Month: September 2019

Becky Hansmeyer:

Background used to be a good app. You can tell from its early reviews that its users genuinely enjoyed browsing and making use of its hand-curated selection of iPhone wallpapers. In fact, its reviews are generally positive up until late June, when an update began causing some issues. From that point on it becomes clear that Background is no longer owned or updated by its original developer. It’s been flipped.

So how does an app get flipped? Read on to discover the ultimate secret to making millions on the iOS App Store.

I was one of those happy users of Background. I remember it always having an upsell component, but nothing as scummy as this. Subscription abuse is a part of the App Store I’d like to see Apple pay more attention to. For example, if an app experiences a sudden surge in subscribers compared to its history — and particularly after a change of ownership — perhaps that should set off a giant klaxon in Cupertino.

I haven’t done one of those posts for a while where I list off several notable things mentioned during and after today’s product announcements, so here goes. I feel like this announcement is perfect for that: major upgrades wrapped in modest refinements of last year’s tailoring. That’s something I can get behind: most people don’t upgrade year-over-year, and stretching a two-year upgrade cycle to three is just fine by me; but, if you were to upgrade from an iPhone XS or a Series 4 Apple Watch, you’ve still got a lot to look forward to.

Anyway, onto a list:

  • The rumour mill missed a lot this year. The always-on display of the Apple Watch wasn’t even rumoured. Nor was the new green colour for the Pro, or the camera combination in the iPhone 11, or the enormous battery life improvements across the board. Then there were the things that didn’t materialize: no new mute switches, Sleep Tracking on the Apple Watch, or the ability to wirelessly charge devices from the back of the new iPhones. The latter two are perhaps possible through software updates.

  • The Apple Watch is now being sold as an entirely customizable product from the point of purchase. Deirdre O’Brien showed off the retail store implementation of what they’re calling the Apple Watch Studio, and it’s also available online.

    When I bought my first Apple Watch, I thought this was how the buying experience would be. The table in the store had all of these bands laid out and you could swap whatever you wanted — with the assistance of a staff member, of course. But you couldn’t buy an arbitrary combination of watch and band. You could only buy a watch and then additional bands. I’m glad to see that’s changing, but I can’t imagine how difficult it must be at Apple’s scale.

  • The titanium Apple Watch looks very special in all of the photos I’ve seen.

  • The new U1 chip in the iPhone 11 line went unmentioned during the presentation, but it’s Apple’s implementation of ultra-wideband. Apple’s marketing webpage says that this will prioritize nearby devices for AirDrop, but it could also be used for the forthcoming item tracking beacon that also did not appear today, or the rumoured Walkie Talkie feature.

  • The iPhone 11 ships with a USB-A Lightning cable, while the 11 Pro includes a Lightning-to-USB-C cable and compact 18W wall adaptor. The now-perennial rumours of the iPhone’s impending switch to a USB-C connector have been greatly exaggerated.

  • Like last year, promotional photos that show the front of the phones feature a wallpaper that makes the notch visible on the base-model iPhone 11 and hides the notch on the iPhone 11 Pro. Most of the product photography seems to emphasize the camera bumps on each model, however, which reminds me of the iPhone 7 campaign.

  • These iPhones don’t have “iPhone” written on the back any more. There’s nothing on the back except the cameras and an Apple logo. It looks clean, but it’s hard to adjust to the centred logo when it’s been about a third of the way from the top for so long.

    I can’t find it right now, but I remember an old piece of advice — possibly in the HIG — that said that items mathematically centred vertically tend to look like they’re lower than they are. The suggestion was that a visually vertically centred item typically needed about twice as much space below the item compared to the space above it.

    Update: On page 184 of the 2003 edition of the HIG (PDF), Apple recommends visually centring application windows: “[the] distance from the bottom of the window to the top of the Dock (if it’s at the bottom of the screen) should be approximately twice the distance as that from the bottom of the menu bar to the top of the window.”

  • Federico Viticci says that iOS 13 will be available September 19, while 13.1 will be released just eleven days later. It sounds like iPads won’t get an x.0 release, only the iPadOS 13.1 update.

  • WatchOS 6 won’t be available until later this year for Series 1 and 2 models.

  • 3D Touch has been wholly replaced by Haptic Touch. It’s likely that the requirements for the dynamic range of this display wouldn’t work with the additional screen layer required for 3D Touch. I bet it’s also easier to integrate an under-display Touch ID scanner without worrying about a 3D Touch layer.

  • You can get an Apple TV Plus subscription and an Apple Arcade subscription for the cost of an Apple News Plus subscription.

Ryan Broderick, Ryan Mac, and Logan McDonald, Buzzfeed News:

Photos and videos posted to private accounts on Instagram and Facebook aren’t as private as they might seem. They can be accessed, downloaded, and distributed publicly by friends and followers via a stupidly simple work-around.

The hack — which works on Instagram stories as well — requires only a rudimentary understanding of HTML and a browser. It can be done in a handful of clicks. A user simply inspects the images and videos that are being loaded on the page and then pulls out the source URL. This public URL can then be shared with people who are not logged in to Instagram or do not follow that private user.

If you have any familiarity with how the web works, you probably rolled your eyes while reading these paragraphs — I know I did. But despite my reservations about the way this is written — it reads like a parody of infosec reporting — I bet most people have no clue that it is trivial to get the address of any resource. Images need to be hosted somewhere, and protecting those addresses is often more difficult than necessary for social networks.1

The problem is not with the way that URLs work. The problem is that social networks continue to abuse the definition of the word “private”, thereby giving users a false sense of safety and secrecy with whatever they post there. Educating users is important, yes, but it is equally important for them to not be lied to by implying that flipping a single toggle switch is enough to make their pictures private to everyone except select users.2


  1. Attempting to access an Apple Music .m4a file directly, for example, will result in an error.

  2. Also, it’s crazy that some Instagram settings can only be changed from within a web browser.
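The footnote above hints at the mitigation: Apple Music refuses a direct request for the file, so knowing the address is not enough. The usual way to get that behaviour is to sign each media URL with a short expiry, so a copied address stops working within minutes and cannot be edited to point at a different object. The block below is an added example written for this post, not code from the article or from any social network; the hostname, key and object path are constructed placeholders, and `?exp=...&sig=...` is an assumed query layout.

```python
# Added example: HMAC-signed, expiring media URLs and the server-side check
# that makes a leaked "source URL" useless after a short window.
import hmac
import hashlib
import time
from typing import Optional
from urllib.parse import urlsplit, parse_qs, urlencode

# Server-side secret; constructed value for the example only.
SIGNING_KEY = b"example-signing-key-do-not-use-in-production"
MEDIA_HOST = "https://media.example.invalid"  # assumed CDN hostname


def _signature(path: str, expires: int, key: bytes) -> str:
    # The MAC covers both the object path and the expiry, so neither can be
    # changed by the holder of the URL without invalidating the signature.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_media_url(path: str, ttl_seconds: int, key: bytes = SIGNING_KEY,
                   now: Optional[int] = None) -> str:
    """Return a URL for `path` that is valid for `ttl_seconds` from `now`."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"exp": expires, "sig": _signature(path, expires, key)})
    return f"{MEDIA_HOST}{path}?{query}"


def authorize_media_request(url: str, key: bytes = SIGNING_KEY,
                            now: Optional[int] = None) -> bool:
    """True only if the URL carries a valid, unexpired signature for its path."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["exp"][0])
        presented = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False  # unsigned or malformed request: deny
    if now >= expires:
        return False  # link has expired, even if the signature is intact
    expected = _signature(parts.path, expires, key)
    # Constant-time comparison so a forger cannot learn the MAC byte by byte.
    return hmac.compare_digest(presented, expected)


def demo(now: int = 1_567_900_000) -> dict:
    """Walk through the cases a media server has to get right."""
    url = sign_media_url("/private/u123/photo.jpg", ttl_seconds=300, now=now)
    tampered = url.replace("photo.jpg", "other.jpg")  # same sig, other object
    bare = MEDIA_HOST + "/private/u123/photo.jpg"      # address with no signature
    return {
        "fresh": authorize_media_request(url, now=now),            # True
        "expired": authorize_media_request(url, now=now + 600),    # False
        "tampered": authorize_media_request(tampered, now=now),    # False
        "unsigned": authorize_media_request(bare, now=now),        # False
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:9s} -> {'allowed' if allowed else 'denied'}")
```

The expiry is what addresses the scenario in the Buzzfeed piece: a follower can still copy the address out of the page inspector, but it stops resolving after the window closes, and re-signing requires the server-side key. Pairing this with an authenticated check at request time (rather than only at signing time) is stricter still, at the cost of making the objects uncacheable by a plain CDN.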

Jack Nicas and Keith Collins, New York Times:

When search results were flooded with Apple apps, Apple executives said, the algorithm concluded that people were looking for a specific Apple app and decided to surface other apps by the same developer.

That wasn’t always to Apple’s benefit. For instance, they said, searching “office” returns a series of Microsoft apps because the algorithm recognizes they are looking for Microsoft Office tools.

Apple engineers said the algorithm believed people searching “music” wanted just Apple Music because users clicked on the Apple Music app so frequently. Apple Music had a distinct advantage over other apps: It comes preinstalled on iPhones. Apple said some people used the search engine to find apps that were already on their phones.

When people search “music,” the App Store reminds them that they already have Apple Music installed. Many people then click on the app, the engineers said, adding to its popularity in the eyes of the algorithm.

Charlie Warzel:

I think a big thing we’ll still be grappling with years from now was how we spent years uncritically absorbing content via recommendation engines and algorithms and how so many of the choices we thought were our own were really driven by this kind of stuff.

Nilay Patel:

One notes that “your search algorithm favors your own products” is the core of almost every antitrust decision Google has lost.

A difference is that Google is actually very good at building search engines; Apple is not. It’s hard to give any company the benefit of the doubt when the facts of the case seem so straightforward, but it is completely plausible to me that the App Store would elevate Apple’s own apps purely because the search engine isn’t very good. That’s not an excuse — especially not when there is no other venue for iOS apps — but it’s believable.

The more I’ve thought about Apple’s statement regarding the iOS exploit chains discovered last week, the more bizarre it seems. In short, I do not understand why Apple felt it necessary to issue a news release at all, and I’ve no clue why this is the release they went with. Let’s start with the first paragraph:

Last week, Google published a blog about vulnerabilities that Apple fixed for iOS users in February. We’ve heard from customers who were concerned by some of the claims, and we want to make sure all of our customers have the facts.

Apple’s use of the word “blog” here seems pejorative — an insinuation that this multipart highly-technical explanation should be taken less seriously because of its publishing medium. Should Google have published this information in a book? Would it matter if the explanation were not hosted on Blogspot? I don’t think so, but Apple’s statement seems to imply that I should care.

The next two paragraphs need to be examined together:

First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones “en masse” as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.

Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case.

Google’s explanation can be misread, but it is not wrong.

The iPhone is assumed to be the most secure consumer device on the planet — nothing revealed in the past week actually changes that. But because of its reputation and its widespread use by higher-value targets — celebrities, politicians, businesspersons, and the like — the market for iOS security breaches is booming. Exploits that require little to no user interaction and rely upon so-far-undisclosed vulnerabilities have long been associated with targeting specific users in a truly clandestine fashion.

The series of exploit chains Google wrote about is entirely different. They’re comprehensive — they span multiple major and minor versions of iOS. They’re targeted to surveil an entire persecuted group of people, which makes them far more exposed than specific user applications but not as indiscriminate as a computer virus. Make no mistake: this was an exploitation deployed “en masse”, exactly as Google says.

Apple’s acknowledgement that users would be exposed only if they visited one of “fewer than a dozen websites” is a little misleading as well. Those websites, Google estimates, served thousands of users per week.

Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not “two years” as Google implies. We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.

Whether these websites were active for months or years seems to be confused by the context of Google’s explanation:

TAG was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12. This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.

The way this is written makes it sound like Google has extrapolated the time that these websites were operational from the version numbers of iOS. Apple doesn’t provide any source for their assertion that they were live for two months, other than “all evidence” — which, sure, but what evidence? Whatever it may be, it doesn’t seem to be available publicly.

The last paragraph is an acknowledgement that software security is a constant chase, and that neither the bugs nor the patches will stop. That’s fine; it’s probably the most straightforward paragraph in the entire release.

And that’s it — that’s the release in summary. The only new information in its five paragraphs is a slightly more accurate number of affected websites and the controversy of whether the attack was running for two months or two years. But those new details are not as relevant as the number of visitors who may have been affected, and making an estimate is still a fraught exercise. If we take the lowest possible figures that we can extrapolate from “thousands of visitors per week” (1,000), two months (or about nine weeks) of operations, mobile share of web browsing in China (about 60%) and Chinese iOS market share (about 20%), we’re left with maybe a thousand exploited iPhones.1

But, again, this is a not-particularly-useful estimate, and I won’t vouch for its accuracy. I put it out there only as a guess about how many devices may be affected by an authoritarian government’s relentless surveillance of Uyghurs worldwide. So, I return to my original question: why did Apple issue this statement?

As both Apple and Google acknowledge, these bugs were patched six months ago, so there is little ongoing customer risk from these websites. Neither company has disclosed which websites were spreading these exploit chains, however, so it’s impossible to say whether your iPhone is likely to be affected. Apple’s disputes seem to be about little more than language choices.

John Gruber points to a story by Thomas Brewster of Forbes as one possible reason. Google’s report only covered iOS vulnerabilities, but Brewster says that the same websites also distributed exploits for Windows and Android systems. The final paragraph in Apple’s statement seems to hint at this possibility:

[…] iOS security is unmatched because we take end-to-end responsibility for the security of our hardware and software. […]

I suppose that’s one possibility, but I’m not convinced.

An argument like Rhett Jones’ of Gizmodo also doesn’t seem quite right:

Cutting through the corporate-speak in that statement, it is important to acknowledge that the Project Zero crew does great work, and there’s no reason to believe that their work is motivated by malice. It’s also worth emphasizing that Apple’s reputation for making secure products has been earned by making secure products. What’s at issue here is who will have the best reputation for security in the future, and the answer is up for grabs.

I don’t see how Apple gains anything by pushing a nonsense statement on a Friday afternoon when they are preparing to unveil new iPhones, Apple Watches, and other devices on Tuesday. Their statement says nothing, but it does remind people of a reputational failure. Why not, instead, demonstrate a commitment to security during the product launch?

I am certain that Apple’s public relations people are much smarter than I am. I’m sure they have a reason for this release. I just can’t fathom what it is, nor can I understand why this is the statement they went with. If Apple did not want to engage with the troubling abuse of their platform to help surveil Uyghurs — and I think they should have, for what it’s worth, but I understand the economic risks of speaking up against the Chinese government — why not issue a succinct release solely about security? One that acknowledges Google’s findings, reminds users that these bugs are patched, reiterates the importance of software updates, and includes a commitment to maintaining device security. That explanation meaningfully helps reassure customers that apparently contacted Apple with concerns, even if the company can’t tell them the likelihood of their device being affected.

One cogent paragraph beats five mediocre ones most of the time, but demonstrating beats telling every single time.


  1. While there are Uyghurs worldwide, the overwhelming majority live in China, so that is why I’ve used those figures for mobile browser usage and iOS market share. Again, this figure is a wildly inaccurate estimate, but it’s the closest I could come up with given public data.

From the statement:

Last week, Google published a blog about vulnerabilities that Apple fixed for iOS users in February. We’ve heard from customers who were concerned by some of the claims, and we want to make sure all of our customers have the facts.

A blog is a collection of blog posts.

First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones “en masse” as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.

Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case.

In the first couple of years of the iPhone’s availability, users simply needed to tap a link on a webpage to jailbreak their device. Even though it was an elegant solution, there was still a nagging feeling that this mechanism could be easily abused.

Apple patched the affected vulnerabilities, of course, but it is an ongoing battle — particularly with JavaScript engines that run far closer to the CPU and GPU than they used to.

As far as I know, nobody has yet published a list of the websites affected, but I imagine they’re highly targeted. That is, even though anyone could have accessed them, that doesn’t mean every iPhone user is equally vulnerable or a likely victim.

Update: Ryan Mac of Buzzfeed News reports that this attack campaign originated in China. Apple and Google have so far skirted that aspect of the story.

Update: Michael Tsai thoughtfully disputes Apple’s downplaying. Regardless of scale, I think Bruce Schneier explained very well the way in which these findings change how we think about zero-day vulnerabilities.

Dieter Bohn, the Verge:

Today at IFA, Google is announcing a new feature for Google Assistant: Ambient Mode. On a few upcoming Android phones and tablets, this new mode will turn those devices into something like a Google Nest Hub (née Google Home Hub) display when docked. It will show calendar info, weather, notifications, reminders, music controls, and smart home controls. Also like the Nest Hub smart display, it will automatically show a slideshow from your Google Photos account.

For its first couple of years on the market, the iPad could show a photo slideshow when it was docked. I’ve always been confused why this capability was removed in iOS 7 instead of being refined along similar lines to this Android feature.

I’m fascinated by this library of hundreds of books about and for the bartending profession. There are volumes in here dating back to the 1700s; there’s a book in the library containing the first printed martini recipe. The web viewer is pretty irritating, but all of the books can be downloaded as PDF documents. If you have a bit of a home bar, this is worth your time. (Via Metafilter.)

John Voorhees, MacStories:

As first reported by TechCrunch and The Verge, Apple has launched a web-based version of its Music app as a public beta at beta.music.apple.com. The app looks and feels a lot like the Music app coming to Catalina later this fall. The two are so close in fact that it’s easy to confuse the two if they’re open at the same time, which I did almost immediately.

Benjamin Mayo:

First impressions: Apple Music web client is a bit slow and laggy. But the UI layout is better optimised for the iPad screen size than the native Music app lol.

The Music app on the iPad should be a lot closer to iTunes or the new Music app on Catalina than it is; it’s one of my most disliked default iPad apps.

Om Malik:

Camera sales are continuing to fall off a cliff. The latest data from the Camera & Imaging Products Association (CIPA) shows them in a swoon befitting a Bollywood roadside Romeo. All four big camera brands — Sony, Fuji, Canon, and Nikon — are reporting rapid declines. And it is not just the point and shoot cameras whose sales are collapsing. We also see sales of higher-end DSLR cameras stall. And — wait for it — even mirrorless cameras, which were supposed to be a panacea for all that ails the camera business, are heading south.

Of course, by aggressively introducing newer and newer cameras with marginal improvements, companies like Fuji and Sony are finding that they might have created a headache. There is now a substantial aftermarket for casual photographers looking to save money on the companies’ generation-old products. Even those who can afford to buy the big 60-100 megapixel cameras are pausing. After all, doing so also involves buying a beefier computer. (Hello Mac Pro, cheese grater edition!)

There’s never been a better time to get into photography by picking up a second-hand DSLR or mirrorless camera. You probably won’t find a full-frame professional-grade camera at a surprisingly good deal — the slight year-over-year improvements that Malik references mean that photographers can keep using years-old kit for much longer than they used to — but the used market is flooded with great mid-level cameras.

After reviewers reported problems with the Galaxy Fold’s display after just a few days of use in April, Samsung delayed shipping the phones while it investigated. Half a year later, the company says that the product is ready — first in Korea, and then in a handful of countries. Notably, the Canadian marketing webpage has been removed. Samsung has listed the changes they’ve made, but I’m most interested in a different press release:

We’re introducing the new Galaxy Fold Premier Service to give you direct access to Samsung experts who can provide you tailored guidance and support over the phone any time, any day. This includes an optional one-on-one onboarding session to walk you through every innovation packed into the Galaxy Fold and demonstrate how best to navigate this revolutionary device.

The optimistic interpretation of this is that this is a premium product with a premium tech support experience. The more cynical read is that Samsung is still worried about the durability of the Galaxy Fold and hopes to put out any fires before they become public relations catastrophes.

Madhumita Murgia, Financial Times:

The regulator is investigating whether Google uses sensitive data, such as the race, health and political leanings of its users, to target ads. In his evidence, Johnny Ryan, chief policy officer of the niche web browser Brave, said he had discovered the secret web pages as he tried to monitor how his data were being traded on Google’s advertising exchange, the business formerly known as DoubleClick.

The exchange, now called Authorized Buyers, is the world’s largest real-time advertising auction house, selling display space on websites across the internet.

Mr Ryan found that Google had labelled him with an identifying tracker that it fed to third-party companies that logged on to a hidden web page. The page showed no content but had a unique address that linked it to Mr Ryan’s browsing activity.

Johnny Ryan of Brave explained the “hidden web pages” in more detail:

Google Push Pages are served from a Google domain (https://pagead2.googlesyndication.com) and all have the same name, “cookie_push.html”. Each Push Page is made distinctive by a code of almost two thousand characters, which Google adds at the end to uniquely identify the person that Google is sharing information about. This, combined with other cookies supplied by Google, allows companies to pseudonymously identify the person in circumstances where this would not otherwise be possible.

All companies that Google invites to access a Push Page receive the same identifier for the person being profiled. This “google_push” identifier allows them to cross-reference their profiles of the person, and they can then trade profile data with each other.

The Push Pages are not shown to the person visiting a web page, and will display no content if accessed directly.

A cursory web search turns up an article by Nic Jansma about ResourceTiming that references cookie_push.html in the context of cross-frame communication. It also references a Facebook script, another Google page, and similar blank-appearing pages from Twitter and Criteo — all of which appear to be for frame-bypassing tracking purposes. I’d love to know if any of these other companies are also passing uniquely-identifying characteristics to third parties through similar means.
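What Ryan describes is observable from the browser’s side: a request to a `cookie_push.html` page on `pagead2.googlesyndication.com` carrying a very long identifier, and the same identifier turning up again on unrelated sites. The block below is an added example, not code from Ryan’s report or from Brave, that audits a request log for exactly that pattern. The host and page name come from the quoted text; the log format, the `google_push` query-parameter name and the sample entries are constructed assumptions for the example, as is the 1,900-character stand-in for the real identifier.

```python
# Added example: audit a browser request log for Push Page loads and check
# whether one identifier is being reused across unrelated sites.
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

PUSH_HOST = "pagead2.googlesyndication.com"  # from Ryan's description
PUSH_PAGE = "cookie_push.html"               # from Ryan's description
TOKEN_PARAM = "google_push"                  # assumed query-parameter name

# Constructed sample log, one "<referring page> <requested url>" pair per line.
# The ~2000-character identifier is stood in for by a 1900-character string.
_TOKEN = "k" * 1900
SAMPLE_LOG = [
    f"https://news.example.invalid/article https://{PUSH_HOST}/pagead/{PUSH_PAGE}?{TOKEN_PARAM}={_TOKEN}",
    f"https://shop.example.invalid/cart https://{PUSH_HOST}/pagead/{PUSH_PAGE}?{TOKEN_PARAM}={_TOKEN}",
    f"https://news.example.invalid/article https://cdn.example.invalid/app.js",
    f"https://blog.example.invalid/post https://{PUSH_HOST}/pagead/{PUSH_PAGE}?{TOKEN_PARAM}=zzzz",
]


def is_push_page(url: str) -> bool:
    """Match only the named page on the named host, whatever directory it sits in."""
    parts = urlsplit(url)
    return parts.hostname == PUSH_HOST and parts.path.rsplit("/", 1)[-1] == PUSH_PAGE


def extract_token(url: str):
    """Return the identifier appended to a Push Page URL, or None if absent."""
    values = parse_qs(urlsplit(url).query).get(TOKEN_PARAM)
    return values[0] if values else None


def audit_push_pages(log_lines):
    """Group Push Page loads by identifier and report where each one was seen.

    Returns a list of findings in first-seen order; `shared_across_sites` is the
    signal that the same person is being labelled for more than one context.
    """
    sites_by_token = defaultdict(set)
    for line in log_lines:
        referrer, url = line.split(" ", 1)
        if not is_push_page(url):
            continue
        token = extract_token(url)
        if token is None:
            continue
        sites_by_token[token].add(urlsplit(referrer).hostname)
    return [
        {
            "token_prefix": token[:8],
            "length": len(token),
            "sites": sorted(sites),
            "shared_across_sites": len(sites) > 1,
        }
        for token, sites in sites_by_token.items()
    ]


if __name__ == "__main__":
    for finding in audit_push_pages(SAMPLE_LOG):
        print(finding)
```

On the sample, the first identifier is flagged because it was loaded from two unrelated sites; the short second one is reported but not flagged. Run against a real capture (a HAR export converted to referrer/URL pairs), the same grouping is how you would confirm or rule out the reuse Ryan describes for your own browser.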

Bennett Cyphers, of the Electronic Frontier Foundation, on Google’s proposals for privacy standards on the web:

As a result, Google has apparently decided to defend its business model on two fronts. First, it’s continuing to argue that third-party cookies are actually fine, and companies like Apple and Mozilla who would restrict trackers’ access to user data will end up harming user privacy. This argument is absurd. But unfortunately, as long as Chrome remains the most popular browser in the world, Google will be able to single-handedly dictate whether cookies remain a viable option for tracking most users.

At the same time, Google seems to be hedging its bets. The “Privacy Sandbox” proposals for conversion measurement, FLoC, and PIGIN are each aimed at replacing one of the existing ways that third-party cookies are used for targeted ads. Google is brainstorming ways to continue serving targeted ads in a post-third-party-cookie world. If cookies go the way of the pop-up ad, Google’s targeting business will continue as usual.

I would love a world in which the biggest privacy offenders have figured out that their business model is fundamentally objectionable and are radically transformed to become privacy leaders instead. I’m not a cynic, but I believe that hoping for that is unearned optimism. Even something as simple as building lightweight webpages is a twisted attempt at control over the web. Google is a skeevy advertising company masquerading as a purveyor of high technology.

Caroline O’Donovan and Ken Bensinger, Buzzfeed News:

The super-pressurized, chaotic atmosphere leading up to that tragedy was hardly unique to Inpax, to Chicago, or to the holiday crunch. Amazon is the biggest retailer on the planet — with customers in 180 countries — and in its relentless bid to offer ever-faster delivery at ever-lower costs, it has built a national delivery system from the ground up. In under six years, Amazon has created a sprawling, decentralized network of thousands of vans operating in and around nearly every major metropolitan area in the country, dropping nearly 5 million packages on America’s doorsteps seven days a week.

[…]

UPS and FedEx, the traditional powers of the logistics world, are deeply invested in safety. UPS, which spends $175 million a year on safety training alone, even has a policy prohibiting drivers from taking unnecessary left turns to reduce exposure to oncoming traffic, finish routes faster, and save fuel. Both firms are also heavily regulated by the government, and many of their trucks are subject to regular federal safety inspections and can be put out of service at any time by the Department of Transportation.

But Amazon’s ingenious system has allowed it to avoid that kind of scrutiny. There is no public listing of which firms are part of its delivery network, and the ubiquitous cargo vans their drivers use are not subject to DOT oversight. But by interviewing drivers as well as reviewing job boards, classified listings, online forums, lawsuits, and media reports, BuzzFeed News identified at least 250 companies that appear to work or have worked as contracted delivery providers for Amazon. The company said it has enabled the creation of at least 200 new delivery firms in the past year, a third of which are owned and run by military veterans. Inpax gets fully 70% of its business from Amazon; some companies depend on the retail giant for all of their income.

The 250 “last mile” delivery companies Buzzfeed found aren’t exactly competitors to UPS or FedEx — even though I bet plenty of people would wish for more competition in that space. Often, they’re couriers working in tandem with heavyweight logistics companies. FedEx might get the parcel across the country, for example, but will have one of these smaller companies bring the product from a warehouse to a customer’s home. And there are hundreds of these courier companies operating with little regulation, high demand, and core dependency on Amazon.

Among the characteristics that distinguish this era of enormously powerful technology companies: increasing the layers of abstraction between companies and their infrastructure; promising consumers more and relying on already-squeezed contractors, thereby exploiting their services; and celebrating their contractors’ successes as their own while deferring responsibility for any mistakes or problems.

Earlier this week, Zack Whittaker of TechCrunch reported that the complex series of exploits used to plant malware on iPhones was an attempt to infect the phones of Uyghurs — presumably by the Chinese government.

Thomas Brewster, Forbes:

The unprecedented attack on Apple iPhones revealed by Google this week was broader than first thought. Multiple sources with knowledge of the situation said that Google’s own Android operating system and Microsoft Windows PCs were also targeted in a campaign that sought to infect the computers and smartphones of the Uighur ethnic group in China. That community has long been targeted by the Chinese government, in particular in the Xinjiang region, where surveillance is pervasive.

[…]

Google hadn’t provided comment at the time of publication. It’s unclear if Google knew or disclosed that the sites were also targeting other operating systems. One source familiar with the hacks claimed Google had only seen iOS exploits being served from the sites.

This must be one of the most expansive known surveillance campaigns in the post-Snowden era, and certainly the most brazen. It doesn’t target communications in transit; because many messaging platforms employ at least some form of encryption, the contents of messages must be captured at either the source or destination. That makes devices themselves much higher value targets and more active participants in spying.