Skip to content
Thoughtful, detailed coverage of everything Apple for 33 years
and the TidBITS Content Network for Apple professionals
Show excerpts

TidBITS#1315/04-Apr-2016

Apple has released iOS 9.3.1 to address a bug that could cause app crashes and hangs when tapping links. Google is giving away its professional-grade Nik Collection photo-editing apps away for free — Julio Ojeda-Zapata tells you where to get them. Adam Engst explains how to keep your Mac’s security data up to date, Michael Cohen documents the troubles he’s had with the new iCloud Drive-enabled iBooks apps, and Joe Kissell examines the differences between 1Password and iCloud Keychain in his latest FlippedBITS column. Notable software releases this week include Banktivity 5.6.7, Parallels Desktop 11.1.3, Fantastical 2.2, Evernote 6.6, OmniFocus 2.5, OmniOutliner 4.5.1, MoneyWell 2.3.10, iBooks Author 2.4.1, KeyCue 8.0, Default Folder X 5.0.3, and DEVONthink/DEVONnote 2.8.10.

Josh Centers 9 comments

Apple Releases iOS 9.3.1 to Address Link Bug

In “Apple Reissues iOS 9.3 for Older Devices; Links Remain Problematic” (28 March 2016), we reported that many users were experiencing app hangs and crashes after tapping Web links. Apple has released iOS 9.3.1 specifically to address this issue. A number of users had complained about similar problems in iOS 9.2.1; it will be interesting to see if this update addresses their complaints as well.

Image

To download the small update (27.5 MB on my iPhone 6), go to Settings > General > Software Update or update via iTunes. I haven’t noticed any problems with this update so far, but it did seem to take an unusually long time to install on my iPhone 6.

Adam Engst No comments

Chapter 5 of “Take Control of Slack Basics” Available

Last week we published Chapter 4, “Post Basic Messages,” in Glenn Fleishman’s serialized “Take Control of Slack Basics” book, but we weren’t kidding about how those messages were basic. This week, we’re going deeper with Chapter 5, “Go Beyond Basic Messages,” which explains how to do exactly what it says in four ways:

  • You can upload a file to any Slack channel or conversation, or link one in from a file-sharing service like Dropbox, Google Drive, or Box.

  • For those times when you need to share a bit of code, or some quoted paragraphs from an email message, use a snippet. They’re a great way to compress a bunch of text into a small space in the message list and then let readers expand it.

  • If you want to collaborate with others on a chunk of text, use a post. Team members can comment on it, or, if you let them, take turns editing it.

  • When typing back and forth just isn’t enough, you can make voice calls from within Slack.

As always, if you want to try out attachments, snippets, posts, and calls (well, with people you already know in the team!), join our public SlackBITS group, which has nearly 150 members and so far has hosted discussions of Slack, the Mac, iOS, and Apple TV, along with a channel devoted to collecting links to fun April Fools jokes, including our piece “Apple Developing Fortieth Anniversary Mac” (1 April 2016). You’re welcome to ask anything you like in SlackBITS and we’ll do our best to answer! Instructions on how to join are in Chapter 1, “Introducing Slack.” Also available to everyone is Chapter 2, “Get Started with Slack.”

However, Chapter 3, “Master the Interface,” Chapter 4, “Post Basic Messages,” and this new Chapter 5 are accessible only by TidBITS members, so if you’re not currently one, we hope this is incentive to join! TidBITS members receive other benefits too, but what’s most important is that the TidBITS membership program has kept TidBITS afloat the last few years — your support is essential. If you’re already a TidBITS member, log in to the TidBITS site using the email address from which you joined to read and comment on these chapters.

The full ebook of “Take Control of Slack Basics” will be available for purchase by everyone in PDF, EPUB, and Mobipocket (Kindle) formats once it’s complete. We’re also pondering how to make the final book available as a discounted bulk buy for entire Slack teams, so if you’re interested in that, let us know.

Julio Ojeda-Zapata 7 comments

Google Gives Away Its Nik Collection Photo-editing Apps

Google has made a freebie of its Nik Collection, a set of advanced Mac and PC photo editing tools that, until last week, cost $150, and at one time went for $500. The company is issuing refunds to those who purchased the suite in 2016.

The seven Nik Collection editing tools, a part of Google’s 2012 acquisition of Nik Software, work both as standalone apps and as plug-ins for Adobe’s Lightroom and Photoshop programs, as well as for Apple’s now-defunct Aperture, which some still use. The full download is 590 MB.

The Nik Collection tools are:


Google has not said whether it will continue to update the Nik Collection, but it seems to be signaling that the suite has now become abandonware.

