Apple had a rough week, starting with a nasty Group FaceTime bug that could let a caller eavesdrop on you while your device was ringing. Then the company announced its Q1 2019 financial results, which showed the significant falloff in Chinese iPhone revenues that Tim Cook had warned of earlier. Fortunately, Apple’s other products fared much better, showing strong growth. On top of all that, Apple feuded with Facebook and Google after TechCrunch revealed that both companies were violating the terms of Apple’s Enterprise Developer Program to distribute “research” apps that paid users to let the companies spy on their usage. Finally, we wrap up Jeff Porten’s CES coverage with a trip to Eureka Park for gadgets and services from startups. Notable Mac app releases this week include Quicken 2018 5.10, Moneydance 2019, Things 3.8.1, Twitterrific 5.3.9, and iFlicks 3.0.
Last month, a nasty FaceTime bug was discovered that allowed a FaceTime caller to hear audio from your device while it was still ringing, before you accepted or rejected the call (see “Apple Disables Group FaceTime to Block Glaring Privacy Hole,” 29 January 2019). The bug was related to the Group FaceTime feature introduced in iOS 12.1 (see “Apple Releases iOS 12.1, macOS 10.14.1, watchOS 5.1.1, and tvOS 12.1,” 30 October 2018), so Apple disabled Group FaceTime from its end while its engineers worked out the problem.
Now, in a statement to TidBITS, Apple has announced that it has solved the problem and will re-enable Group FaceTime soon:
We have fixed the Group FaceTime security bug on Apple’s servers and we will issue a software update to re-enable the feature for users next week. We thank the Thompson family for reporting the bug. We sincerely apologize to our customers who were affected and all who were concerned about this security issue. We appreciate everyone’s patience as we complete this process.
Who is the Thompson family? That’s a reference to Grant Thompson, the 14-year-old who originally discovered the bug. Grant and his mother Michele tried to alert Apple about the bug but were stymied by Apple’s bug reporting process. Here’s the tweet Michele Grant posted on 20 January 2019 about it:
A “high-level executive with Apple” has since visited the Thompson family to thank them personally and get feedback, and Apple has indicated that Grant Thompson will be eligible for their bug bounty, which is usually restricted to invited researchers and pays up to $200,000 for each vulnerability reported (see “Apple Opens Bug Bounty Program,” 5 August 2016). That’s one way to pay for college!
Apple’s statement continued:
We want to assure our customers that as soon as our engineering team became aware of the details necessary to reproduce the bug, they quickly disabled Group FaceTime and began work on the fix. We are committed to improving the process by which we receive and escalate these reports, in order to get them to the right people as fast as possible. We take the security of our products extremely seriously and we are committed to continuing to earn the trust Apple customers place in us.
Apple’s handling of this incident is notable for three reasons:
- Apple was able to respond and block the issue on its servers within an hour of it becoming common knowledge. This happened the same week in which Apple also used its server-side control to disable apps from Facebook and Google that were violating Apple’s terms of service and violating user privacy (see “Apple Shuts Down Facebook’s Internal Apps Due to Flagrant Policy Violations,” 30 January 2019).
- Apple publicly acknowledged the Thompson family’s discovery of the bug. Over a decade ago, Apple wouldn’t typically attribute security vulnerabilities to the researchers who discovered them. Not only has that policy changed, but Apple is giving the family credit in its public statement despite that report being mishandled internally.
- In the statement, Apple admits that its security bug reporting process is flawed and needs improvements. While Apple has made great strides in working with security researchers and improving its vulnerability management process, it still has problems when it comes to bug reporting. Apple’s current system requires submissions to originate from an Apple Developer account and be shared using the company’s dedicated bug reporting system. This isn’t merely an obstacle for security professionals (and hobbyists); as reinforced by this incident, it prevents reporting from the general public and appropriate internal escalation of sometimes-serious issues that get lost in a sea of general bugs.
Apple blocked the vulnerability so quickly that our Twitter feeds were still filled with people blasting out the flaw even hours after Apple’s workaround went into effect. Make no mistake, this was a serious security failure, but one that Apple handled quickly. The company’s statement and outreach to the Thompson family also show that it recognizes the failures in how the initial reporting was handled and intends to improve the process going forward. We’ll see if Apple follows through on that intent.
