Sunday, October 01, 2017

How I was Accidentally Credited by Apple on a macOS Security Update

curl

We would like to acknowledge Dave Murdock of Tangerine Element for their assistance.

That’s from the end of About the security content of macOS Sierra 10.12.6, Security Update 2017-003 El Capitan, and Security Update 2017-003 Yosemite.

I wasn’t aiming to obtain such credit; all I did was file a Radar on curl.

Why?

I have no end of trouble downloading CocoaPods, Ruby gems, and Node modules using Terminal at my day job.

They have a proxy server tied to my Active Directory credentials. For GUI-based apps, macOS combined with a little Apple utility called Enterprise Connect configures everything as soon as I connect to the network.

However, anything that is strictly command-line is not guaranteed to work.

A bunch of co-workers and I have taken matters into our own hands and written a script that runs from our .bash_profiles. Whenever a shell starts, it automagically sets these environment variables based on the current username and password:

http_proxy
https_proxy
no_proxy

Both http_proxy and https_proxy have traditionally been set to the same thing: a proxy server like http://proxy.company.com that is only reachable inside the company network. Note that even the https_proxy variable points at an unsecured HTTP server.

In an earlier version of the script, I had accidentally set https_proxy to https://proxy.company.com, and things were breaking.

It turns out curl didn’t support HTTPS proxies until late 2016, and macOS 10.12.5 still hadn’t been updated to curl 7.52.0 or later, the release that added that support.
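For concreteness, here is an added example (not the author’s .bash_profile script, and not Apple’s or curl’s code) of the setup just described: it builds the three proxy variables for a proxy reached over plain HTTP, percent-encodes the credentials so a password containing “@” or “:” doesn’t corrupt the URL, and checks a curl’s feature list for the HTTPS-proxy support whose absence caused the breakage above. The proxy host proxy.company.example:8080, the no_proxy suffix .company.example, the user jdoe and its password, and the two trimmed `curl --version` outputs are all constructed placeholders, not values from the post.

```shell
#!/bin/sh
# Added example; assumptions: proxy.company.example:8080 is the corporate
# proxy, .company.example is the internal domain, and the user/password
# values are constructed. None of these come from the original post.

# Percent-encode a username or password before it goes into user:pass@host.
# Characters such as '@', ':' and '/' would otherwise be read as URL
# structure and the proxy login would fail. ASCII input is assumed.
urlencode() {
    s="$1"
    out=""
    while [ -n "$s" ]; do
        c="${s%"${s#?}"}"          # first character of $s
        s="${s#?}"                 # drop it
        case "$c" in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;   # "'c" yields the byte value
        esac
    done
    printf '%s' "$out"
}

# Proxy URL for user $1, password $2 and host[:port] $3. The scheme is http://
# on purpose: as the post says, the proxy itself is reached over unsecured HTTP
# even when it is used as the https_proxy.
proxy_url() {
    printf 'http://%s:%s@%s' "$(urlencode "$1")" "$(urlencode "$2")" "$3"
}

# Export http_proxy, https_proxy and no_proxy for the current shell.
export_proxy_env() {
    url="$(proxy_url "$1" "$2" "$3")"
    export http_proxy="$url"
    export https_proxy="$url"
    export no_proxy="localhost,127.0.0.1,.company.example"
}

# Given the text of `curl --version`, report whether this curl was built with
# the HTTPS-proxy feature (curl 7.52.0 or later, built against a TLS backend).
curl_has_https_proxy() {
    printf '%s\n' "$1" | grep -Eq '^Features:.* HTTPS-proxy( |$)'
}

# Return 0 when the https_proxy value $1 can work with the curl described by
# $2. An https:// scheme on a curl without HTTPS-proxy support is exactly the
# failure mode from the post; a plain http:// proxy works with either curl.
https_proxy_compatible() {
    case "$1" in
        https://*) curl_has_https_proxy "$2" ;;
        *) return 0 ;;
    esac
}

# Constructed sample `curl --version` output, trimmed to the relevant lines
# (not captured from a real macOS build).
OLD_CURL='curl 7.51.0 (x86_64-apple-darwin16.0) libcurl/7.51.0 SecureTransport
Protocols: dict file ftp ftps http https
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM SSL libz'
NEW_CURL='curl 7.54.0 (x86_64-apple-darwin17.0) libcurl/7.54.0 LibreSSL/2.0.20
Protocols: dict file ftp ftps http https
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM SSL libz HTTPS-proxy'

# When run directly: set the variables, then show that the mistaken https://
# scheme passes the check only against the newer curl.
demo() {
    export_proxy_env 'jdoe' 'p@ss:w0rd' 'proxy.company.example:8080'
    echo "https_proxy=$https_proxy"
    for v in "$OLD_CURL" "$NEW_CURL"; do
        if https_proxy_compatible 'https://proxy.company.example:8080' "$v"; then
            echo "ok:   $(printf '%s' "$v" | head -n 1)"
        else
            echo "fail: $(printf '%s' "$v" | head -n 1)"
        fi
    done
}

demo
```

The credentials still end up in plain text in the environment, visible to every child process and to anyone who can read the shell’s environment; that is inherent to the http_proxy convention the post describes, which is why the check on the scheme matters only for whether curl can talk to the proxy, not for whether the password is protected in transit.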

So I filed a radar…

But Wait There’s More!

It turns out curl 7.54.0 and later also closed a number of CVEs, and I mentioned that in my radar.

Fast forward 2 months after I filed the radar, and Apple Product Security emails me to ask if I’d like credit.

I hesitated at first, not knowing what ramifications, if any, being publicly named in an Apple security update might have.

Ultimately, being credited was just too cool not to do, so I did.

Still More to Do

While curl has been updated, my problems unfortunately persist. It appears the Generic Security Services Application Program Interface (GSSAPI) occasionally picks the wrong way to present my credentials to the proxy server, and I get connection errors.

I’m updating to macOS High Sierra right now, hoping that something has changed to resolve this issue, but if not, I’ll be filing another radar.

Though the public Bug Reporter interface recently got a much-needed overhaul, the system is still far from perfect.

I’m truly baffled why Apple doesn’t build macOS and iOS apps that developers can use to collect the required information and file reports with far less work. I bet they’d get a lot more high-quality bug reports. I’ve filed a radar on a radar app.

However, I’ve seen enough bugs fixed where I was the original reporter to feel my time is well spent filing radars.

Sunday, May 29, 2016

All Hope was Not Lost...Apple Released AirPort Base Station Firmware 7.6.7 for 3+ Year Old Devices!

While at a Memorial Day gathering yesterday, the host mentioned that an update had just become available for his AirPort devices, the Express, Extreme, and Time Capsule. I thought he had to have been mistaken and maybe I’d missed updating his hardware on a previous visit. No update had been mentioned in the Apple press, but I knew my AirPort Utility automatic update checking was off; I’d lost hope that Apple would ever send out any updates for my aging Time Capsule. Maybe Apple did send out an update…

Sure enough, Apple released AirPort Base Station Firmware 7.6.7! The prior version was 7.6.4, released in August 2013. That immediately got my mind racing. Were internal 7.6.5 and 7.6.6 releases created that didn’t make it public? Could more bug fixes be bundled up into this update than just those mentioned in the support article? Were fixes made during a development cycle for new AirPort Base Stations, or to comply with the FCC, and backported to two-generation-old hardware?

I guess we’ll never know, but WWDC is right around the corner, and I’m not immune to rampant speculation 😬

Friday, May 27, 2016

TL;DR Wil Shipley: Keep Calm and Swift On

I couldn’t agree more with Wil Shipley’s post on Swift and Dynamism. All the likes, stars, favs, or hearts wouldn’t be enough.

You should read it for the entertainment value alone.

In Chris Lattner I Trust!

Is ABI compatibility missing from Swift 3.0 annoying? Absolutely.

Is Swift 3.0 source compatibility going to be a time sink with chicken-and-egg library problems? Yep.

I’m sure dynamism is coming to Swift 3.x or 4 and I’m confident the teams and the community will improve on what Cocoa's had since 1988. Swift is the next 30+ years of Apple developer tooling and platforms. It’s almost insulting to the teams to suggest they aren’t being thoughtful.

Hakuna Matata, because in the coming up on 2 years I’ve been using Swift, it’s saved me so much time with fewer bugs and easier-to-read code.

Saturday, May 14, 2016

Let's Talk About What Chewie Does in Star Wars: The Force Awakens

SPOILERS Ahead for Star Wars: The Force Awakens

I’ve read a lot of theories about what every character does in Star Wars The Force Awakens…except Chewbacca.

The first thing you have to admit about Chewy in The Force Awakens is that he’s awesome. The Force Awakens is the best Chewbacca movie yet. He’s physical, played in large part not by original actor Peter Mayhew but by newcomer Joonas Suotamo, and the result is a more action-oriented Wookiee. He’s also funny and expressive. With just a head move or grunt, Mayhew and Suotamo communicate as much information as any actor playing a human does in the movie.

That’s not what I want to talk about though. I want to know what Chewie knows. Given what we see in The Force Awakens, Chewie knows:

If you believe that Kylo Ren has completed his fall to the Dark Side by killing Han Solo...

  • Why doesn’t Chewy go for the kill shot?
  • Why doesn’t Chewy’s bowcaster knock Kylo off the platform?
  • Why does Chewy go with Rey without comment?

However, there is another possibility. Watch this video by Movies with Mikey:

Mikey’s theory is that while Kylo and Rey fight, Kylo is not using the Dark Side, but Rey does. The theory is that Ren and Rey will flip Force sides by the end of the trilogy and Kylo Ren is in deep cover.

If you think this theory has any credence, then I’d propose that Chewy shoots Kylo Ren with a lower-power, non-fatal bowcaster shot on purpose. Throughout The Force Awakens, we see Han and Chewy blow foes away with impunity using the bowcaster, catapulting them several feet upon impact. Yet Kylo Ren doesn’t move.

Of course, Kylo’s Force abilities could explain his being able to absorb the energy of the blaster bolt without moving. However, we see Kylo able to stop blaster fire in mid-air after it has been fired. If he was using his powers, he wouldn’t simply diminish the energy, he’d stop it.

On the other hand, if Chewie doesn’t miss a Kylo Ren kill shot on purpose, he’s responsible for allowing one of the galaxy’s greatest evils to escape justice just after his best friend of all time was killed.

Or Chewbacca is relieved his life debt is over, but feels he must take some kind of shot to keep up appearances that he actually liked Han Solo 😉

Friday, October 02, 2015

Changing UITextView's textContainer.layoutManager.delegate to your UIViewController Swaps Line Break from Word to Character Wrap

TL;DR Don’t assign UITextView.textContainer.layoutManager.delegate to your UIViewController; bad things happen.
Versions: OS X 10.10, 10.11; Xcode 7.0.x; iOS SDK 8, 9

Some of the highlight WWDC 2013 sessions for me were those about Text Kit. That was largely because I was working at Dow Jones on The Wall Street Journal and Barron’s iOS apps, which had native text layout code. It worked extremely well, but it was largely Core Text, and it wasn’t the easiest to maintain. I thought we might be able to replace a lot of it with Text Kit. Unfortunately I never got the chance, but I was always curious to try Text Kit’s capabilities.

Fast forward a few years, and I got my chance this past week. Designers handed me a screen that looks like this:

Text Kit Design

What I always remembered about Text Kit was how easy it was to exclude paths from the layout for things like images, so the text could flow around them.

To refresh my memory on how to do that, I did some searching and came across Ray Wenderlich’s Text Kit Tutorial, Updated with Swift. Great: I read the article, downloaded the sample, and started using the UIBezierPath calculation code in my real project.

That’s where things went off the rails, but I didn’t realize it until today. You see, the tutorial had this:

let exclusionPath = timeView.curvePathWithOrigin(timeView.center)
textView.textContainer.exclusionPaths = [exclusionPath]

The method curvePathWithOrigin was calculating a round UIBezierPath because the tutorial was inserting a round graphic into the UITextView. I needed to create a rectangular UIBezierPath (see the orange box in the image above), but didn’t know you could do that. Maybe it was the pain from a hand injury, maybe just ignorance, or maybe I forgot, but I didn’t get it.

Of course, the round Bézier path from the tutorial was not flowing text around the rectangular image correctly. It all seems so obvious in hindsight.

I tried many things to fix this issue. One of those was crawling down UITextView’s internal object tree and setting textContainer.layoutManager.delegate to my UIViewController instance. I usually never do things like this, but again, I probably wasn’t thinking very clearly.

Setting the delegate appeared to make the text flow better because character wrapping became the default, so I left the delegate assignment in. What a mistake!

When I realized how stupid I’d been with UIBezierPath and switched to a rectangular exclusionPath, UITextView was still defaulting to character wrapping instead of word wrapping.

Of course I was going through the Six Stages of Debugging:

I finally got to Stage 5 when I built up a sample line by line until I figured out that setting textContainer.layoutManager.delegate to my UIViewController instance was a really dumb idea.

Sometimes when writing code, you make bad choices and it takes a while to figure that out...

How To: Switch an Apple Watch to a new iPhone

I just got an iPhone 6s 128 GB and I remember reading an iMore article on the merits of doing a clean phone setup or restoring from a backup mentioning how to switch the Apple Watch to a new iPhone. Here’s a direct link to the Apple Support article.

This procedure is way too complicated. The iPhone setup experience doesn’t know anything about Apple Watch, which is ridiculous.

Wednesday, September 16, 2015

Inner Exception is on Apple News! Just search for "Inner Exception"

iOS 9 is out now and one of the big new features is News and Inner Exception is there!

I didn’t really expect that Apple would take a blog like this into the News pantheon, but they did and it’s live.

It turns out the old logo I designed was so poor that it looked terrible in Apple News, so I made a new one.

InEx Orange

Since I look at Menlo all day long in Xcode and this is mostly a coding blog, it seemed like the right choice.

Friday, August 21, 2015

Just discovered iTunes Connect - Manage iCloud Download Settings

When you have an app for sale and you haven’t logged into iTunes Connect for a while, you often don’t notice new features being added. The “Manage iCloud download settings for this app” option in the Pricing tab is one such feature that escaped my attention…until now!

Manage iCloud Download Settings

Super handy if you need to control this more tightly.

Friday, July 31, 2015

How To Write a Swift Generic Function Based Only On Return Type

TL;DR Annotate the return variable with a type, e.g. let foo: String? = Utility.nullableValueFromKey("identifier", dictionary: jsonDictionary)
Versions: OS X 10.10.4; Xcode 6.4; iOS SDK 8.4

When I started working with Objective-C coming from .NET, one of the language features that I missed the most was generics. They solve a whole class of problems that are tedious and/or require far more code without them. When Swift was announced with generics...

Finally...It's Done

But generics can be hard; thinking in T for any given problem can make you a little crazy, especially when the compiler keeps yelling at you.

In Swift 1.0, I used generic functions to help parse JSON server responses. The functions worked, but they were less than ideal.

The typical problem I wanted to solve was getting a primitive value that could be null out of the response dictionary.

I ended up with this function to do the trick:

// The valueType argument is never used; it exists only so the compiler can infer T
class func originalNullableValue<T>(valueType: T, key: String, dictionary: NSDictionary) -> T? {
    var value: T? = nil
    var valueTemp = dictionary[key] as AnyObject! as? T
    if valueTemp != nil {
        value = valueTemp!
    }
    return value
}

Ugly! Why did I end up with this? Either I wasn’t smart enough to figure this out or the 1.0 compiler wasn’t.

Smart, but not Smart Enough

Getting either me or the compiler to figure out what type T was without passing an argument of that type into the method was, well, let’s just say passing the argument was the solution I found.

What I wanted was this:

// T is determined only by the return type, with no argument of type T needed
class func nullableValueFromKey<T>(key: String, dictionary: NSDictionary) -> T? {
    var value: T? = nil
    var valueTemp = dictionary[key] as AnyObject! as? T
    if valueTemp != nil {
        value = valueTemp!
    }
    return value
}

So I dusted off the original method and tried making it what I wanted with Xcode 6.4 & Swift 1.2.

Defining it works fine, but if you attempt to call it:

let foo = JSONUtility.nullableValueFromKey("fooBar", dictionary: Dictionary<String, AnyObject>())

The compiler returns this error:

Argument for generic parameter 'T' could not be inferred

I have no way to know or test whether this is the same error that caused me trouble in Swift 1.0, but this time, either I or the compiler was smart enough to figure it out!

All you have to do is add the type to the variable declaration:

let bar:String? = JSONUtility.nullableValueFromKey("name", dictionary: Dictionary<String, AnyObject>())

Flawless Victory

Thursday, July 30, 2015

No Dan Gillmor, Government Should Do Nothing About Android Security

I nearly burst from laughter after reading this tweet and then the article by Dan Gillmor:

What’s so funny? The free market is working in this case exactly as intended. A company in the market, e.g. Apple, provides mobile devices that are usually secure and updated. Some consumers have voted with their dollars that this isn’t as important to them as other criteria, so they bought an Android phone. There is no surprise here: if you buy an Android device, you very likely will not get updates of any kind, security or otherwise.

What criteria stops people from buying an Apple device? Let’s return to Mr. Gillmor:

Apple's iOS devices, of course, are part of a tightly controlled ecosystem, and while Apple is far from perfect on security, it does update iPhones. But we shouldn't be required to turn over our computing and communications to control-freak companies in order to get necessary security updates.

So let me get this straight: Mr. Gillmor doesn’t want Apple devices because Apple is a “control-freak” company, so he invites the control-freak government to use laws and regulations to force Android implementers to be more control-freakish about updates…like Apple. LOL. Sure, the government is always the lightest touch!

If Android users thought updates and security were higher priorities than cheap phones or “open source” software, then they wouldn’t have bought an Android device.

Returning this as not a bug, working as intended!

Epilogue

Google made this mess; they can still fix it. They already offer an Android Bug Bounty. They have a generic Patch Reward Program.

Instead of the heavy hand of laws and regulations, Google should start an Update Rewards program.

Every carrier or vendor that releases Android updates in a timely fashion (say within 1 month) gets a payment from Google.

Security updates pay more than feature updates. To really sweeten the pot, Google could pay per user upgraded, giving vendors and carriers an incentive to update as many users as possible.

Vendors and carriers have such thin margins that it seems they don’t have the money to cover testing and deploying Android updates without taking a loss.

Use some of that ad revenue to cover the costs. I mean, advertisers should be clamoring for this. After all, how can they trust the ad profiles Google vends with compromised devices?