In a Google+ post, the company wrote, “As we continue to focus our long-term investments in building incredible photo editing tools for mobile … we’ve decided to make the Nik Collection desktop suite available for free, so that now anyone can use it.”

Mac and iOS users should probably not wait for the collection to spawn Apple Photos extensions any time soon.

Google’s Nik Software buyout has been a mixed blessing for photography enthusiasts in recent years. The acquisition included Snapseed picture-editing apps for iOS and Mac. But in 2013 Google killed the Mac version (along with a PC version) even though Nik had announced the product only about a year earlier, just before being acquired. Google has said it will continue upgrading its Snapseed iOS app (a
universal app with full iPad compatibility) along with an Android version, though.

Google also used the Nik technology to turbocharge the photo editing controls that were a part of its Google+ social network. But those advanced tools later vanished, replaced with far simpler ones when Google+ Photos transformed into the standalone Google Photos service.

In a semi-related development, Google in February 2016 announced that it’s shutting down its Mac- and PC-based Picasa photo organizing apps, which it acquired when it bought out Picasa, Inc. in 2004.

It now appears that Google is focusing on the Google Photos service, with frequent updates to the service’s mobile apps and Web app. Just last week, it unveiled a smart album feature along with interface tweaks. Google Photos also now supports Apple’s Live Photos feature.

Unfortunately, the Nik Collection is entirely disconnected from Google Photos and Snapseed, making it awkward for Google fans wanting to use all of the above.

Still, free is free, and there’s no reason not to get the app suite while it’s there for the taking — and it might not be in the future if, indeed, Google has no further plans to upgrade this product.

But casual photo editing buffs beware: the Nik Collection is not entry-level stuff, like Google Photos and Apple’s Photos. The Nik apps have daunting interfaces and steep learning curves. For the average user, the suite may be overkill.


Nor is the Nik Collection a single, integrated product, meaning that you have to open and close these tools sequentially if you are doing heavy surgery on an image. This is true regardless of whether the tools are being used in a standalone capacity, or as Lightroom and Photoshop plug-ins.

And the suite’s total lack of integration with Apple Photos may be a deal-breaker for many Mac-based picture enthusiasts.

But for those who like experimenting with a wide range of editing tools on their Macs, the Nik Collection is now an amazing bargain.

Adam Engst 23 comments

Make Sure You’re Getting OS X Security Data

A few weeks ago, Josh Centers wrote about an update to OS X 10.11 El Capitan’s System Integrity Protection that broke Ethernet for many Mac users briefly, before Apple pushed out a second update to resolve the problem (see “El Capitan System Integrity Protection Update Breaks Ethernet,” 29 February 2016). Josh’s article confused me for a bit, because the problem revolved around El Capitan’s Incompatible Kernel Extension Configuration Data file, but I could find no evidence of it being installed on either my iMac or MacBook Air.

Discussion in the comments on that article and on TidBITS Talk revealed the answer: I had not selected the “Install system data files and security updates” checkbox in the App Store pane of System Preferences.


(No time to read more of this article right now? Just make sure that checkbox is selected and get on with your life. We now return the rest of you to the regularly scheduled explanation of what’s going on.)

Why had I avoided such an important-sounding checkbox? Because Apple messed up the interface here in a big way. The top enclosing checkbox is clear: “Automatically check for updates.” Everyone should have that checked. The next one isn’t as simple: “Download newly available updates in the background.” That’s fine in most cases, but if you give network-connected presentations or are in bandwidth-constrained situations where Internet use without your knowledge might be problematic, turn it off. However, note what the interface says next: “You will be notified when the updates are ready to be installed.” Great! That’s exactly what I want to have happen — updates will be downloaded in the background and then I’ll be
notified and get to choose when to install.

It would seem that the next three checkboxes are related, but that’s where Apple messed up. The next two — “Install app updates” and “Install OS X updates” — sound like “Install system data files and security updates,” but they work differently. When selected, those first two checkboxes tell the App Store app to install app and OS X updates automatically; if you leave them deselected, you’re instead notified of updates and given the opportunity install to them manually at a convenient time.

In contrast, if you fail to select “Install system data files and security updates,” you won’t be notified of these critical background security-related updates. These are not the same as Apple’s foreground updates with names like “Security Update 2016-002” — they fall into the “OS X updates” category.