Apple had an unusually embarrassing January, opening the month with a rare downward revision of its earnings guidance (see “Apple Warns of Lower Revenues, Blaming Slower Sales in China,” 3 January 2019) and closing it out with the acknowledgment of a humiliating FaceTime bug on, of all days, Data Privacy Day (see “Apple Disables Group FaceTime to Block Glaring Privacy Hole,” 29 January 2019). As a consequence, Apple’s quarterly conference call with financial analysts sparked more than the usual interest.
First, here are the bare numbers for the company’s first fiscal quarter of 2019. Apple announced net profits of $19.96 billion ($4.18 per diluted share) on revenues of $84.3 billion. Those revenues are down 5% compared to the year-ago quarter, but the earnings per share are up by 7.5%.
Before we dive into the breakdown, note that Q1 2019 represents some significant changes in how Apple reports its finances. Apple no longer reports unit sales, though it still breaks out revenue by category. The Other Products category has been redubbed “Wearables, Home, and Accessories,” but for now we’ll use both names interchangeably, so as to chart that category’s historical trends. Also, the company is now reporting gross margin for both its physical products and its services.
We also want to point out that the Q1 2018 numbers shared by Apple in its Q1 2019 statement are somewhat different than what it reported a year ago—see “Apple Posts Record Profits in Q1 2018, Though Unit Sales Flatten” (1 February 2018). This is due to the fact that Apple now amortizes the cost of free services against the Services category and not the associated hardware category.
CEO Tim Cook spent much of his opening remarks pouring oil on troubled waters, noting that while Apple’s overall revenues were down 5% year-over-year, and that iPhone revenues were down almost 15%, the Apple ecosystem continues to hum along nicely. He called out the Greater China market as the most significant contributor to the revenue decline by far, but he also noted that revenues for China still grew slightly for the full 2018 calendar year. It’s also worth noting that combined revenues for the geographic segments other than China were up 1.1% over the year-ago quarter.
In contrast to the vexing iPhone revenue declines, both Cook and CFO Luca Maestri were pleased to point out that revenues increased for Apple’s other product categories. For example, Mac revenues were up by nearly 9%, iPad revenues increased 16.9%, and the renamed Wearables, Home, and Accessories category boasted a 33.3% revenue increase. Services posted increased revenues of 19.1% year-over-year.
In an indication of Apple’s efficiency, the company reported a 38% gross margin overall, and while the iPhone segment had only a 34% margin, the Services segment posted a whopping 62.8% margin. You can see why Apple wants to grow Services.
Interestingly, Maestri revealed that the most popular iPhone model in the quarter was the iPhone XR, followed by the iPhone XS Max, with the iPhone XS being the least popular of the three.
Other points of interest: Apple Pay handled some 1.8 billion transactions last quarter, Apple Music now boasts 50 million paid subscribers, and Apple News currently has 85 million users. That last one is important to remember, given that Apple may launch paid subscriptions in Apple News later this year.
One other note on the Services category, seen by many as the next big income growth category for Apple: Katy Huberty of Morgan Stanley remarked on the quarterly investor call that services revenue last quarter grew more slowly than it had in the past. Luca Maestri went to some trouble to explain that the perceived slowdown reflected changes in Apple’s accounting, including amortization of free services, foreign exchange rates (due to the strong dollar), and issues with the App Store in China.
There is a supposed Chinese curse (its Chinese origin appears to be an urban legend) that goes, “May you live in interesting times,” and these are indeed interesting times for Apple. In some ways, this is the first real test of Tim Cook’s leadership of Apple. So far, he is passing the test. Although iPhone revenues took a hit this quarter, Cook was wise enough to see that as inevitable. Growth in Apple’s other revenue categories shows that Apple isn’t just a one-trick pony. While Cook may not bring the pizzaz that his legendary predecessor was known for, he has proven himself to be a steady hand at the wheel. Apple could—and certainly has—done a lot worse.
