Posts in Linked

Apple’s Updated Security Guide for iOS 11.1 and iOS 11.2

Apple’s iOS Security guide is one of the most fascinating technical documents I’ve read in recent years. While the topics are intricate, they’re presented clearly in readable English. Earlier this week, the document was updated with new information on the latest additions to the iOS ecosystem – including Face ID, Apple Pay Cash, and Password AutoFill. There are some interesting details I didn’t know in each section.

On Face ID:

Facial matching is performed within the Secure Enclave using neural networks trained specifically for that purpose. We developed the facial matching neural networks using over a billion images, including IR and depth images collected in studies conducted with the participants’ informed consent. Apple worked with participants from around the world to include a representative group of people accounting for gender, age, ethnicity, and other factors. The studies were augmented as needed to provide a high degree of accuracy for a diverse range of users. Face ID is designed to work with hats, scarves, glasses, contact lenses, and many sunglasses. Furthermore, it’s designed to work indoors, outdoors, and even in total darkness. An additional neural network that’s trained to spot and resist spoofing defends against attempts to unlock your iPhone X with photos or masks.

On Apple Pay Cash, which details the new ‘Apple Payments Inc.’ subsidiary:

When you set up Apple Pay Cash, the same information as when you add a credit or debit card may be shared with our partner bank Green Dot Bank and with Apple Payments Inc., a wholly owned subsidiary created to protect your privacy by storing and processing information separately from the rest of Apple and in a way that the rest of Apple doesn’t know. This information is only used for troubleshooting, fraud prevention, and regulatory purposes.

[…]

Apple Payments Inc. will store and may use your transaction data for troubleshooting, fraud prevention, and regulatory purposes once a transaction is completed. The rest of Apple doesn’t know who you sent money to, received money from, or where you made a purchase with your Apple Pay Cash card.

To read more, get the full PDF here and check out the document revision history for January 2018.


The Effects of Safari’s Intelligent Tracking Prevention

Alex Hern, reporting for The Guardian on the results of Safari’s new Intelligent Tracking Prevention (ITP), launched last year with iOS 11 and macOS High Sierra (via John Gruber):

Internet advertising firms are losing hundreds of millions of dollars following the introduction of a new privacy feature from Apple that prevents users from being tracked around the web.

Advertising technology firm Criteo, one of the largest in the industry, says that the Intelligent Tracking Prevention (ITP) feature for Safari, which holds 15% of the global browser market, is likely to cut its 2018 revenue by more than a fifth compared to projections made before ITP was announced.

Here’s how Apple officially describes ITP in Safari 11’s documentation:

Added Intelligent Tracking Prevention, which updates the default cookie and website data policy to isolate and remove cookies and website data for sites with the ability to track users cross-site.

This isn’t the first time ad companies have complained about Apple’s protection of user privacy in Safari and stance against invasive cross-site tracking. In September, six trade groups claimed Apple was “sabotaging” the industry with a “unilateral and heavy-handed approach”, to which Apple responded:

“Ad tracking technology has become so pervasive that it is possible for ad tracking companies to recreate the majority of a person’s web browsing history,” according to an Apple spokesperson. “This information is collected without permission and is used for ad re-targeting, which is how ads follow people around the Internet.”

“Unilateral” is exactly right: Apple should only care for the interests of users buying their devices, not those of third-party ad companies creepily tracking them around the web.

Cross-site tracking and ad targeting have gotten so out of hand over the past couple of years, it’s become a regular comment from friends who don’t follow tech news – “Why am I seeing an ad for something I was checking out two days ago on another site?” is a question I hear frequently despite the existence of third-party ad blockers and Apple’s own ITP in Safari. Personally, I think the more Apple can advance ITP, the better it is for the privacy of all iOS users.


Sharing Links from Twitter for iOS Appends Garbage to the URL

Last night on Twitter, I noted that the company’s iOS app now appends a query parameter based on an app’s bundle identifier when you share a tweet’s link via the system share sheet.

As some have noted, this appears to be a recent change in Twitter for iOS, which is less than ideal as the resulting link contains a long string of URL-encoded garbage. More than ugly URLs, however, what bothered me was Twitter’s implicit tracking of which apps users invoke to share links with – something that even applies to core iOS features such as Apple’s own Messages extension.

I wondered whether Apple should consider this a violation of App Store guidelines, but it appears that Twitter isn’t breaking any rules by appending app-based query parameters to their shareable URLs. Benjamin Mayo looked into this feature and explained how Twitter is leveraging public iOS APIs to read bundle identifiers from the share sheet – he even posted a proof-of-concept code snippet to show how it’d work in practice.

He writes:

In reality, this is very easily achieved. As part of the activity provider API, the system asks for content to share for each sharing extension the user has installed. The Apple framework openly passes the activity type to the app. Twitter simply takes the base URL it wants to share and appends the ‘garbage’ before returning.

And:

The important thing to note here is that the mechanism is innocuous and uses valid APIs provided by Apple. Twitter is not exploiting private APIs to achieve this. A cursory look at the app review guidelines suggests to me there are no grounds for Apple to scold Twitter (or any other app) for doing it.

My personal stance is that this is annoying but does not violate user privacy. Importantly, Twitter cannot append arbitrary information to its URLs system-wide; it is confined to cases where users share something from inside the Twitter app itself. I don’t really see a justification for Apple to amend the guidelines to disallow it. I just take it as another reason not to use the official Twitter app.

In conclusion, if links to tweets you copied from the Twitter app suddenly look longer and messier than before, this is why. Personally, while Twitter may be taking advantage of a publicly available API, I still think the implementation is, at the very least, in poor taste – especially because it’s coming from the same company that used to scan users’ devices to list installed apps and deliver “tailored content” based on them. Even though I won’t stop using the Twitter app because of this, I wish Twitter would revert to standard, clean URLs when sharing tweets from the app. I also hope Apple is taking a closer look at this.
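A defensive check for the behavior described above, added here as an example (it is not Benjamin Mayo’s snippet or Twitter’s code): it decodes each query parameter of a shared link, flags values that carry a reverse-DNS identifier such as an iOS activity type, and returns the link without those parameters. The sample links and the `src` parameter name are constructed, since the post does not show the actual parameter, and the TLD prefix list is a heuristic.

```python
import re
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit, urlunsplit

# Heuristic: reverse-DNS identifiers (bundle ids, activity types) start with a
# TLD-like label followed by at least two more labels. The prefix list is an
# assumption for this example, not an exhaustive set.
REVERSE_DNS = re.compile(r"\b(?:com|net|org|io|co|me|app)(?:\.[A-Za-z0-9_-]+){2,}\b")


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded separators are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def audit_shared_url(url):
    """Return (clean_url, findings); findings is a list of (param, identifier)."""
    parts = urlsplit(url)
    kept, findings = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        hits = REVERSE_DNS.findall(fully_decode(value))
        if hits:
            findings.extend((name, hit) for hit in hits)  # drop this parameter
        else:
            kept.append((name, value))
    clean = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))
    return clean, findings


# Constructed sample links; "src" is a placeholder parameter name.
SAMPLES = [
    "https://twitter.com/example/status/1234567890?lang=en"
    "&src=share%7Cios%7Ccom.apple.UIKit.activity.Message",
    "https://twitter.com/example/status/1234567890?src=share%257Ccom.example.Notes.Share",
    "https://twitter.com/example/status/1234567890",
]

if __name__ == "__main__":
    for link in SAMPLES:
        clean, findings = audit_shared_url(link)
        print(clean, findings)
```

Parameters that carry no app identifier, such as `lang=en` in the first sample, are kept, so the cleaned link still resolves to the same tweet.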


Connected, Episode 175: The Devil on my Shoulder

2018 is here, and so is Stephen’s new computer and our predictions for the next year. Also, CES is a thing.

In the first episode of Connected for 2018, we share our annual predictions and discuss some of the overarching themes from CES. You can listen here.

Sponsored by:

  • Linode: High performance SSD Linux servers for all of your infrastructure needs. Get a $20 credit with promo code ‘connected2018’
  • Squarespace: Make your next move. Enter offer code WORLD at checkout to get 10% off your first purchase.
  • MissionU: An education for the 21st century


Matt Wilkinson Joins Beats 1’s Primetime Lineup

Serenity Caldwell, reporting for iMore on a major change to Beats 1’s primetime lineup:

Apple’s Beats 1 radio service (part of Apple Music) is shaking up its weekday primetime programming starting January 8, bringing a new DJ to its daily lineup and moving around its primetime shows.

Matt Wilkinson, who formerly hosted Beats 1’s weekly Saturday alternative music show, will now join Zane Lowe, Julie Adenuga, and Ebro Darden as a weekdaily presence on the network — he’ll be broadcasting live from London from 6AM-8AM ET Monday through Friday, and will have Mike D of the Beastie Boys on to celebrate his new show on January 15.

Wilkinson’s deep music knowledge (he’s the former NME New Music Editor) is a solid addition to Beats 1’s regular programming.

Here’s Caldwell again on the significance of the announcement:

This is the first time since Beats 1’s launch in 2015 that the primetime lineup has changed significantly: Adding another London voice at the 6-8AM ET slot will nix many of the replays and countdown shows formerly occupying that space; in addition, Julie Adenuga is moving from 3PM ET to 9AM ET, with Ebro Darden bumping up to the 3PM ET slot from the 6-8PM ET evening beat. Beats Creative Director Zane Lowe will continue to hold his flagship 12PM ET slot.

I haven’t listened to Beats 1 much over the past year, but I’m going to check out Wilkinson’s new show (to get an idea of Wilkinson’s style, you can listen to his last show of 2017 – Episode 128 – here.)


Reverse-Engineering the iPhone X Home Indicator Color

Nathan Gitter:

I noticed an unusual behavior of the iPhone X home indicator while working on my most recent app. The app’s background near the home indicator is purple. When the app launches, the home indicator is very light gray.

But something odd happened when I pressed the app’s “share” button, which opened a default iOS activity view (aka “share sheet”). When I hit the “cancel” button to close the activity view, the home indicator animated to a dark gray color.

Home indicator starts light, then a share sheet passing makes it dark.

Even though the background color was exactly the same, the light-colored activity view passing underneath caused the home indicator to change color. The only way to get the home indicator back to its original color was to leave the app and come back.

I had never seen this before, and it prompted my curiosity.

Fascinating study of the iPhone X’s Home indicator behavior. I had no idea that the indicator adapted to background color changes within the bar itself. Don’t miss the second (and more technical) half of the story with Gitter’s detailed color tests.


Panic to Discontinue Development of Transmit iOS

Panic has announced that it will remove Transmit iOS from the App Store soon. In a blog post today, Cabel Sasser explains that the revenue generated by the paid-up-front app was insufficient to justify its continued development. Sasser doesn’t rule out a return of Transmit to iOS some day, and the move does not affect the company’s other iOS apps or Transmit 5 for the Mac, but adding features to the iOS app to match those debuted in the Mac version last year would make Transmit iOS ‘a guaranteed money-loser.’

This is not Panic’s first pull-back from the App Store. In 2016, Panic pulled the plug on Status Board, its widget-style app for tracking data through web APIs. Why Transmit wasn’t sustainable on iOS is unclear:

Was the use case for this app too edge-casey or advanced? Did we overestimate the amount of file management people want to do on a portable device? Should we have focused more on document viewing capabilities? Maybe all of the above?

Although Transmit will be removed from the App Store soon, Panic updated it with iPhone X support, and existing users will still be able to download it from the App Store and use it until some future change in iOS breaks the app.

I’m sad to see Transmit go. It’s a loss for the platform, but I don’t think it’s a bad omen for ‘pro’ iOS productivity apps in general. Transmit failed to get the traction necessary to sustain its further development, but there are still many examples of productivity apps that have found success on the App Store. Hopefully, Panic will find a way to bring Transmit back to iOS one day.


Apple Addresses the Meltdown and Spectre Exploits With Additional Mitigations to Come

In a support article, Apple has acknowledged that the recently-disclosed Meltdown and Spectre exploits, which affect virtually every CPU in computers, mobile devices, and other platforms, also impact every Mac and iOS device. Although there are no known exploits of the vulnerabilities, Apple advises that users proceed with caution and download apps from trusted sources only.

Mitigations to defend against Meltdown have already been shipped by Apple in iOS 11.2, macOS 10.13.2, and tvOS 11.2. watchOS is unaffected by Meltdown. Development of mitigations for both exploits is ongoing and new defenses will be released to each Apple OS as they become available.

The support article published by Apple provides a high-level explanation of how each exploit works. If there’s any good news to be found in the widespread concern caused by these exploits it’s that Apple says the recently-released mitigations have no measurable impact on performance:

Our testing with public benchmarks has shown that the changes in the December 2017 updates resulted in no measurable reduction in the performance of macOS and iOS as measured by the GeekBench 4 benchmark, or in common Web browsing benchmarks such as Speedometer, JetStream, and ARES-6.

Apple’s support document also reveals that Spectre can be exploited in web browsers, including Safari, using JavaScript. Apple is working to address the problem with an update to Safari that will be released in the coming days. Apple says that:

Our current testing indicates that the upcoming Safari mitigations will have no measurable impact on the Speedometer and ARES-6 tests and an impact of less than 2.5% on the JetStream benchmark.

The gravity of the exploits, which affect virtually all computing platforms, cannot be overstated, but it’s reassuring that the initial mitigations released and those coming in the days ahead should have little or no impact on performance. It’s also worth noting that this is probably not the last we’ll hear about Meltdown and Spectre. As Apple notes:

We continue to develop and test further mitigations within the operating system for the Spectre techniques, and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS. 