So what are they? TidBITS Talk member Al Varnell, who works in the security community, shared what he knows in the discussions there, but warns that the information is incomplete because Apple has avoided documenting these systems due to the security implications. These critical background updates include at least the following:

  • Core Suggestions Configuration Data
  • CoreLSKD Configuration Data
  • Gatekeeper Configuration Data
  • Incompatible Kernel Extension Configuration Data
  • MRT Configuration Data
  • XProtectPlistConfigData

I assume some of these files contain information used by security processes, as outlined in this Apple support article. Gatekeeper enables OS X to avoid opening applications that aren’t signed. MRT likely stands for “Malware Removal Tool” since it appeared around the time of the MacDefender malware (see “Apple Responds to Increasingly Serious MacDefender Situation,” 25 May 2011) — Apple’s Security Update 2011-003 could detect and remove MacDefender. And XProtect is part of OS X’s File Quarantine feature, which scans downloaded files for malware and blocks Web
plug-ins with known vulnerabilities like Flash and Java. Incompatible Kernel Extension Configuration Data helps OS X disable old kernel extensions that may cause crashes, but it’s unclear what Core Suggestions Configuration Data and CoreLSKD Configuration Data contain. (You might also see Chinese Word List Update; I presume that’s not security-related.)

Apple needs to push out updates to these files based on new threats — if Apple’s engineers become aware of a new piece of malware, OS X’s security systems need to know about it as soon as possible to protect Mac users around the world. Disabling the “Install system data files and security updates” checkbox is, frankly, a terrible idea — it’s not installing code, and barring a mistake like Apple made in accidentally adding the Ethernet kernel extension to the Incompatible Kernel Extension Configuration Data file, it’s unlikely that allowing this security-related data to be updated could cause many problems.

So if you’ve deselected “Install system data files and security updates,” turn it back on and wait a day or two for Software Update to notice and update everything.


If you don’t want to wait, select that checkbox and then issue this command in Terminal.

sudo softwareupdate --background-critical

To verify that the updates have taken place, look in the Software > Installations category in System Information (as explained in “El Capitan System Integrity Protection Update Breaks Ethernet”) — click the Date Installed column header twice to sort with the newest installations at the top.


For those who are constitutionally opposed to automatic updates, this is how you can get these critical background updates manually: select the checkbox, run the softwareupdate command above, verify that the updates have taken place, and then deselect the checkbox again.

It’s worth noting that, despite Apple’s policy of releasing security updates only for the current version of OS X and two versions prior, the company continues to update these security data files all the way back to 10.6 Snow Leopard, when the File Quarantine feature made its debut.

Regardless, Apple should clarify the importance of this checkbox by rewording it to something like “Install critical anti-malware definitions and system data.” Having it selected is presumably already the default, but wording like that should prevent unwitting users from disabling it. Plus, if that checkbox is not selected, Software Update should notify the user about each individual update, just like any other OS X update.

Michael E. Cohen 31 comments

iBooks with iCloud Drive Is Unreliable and Confusing

First off, let me say that some users have had no problems with the latest versions of iBooks that Apple delivered with OS X 10.11.4 and iOS 9.3.1: 1.5 for Mac and 4.7 for iOS. However, I am not one of those lucky users, and, judging from various discussions in Apple’s support communities (like this, and this, and this), I’m not alone.

Here is what Apple promises, from the support document “Sync ePub, iBooks Author books, and PDF files with iBooks and iCloud”:

You can use iBooks and iCloud Drive to sync ePub, iBooks Author books, and PDF files so that you can access them on all of your devices. After you turn on iCloud Drive, all files automatically upload to iCloud. Any ePub, iBooks Author book, or PDF file that you add to your iBooks library later also automatically upload to iCloud.

Sounds nifty, doesn’t it? If you have iCloud Drive enabled, and sufficient storage for your library, you can forgo the iTunes syncing dance: just plop a book — even a PDF! — into your iBooks library (supposedly on any of your devices) and it becomes available to all your other devices! Who wouldn’t want such a streamlined syncing system?

I certainly would. For one thing, I regularly make EPUBs, and the ability to check layout, for example, on my various devices (a Mac, an iPad Air, an iPhone 6+, and an ancient iPad 2) without having to sync these devices via iTunes sounds wonderful. And it would be… if everything worked as Apple says it should. Reality, however, begs to differ. With its latest iterations of iBooks, Apple has cooked up a gallimaufry of inconsistencies and unreliabilities.

Enabling iCloud Drive/iBooks Integration — The confusion begins with enabling the feature. When you first launch iBooks after updating your iOS device or Mac, the app offers you the opportunity to enable iCloud Drive for your book library.


If you don’t do so at that time, however, it’s hard to find out how to do so subsequently. In fact, the answer can be deduced from the support document mentioned above, a link to which also appears in the initial screen, although finding that document is an exercise in online searching once you dismiss that screen. Furthermore, once you do find that support document, you’ll discover that it offers no direct information about how to enable the iCloud Drive
feature: instead, you find how to disable it. From that, however, you can figure out where the necessary settings are to turn on iCloud Drive integration with iBooks:

  • On the Mac, look for the setting in System Preferences > iCloud > iCloud Drive Options. In other words, open System Preferences, click iCloud, click the Options button beside iCloud Drive in the list of iCloud features, click Documents on the Options dialog that appears, and look for the iBooks entry in the list of apps that store documents in iCloud Drive.


  • In iOS, the option is in Settings > iCloud > iCloud Drive. If you tap your way down that path, you’ll find an iBooks entry in the list of apps that use iCloud Drive — the iBooks entry has a switch you can turn on that enables iBooks integration with iCloud Drive.

After you turn on iCloud Drive integration with iBooks on your iOS device, the next time you open the iBooks app it asks you if you want to use iCloud Drive. If you decline the offer, the switch in the Settings app is turned back off.

Uploading Irritations — I have only my own impatience to blame. I downloaded the OS X and iOS updates as soon as they became available, and, once I had installed them, I immediately enabled iCloud Drive integration with iBooks. Naturally, Apple’s servers were being hammered by millions of users all fetching the latest updates, so the transfer of my iBooks library from my Mac to iCloud Drive was understandably slow. However, there was little indication of how much time it would take to finish, or how many items remained to be uploaded. A progress icon did appear from time to time on the toolbar seemingly at random, but the information it provided was both uninformative
and misleading.

When I looked at iBooks on one of my iOS devices during this upload period, I saw thumbnails appear, disappear, and shift around in a seemingly haphazard fashion. Even after waiting several hours, iBooks on my iOS device no longer matched what I saw on my Mac: I had to terminate iBooks manually and relaunch it on the device to see the current state of affairs.

What I saw wasn’t pretty: my All Books collection, which I had sorted by Recent, showed all the books in my library that were not on my device (as indicated by download icons on their thumbnails). I had to scroll down past dozens of books to reach the most recently read book that was on my device. What’s more, the arrangement of books in my various collections was scrambled, no longer matching the careful order in which I had once placed them.


Furthermore, many books — and I could find no pattern that predicted which — were no longer on my device but, instead were marked as available for download from iCloud. When I turned on Hide iCloud Books in the collections menu on my iPhone, for example, I saw many fewer books listed than had been there before the migration to iCloud Drive.

Corruption Issues — Because one of the books I was in the midst of reading (I usually have several going at once) was no longer on my iPad Air, I tapped its download icon. Within seconds, the download was complete. And when I tapped to open the newly downloaded book, it opened to where I had left off. So far, so good.

Or not. When I went to download another book, one that I had not read in a while, a tap seemed to download it, but when I tapped again to open the book, I saw a message telling me that there was not enough storage space to install it — absurd, because my iPad had more than 10 GB free, and the book itself was less than 1 MB in size. When I dismissed the message, the download icon reappeared on the book.


I went to my Mac, found the book, and opened it there. It opened with no problem. I went back to my iPad and tried again. Again, I saw the same message. I then dragged the book out of my iBooks library on my Mac, deleted the book from the library, and then dragged the copy I had just made back into iBooks.

On my iPad, the book was gone; although iBooks on the iPad had registered the deletion, it could not see the newly installed copy. I force-quit iBooks, and, when I restarted the app, the new copy appeared after a couple of seconds. This time, I could download it and open it with no problem.

Sadly, I encountered the same out-of-space error on a number of books I tried to download: as many as half of those I tried. I could only conclude that the initial upload of my books to iCloud from my Mac had corrupted something. The only way I was able to fix this was to remove and reinstall every book in my Mac’s iBooks library, one collection at a time:

  1. Display a collection.

  2. Select all the books and drag them into a Finder folder to copy them.

  3. Wait for the copying to finish, and then in iBooks, delete all the books in the collection.

  4. Wait for the deletions to finish, and then drag the copies from the Finder back into the now-empty window for the current collection in iBooks.

  5. Wait for iBooks to finish uploading the copies back to iCloud, and then empty the Finder folder in preparation for the next collection.

  6. Repeat Steps 1 through 5.

This process took me most of the day, but, when I was done, I had no more issues with downloads on my iOS devices. And it had only cost me a day of uncompensated labor!

Insurmountable Obstacles — Since then, I have continued to explore what the new iBooks apps have to offer, and what I have found is disheartening: a cavalcade of problems for which I have yet to find solutions:

  • iTunes Syncing: The Books syncing pane for iOS devices has become almost completely unusable for me. It lists only 133 books of the more than 700 items I have in my iBooks library. For the most part, it seems to list only books that are iBooks Store purchases, but one or two books from other sources also appear. When I removed and reinstalled my books as I just described, I was heartened to see my non-iBooks Store books begin to show up once again in the syncing pane. However, as soon as I quit and relaunched iTunes, those books vanished again, and, once more, iTunes only showed me a fraction of my actual iBooks library.

  • Collections, Notes, and Bookmark Syncing: I mentioned earlier that when I downloaded a book from iCloud it remembered my last-read location. However, a day or so ago, iBooks (on both Mac and iOS) seems to have lost the capability to sync the last-read location among my devices. And not only that, iBooks no longer syncs book collections, manually placed bookmarks, and notes among devices. I would write that off to a problem with iCloud Drive, but a colleague who has yet to enable iCloud Drive with her installation of iBooks has seen the same thing. In the past, iBooks occasionally hiccuped when syncing these kinds of data, but, as of this writing, the hiccup has become complete lung failure. The problem may clear up
    tomorrow, but I’m not holding my breath.

  • iPad 2: Old and creaky as it is, my iPad 2 has, in the past, been able to handle iBooks (I use the device for testing and as a secondary reading device). Alas, that’s no longer true when it comes to iBooks with iCloud Drive integration. Every time iBooks attempts to list my iCloud Drive book holdings, the app simply and unceremoniously quits. With iCloud Drive unable to work on the iPad 2, and with iTunes syncing currently broken, I have no way to get books onto the device other than side-loading with Open In from a Web or Dropbox download or an email attachment; the iPad 2 is too old for AirDrop to be an option.

  • PDF Viewing: This, compared to the other problems, is only a minor irritation, but still a real one for users who rely on Adobe Reader or another third-party PDF viewer. Previously, when you opened a PDF from iBooks on the Mac, the PDF opened in whatever app you had specified as the default for PDFs. No more: with iBooks 1.5, PDFs open in Apple’s Preview regardless of the default PDF app you specify on your Mac. As far as I have been able to ascertain, there is no workaround.

Final Words — iBooks with iCloud Drive integration is a great idea executed atrociously. Even without iCloud Drive integration, the latest iBooks apps remain embarrassing examples of poor quality control, Schrödinger’s apps built atop a Heisenberg engine that is unreliable, unpredictable, and dangerous to use if you value the contents of your ebook library.

I’m willing to forgive Apple occasional minor flaws in software when it re-engineers an app to provide important new features. But what Apple has provided in these latest iBooks updates is simply unforgivable. Unfortunately, there seems to be no way for a user to address these problems, but if you rely heavily on iBooks and have not yet updated to OS X 10.11.4 and/or iOS 9.3.1, I suggest you wait.

Joe Kissell 39 comments

FlippedBITS: 1Password Versus iCloud Keychain

Everyone agrees that passwords are a pain. The idea that each user of a computer, Web site, or online service should gain access using a unique identifier (a username) and a self-selected password must have seemed logical back in the day, but the system hasn’t scaled well. Now we all need passwords for dozens or even hundreds of services, while frequent high-profile security breaches remind us that a password-based infrastructure is inherently fragile and vulnerable.

In response, service providers make ever-harsher demands of their users: create longer, more complex passwords; change them whenever the provider sees fit; answer security questions; add two-step verification; and so on. Frustrated users, in turn, respond in ways that make them far less secure: they often choose easily guessable passwords, and reuse the same password (or one of a few) everywhere.

I’ve been thinking and writing about the password problem for a long time. In the recently published “Take Control of Your Passwords, Second Edition,” I lay out the whole problem from top to bottom and help readers think through a sensible, safe, and sustainable strategy. One key recommendation is to use a password manager whenever possible. This type of software automatically generates, remembers, and fills in passwords as needed, and syncs them across your various devices. Although a password manager alone isn’t a complete solution to anyone’s password woes, it can eliminate a large portion of the hassle while increasing your security tremendously.

There are lots of great password managers out there, and I truly don’t care which one you use, as long as it works well for you. I know that apps like LastPass, Dashlane, Blur, and many others, have lots of fans. In addition, Apple’s own solution, iCloud Keychain, works in Safari for recent versions of OS X and iOS — and it’s free for anyone with an iCloud account. I wrote extensively about iCloud Keychain in another of my books, “Take Control of iCloud.”

My personal favorite, however, is 1Password, which I’ve been using for nearly ten years. I’ve found that it hits the sweet spot of power, usability, and affordability — and it keeps getting better all the time. I like it so much I wrote yet another book about it, “Take Control of 1Password,” which explains how to make the most of the app’s extensive capabilities, many of which aren’t entirely obvious.

But wait a minute! Since iCloud Keychain is free, requires no extra software, and is supported by Apple, why would anyone bother with a third-party product in the first place? I’ve heard this question a number of times. For example, when I covered the latest major release in “1Password 6 for Mac Adds Teams, Expands Sync Options” (18 January 2016), a commenter named Jim inquired:

This would be a great chance to ask the question I’ve always had about 1Password. I hear nothing but praise for it, but… What exactly does it do that Apple’s built-in tools (Keychain, iCloud Keychain, etc.) don’t do?

I’ve read so many glowing reviews of 1Password, yet that’s the part I still don’t get…

I replied by pointing out a number of things 1Password can do that iCloud Keychain can’t, but the question deserves a more extensive answer. After all, 1Password isn’t free and does have a bit of a learning curve — and switching from one password manager to another isn’t always simple. I can understand why this might seem like a Pepsi-versus-Coke choice, but it’s more like pitting a standard can of Pepsi against a Cherry Vanilla Coke float made with artisanal hand-churned organic ice cream — and two straws.

Before I get into the feature differences, let me make two quick disclaimers. First, although I’m talking only about 1Password here, many of the features I point out can be found in other third-party password managers too. And second, I’m not trying to diss iCloud Keychain. In fact, as I’ll explain later, it’s an ideal choice for certain tasks, and there’s no reason you can’t use it alongside a third-party tool.

1Password’s Advantages — 1Password was developed long before iCloud Keychain was a gleam in Apple’s eye, and over many years it has been refined based in large part on user feedback, an approach that Apple often seems to be allergic to. Here are some of the ways in which 1Password surpasses iCloud Keychain:

  • Platform Support: If you use only recent-vintage Macs and iOS devices, this might make no difference to you. But if you happen to use Windows or Android devices, or even older versions of OS X (iCloud Keychain was introduced in OS X 10.9 Mavericks), iCloud Keychain won’t help you on those platforms. 1Password, on the other hand, can sync your data to all those locations, although admittedly you’ll need to download a legacy version of the app if you want to run it on Mavericks or earlier.

  • Browser Support: 1Password works with most popular browsers, so if you prefer to use Chrome or Firefox instead of Safari (or if you switch between browsers from time to time), that’s no problem. iCloud Keychain, on the other hand, works only with Safari (in both OS X and iOS).

  • Password Strength: iCloud Keychain can generate random passwords for you in Safari, which is undeniably handy. But all those passwords are exactly 15 characters long, following the pattern XXX-XXX-XXX-XXX, where each X is an alphanumeric character. Because the three hyphens are invariant, all those passwords have an effective length of only 12 characters, and because none of the other characters can be other punctuation, those 12-character passwords are much weaker than ones built from a wider character set. (Also, some Web sites limit passwords to fewer than 15 characters.) 1Password can make random passwords up to 50 characters long, with your choice of attributes; you can even
    opt for a series of random words instead of random characters, although a password of that type must be considerably longer to be as strong as one composed of random characters.

  • Additional Data Types: iCloud Keychain can store passwords, username-and-password combinations, secure notes, and credit card numbers, but that’s it. 1Password can also store many other kinds of data, such as software licenses, passports, membership cards, licenses, and bank account numbers. In addition, it can securely store and sync virtually any document you care to drag in, such as a Word document, PDF, or photograph containing confidential data.

  • CVV Numbers: iCloud Keychain can store credit card numbers and their associated expiration dates, but not CVV (card verification value) numbers. Apple says this is for security, but it means that every time you buy something online, you have to drag your card out of your wallet, look up that number, and type it in. My feeling is that if iCloud Keychain is secure enough to hold my bank account number and login credentials, not to mention passwords that could unlock all kinds of other highly confidential services, it should be secure enough to store and fill in a CVV too. 1Password has no trouble storing and filling in CVV numbers.

  • iOS App Support: Browsers aren’t the only apps that use passwords. Think of apps like Slack, Buffer, Basecamp, SoundCloud, Instapaper, and dozens of others that connect to online accounts. Using a simple API created by 1Password developer AgileBits, developers can enable their apps to query 1Password directly — it’s much quicker and easier for users than having to switch to 1Password, look up credentials, copy, switch back, and paste. Well over 100 apps have already added this support. And what I find even more interesting is that developers of other password managers can use the same API, so if your app supports 1Password, it also works with other iOS
    password managers. Although it’s possible for specially modified third-party iOS apps to access saved Safari passwords (which, in turn, may sync via iCloud Keychain), very few apps take advantage of this capability.

  • One-time Passwords: Many sites now offer two-step verification as an extra security measure. The most common implementation is that after you enter your password, the site prompts you for a second code — a time-based one-time password (TOTP), which is normally generated by a separate app such as Google Authenticator or Authy, and changes every 30 seconds. But 1Password can generate these codes too, meaning you don’t have to install a separate app to obtain them (and you don’t have to switch apps as often either). iCloud Keychain lacks such a feature.

  • Syncing Options: As you might guess from the name, iCloud Keychain syncs exclusively via iCloud. 1Password can sync via iCloud too, but if you prefer to use Dropbox, direct syncing over Wi-Fi, or even (for iOS devices) syncing your data via a USB cable and iTunes, you can. (Yet another way to sync is to use 1Password for Teams or Families, discussed just ahead.)

  • Ease of Use: Storing and entering passwords in a browser is one thing, but what if you need to look up a password for some other reason, or make other changes to your secure data? On a Mac, you have to use the ancient Keychain Access app (in /Applications/Utilities), which is incredibly cumbersome and unintuitive. On an iOS device, no such app exists; you can go to Settings > Safari > Passwords to see and edit your credentials, but even that is a clumsy interface. 1Password’s user interface, by contrast, is far more user-friendly. It’s easy to search, sort, organize, tag, and edit items, and you can even do things like sort your passwords by strength to see which ones might
    be in need of changing.

  • Teams and Families: If you want to share certain passwords securely with other people — coworkers or family members, say — you can’t do so with iCloud Keychain. (Like most iCloud features, it’s all about sharing stuff across your own devices, not sharing stuff with other people.) 1Password has long offered a primitive way to share data using Dropbox, but with 1Password for Teams or 1Password Families (each available for a modest monthly fee), your business or family, respectively, has a simple yet secure and versatile mechanism for sharing passwords.

  • Other Details: 1Password also stores a history of the passwords you’ve used previously for each site. It can alert you to passwords that may need to be changed due to a security breach or because they’re duplicates. And it has quite a few other small conveniences that add up to a much better experience in managing passwords. (If I’ve skipped over anything you find particularly important, please remind me in the comments!)

iCloud Keychain’s Benefits — Having said all that, let me now change my tune slightly and say some nice things about iCloud Keychain:

  • Better in Safari for iOS: Because iCloud Keychain is built right into Safari for iOS, it takes at most a tap or two to fill in your credentials and submit a form. Since the advent of extensions in iOS 8, it’s reasonably convenient to access 1Password from within an iOS browser, but you’ll still have to tap an icon to open the Share sheet, tap the 1Password icon, authenticate with Touch ID (or a PIN or your master password, depending on your device and configuration), and tap the desired login item. Of course, 1Password is doing the best it can given the restrictions Apple imposes, but if you want the least possible friction when entering credentials in Safari for iOS, iCloud Keychain is the way to go.
  • System-level Credential Syncing: iCloud Keychain isn’t just for Web forms. It can also store credentials that are used at a system level, such as Wi-Fi passwords and Internet accounts (Google, Facebook, Twitter, email servers, and so on). So, if you enter the password for a new Wi-Fi network on one of your devices, then as soon as iCloud Keychain syncs to your other devices (usually within seconds), they’ll have that password too and can join the new Wi-Fi network without so much as a password prompt. (For some reason, iCloud Keychain syncs email accounts only with other Macs, not with iOS devices.) Because 1Password doesn’t have the system-level access that would be necessary for such a feat, it can’t
    perform the same trick.

  • Reliability: Your mileage may vary, but I’ve found iCloud Keychain to be almost shockingly reliable — it syncs quickly and nearly always does exactly what I expect. I’ve often griped about other types of iCloud synchronization working poorly, but in this case I can’t complain. Because it’s part of OS X and iOS, there’s never any software to update separately, never any data to back up separately, and no worries about compatibility.

Sure, that’s a shorter list of compliments than the one I gave 1Password, but they’re not insignificant. If you use only Safari on Apple devices; have only a modest number of accounts; prefer iCloud syncing; and have no need to store other data types, share credentials, or use one-time passwords, you might be perfectly content with iCloud Keychain. Without question, using iCloud Keychain is a thousand times better than using no password manager at all, and if you like it, more power to you.