Last week brought a media report about how Facebook was misusing its Enterprise Developer Program certificates to circumvent Apple’s App Store guidelines for a privacy-busting “research” app. Apple reacted by revoking Facebook’s enterprise certificates, which had the side effect of disabling all of Facebook’s internal apps and beta releases (see “Apple Shuts Down Facebook’s Internal Apps Due to Flagrant Policy Violations,” 30 January 2019). Then it was discovered that Google was doing much the same thing as Facebook, and Apple revoked Google’s certificates as well. Both companies quickly negotiated with Apple to have their certificates reinstated, but how did we get to the point where the tech giants are feuding so obviously?
Here’s the order of events, which starts earlier than you might have anticipated:
- October 2013: Facebook purchases the Israeli firm Onavo, a mobile analytics company.
- 2016: Facebook begins a program that pays users between 13 and 35 up to $20 per month to install a Facebook Research app on their iOS devices. This app uses Facebook’s Enterprise Developer Program certificates so Facebook can distribute it outside of the App Store—and without any oversight from Apple. Apple expressly forbids such uses of enterprise certificates; they’re designed to allow companies to develop and distribute apps purely for internal use or limited beta testing.
- February 2018: Facebook quietly inserts a “Protect” link into its iOS app, which leads to a free app called Onavo Protect, a VPN owned by Facebook. See “Beware “Protect” In Facebook’s iOS App” (14 February 2018). This VPN effectively handed all of its users’ Internet traffic to Facebook.
- March 2018: Security researcher Will Strafach reveals that Onavo Protect for iOS can detect when the screen is on or off, total daily data usage, and VPN connection uptime.
- June 2018: Apple changes the App Store rules to ban apps that “collect information about which other apps are installed on a user’s device for the purposes of analytics or advertising/marketing.” The change is clearly aimed at Onavo Protect and similar apps.
- August 2018: Under pressure from Apple, Facebook removes Onavo Protect from the App Store.
- 29 January 2019: TechCrunch’s Josh Constine publishes a report with details about the Facebook Research program, including its use of enterprise certificates to distribute the app without Apple’s knowledge or approval. In the article, Strafach says, “The code in this iOS app strongly indicates that it is simply a poorly re-branded build of the banned Onavo app, now using an Enterprise Certificate owned by Facebook in direct violation of Apple’s rules, allowing Facebook to distribute this app without Apple review to as many users as they want.” Strafach’s analysis of the app revealed that it could collect “private messages in social media apps, chats from in instant messaging apps–including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information.”
- 29 January 2019: 7 hours after Constine’s article appears, Facebook tells TechCrunch that it would shut down Facebook Research for iOS.
- 30 January 2019: Before Facebook can act, Apple revokes Facebook’s enterprise certificates, which has the effect of disabling the Facebook Research app. In a statement, Apple said:
We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.
- 30 January 2019: Both Bloomberg and The Verge report on the ensuing chaos inside Facebook, as iOS-using employees weren’t able to beta test public apps or use internal apps for things like transportation and lunch menus.
- 30 January 2019: TechCrunch reports that Google is running a similar program to Facebook’s, called Screenwise Meter. Google promptly apologizes, telling TechCrunch:
The Screenwise Meter iOS app should not have operated under Apple’s developer enterprise program—this was a mistake, and we apologize. We have disabled this app on iOS devices. This app is completely voluntary and always has been. We’ve been upfront with users about the way we use their data in this app, we have no access to encrypted data in apps and on devices, and users can opt out of the program at any time.
- 31 January 2019: Apple revokes Google’s enterprise certificates, just as it had with Facebook, causing some level of havoc within Google as well.
- 31 January 2019: Facebook Chief Operating Officer Sheryl Sandberg denies any wrongdoing in a CNBC interview, saying that participants in Facebook Research went through a “rigorous consent flow.” The interviewer manages to maintain a straight face.
- 31 January 2019: Later in the day, Apple restores both Facebook and Google’s enterprise certificates.
- 1 February 2019: Alex Heath of Cheddar reports that Facebook has notified members of its research program that it is ending the program on iOS.
What should we take away from this brouhaha?
