Be careful with your Safari Extensions

August 11, 2010

My Macworld compadre Lex Friedman on Safari extensions:

Safari can update your extensions automatically. Included in the extension is a URL that the developer may optionally provide, and Safari checks that URL on occasion to see if a new version of your extension is available. If it is, Safari will install that new version silently.

Lex raises an excellent point (plus, he got fireballed!), but I would argue that explicit update notifications would not make extensions any more secure.

First, there is nothing that prevents an extension from advertising itself as harmless and getting nasty with your computer behind the scenes, updates or not. In other words, it’s not the updates that make an extension insecure. Second, in my experience users will blindly click on just about anything that stands between them and doing whatever it is that they want to do. I’ll be the first one to honestly say that I cannot remember the last time when I read all the release notes that came with an update of any kind[1]. Besides, even then, what guarantee do I have that the developer is telling the truth? In the end, it all boils down to whether you trust whoever issues the update or not.

Not all is lost, however. In order to be installed, extensions need to be signed using a digital certificate, which is issued by our friends at Apple to every developer who wants to distribute extensions. Without a certificate, extensions will not install. There is a good reason behind this: if an extension were found to be disruptive or malicious, Apple can simply revoke that developer’s digital certificate and effectively yank the extension from under the feet of every single user that has installed it in one fell swoop. This won’t prevent a malicious update, but it will certainly stop one[2].

To me this approach is far, far superior to the corresponding update mechanism in Firefox, which takes the geek approach, believes that people will know what they’re doing and notifies them that an update is about to take place. But most people don’t know what they’re doing and, once something is installed on your machine, you’re on your own.

Personally, I’m on the fence as to whether the fact that Safari updates extensions silently is good or bad—I think that notifications would be useful, but ultimately pointless. However, I think the right question to ask is: will Apple act swiftly enough to prevent an extension that is proven to be malicious from becoming a problem?

  1. With the possible exception of those that I have to read because of work!
  2. With the added bonus of providing a useful legal tool if the author needs to be prosecuted.

⇥ What antenna problem?

August 2, 2010

It took six hours of standing in line on an uncharacteristically cold summer night[1], but I finally have an iPhone 4, which means that I can tell you the truth about the antenna problem: I have no idea what these people are talking about.

I live in an area where my provider has reasonably good signal, with four bars on both my old 3G and the new handset. As shown countless times by countless talking heads on countless media outlets, if I touch one of the black gaps on the side of the phone, the number of bars decreases to two, but I haven’t noticed any degradation in either data rates or voice in day-to-day usage. In areas where there is less signal (like, ironically, my local Apple Store), I can make the signal go down to a single bar or no bars, though this still doesn’t affect my ability to make phone calls in a manner that is substantially different from my old phones; in other words, I honestly can’t see any difference and, had there not been so much noise made about this issue, I likely would have never noticed.

It almost looks like the press has latched on to this problem—in my eyes completely irrelevant—and keeps picking at it the way one picks at a scab that’s healing. It’s the itch that some people just don’t seem to be able to let go of and, frankly, it seems like a pretty small problem to be so worked up about.

Now, if the press really had wanted something to complain about, they certainly could have spent a few words on the way Apple has handled the launch of the iPhone 4. It’s been a complete disaster, at least here. Far from being the smooth event that one would have expected from a company that, say, has launched three of these before, the whole affair bordered on the ridiculous: Apple’s website had no information until the morning of the launch and, were it not for press leaks and a small sign that appeared at the entrance of the stores in the days before the launch, there was no official confirmation that a phone was coming on July 30th, or what the pricing would be. To top it off, the Rogers activation system was down most of the morning—because, you know, it’s not like they were handling a major launch or anything.

I can’t speak for what happened south of the border, but based on what my friends told me, things weren’t that much smoother there, either—particularly for those who decided to forgo pre-orders and stood in line so that they could get their handset early in the morning, only to find out that many of those who had pre-ordered theirs had, in fact, received the phone the day before the official launch.

Of course, one can say that it’s just a hiccup. Or—excuse me while I laugh—that the company was so overwhelmed by demand that it couldn’t handle the load. But, honestly, who buys that? An organization like Apple isn’t “caught off-guard,” and certainly not twice in a row[2]. This is a publicity move, pure and simple. Apple wants the big lines and the impression of tight supply to drive media coverage—and, of course, the latter laps it up without ever questioning how a multi-billion dollar company can’t seem to launch their flagship product in a way that doesn’t upset so many customers[3].

This said, the iPhone 4 is a beautiful device. The construction feels solid—dense, even, as if you’re holding a device that is packed to the gills and has absolutely no empty space inside. The screen, as advertised and widely reported, is that good. Pictures look like they have been painted on the glass, rather than being generated by a screen underneath it. And speed, especially coming from a 3G, is quite simply amazing. The phone itself seems to have improved considerably: I no longer have trouble having a conversation with someone on my home line, which probably precedes the discovery of America and therefore tends to attenuate the signal slightly, and the Prius’s Bluetooth handsfree no longer sounds like the Hypnotoad while undergoing a colonoscopy while I wait for a call to engage. Oh, and FaceTime is loads of fun, too.

  1. At least I have a pretty good excuse: mobile development is one of our competencies, and not having an iPhone 4 was beginning to be a problem, since customers had been asking about building support for it into the apps that we develop for them.
  2. Similar supply problems happened with the launch of the 3G and 3GS, and supply issues have been plaguing the iPad since it was introduced in February.
  3. As opposed to pissing off the media, who, frankly, Apple is correct in ignoring most of the time.

Droid X Proves a Hit: Sold Out

July 17, 2010

PCWorld:

The Motorola Droid X launched Thursday and is already sold out, exceeding Verizon’s demand expectations. The carrier had said that there would be no Droid X shortage, but the initial online stock of the hot Android smartphone is now exhausted, with the next shipping date pushed back to July 23.

Obviously, people buy phones because they’re open.

Tale of the monkey terrorists

MSNBC:

People’s Daily Online started the monkeyshines in China a couple of weeks ago, with a report claiming that the Afghan Taliban was using bananas and peanuts in an experiment to teach monkeys how to fire machine guns and mortar rounds at soldiers wearing U.S. military uniforms.

I know it’s fake, because she’s holding it wrong.

⇥ The great UIWebView mystery

July 16, 2010

I am sure that we all have our pet peeves about whatever technology or platform we work with. In iOS, my biggest pet peeve is called UIWebView.

I happen to really like WebKit—Safari is my default browser when working in OS X, both for browsing the Web and for developing websites[1]. I find the overall environment extremely powerful both for laying out interfaces and for performing all sorts of I/O operations.

I also happen to think that there is a lot to be gained by tightly integrating WebKit into iOS operations. For example, parsing XML files from JavaScript (particularly if you use a library like jQuery) is ridiculously easy compared to having to use NSXMLParser’s SAX-like interface, which looks like it time-traveled from the 1990s to annoy a whole new generation of programmers. Similarly, text layout is much more easily accomplished in HTML than using UIKit’s facilities—consider that FryPaper is built almost entirely in HTML and JavaScript, with only a thin Objective-C shell around it to control navigation. Had I had to build it entirely in Obj-C, I would probably still be tearing my hair out or making compromises left and right.

Finally, let’s not forget the fact that WebKit is widely used across multiple platforms. This means that whatever you write in it is portable—you could build some of your interface for iOS and conceivably recycle it for an Android version of the same app, thus saving considerable amounts of development time and cost.

I hope that it comes as no surprise, then, that I am puzzled by the way Apple has set up UIWebView. It’s like they’re giving us a glimpse into this wonderful world of possibilities, where we can use the very same Web standards they are telling us are the future, only to keep the glass door firmly shut by crippling our access to the functionality provided by WebKit. We can’t poke into the DOM hierarchy without going through JavaScript—and our scripts aren’t allowed to raise any events inside their Obj-C container. We have no control over the scrolling—not even the same amount that we get from a UIScrollView.

To be sure, there are ways around this problem: typically, one creates fake URL requests that allow the Web content to notify the Obj-C code that something needs to happen, while ad-hoc JavaScript code can be used to issue commands to the HTML side of things, and view masking can be used to control scrolling. But these workarounds introduce complexity (which breeds bugs) and make the overall use of HTML inside an app needlessly complex. Plus, it’s clear that they are not the way Apple intended UIWebView to be used, which means that they could yank the rug from under a developer’s feet with any new update.
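The fake-URL workaround described above, sketched as an added example (not code from the original post or from FryPaper) with the checks the native side needs, since every navigation the view attempts reaches the same delegate method. The `x-app-bridge` scheme, the class name, the `chapter` command, the chapter count and the page's `showChapter()` function are all hypothetical, and the page is assumed to be loaded from the app bundle with `loadRequest:`.

```objc
#import <UIKit/UIKit.h>

// Hypothetical names for this example: scheme, class, command, chapter count.
static NSString * const kBridgeScheme = @"x-app-bridge";
static const NSInteger kChapterCount = 12;

@interface ReaderViewController : UIViewController <UIWebViewDelegate>
@end

@implementation ReaderViewController

- (void)handleBridgeURL:(NSURL *)url inWebView:(UIWebView *)webView
{
    // Allowlist of commands: unknown ones are dropped, never dispatched by name.
    if (![url.host.lowercaseString isEqualToString:@"chapter"]) {
        NSLog(@"bridge: ignoring unknown command in %@", url);
        return;
    }

    NSString *raw = nil;
    NSURLComponents *parts = [NSURLComponents componentsWithURL:url
                                        resolvingAgainstBaseURL:NO];
    for (NSURLQueryItem *item in parts.queryItems) {
        if ([item.name isEqualToString:@"index"]) { raw = item.value; }
    }

    // Arguments arrive as untrusted text: parse strictly and range-check.
    NSInteger index = 0;
    NSScanner *scanner = raw ? [NSScanner scannerWithString:raw] : nil;
    if (![scanner scanInteger:&index] || ![scanner isAtEnd] ||
        index < 0 || index >= kChapterCount) {
        NSLog(@"bridge: rejecting missing or invalid index");
        return;
    }

    // Native -> page direction: only the validated integer is interpolated
    // into the script, so page-supplied text never becomes JavaScript source.
    NSString *js = [NSString stringWithFormat:@"showChapter(%ld);", (long)index];
    [webView stringByEvaluatingJavaScriptFromString:js];
}

// The bundled page signals native code by navigating to a fake URL, e.g.
//   window.location = "x-app-bridge://chapter?index=3";
- (BOOL)webView:(UIWebView *)webView
    shouldStartLoadWithRequest:(NSURLRequest *)request
                navigationType:(UIWebViewNavigationType)navigationType
{
    NSURL *url = request.URL;

    if ([url.scheme.lowercaseString isEqualToString:kBridgeScheme]) {
        [self handleBridgeURL:url inWebView:webView];
        return NO;  // the fake URL is a message, never a page to load
    }

    // Only files inside the app bundle may load in this view (frames
    // included), so remote content never gets a chance to call the bridge.
    NSString *root = [[NSBundle mainBundle].bundleURL.URLByStandardizingPath.path
                         stringByAppendingString:@"/"];
    return [url isFileURL] && [url.URLByStandardizingPath.path hasPrefix:root];
}

@end
```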

The solution here has to come from Apple. UIWebView has gone essentially unchanged since iOS 2.0, and it’s time for an overhaul. Here are some random ideas:

  • Give Obj-C access to the DOM model.
  • Allow the registration of Obj-C methods inside the HTML document, thus making them securely callable from JavaScript.
  • Allow the rendering engine to better interact with custom scrollable views.
  • Provide developers with an easy way to determine the WebKit capabilities supported by a given UIWebView renderer[2].
  • Allow the developer to disable same-origin policy checking for a given document[3].
  • Improve the ability to inject content into an existing document. (Currently, this can be done with a bit of clever JavaScript, but it's a horrible, horrible hack.)

I can only hope that someone from the UIKit team will eventually realize that UIWebView needs some love—particularly if Apple is really serious about making HTML and JavaScript serious contenders in the app space.

  1. Ironically, I can’t stand Safari on Windows and I happen to really like IE. I’m just strange that way, I guess.
  2. There are subtle, but very important, differences in the versions of WebKit included in different iOS releases that can wreak havoc with your code if you make the wrong assumptions.
  3. Sure, this creates a security problem when developers don’t know what they’re doing. In the right hands, however, it opens up all sorts of possibilities.

⇥ So many questions on the Consumer Reports iPhone 4 announcement…

July 12, 2010

As you may have heard, Consumer Reports today decided that it cannot “recommend” the iPhone 4 because it has determined that the widely-reported antenna problem is a hardware issue, rather than a software bug that the company has promised it will fix. I think that their report is a little questionable—at the very least, as far as their claims go, they have some real explaining to do.

Please note: I make no claims of being an expert in electronics, RF interference, etc. etc. If anyone with knowledge wants to pitch in and fill in the gaps, please let me have your comments. I’m also assuming that the video wasn’t staged, because… well, what would be the point?

Isolation what?

The first question I have is: why do they call their testing location a “radio frequency (RF) isolation chamber?” That is such a strange name—so strange, in fact, that I have never heard of it. RF testing is done in what is called an anechoic chamber, which looks nothing like the room they were testing in. An anechoic chamber, which usually looks like this, is almost instantly recognizable because of the structures used to reflect radio waves in such a way as to not create interference; these normally look like a series of cones or spikes rising from all sides of the room—if you’ve seen Transformers Revenge of the Fallen, for example, the big hangar at the beginning of the movie is a large anechoic chamber/hangar used by the Air Force.

Incidentally, if you Google “radio frequency isolation chamber,” all the pictures that come up also are of anechoic chambers.

Of course, perhaps instead of an anechoic chamber all that Consumer Reports needed was a Faraday cage, which, if properly set up, will block outside RF interference. However, even Faraday cages have very peculiar looks due to the way they need to be built—and none of them looks like the room shown in the video.

Is that a man I see?

The questions on the CR setup don’t end here. For example, the videos clearly show a man present in the room as the test is being conducted. Unfortunately, humans are not transparent to RF radiation, which may explain why some people are convinced that cell phones are giving us all cancer. Therefore, the human in the video could well be influencing the measurements by just being in the room and moving around.

But it doesn’t end here: there’s also a crapload of equipment in that room and what looks a lot like artificial lighting. I hope they carefully shielded everything before running their tests.

Look, ma, no wires!

The final question I have is this: how does CR detect a “reception” problem without attaching a single wire to the iPhone? If you look carefully at the video, it’s clear that the handset is not connected to any wiring of any kind. How on Earth does CR know that the phone has a problem receiving?

At best, the only thing that they can measure is that the signal emitted by the phone is attenuated as a finger is placed on the antenna—but that’s a transmission problem that couldn’t possibly influence the number of bars shown on the phone, so Apple could still be perfectly correct when they say that they are just calculating the signal level improperly.

It would seem to me that, had CR wanted to actually measure how well the phone receives a signal, they would have had to open it up and plug directly into its antenna.

Is there a problem?

So, does the iPhone 4 have a reception problem? I have no idea—heck, I can’t even buy the damn thing—but there are certainly enough anecdotal reports of something being wrong with it when it’s gripped in a particular way that chances are that the problem exists. It just seems to me that CR’s report is a little iffy—and that they could at least have done a better job of explaining their methodology.

⇥ Getting iTunes credit on the cheap

Thanks to a coupon, I was alerted today to the fact that Costco, at least here in Canada, sells iTunes gift cards for 92¢ on the dollar—that means that you can buy $100 in gift cards for $92[1]. Since the gift cards can be used by anyone, including the person who buys them, that’s a pretty good opportunity for savings if you’re a heavy iTunes user.

Yet another great reason why I love my Costco membership.

Update: it looks like Costco has similar deals in the U.S. as well.

  1. Thanks to my coupon, which, sadly, was one-time, I actually managed to grab $100 worth of credit for $82—a whopping 18 percent discount!

⇥ Ten ways to solve iPhone 4’s antenna problems

June 25, 2010
 
  1. Duct-tape the metal band around the phone. Not as colourful as Apple’s bumpers, perhaps, but for $30 you can probably buy the United States’s entire supply of duct tape.
  2. Duct-tape your hand to prevent it from shorting the antenna.
  3. Duct-tape the phone to your head[1].
  4. Hold the phone to your head using a stick with a suction cap.
  5. Hold the phone upside down (note: you may have to speak a little louder for this method to work).
  6. Attach the phone to the base and swivel arm from an iMac G4 to avoid touching the antenna. Makes for a trendy combo, especially when you’ll be able to get your hands on a white iPhone.
  7. If you’re a leftie, learn to hold the phone in your right hand. If you’re right-handed, learn to hold the phone with the Force.
  8. Speaking of the Force, this is not the problem you were looking for. Move along now.
  9. Don’t call Apple customer support. Steve can only answer so many e-mails in any given day.
  10. Google for solutions from antenna experts directly from your iPhone, only to find out that, in a case of extreme bitter irony, the entire antenna-expert industry has converted all its websites to Flash.
  11. It’s all the folders’ fault.

  1. Warning: may leave residue on your head and, more importantly, on your phone.

The NYT really gets the Internet

Kara Swisher on All Things D:

But, by the afternoon, that flush of entrepreneurial success had turned sour, after Apple (AAPL) informed the two that Pulse was being pulled from the App Store, after it received a written notice from the New York Times Company (NYT) that “The New York Times Company believes your application named ‘Pulse News Reader’ infringes The New York Times Company’s rights.”

I know why they are doing this. It’s not that they don’t understand the Internet[1]… it’s that they’re so embarrassed by the awfulness that is their iPad app that they can’t stand two indie developers coming up with something that blows it out of the water in their spare time.

  1. It’s not like RSS feeds are for sharing information, after all. And since when is loading a web page in an in-app browser “framing”?

⇥ Estimating App Store sales

Apple today did something it has never done: it provided a glimpse not just into how many apps have been downloaded, but also into how much money they’ve disbursed to developers.

In so doing, they provide the inquiring mind with the tools to estimate how many apps have actually been sold by the App Store, which, if you’re a developer who intends to make a living from iOS, is a much more interesting number.

In his keynote at today’s WWDC, Jobs pointed out that Apple has paid out $1 billion to App Store developers. Since the company keeps 30 percent of all the revenue, this means that the actual revenue was about $1,428,571,428, give or take a few cents.

Incidentally, if we were to assume the lowest possible cost per unit—that is, if we assume that every single app sold through the App Store was priced at $0.99, that’s the maximum number of apps that Apple could have ever sold. Rounding up to the next hundred million—hey, what’s a few zeros among friends—this means that, at best, only 30 percent of the apps downloaded from iTunes are paid (Jobs also announced that downloads had just passed 5 billion apps). That’s one in three apps.

This is, of course, just a very rough approximation—and, in all honesty, the only conclusion that can be drawn, since there is absolutely no way to tell how sales are actually distributed[1].

Still, that’s fairly impressive, even if you consider that only about 30 percent of the apps in the store are free. If there are truly, say, about 100 million iOS devices in existence, our best case scenario indicates that each one of those devices has, on average, a little over fourteen paid apps on it. Again, that’s a very rough metric, but still a very interesting one: the willingness of iOS users to pay doesn’t seem to stop when they walk out of the Apple Store[2].

It would be interesting to have similar numbers for comparison with other platforms—Android in particular. Any ideas on where they can be found?

  1. Looking at the price distribution in the store won’t help here—we’re looking for sales, not listings.
  2. I refuse here to come up with any other number, because it’s going to be invariably pointless. For example, I could look at some of the sales estimation sites out there, but I simply do not trust them—why should they have any better data than me? The only one that holds all the answers is Apple, and they’re not talking.