want to take a peek at your hosts file. It turns out Adobe adds a bunch of entries into the hosts file, for a very stupid reason.

[…]

If the DNS entry in your hosts file is present, your browser will therefore connect to their server, so they know you have Creative Cloud installed, otherwise the load fails, which they detect.

They used to just hit http://localhost:<various ports>/cc.png which connected to your Creative Cloud app directly, but then Chrome started blocking Local Network Access, so they had to do this hosts file hack instead.

Sure enough, my /etc/hosts contains:

## Adobe Creative Cloud WAM - Start ##
166.117.29.222 detect-ccd.creativecloud.adobe.com
## Adobe Creative Cloud WAM - End ##

I don’t even use Creative Cloud. Lightroom Classic is the only app I wish I could get from the Mac App Store, because Adobe’s own updater is so intrusive and terrible.
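A hosts entry overrides DNS for every process on the machine, so this is worth checking on any box you manage, not just ones with Creative Cloud. Here is an added Python audit, written for this post and not part of any Adobe or OS tooling, that parses a hosts file, keeps track of vendor marker blocks like the one above, and flags names that are steered to a real address rather than loopback or a blackhole. The sample input reproduces the Adobe block shown above and pads it with constructed lines in the standard macOS layout; it is not a capture of my actual file.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample in /etc/hosts layout. The Adobe block matches the one quoted above;
# the rest is made up for the example.
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1\tlocalhost
255.255.255.255\tbroadcasthost
::1             localhost
## Adobe Creative Cloud WAM - Start ##
166.117.29.222 detect-ccd.creativecloud.adobe.com
## Adobe Creative Cloud WAM - End ##
0.0.0.0 tracker.example   # constructed blocklist-style entry, harmless
"""

BLOCK_START = re.compile(r"^##\s*(.+?)\s*-\s*Start\s*##$", re.IGNORECASE)
BLOCK_END = re.compile(r"^##\s*(.+?)\s*-\s*End\s*##$", re.IGNORECASE)


def parse_hosts(text: str) -> List[Dict]:
    """One record per mapping line: the address, the names, and the vendor block it sits in."""
    records, block = [], None
    for raw in text.splitlines():
        stripped = raw.strip()
        start, end = BLOCK_START.match(stripped), BLOCK_END.match(stripped)
        if start:
            block = start.group(1)      # e.g. "Adobe Creative Cloud WAM"
            continue
        if end:
            block = None
            continue
        line = stripped.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        records.append({"ip": ip, "names": names, "block": block})
    return records


def redirecting_entries(records: List[Dict]) -> List[Dict]:
    """Entries that send a dotted hostname somewhere other than loopback/unspecified/broadcast.
    Those are the ones that change where a browser or any other client actually connects."""
    flagged = []
    for rec in records:
        try:
            addr = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue                     # malformed line; not our concern here
        harmless = addr.is_loopback or addr.is_unspecified or rec["ip"] == "255.255.255.255"
        if not harmless and any("." in name for name in rec["names"]):
            flagged.append(rec)
    return flagged


if __name__ == "__main__":
    for rec in redirecting_entries(parse_hosts(SAMPLE_HOSTS)):
        owner = rec["block"] or "no marker block"
        print(f'{rec["ip"]} -> {", ".join(rec["names"])}  [{owner}]')
```

On a live system feed it `open("/etc/hosts").read()`; the marker-block tracking is what tells you which installer to blame when an entry has no obvious owner. Note that this kind of redirection is invisible to anything that watches DNS queries, which is exactly why a per-host audit is needed.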

Previously:

Update (2026-04-09): John Gruber:

They didn’t have to do this, of course. In fact, quite obviously, they definitely should not be doing this. Adobe is just a third-party developer, no better, no more trusted, no more important than any other. Imagine if every piece of software on your computer added entries to your /etc/hosts file. Madness.

Update (2026-04-10): Nick Heer:

In his headline, Tsai says this is “for their analytics”, but I do not think that is right. I spent a little time digging into this today and, while I have nothing concrete, I expect this is for integrations between web apps and the company’s desktop apps. In Adobe Express — free web apps for a handful of common image and PDF editing tasks — there are at least two JavaScript files containing references to a ccdDetectUtil, presumably standing for “Creative Cloud Desktop detection utility”. If the user has the desktop apps installed, it appears to suggest the Express app, too, and I am guessing this also powers a thing where you can update a Creative Cloud desktop app by clicking a button on the web.

See also: Hacker News.

Apple Scraping YouTube for AI Training Data

Joe Rossignol:

Three established YouTube channels have sued Apple, alleging that the company violated the U.S. Digital Millennium Copyright Act (DMCA) by unlawfully accessing and scraping millions of copyrighted videos from YouTube to train its AI models.

[…]

Apple “deliberately circumvented” YouTube’s protections against video scraping and “profited substantially” by doing so.

Apple’s research papers indicate that some of the YouTube videos uploaded by the plaintiffs were used to train its AI models, the complaint alleges.

Malcolm Owen:

This apparently involved using computers with rotating IP addresses to scrape the data.

[…]

This data was then used to create an archive that was used to train “Apple AI Video.” As proof of this, the suit refers to an academic paper from Apple’s researchers disclosing it had trained using Panda-70M.

Panda-70M is described as a dataset made entirely of YouTube videos. All acquired via scraping YouTube for content. Ted Entertainment’s content is in a total of 438 videos, with MrShortGameGolf’s content in 8 videos, and Golfholics in 62 videos.

And yet when Musi made an app where users could watch individual YouTube videos, with no circumvention, Apple pulled it from the App Store.

Previously:

Perplexity Privacy Lawsuit

Ashley Belanger (via John Gruber):

Perplexity’s AI search engine encourages users to go deeper with their prompts by engaging in chat sessions that a lawsuit has alleged are often shared in their entirety with Google and Meta without users’ knowledge or consent.

“This happened to every user regardless of whether or not they signed up for a Perplexity account,” the lawsuit alleged, while stressing that “enormous volumes of sensitive information from both subscribed and non-subscribed users” are shared.

[…]

“‘Incognito’ mode does nothing to protect users from having their conversations shared with Meta and Google,” the complaint said. “Even paid users who turned on the ‘Incognito’ feature still had their conversations shared with Meta and Google, along with their email addresses and other identifiers that allowed Meta and Google to personally identify them.”

Previously:

Apple Granted Stay Over External Purchase Fee

Sarah Perez:

Apple is preparing to take its App Store fight with Epic Games back to the Supreme Court. In a new filing, the iPhone maker said it plans to ask the U.S. Supreme Court to review another aspect of this long-running case over App Store fees.

In the meantime, Apple sought to pause the appeals court’s ruling limiting how it can charge for external payments. On Monday, April 6, the court granted Apple’s motion, and Epic Games immediately challenged it.

Juli Clover:

Apple says that it does not want to make multiple major changes to its App Store fee structure. Instead, Apple proposes that the current no-commission setup remain in place until Apple hears back from the Supreme Court. Developers can currently include links to non-App Store purchase options in their apps and Apple charges no fee from purchases made using those links. Apple wants to continue fee-free links and hold off on the long legal battle to determine a fee for the time being.

Marcus Mendes:

Additionally, Epic filed its actual response opposing Apple’s original motion to stay the order. In it, the company reaffirms its stance that “Apple’s effort to stay this Court’s mandate is about nothing other than delay,” and argues that “staying the mandate (…) simply delays relief for consumers and allows Apple to continue reaping supracompetitive profits from IAP.”

Previously:

Tuesday, April 7, 2026

Dynamic Notarization Checks?

Tyler Hall:

I submitted a new build of one of my Mac apps to Apple’s Notary service - like every new release. Normally, the notarization goes through in just a few minutes. Today, multiple builds have been pending for 2+ hours. And, weirdly, my API server is getting traffic from those two builds I submitted for notarization.

Does Apple’s notary service…launch and run app submissions? I’ve never noticed this behavior before.

Thomas Reed:

In theory, the notarization process is supposed to weed out anything malicious. In practice, nobody really understands exactly how notarization works, and Apple is not inclined to share details.

[…]

All developers and security researchers know is that notarization is fast. I’ve personally notarized software quite a few times at this point, and it usually takes less than a couple minutes between submission and receipt of the e-mail confirming success of notarization. That means there’s definitely no human intervention involved in the process, as there is with App Store reviews. Whatever it is, it’s solely automated.

Tahoe TCP Overflow Bug

Photon (Hacker News):

After exactly 49 days, 17 hours, 2 minutes, and 47 seconds of continuous uptime, a 32-bit unsigned integer overflow in Apple’s XNU kernel freezes the internal TCP timestamp clock. Once frozen, TIME_WAIT connections never expire, ephemeral ports slowly exhaust, and eventually no new TCP connections can be established at all. ICMP (ping) keeps working. Everything else dies. The only fix most people know is a reboot.

[…]

This is a 32-bit unsigned integer timer wraparound bug in the TCP subsystem, specifically a TCP timestamp counter overflow. The counter in question, tcp_now, is the kernel’s internal TCP clock. When it stops ticking, every timer in the TCP stack that depends on it stops working.

They suggest that the bug may have been around since Catalina, but I’ve had a Mac server running from the Catalina days all the way through Sequoia, with months of uptime, and haven’t seen this problem. I’ve not updated the server to Tahoe yet.

Previously:

Update (2026-04-08): Jason Snell:

As someone who keeps a Mac mini running in my closet, I guarantee you that I have been affected by this bug. […] Unless I’m traveling, I just shrug, reboot the Mac, and go on with my life.

Update (2026-04-10): John Gruber:

I think this bug is new to Tahoe. If you look at Apple’s open-source XNU kernel code — e.g. lines 3,732 to 3,745 in tcp_subr.c — you can see that the lines assigning the time in milliseconds to a uint32_t variable were checked in just six months ago, whereas most of the file is five years old. Also, I personally ran my MacBook Pro — at the time, running MacOS 15.7.2 Sequoia — up to 91 days of uptime in January.

See also: Adam Engst.
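The 49 days, 17 hours, 2 minutes and 47 seconds in the quoted post is exactly 2^32 milliseconds, the point at which a uint32_t millisecond counter wraps. The following is an added example, not code from XNU or from the post: it derives that figure and contrasts a plain unsigned timer compare with the modular compare TCP code normally uses at the wrap boundary; the page does not detail the actual XNU defect (the post describes the clock stopping rather than wrapping), so `check_timer` and the other names are this example's own model of the hazard.

```python
# Added example, not code from XNU or the quoted post: the arithmetic behind the
# 49-day figure and how a timer compare must treat a uint32 millisecond clock.
U32_MASK = 0xFFFFFFFF
U32_MOD = 1 << 32

def wrap_period():
    """Days, hours, minutes and whole seconds until a uint32 ms counter wraps."""
    secs = U32_MOD // 1000            # 4294967 s; the 0.296 s remainder is dropped
    days, rem = divmod(secs, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, seconds = divmod(rem, 60)
    return days, hours, minutes, seconds

def to_u32(ms):
    """Model storing a 64-bit millisecond count in a uint32_t: silent truncation."""
    return ms & U32_MASK

def signed32(x):
    """Reinterpret a 32-bit value as int32 (what a C int32_t cast does)."""
    x &= U32_MASK
    return x - U32_MOD if x >= (1 << 31) else x

def expired_naive(now, deadline):
    """Plain unsigned compare: wrong whenever exactly one side has wrapped."""
    return now >= deadline

def expired_wrapsafe(now, deadline):
    """Modular compare (the usual TCP sequence/timestamp idiom): correct as long
    as the two values are less than 2^31 ms apart."""
    return signed32(now - deadline) >= 0

def check_timer(now_real_ms, deadline_real_ms):
    """Take an absolute uptime and an absolute deadline, truncate both to the
    uint32 values a 32-bit clock would hold, and evaluate the timer both ways.
    Returns (naive_expired, wrapsafe_expired)."""
    now = to_u32(now_real_ms)
    deadline = to_u32(deadline_real_ms)
    return expired_naive(now, deadline), expired_wrapsafe(now, deadline)

if __name__ == "__main__":
    print("uint32 ms clock wraps after %d days %02d:%02d:%02d" % wrap_period())
    boundary = U32_MOD
    # Deadline set 5 ms before the wrap, checked 3 ms after it: the naive compare
    # never fires (timer stuck), the modular compare fires as it should.
    print(check_timer(boundary + 3, boundary - 5))     # (False, True)
    # Deadline set 5 ms after the wrap, checked 10 ms before it: the naive
    # compare fires early, the modular compare correctly waits.
    print(check_timer(boundary - 10, boundary + 5))    # (True, False)
```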

Challenges With Ancient Dates in Apple SDKs

Aaron Trickey:

Foundation’s date-handling code has an effective lower bound around January 1, 4713 BC on the Julian calendar. You can create a Date value representing an instant in time below that limit, but many Calendar methods will return unexpected values when you try to do anything with it.

[…]

And NSDatePicker does okay with BC dates. […] UIDatePicker, however, simply cuts off at AD 1.

[…]

When formatting or parsing dates, there is no way to override the built-in era symbols (like “BC” and “AD”) or, in locales where multiple conventions are in use, to choose among them.

[…]

(For going to and from strings, the older DateFormatter type does have such a property [for the Julian to Gregorian transition] defined, but it wasn’t carried forward into the newer Date.FormatStyle API, and it obviously doesn’t affect DateComponents conversions.)

Previously:

John Martellaro, RIP

Bryan Chaffin:

He rose to the rank of Captain in the U.S. Air Force, and he was a NASA scientist. He worked for years at Apple, and most importantly to me, he was a columnist and the voice of reason and humanity at The Mac Observer. He wrote SciFi and a variety of tech columns for several other Mac sites, too.

John was kind, smart, logical, and always reasonable. He was both considerate and considered. Every word that came out of his mouth had a reason to be there and a place to go.

Jeff Gamet:

He’s the guy behind the space shuttle landing simulator I played on an Apple II. He also wrote fantastic analysis pieces and interviewed wonderfully interesting people for his podcast back when we worked together at The Mac Observer.

He wrote for many Mac publications. Just his author page at TMO has 83 pages of article summaries.

Update (2026-04-14): John Gruber:

One of Martellaro’s columns I most remember was one I linked to in January 2010, “How Apple Does Controlled Leaks”[…] Inexplicably, the original piece is no longer hosted at The Mac Observer, but thankfully the Internet Archive has it.

[…]

Another one worth revisiting is this post from December 2011, where I linked to a Martellaro column in which he declared that the success of the Amazon Kindle Fire necessitated that Apple build a 7-inch iPad. “Noted for future claim chowder,” I wrote. Well, Apple debuted the iPad Mini in October 2012.

Many of the Martellaro articles that I linked to over the years are also no longer available outside the Internet Archive.

Monday, April 6, 2026

Phantom App Updates, Part 3

digidude23:

Is Apple creating updates for 3rd party apps now?

This update from Apple will improve the functionality of this app. No new features are included.

iSan4eZ:

Apple inserted this text into my app and issued an update with the same version.

I’m sure about it as I update the app on my phone as soon as I publish it. Imagine my surprise seeing another update a day later with the same release notes, but this prefix added.

Matt Neuburg (via David Deller):

VLC is also showing this. Moreover, I already updated XScreenSaver to this version, yet now I am seeing this modified listing to update to. […] Personally I’m kind of afraid to download those updates just in case the App Store has been hacked and evil payloads injected somehow.

This has happened twice before, and it’s probably nothing to worry about, but it’s weird that I don’t think we ever got an official explanation from Apple.

Previously:

Update (2026-04-08): See also: MacRumors and Hacker News.

Notes From Setting Up New Apple Devices

This weekend, I helped my non-techie father migrate to a new iPhone 17e and MacBook Air:

Previously:

Apple Creating All the Apps

John Gruber:

Pogue interviewed Scott Forstall and got this story, about just how far Steve Jobs thought Apple could go to expand the iPhone’s software library while not opening it to third-party developers:

“I want you to make a list of every app any customer would ever want to use,” he told Forstall. “And then the two of us will prioritize that list. And then I’m going to write you a blank check, and you are going to build the largest development team in the history of the world, to build as many apps as you can as quickly as possible.”

Jesper:

Scott Forstall both arranged for the covert development of app, sandbox and profile infrastructure, as well as talked Steve off the idea of killing jailbreaking and letting it be as long as it was just a fun community experiment.

Indeed, it was Steve catching wind on the latest app developments that ultimately made him change his mind on officially supporting app development, at which point Scott could unveil his skunkworks and presumably shave months off the effort.

[…]

Apple has had a bipolar attitude towards developers for at least the last 40 years, never quite deciding whether we are indispensable or insipid.

[…]

Apple is at its best when the openness of the Woz strain is coupled with the determination and focus of the Jobs strain.

Previously:

Friday, April 3, 2026

macOS 26.4 Paste Protection

Adam Codega:

Apple does not inspect or analyze the contents of what you paste. Even harmless text like "hello world" will trigger the warning under the right conditions.

Instead, Terminal checks where the clipboard content came from. It does this by calling a private API _sourceSigningIdentifier on the NSPasteboard, which reveals the code-signing identity of the application that placed the content on the clipboard.

If the source app matches a predefined list (74 apps total), the paste may be flagged.

Via Jeff Johnson:

The dialog is NOT displayed if Terminal app was opened within the last 30 days, or if developer tools are installed on the Mac.

Dr. Drang:

Surely, I thought, a command that pipes the contents of some random file on the internet into bash for execution would be worth warning about. Nope. I copied the curl command from Safari, pasted it into Terminal, and hit Return. No warning from macOS and my test folder and files disappeared again.

My feelings about this have gone from “I hope Apple doesn’t make it impossible for me to work the way I normally do” to “Looks like Apple isn’t going overboard on the protection” to “Is there any protection here at all?”

Patrick Wardle:

You can read more about ClickFix attacks in MacPaw’s Moonlock Labs write-up: “How ClickFix attacks trick users and infect devices with malware”

[…]

Long before macOS 26.4 (ok, like a month 😄), when Apple added native ClickFix protection, I had already added ClickFix protection to BlockBlock[…]

[…]

The reason Apple doesn’t allow us to subscribe to these events—specifically ES_EVENT_TYPE_RESERVED_1 (the paste event)—is that it’s private, and thus only available to clients that possess the com.apple.private.endpoint-security.client entitlement.

Previously:

Update (2026-04-08): Ferdous Saljooki:

If you’re looking to trigger this on a test machine running macOS 26.4:

  1. /Library/Developer must not exist and no dev tools [including non-Apple tools] should be installed
  2. /var/db/.AppleSetupDone must be older than 24 hours. On a fresh install backdate it: sudo touch -t 202603200000 /var/db/.AppleSetupDone
  3. Clear Terminal’s state: defaults delete com.apple.Terminal LastTerminalStartTime and defaults delete com.apple.Terminal UserAcknowledgedPasteWarning
  4. Quit Terminal completely and relaunch
  5. Copy ANY text from Safari and paste into Terminal

Update (2026-04-13): Howard Oakley:

Although important, devising those defences is continuing the game of cat and mouse: no sooner are they in place than the attackers switch to a different ploy, as they have recently done by abusing a URL scheme and Script Editor. macOS offers a seemingly endless supply of mechanisms available for such abuse.

What has largely escaped attention is how bizarre user behaviour has become. Here’s a victim using a thoroughly GUI operating system copying what to them can only be incomprehensible gibberish and pasting it into Terminal, or running it in Script Editor. Why on earth would a user fall prey to that?

[…]

Over this period, tackling problems on Macs has moved from understanding how to use those GUI tools to blindly entering magic spells in Terminal, and now Script Editor. This trend has been promoted by search engines and most recently AI assistance, both of which are primarily text-based. Ask Google a Mac question, and the chances are you’ll be presented with commands to paste in, rather than a well-written account of how to solve it in the GUI.

I think Apple is also partly behind this change. GUI controls are increasingly absent, hidden, or in different places in different OS versions. Recommending a Terminal command can be simpler and more future-proof.

Previously:

A Letter to John Ternus

Marco Arment (Mastodon):

I urge you, on behalf of everyone who loves computers as much as we do, to protect and cultivate this spirit of Apple’s founders as the company’s top priority:

  • We love computers. We don’t hide that — we celebrate it!
  • We use computers to enhance our minds, lives, and abilities — not to be controlled, restricted, tricked, placated, angered, or surveilled.
  • Our computers work for us, with the utmost respect for our time, attention, money, data, and privacy.
  • We are customers and owners — not resources to be harvested, annoyed, or badgered into ever more services and upsells.

[…]

Making great computers must remain Apple’s top responsibility, because if you don’t do it, nobody will.

Previously:

Small Ways the App Store Could Be Improved for Developers

Jeff Johnson (Mastodon):

There are countless small, practical, mostly uncontroversial ways in which Apple could improve the App Store for developers, yet the App Store has changed relatively little in the 18 years since it was hastily cloned from the iTunes Music Store. […] These changes to the App Store would not require a huge financial investment from Apple. They would simply require Apple to care about the App Store and developers.

[…]

Apple is actually punishing developers for making native apps on each of Apple’s platforms! (In contrast, if I made an “iOS app on Mac,” then there would be only one review.)

[…]

We should be able to edit the metadata after an app has been published. Apple can of course review the edits before the metadata is changed in the App Store.

[…]

Stop using a session cookie for developer website logins!

[…]

App Store Connect is one of the slowest websites I’ve ever used.

[…]

Stop sending a 1.2 MB promo code email—without any actual promo codes!—every time we generate a promo code. […] Several of my apps are a Universal Purchase for iOS and macOS. But for some reason, all promo codes are platform-specific.

[…]

Allow App Store users on older versions of iOS to purchase the last compatible version of an app.

[…]

Show a “contact developer” button when an App Store user leaves a 1 to 3 star rating.

[…]

When an App Store user searches for an app by name, the app should appear first in the results.

Previously:

Thursday, April 2, 2026

iOS 18.7.7 and iPadOS 18.7.7

Jason Snell:

Last December I complained that Apple was withholding iOS 18 security updates from iPhones capable of running iOS 26, leaving users who didn’t want to upgrade to Apple’s latest OS version yet in some security peril.

[…]

The good news: As of Wednesday April 1, Apple is pushing out iOS 18.7.7 to all devices running iOS 18. This update, released last month for devices that were not capable of running iOS 26, is now available even for compatible devices.

[…]

Now the bad news: This is happening because of some really bad security breaches like DarkSword and Coruna.

Meek Geek:

My iPhone was stuck on 18.7.2 since early December and was deprived of FOUR point updates!

I considered this an unprecedented user-hostile move to coerce users to upgrade to iOS 26 when they don’t want to or can’t, and was determined to never buy another iPhone.

Mr. Macintosh:

What a crazy #Apple50 birthday present! 🎁

[…]

Who else is still holding the iOS 18 line like me?😅

Pieter Arntz:

DarkSword is a full‑chain iOS exploit kit that strings together six vulnerabilities in WebKit, Safari, the dynamic loader, and the kernel to go from a browser visiting a malicious website to full device compromise. The chain has been observed in the wild since at least November 2025 in campaigns set up by commercial spyware vendors and state‑sponsored actors.

There is no need to tap a link in Messages or approve an install prompt. Just loading a compromised site or even a malicious advertisement inside Safari is enough to trigger the exploit chain if your device is still missing the relevant patches.

Adam Engst:

After I wrote “DarkSword Exploit Threatens iPhones Still Running iOS 18” (23 March 2026), Apple published the tech note page “Update iOS to protect your iPhone from web attacks,” emphasizing the importance of staying current. It also addresses what those with older versions of iOS should do, noting that Apple released updates for iOS 15 and iOS 16 (to protect against Coruna—see “Older iPhones and iPads Receive Critical Security Updates for Coruna Exploits,” 13 March 2026).

Previously:

Update (2026-04-08): Cédric Luthi:

And now, thanks to DarkSword, people who are still on iOS 17 have another opportunity to upgrade to iOS 18 which has reappeared in Software Update after being removed a few months ago.

John Gruber:

It feels a bit spiteful that Apple doesn’t support staying a year behind the major version of iOS like they do — thankfully — with MacOS. The vast majority of iPhone and iPad users just do what Apple encourages — they accept the default setting to auto-update when Apple pushes updates to their devices. People who update manually do so by choice, and if that choice is offered, it ought to be supported.

Russia Gets Apple to Turn Off App Store Payments

MacRumors (9to5Mac):

In a new support document, Apple said new purchases, in-app purchases, and subscription renewals are no longer available in Russia unless a user already has funds in their Apple Account balance, which can continue to be used.

[…]

Apple reportedly took this action in response to an order from the Russian government, which allegedly hopes that the lost services revenue from Russian users will pressure the company to add some popular Russian apps back to the App Store, after those apps were removed due to sanctions arising from Russia’s war with Ukraine. The order would presumably end if Apple were to make those apps available again.

That reasoning doesn’t make sense to me.

Will Shanklin:

Why is Russia doing this? Well, the (state-aligned) Russian news outlet RBC reported that government officials said it was to prevent users from paying for VPN apps. Earlier this week, Reuters reported that the country has stepped up its attack on the services as part of its “great crackdown” on online information and speech. By mid-January, it had reportedly blocked 70 percent more VPN apps than late last year.

Valerie Hopkins et al.:

The Russian authorities have deepened their crackdown on popular foreign apps and have begun periodically turning off mobile internet across the country, after spending hundreds of millions of dollars to build up censorship technology that they plan to expand.

Anastasiia Iurshina:

What follows is the testimony of an IT specialist living and working in Russia, describing what internet control looks like in practice in early 2026. They have worked in IT both for Russian and international companies for over 20 years, including software development, machine learning, and information security.

Matthew Luxmoore and Milàn Czerny:

The Kremlin has struggled for years to curb internet freedoms and curtail the reach of Western tech platforms that have amassed huge user bases inside Russia. A new Russian super-app is now making that goal possible.

Max is a messaging and e-commerce platform run by tech giant VK that is expanding to offer everything from taxi-hailing services to electronic passport wallets, modeled on China’s WeChat.

With full-throated government backing, Max is being pushed by pro-Kremlin celebrities as a safer equivalent to Telegram and WhatsApp, the popular messaging platforms now being throttled by Russian censors.

Previously:

Mobile Web Browsing Benchmarks 2026

Eric Seckler (MacRumors):

Today, we are proud to celebrate a major milestone: Android is now the fastest mobile platform for web browsing.

Through deep vertical integration across hardware, the Android OS, and the Chrome engine, the latest flagship Android devices are setting new performance records, outperforming all other mobile competitors in the key web performance benchmarks Speedometer and LoadLine and providing a level of responsiveness previously unseen on mobile.

[…]

Where traditional benchmarks often focus on synthetic tasks, LoadLine uses recorded, stable versions of select real-world websites. This includes simpler and more complex sites with varied characteristics, reflecting the most important types of mobile web content, such as shopping, search, and news portals.

LoadLine has proven that Android’s page load performance is world-class: Top tier Android phones score up to 47% higher than non-Android competitors. And this matters: LoadLine scores also correlate well (-0.8) with median and high-percentile page load latency in the field.

John Gruber:

Speedometer is a benchmark anyone can run just by visiting the benchmark’s website. Running LoadLine, especially on an iOS device, is an enormous hassle that involves two USB-C-to-Ethernet adapters, enabling Remote Automation and the Web Inspector in Safari, installing custom certificates on the iOS device, and installing custom software on an attached Mac.

You will be shocked to learn that the three unnamed Android phones outscored the “competing mobile phone” by significantly larger margins on LoadLine than Speedometer.

Matt Birchler:

Likely due to corporate lameness, they didn’t put specific labels on their bar chart, they just identified that 3 Android OEMs have devices that performed better on the Speedometer 3.1 benchmark than some “competing mobile phone platform”.

[…]

I happen to be someone who has the fastest iPhone and the fastest Android phone from the most popular Android maker in the US: the iPhone 17 Pro and Galaxy S26 Ultra.

I guess today is a day of benchmarks for me, because I literally just posted a bunch of benchmarks, including GeekBench scores which showed the Galaxy matching the iPhone in single-core, and beating it in multi-core.

But yeah, I get the same results as Google did, although the iPhone scored a bit lower on my device for some reason[…]

Previously:

Wednesday, April 1, 2026

CloudKit Problems With iOS 26.4

Lukas Kubanek:

Looks like Apple broke CloudKit sync in OS 26.4. Remote notifications don’t seem to arrive, so no updates unless the app is relaunched.

Sean Heber:

There are so many annoying limits and throttles when dealing with iCloud/CloudKit. Now I ran into one where the subscriptions that let you know when content changed are also throttled and limited. From what I’m reading, I might be in push-notification-jail for 24 hours now because I triggered a ton of changes during a test.

Makes it a tad hard to know when I broke something vs. when iCloud just decides to stop sending me stuff for a while.

Sean Heber:

Has anyone had a CKSubscription just… stop? It’s a zone change subscription. It’s supposed to generate an invisible push so I can refresh things. This used to work. Then early yesterday it didn’t work anymore. I’ve tried everything I can think of including reverting all code entirely back to a state from a few days ago when I know it worked. But it still doesn’t work. I’ve rebooted things. I’ve reinstalled things. It’s been 27ish hours now since I last saw it work.

Steve Troughton-Smith:

Looks like the CloudKit sync issue in *OS 26.4 is real (I can repro with all of my apps), and has the very distinct potential to lead to catastrophic data loss and/or sync conflicts across effectively all apps. Apps only receive changes from the cloud after being quit and relaunched.

Amy Worrall:

Anyone know if the iOS 26.5 beta fixes the CloudKit subscriptions not working bug from 26.4?

Ged Maheux:

It’s hilarious that the iOS 26.5 beta release notes make no mention that they fixed this massive regression with iCloud push sync Apple broke in 26.4.

It seems serious enough to warrant a 26.4.1 update.

Previously:

Update (2026-04-08): Adam Engst:

The good news is that Apple has acknowledged and addressed the bug, and multiple developers have confirmed the fix is present in the iOS 26.5 beta. However, that release may not appear until mid-May, so we can hope Apple will release an iOS 26.4.1 patch to address it sooner.

Update (2026-04-09): There’s more information about the bug in the Apple Developer Forums and on Reddit, and it’s apparently fixed in iOS 26.4.1.

Previously:

Update (2026-04-10): Gui Rambo:

It looks like the CloudKit silent notification bug was caused by some sort of token validation added in iOS 26.4 that was dropping notifications from CloudKit. Fixed in iOS 26.4.1 by bypassing the validation for notifications that come from CloudKit.

See also: Khaos Tian.

CKSyncEngine

WWDC 2023:

Discover how CKSyncEngine can help you sync people’s CloudKit data to iCloud. Learn how you can reduce the amount of code in your app when you let the system handle scheduling for your sync operations. We’ll share how you can automatically benefit from enhanced performance as CloudKit evolves, explore testing for your sync implementation, and more.

The documentation:

The sync engine uses an opaque type to track its internal state, and it’s your responsibility to persist that state to disk and make it available across app launches so the engine can function properly.

For example, if you delete an object while offline, you can send that change to the engine and let it keep track of whether it’s been pushed to the server. In theory, you don’t have to manage tombstones yourself as long as you persist the engine’s state. When you add or change objects, the state stores just the IDs so it shouldn’t grow too huge.

There’s some sample code, but it’s frustrating in that the conflict resolution is rather basic. I think you actually can access the ancestorRecord to do a three-way merge, but they don’t show that.

Sean Heber (previously):

I removed CKSyncEngine and did it all myself solving the problems we needed solved. Maintaining a synced database of items with unique IDs supporting cascade deletes and automatically handling conflicts without much participation from the server which knows nothing of our needs.

[…]

One of the key problems we had was how CloudKit replays deletion tombstones going way back. Tapestry would download feed items, make a CKRecord, and put it in iCloud to sync to other devices. Then later when the item gets old, we delete them. Over time, with busy feeds, you’re looking at hundreds of expiring items per day for some people.

[…]

Those replays are a total waste of time but it’s just how it works. It could take hours to restore the relatively small number of actually current records as CloudKit replays dead records the new install never had in the first place. Thousands and thousands of them.

I had to rearchitect everything to redesign it around this one unchangeable behavior.

You could probably fetch the initial data manually, using CloudKit directly, before initializing CKSyncEngine. Then it would take a while for it to catch up, but at least the app would be usable. It seems like the engine should just handle this better, though.

Christian Selig (Mastodon, tweet):

I’ve had a lot of fun working with CKSyncEngine over the last month or so. I truly think it’s one of the best APIs Apple has built, and they’ve managed to take a very complex topic (cloud syncing) and make it very digestible and easy to integrate, without having to get into the weeds of CKOperation and whatnot like you had to in previous years.

More interesting for a blog post, perhaps, I also had a fair few questions going into it (having very little CloudKit knowledge prior to this), and I thought I’d document those questions and the corresponding answers, as well as general insights I found to potentially save a future CKSyncEngine user some time, as I really couldn’t find easy answers to these anywhere (nor did modern LLMs have any idea).

[…]

But you should not have multiple CKSyncEngine instances managing a single private database (I naively tried to do this to have a nice separation of concerns between different types of data in the app). The instances trip over each other very quickly, with it not being clear which instance receives the sync events.

[…]

In this [the case of quotaExceeded] Apple pauses the queue until the user frees up space or buys more (or after several minutes, specified by retryAfterSeconds) but does not add your item back, which seems weird to me, so just add it back. But you also can’t just add it back, as that would put it at the end of the queue, so you have to insert it back at the beginning of the queue so it’s the next item that will be retried (since it just failed). Only, there’s no API for this, so grab all the items in the queue, then empty the queue, then re-add all items back to the queue with your failed item at the front.

Stéphane Lizeray:

CKSyncEngine has greatly simplified the integration with CloudKit and the error handling though. It was way more difficult before, I would say almost impossible before.

[…]

There are several issues here. The first one is not related to CKSyncEngine but to the replay API of CloudKit. The second one is that you have options when fetching changes to fix this issue (Scope + prioritizedZoneIds) but it is assumed that you designed your schema accordingly. And it didn’t exist with CKFetchRecordZoneChangesOperation only with CKSyncEngine… The third issue is that you can’t use ZoneOptions.desiredKeys

See also: Harmony, which uses CKSyncEngine on GRDB (via Aaron Pearce).

Previously:

axios Compromised on NPM

Ashish Kurmi (Hacker News):

axios is the most popular JavaScript HTTP client library with over 100 million weekly downloads. On March 30, 2026, StepSecurity identified two malicious versions of the widely used axios HTTP client library published to npm: axios@1.14.1 and axios@0.30.4. The malicious versions inject a new dependency, plain-crypto-js@4.2.1, which is never imported anywhere in the axios source code. Its sole purpose is to execute a postinstall script that acts as a cross platform remote access trojan (RAT) dropper, targeting macOS, Windows, and Linux. The dropper contacts a live command and control server and delivers platform specific second stage payloads. After execution, the malware deletes itself and replaces its own package.json with a clean version to evade forensic detection.

Carly Page:

The releases didn’t come through the project’s usual build process either. Security firm StepSecurity found that both versions were published via the compromised npm account of “jasonsaayman,” the project’s primary maintainer, who was reportedly locked out of the account while the packages were being pushed.

The attackers swapped the account’s email address for an anonymous ProtonMail inbox and pushed the infected packages manually via the npm CLI, completely bypassing the project’s GitHub Actions CI/CD pipeline and the safeguards developers tend to assume are in place.
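A defender-side check for the indicators named above, added here and not StepSecurity’s or the axios project’s code: it scans an npm package-lock.json (lockfileVersion 2 or 3, which lists every installed package under `packages` and marks packages with install hooks via `hasInstallScript`) for the two axios versions, for plain-crypto-js at any version, and for anything carrying an install-time script, then traces which package pulled the unexpected dependency in. The lockfile in the block is a constructed sample; `follow-redirects` and its version are filler, not taken from the advisory.

```python
# Added example (not StepSecurity's or axios's code): scan a package-lock.json
# for the indicators named in the write-up above.
import json

# Package versions named in the quoted advisory.
MALICIOUS_VERSIONS = {
    "axios": {"1.14.1", "0.30.4"},
    "plain-crypto-js": {"4.2.1"},
}

def package_name(lock_path):
    """Map a lockfile key such as 'node_modules/a/node_modules/@s/b' to '@s/b'."""
    return lock_path.split("node_modules/")[-1]

def scan_lockfile(lock):
    """Return (kind, name, version) findings for a parsed lockfile v2/v3 document:
    known-malicious        exact versions from the advisory
    unexpected-dependency  plain-crypto-js at any other version (axios never imports it)
    install-script         any package the lockfile marks as having install hooks
    """
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":            # the root project entry
            continue
        name = package_name(path)
        version = meta.get("version", "")
        if version in MALICIOUS_VERSIONS.get(name, ()):
            findings.append(("known-malicious", name, version))
        elif name == "plain-crypto-js":
            findings.append(("unexpected-dependency", name, version))
        if meta.get("hasInstallScript"):
            findings.append(("install-script", name, version))
    return findings

def find_dependents(lock, target):
    """Names of packages whose dependency lists pull in `target`, so the
    injection point (here: axios itself) can be traced."""
    dependents = []
    for path, meta in lock.get("packages", {}).items():
        deps = {}
        for key in ("dependencies", "optionalDependencies", "peerDependencies"):
            deps.update(meta.get(key, {}))
        if target in deps:
            dependents.append(package_name(path) if path else meta.get("name", "<root>"))
    return dependents

def load_lockfile(path):
    """Read a real package-lock.json from disk."""
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)

# Constructed sample lockfile mirroring the advisory: axios 1.14.1 pulling in
# plain-crypto-js 4.2.1, which carries a postinstall hook. follow-redirects and
# its version number are filler, not taken from the advisory.
SAMPLE_LOCK = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "dependencies": {"axios": "^1.14.0"}},
    "node_modules/axios": {
      "version": "1.14.1",
      "dependencies": {"follow-redirects": "^1.15.6", "plain-crypto-js": "4.2.1"}
    },
    "node_modules/follow-redirects": {"version": "1.15.9"},
    "node_modules/plain-crypto-js": {"version": "4.2.1", "hasInstallScript": true}
  }
}
""")

if __name__ == "__main__":
    for kind, name, version in scan_lockfile(SAMPLE_LOCK):
        print(f"{kind:22s} {name}@{version}")
    print("plain-crypto-js pulled in by:", find_dependents(SAMPLE_LOCK, "plain-crypto-js"))
```

Note that a lockfile only shows what was resolved at install time; the advisory says the dropper rewrites its own package.json after running, so a clean-looking node_modules tree is not evidence that the install hook never executed.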

Previously: