Link

Apple Pay Has Problems

John Gruber is ripping into the Wall Street Journal for their reporting on Apple Pay. Specifically, he complains that the Journal didn’t explain how to remove an alert that is meant to encourage people to set up Apple Pay, agrees that Apple has done a bad job explaining how Apple Pay is more secure than using an actual credit card, and mocks an analyst’s comparison of Apple Pay to Microsoft’s antitrust cases in the 1990s and early 2000s.

I agree with a lot of what John wrote but, at the same time, think that it’s all too easy to dismiss complaints about Apple Pay. I work amongst an incredibly technical group of colleagues. Many of us have iPhones. But I’m the only person who uses Apple Pay with any regularity…and I’ve run into issues time after time. Let me list some of the problems I’ve experienced:

  1. I tried to return an item I bought using Apple Pay (linked to my credit card). But when I returned it the credit card number displayed on the receipt was different from that on my credit card…so the retailer refused to take the return.[1] It was only after I undertook some independent research that I figured out how to pull up the temporarily assigned number in Apple Pay and, then, additional time to educate the frontline staff, the manager, and then wait for the manager to call central office to confirm they could process the return. Time to return a product to a store that was down the street from me? About 3-4 hours split over 2 days. I wouldn’t have the same issue if I’d just bought the item with my physical credit card.[2]
  2. Apple Pay doesn’t work as reliably with tap-enabled Point of Sale machines. I’d say that I have about an 85-90% ‘hit’ rate with Apple Pay versus using the tap feature of my credit card. That makes Apple Pay less convenient than a tap-enabled credit card or debit card.
  3. Various Point of Sale machines have disabled tap and force me to use one of my chip/PIN cards. This is typically done in restaurants or retail locations where either they can’t afford to fix their Point of Sale machine or refuse to pay to enable the feature (or simply haven’t upgraded their machines to accept tap payments). So I have to carry my regular credit card and debit card with me, wherever I go, on the basis that I can’t trust that I can use Apple Pay at any given location.
  4. Sometimes Apple Pay just doesn’t work. I have no idea what the problem is but there are times where I just have to remove the cards and re-add them to Apple Pay. I don’t know why this takes place but it happens at least once a year. And I find out about it when I’m trying to pay for something. I don’t have this problem with my credit card.[3]

Do I like Apple Pay? I do, actually, and I use it a lot. But I’m willing to deal with the above teething issues as an early adopter. Security is fine and good, but for the majority of people usability is the most important component of using a product. And Apple Pay remains, in my eyes, only mostly-usable. It needs to be a lot more reliable before it is adopted by the mainstream.

  1. I know: this is a security feature (one I love!) but it’s a feature that’s been introduced without an equally clear explanation of how to find the temporarily used number. This education needs to happen at both the end-user and retailer level.
  2. And I have no clue what you’d do if you lost your phone or it was stolen between the time of purchasing an item with Apple Pay and wanting to return it.
  3. To be fair, I have to replace my debit card (rarely used either as the card or in Apple Pay) approximately every six months because it just stops working. But this hasn’t ever happened with my credit card, which is my primary way of paying for everything.
Aside

2018.3.29

The only thing I want in today’s iOS release is for Apple Notes to not hang and freeze constantly. It was only with iOS 11.2 that I started running into issues so I’m hopeful they’ll have fixed whatever went wrong last update.

Link

Cellebrite can unlock any iPhone (for some values of “any”)

An update by Ars Technica on Cellebrite’s ability to access the content on otherwise secured iOS devices:

Cellebrite is not revealing the nature of the Advanced Unlocking Services’ approach. However, it is likely software based, according to Dan Guido, CEO of the security firm Trail of Bits. Guido told Ars that he had heard Cellebrite’s attack method may be blocked by an upcoming iOS update, 11.3.

“That leads me to believe [Cellebrite] have a power/timing attack that lets them bypass arbitrary delays and avoid device lockouts,” Guido wrote in a message to Ars. “That method would rely on specific characteristics of the software, which explains how Apple could patch what appears to be a hardware issue.”

Regardless of the approach, Cellebrite’s method almost certainly is dependent on a brute-force attack to discover the PIN. And the easiest way to protect against that is to use a longer, alphanumeric password—something Apple has been attempting to encourage with TouchID and FaceID, since the biometric security methods reduce the number of times an iPhone owner has to enter a password.

This once again confirms the importance of establishing strong, long passwords for iOS devices. Sure, they’re less convenient, but they provide measurably better security.

Link

Serious Vulnerabilities (Probably) Found in All iOS Devices

From Forbes:

The Israeli firm, a subsidiary of Japan’s Sun Corporation, hasn’t made any major public announcement about its new iOS capabilities. But Forbes was told by sources (who asked to remain anonymous as they weren’t authorized to talk on the matter) that in the last few months the company has developed undisclosed techniques to get into iOS 11 and is advertising them to law enforcement and private forensics folk across the globe. Indeed, the company’s literature for its Advanced Unlocking and Extraction Services offering now notes the company can break the security of “Apple iOS devices and operating systems, including iPhone, iPad, iPad mini, iPad Pro and iPod touch, running iOS 5 to iOS 11.” Separately, a source in the police forensics community told Forbes he’d been told by Cellebrite it could unlock the iPhone 8. He believed the same was most probably true for the iPhone X, as security across both of Apple’s newest devices worked in much the same way.

If Cellebrite has, indeed, found a way of compromising all iOS devices then they’ve accomplished a pretty impressive task. I have to wonder whether the vulnerabilities emerged from studying the iBoot leak or their own software or hardware research. Assuming Cellebrite’s claims are legitimate they serve to underscore the position that governments shouldn’t introduce backdoors or vulnerabilities into devices given that doing so will only exacerbate the existing problems associated with securing devices. Security is designed to add friction, not totally prevent an unauthorized party’s actions, and deliberately reducing such friction will put all users at greater jeopardy.

The Roundup for January 27-February 2, 2018 Edition

Sunset, 2018, Toronto by Christopher Parsons

I’ve been putting a lot of thought into how to structure my life, not just on a day to day basis, but with the intent of accomplishing something meaningful this year. Some of that relates to personal projects I want to pull off.[1] But perhaps the most important thing I want to do this year is develop a really boring habit.

Mike Vardy wrote about his intent to improve his personal fitness this year. His description of past attempts to become fit and how that differs from his current behaviours resonated with me. He wrote:

When I was trying to achieve a “body for life” before, I was single and doing it mainly to improve my physique for any potential ladies that I may wind up dating. I wasn’t really doing it for myself.

In contrast, this time he’s doing:

it for myself — and my family. My wife deserves to have a husband who’s in decent shape, and my kids deserve to have a father who can keep up with them. When my youngest turns thirteen, I’ll be fifty. I want to be able to roughhouse with him at that age and not feel it for weeks afterward. I’d also like to give myself the best shot at seeing my kids’ grandkids. Without exercise and proper diet, that just ain’t going to happen

In the past I tried to become more fit by taking it to the extreme. I also felt I had to hide what I was doing to avoid recriminations from family and people I lived with. I exercised when no one was around, or up, and hid the fact I was going on long challenging walks to avoid all kinds of hurtful commentary: getting fit was something that people were bemused about, at best, and openly mocked, at worst. I don’t have that kind of negative energy around me now and, instead, I have the support of people I love.[2]

I don’t know that my motives are quite the same as Mike: I’m not a father, and don’t intend to become one, nor am I doing this because I think someone else deserves my body in one format or another. No, I’m doing this purely because I would like to be in a situation where I can just say ‘sure, let’s climb that mountain’ and get going. I want to be able to hop on a bike and cycle across one of Canada’s smaller provinces because it would be neat to take that ride. And, more importantly, I want to get in the habit that regular active exercise is just so routine that it’s a normal, established, and boring part of my life.


Tim Cook was asked in the Apple earnings call that took place in February if the company had considered whether, and if so how, their battery replacement program might affect replacement rates. The implied comment was that the replacements might reduce the likelihood that consumers would upgrade to the new versions of devices, on grounds that some upgrades had historically taken place because people bought new phones as a result of their old ones slowing down or their batteries not providing adequate charge to get through a day. Cook responded that Apple:

did not consider in any way, shape, or form what it would do to upgrade rates. We did it because we thought it was the right thing to do for our customers. I don’t know what effect it will have for our customers. It was not in our thought process of deciding to do what we’ve done.

This is a great answer. Though I do suspect that the battery replacement program will delay some upgrades, I don’t know that such a delay would be inherently bad for the company. Jason Snell wrote that the iPhone 8 — not the X — was a really amazing phone for most people because they tended to be coming from devices that were released two or more years ago. As a result, people that were coming from iPhone 6, 6s, and 5s devices didn’t just get the updates of the iPhone 8 but also all the updates that came to the iPhone 7 and, in some cases, iPhone 6s.

In effect, people who waited three or more years to update ended up being wowed by all of the features in the new iPhone. These are everyday users who really do use words like ‘magic’ and literally utter ‘wow’ when things happen. They laugh with joy when Siri just does something right, or they have calendar items automatically added from their mail. These are the everyday consumers that Apple is making its money from.

These normal users are the ones that are going to be blown away whenever they do an upgrade, and are going to be especially appreciative of all the incremental updates that take place in the extra year they might delay an upgrade. They’re going to talk to their friends and family and co-workers. They might also talk about how the battery situation sucked while, simultaneously, mentioning how no other company offers a similar replacement program. Probably the only equivalent they’ll be able to think of was Samsung’s global recall of devices that were literally exploding in people’s hands.


Quotation of the Week

“By retreating into ourselves, it looks as if we are the enemies of others, but our solitary moments are in reality a homage to the richness of social existence. Unless we’ve had time alone, we can’t be who we would like to be around our fellow humans. We won’t have original opinions. We won’t have lively and authentic perspectives. We’ll be – in the wrong way – a bit like everyone else.”

Great Photography Shots

The best 40 photographs of 2017, which were compiled by My Modern Met, are pretty stunning.

There She Waits on Her Throne of Ice by Kory Zuccarelli
Untitled by Nigel Hodson
California Summer Weekend Babe! by Niaz Uddin

  1. I’ll update as I’m successful on those projects, instead of indicating what they are then failing to deliver.
  2. It also helps that my father died of a heart attack last year; getting fit isn’t just aimless or directionless, but it’s to reduce the likelihood of a similar event befalling me.