- An independent press is essential. Sure, we’re biased, but Facebook launched its Facebook Research app in 2016, and it was only thanks to TechCrunch’s reporting 3 years later that Apple noticed how Facebook was violating its Enterprise Developer Program contract. Kudos to Josh Constine and TechCrunch for breaking this story.
- Apple’s Enterprise Developer Program is being abused to avoid App Store rules. If companies as large as Facebook and Google decided it was acceptable to violate the program terms, you have to figure others are as well. Apple needs to seek out and crack down on such violations.
- The divide between iOS and Android has never been more stark. Apple is being a bit of a control freak here, and we’ve certainly reported on numerous instances where the company comes down disproportionately hard on innocent developers for no good reason. But the alternative is to use Android, which allows users to sideload any app and where the security level is a lot lower. Pick your poison.
- Many users don’t value privacy highly. Shannon Palus of Slate talked with some Facebook Research users, and they were generally aware of the implications. However, they had little expectation of privacy anyway, so they were willing to sell their data for a little money. That’s depressing, but in some ways, Facebook and Google paying for data is more honest than all the surreptitious tracking that both (and many other Internet marketing firms) employ on the rest of us.
- Facebook and Google are too big to fail. It took almost no time for Apple to reinstate the enterprise certificates for both companies. Would that have happened—ever—for a smaller company?
Have we seen the end of this story? All that has happened is that Apple has slapped Facebook and Google for behavior that blatantly violates agreements the companies had signed, but apart from the elimination of the Facebook Research and Screenwise Meter iOS apps, nothing else has changed.
Eureka Park is the part of CES dedicated to startups, and it’s the section of the main floor that provides the best signal-to-noise ratio for products worth writing about. The products I see here have less chance of making it to market than those from established companies elsewhere—plenty of booths are here to raise investment capital or find a distributor, and if they don’t, they’re going home broke. But Eureka Park is also home to the most inventive and out-of-left-field ideas.
In light of this, it’s worth mentioning two press releases I received from the Consumer Technology Association during the show. The first touted a new $10 million venture capital fund dedicated to businesses headed by women and people of color. This should be welcome, as top executives at booths are nearly always men (women are generally in marketing), and the biggest source of diversity I see comes from Asian companies.
The second press release said that consumer tech revenue is at an all-time high with $397 billion in 2018. The industry doesn’t make Apple’s 38% margins, but we can safely assume that revenue figure generates roughly $40–$80 billion in profit, yes? So $10 million is… 0.025% of industry profits. I’m sure that veritable drop in the bucket will be more than enough to achieve gender and diversity parity. This is especially galling because a venture capital fund isn’t a grant program—managed correctly, the CTA should make money on it. What was meant as a positive PR move—aside from any altruism that launched the idea—just demonstrates how little interest there is in actual change.
BassMe Portable Subwoofer
Furniture with built-in audio is old hat at CES, and yes, it’s impressive when a bass line rattles your teeth, until you remember that the audio-enabled couch you’re sitting on costs $4000. BassMe (Web site in French) intends to let you sit on any furniture you like—or walk around—wearing your own thorax-rattling subwoofer. It’s a large clip that goes over your shoulder into your chest and back, and looks vaguely reminiscent of an implement of the Spanish Inquisition if Torquemada’s first job had been at Bang & Olufsen. Studio-Duroy, its designer, is looking for US distribution and intends a retail price of $150.
Beauty and the Bolt Hands-On Science
I love science educational nonprofits—in fact, I run one—which is why Beauty and the Bolt caught my eye. They bring science education to the K-12 sector by providing hands-on STEM experiments via educational videos, kits, and “Makercrates”—a rentable box of equipment, such as a 3D printer, that kids can work with in class and ship back to the organization. Beauty and the Bolt is a 501(c)3 nonprofit with what they call a “Robinhood” pricing structure: when you check out with a full cart, you can opt in for a questionnaire about the resources of the school or organization you’re shopping for. Wealthy groups pay full fare, groups with fewer resources get a discount. The site makes it clear they’re open to all kids, but there’s a special emphasis on girls and people of color.
Helpicto App for Nonverbal Kids with Autism
Helpicto is a subscription service meant to make it easier to communicate with kids who are nonverbal due to autism. The service runs on computers, tablets, and phones, and translates spoken words into pictograms and back again. Say “do you want to eat an apple?” to the app, and it shows the child pictures and icons showing someone eating, and an apple. A library of icons and pictures allows the child to communicate back to parents, teachers, and other caregivers, and a cloud account keeps all of this synced across multiple devices. The service is now in development for international use outside of France, and is scheduled for US release in February 2019. It will cost $10–$15 per month after a 1-month free trial.
iCare Neural Up Stress Reducer
Sometimes I cover a product just because it would cruel to deprive TidBITS readers of seeing the product photo. iCare’s Neural Up is an audio program that the company claims will help reduce stress and improve mental focus. Like the HelloMind meditation app (see “CES 2017: Gizmos from the PEPCOM Digital Experience,” 6 January 2017), you dial up a sound program for the outcome you want to achieve, and the audio does the rest. So naturally, iCare built this into a giant egg called the Bubble Zen, which provides a “complete workstation space” while playing the audio. This is meant for businesses to provide to their staff and customers, and it’s available for lease or purchase—the latter cost being $15,000. Those who don’t want to sit in an oviform Godzilla chicken chair can look forward to later this year, when the audio will be available in a phone app for subscription at “under $10 a month.”
LifeInABox Medication Fridge
I’ve seen several useful products for diabetes monitoring, but there’s one technical problem that can’t be solved with an app: insulin can’t be digitized, and it’s not shelf-stable at room temperature. LifeInABox is intended to be the “world’s smallest refrigerator” and is designed for such purposes—although as the pictured products are prototypes, the final sizes aren’t in yet. The Box is a lunchbox-sized fridge that can store up to a month’s supply of insulin, keeping it at 35–46 °F (2–8 °C), which you can monitor with your phone. If you need to keep different medications cool, you can adjust the temperature accordingly. It’s designed to run off AC power, 12-volt DC in your car, or a built-in battery, which you can supplement with battery packs. The booth representative told me that batteries would keep it cold for 36 hours—but the literature says 4 hours of refrigeration off the internal battery and 12 hours off of optional battery packs. Perhaps 36 hours when kept closed and insulated? The shipping model will include a magnetic lock that can be released by your phone. Lifeina also demoed an even smaller fridge that resembled a tall thermos with a 2-inch diameter—it can keep one or two insulin doses cool for 24 hours and has the same monitoring features as The Box. Both products are still in development and need to clear FDA approval, but Lifeina is hoping to bring them to market for $200 and $79 respectively.
Lumen Smart Personal Nutrition
You’d be forgiven for thinking Lumen is some kind of lighting system, but you’d be half right, because the goal of Lumen is to make you lighter. It’s a breathalyzer that measures the carbs and fats you’ve recently eaten to help you judge how well you did yesterday, and give you tips and pointers for how to achieve the best balance today. A phone app gives you real-time metabolism measures and can prepare a meal plan for the rest of your day. It’s available for pre-order on Indiegogo for $249, and will retail for $299 when it ships in August 2019.
Nexoptic Blade Optic Binoculars
I think Nexoptic is on to something, but I’m not entirely sure what. Later this year, the company will be introducing a replacement for binoculars that provides 2.5x to 10x magnification to a built-in 5-inch screen, using a technology it calls “blade optic lenses.” There’s also a suite of AI routines that provide image stabilization, auto-focus, zoom, and low-light correction. I assume the following will mean something to photographers: it has an equivalent focal length of 500mm and a 52mm diagonal aperture. The odd thing is that the press release says little about it also being a camera—I infer such from a mention that its “lenses feature 4K video.” The company’s other press releases imply that it is also trying to license its technology to phone and camera manufacturers. The product is unnamed in the press release but called the Doubletake in the prototype photos. It has no set price yet, and is due to arrive sometime in 2019.
Ovie Food Storage Smarterware
Considering the American obesity epidemic, it’s astonishing that 40% of the groceries we buy go from store to fridge to garbage bin because we don’t eat them before they spoil. Ovie hopes to change that with its tagging system. When you put food away for later, you attach a waterproof tag to the item and tell an Alexa device what it is. These tags either affix to Ovie’s optional range of storage containers, or clip to your existing ones. The tag will glow green when the container’s contents are still fresh, yellow when they’re nearing expiration, and red when it’s time to feed them to a dog you don’t particularly like. Ovie’s app will not only give you an inventory of what’s in your fridge, but will also suggest recipes for what’s about to expire. Tell the app which items you always want on hand, and it’ll track what you need to buy again on your next shopping trip. A single Ovie hub can handle any number of tags. Pricing is $130 and up for the initial kit including the hub, depending on how many tags are included, with additional packs of tags available. Ovie has committed 1% of its profits to nonprofits combating food waste and insecurity.
Propeaq Wearable Light Therapy
There was a trend at CES with various booths demoing blue light blocker lenses, which make it easier to fall asleep by shutting out wavelengths of light known to be stimulating. I found these uninteresting, because pretty much every recent gadget, including Macs and iPhones, can already shift the wavelengths of light emitted by the screen. Propeaq, however, proposes that only the right blue light gets to you, with sunglasses that shine it into your eyes when you need it, and sets of differently tinted lenses that block it when you don’t. If you’re working a night shift or crossing multiple time zones, this approach is supposed to help you adjust more quickly to the new schedule. Research is promising but not yet conclusive, although the theory is similar to the old advice to avoid sunlight before you leave but get plenty at your destination. These glasses are portable sunlight for your face—which, er, I suppose regular sunlight is also, but maybe it’s not in abundance where you’re going. Propeaq claims that you can reset your body clock with only 30 minutes a day of use. The Propeaq glasses are available now in Europe for €239 and are coming to the US for $199.
PUPSCAN Portable Scanner
I was impressed last year by what is now called the PUPSCAN, a handheld scanner that projects a laser frame over a document you’re scanning to show you you’re capturing it correctly, and then pipes the image to any of a number of cloud services (see “CES 2018: Eureka Park Wraps Up CES,” 18 January 2018). The company wasn’t able to find a large enough consumer market for the device, so it has now pivoted to making it an accounting tool—the scans are now OCR’ed and formatted for import into various financial apps. But it still includes the feature set I saw last year, with one exception: it doesn’t yet do color scanning. PUPSCAN costs €329 and is shipping now to the US.
VideoLAN Support for AV1 Open Source
I recognized the VideoLAN folks from 30 feet away, because they were all wearing the icon of their VLC app on their heads—a classic orange traffic cone. VLC, of course, is the free and open-source app that can play darn near any video format on your Mac or iOS device, and which on Mac has tons of other (nearly indecipherable) options for streaming, ripping, and transcoding video. The VideoLAN folks gave me a spec sheet with three columns of small print describing everything VLC can do, but the most notable news is the app’s support of the Alliance for Open Media’s AV1 video format. AV1 is also open source and royalty-free, and it provides features such as 30% better compression for streamed 4K video versus competing formats, scalability to the requirements of the displaying device, and optimization to work well regardless of the quality of hardware and Internet connection in use. VLC is available for macOS, iOS, and tvOS—in fact, it’s so ubiquitously available that you can still download a version for IBM’s OS/2 operating system, which hasn’t shipped for 17 years.
WeWalk Smart Cane for the Visually Impaired
I have a friend who is blind and tells me not to worry, but I can’t help it—whenever I see someone walking down the sidewalk using a cane, I scan ahead to make sure there aren’t any upcoming signs jutting out at head level they might hit at speed. (I’ve done that myself purely by not paying attention.) The WeWALK smart cane claims to solve this problem, among others, with an embedded scanner that will vibrate the handle if it detects an upcoming obstacle at chest height. The WeWALK cane also integrates with various apps, including Google Maps and Uber, to provide directions and other services—although I’m not sure how such information is communicated back to the user. There’s an iOS app that facilitates all this on an iPhone, but while the company’s Web site discusses Google Assistant integration, it doesn’t mention Siri. Available now on Indiegogo at $399 with promised delivery in June 2019, after which the price rises to $499.