However, keep in mind that this isn’t an either/or decision. You can use iCloud Keychain and 1Password together. For example, you might rely on iCloud Keychain to handle your Wi-Fi passwords and the credentials you use most frequently in Safari for iOS, but 1Password for everything else. Or you could try to keep both apps updated with the majority of your passwords, using whatever happens to be easiest at any moment (given your current platform and browser). Or use 1Password to generate new passwords but iCloud Keychain to store and fill them. Although using both together is more work and arguably a bit less secure than picking just one, it’s not an unreasonable approach.

TidBITS Staff No comments

TidBITS Watchlist: Notable Software Updates for 4 April 2016

Banktivity 5.6.7 — IGG Software has released Banktivity 5.6.7 with a number of bug fixes for the financial app formerly known as iBank (and a high-ranking option in our recent survey; see “Your Favorite Mac Personal Finance Apps,” 29 February 2016). The update resolves a number of bugs, including an error when canceling password input during file open, a hang with the Assistant after submitting an iBank ID edit with a null password, rounding the share price on the Portfolio Summary report, misinterpreted NeatReceipts dates, and the removal of preserved Direct Access
connections by other new connections. ($59.99 new from IGG Software and the Mac App Store, free update, 39.3 MB, release notes, 10.9+)

Read/post comments about Banktivity 5.6.7.

Parallels Desktop 11.1.3 — Parallels has released Parallels Desktop version 11.1.3 (build 32521) with a number of bug fixes for the virtualization software. The release resolves an issue with virtual machines crashing with Nested Virtualization enabled, avoids a crash on an OS X 10.10 Yosemite host OS when connecting a USB device, improves the Chinese (Simplified) input method in Coherence, rectifies a problem with an incompatibility error message when starting OS X virtual machines, and sorts out a performance degradation issue when running a 3D intensive application in Windows. ($79.99 new for standard edition,
$99.99 annual subscription for Pro/Business Edition, $49.99 upgrade, free update for version 11 licenses, 293 MB, release notes, 10.9.5+)

Read/post comments about Parallels Desktop 11.1.3.

Fantastical 2.2 — Flexibits has released Fantastical 2.2 (dubbed “the massively big, massively awesome update”) with a plethora of additions to the calendar app, starting with the addition of native Exchange support. Previously, Exchange support was dependent upon Apple’s built-in calendar support, but with Fantastical’s native implementation, the app now supports responding to invitations, meeting room scheduling and lookup, Global Address List lookup, and more (see this blog post for the full list
of Exchange additions). Additionally, Fantastical 2.2 brings a new invitee availability view that works with compatible services such as Exchange and Google (but not iCloud).

The update also adds the capability to print calendars and reminder lists in a variety of different views, adds support for iCloud shared calendar notifications, displays Google Hangout links with Google Apps accounts, ensures that Push for Google accounts shows changes immediately, adds a preference to start month view on the current week, improves search speed in calendars with large numbers of recurring events, highlights selected date in week and month views, and adds multiple selection (enabling you to move and delete multiple items at once). ($49.99 new from Flexibits and the Mac App Store, free update, 13.2 MB, release notes, 10.10+)

Read/post comments about Fantastical 2.2.

Evernote 6.6 — Evernote has released version 6.6 of its eponymous information management app with a new navigation scheme for switching between notes and notebooks (pressing Command-J brings up the new popover; the previous notebook selector is available via Command-Option-J). The release also adds a Duplicate Note command to the Note menu, adds the capability to manage tags from the note view, redesigns the audio recorder (for OS X 10.10 Yosemite and later), ensures that the left side navigation highlights your current selection (instead of always highlighting the Notes tab), and fixes several crashes. Note that the Mac App Store is still stuck at version 6.5 as of this writing. (Free from Evernote or the Mac App Store, 52.7 MB, release notes, 10.9+)

Read/post comments about Evernote 6.6.

OmniFocus 2.5 — The Omni Group has released OmniFocus 2.5 with the addition of the new Style preference pane, which enables you to create styles from built-in font and color collections or from imported styles. The Getting Things Done-inspired task management app also adds a quiescence timer that monitors activity so that OmniFocus can block integrating sync changes while you are actively typing, italicizes inherited dates to differentiate them from explicitly set dates, fixes a bug that temporarily rearranged the order of Projects, ensures compatibility with TextExpander for filling in snippets in the sidebar,
and ensures Inspector text fields retain focus when switching between applications. ($39.99 new for Standard edition and $79.99 for Pro edition from The Omni Group Web site, $39.99 for Standard edition from Mac App Store (with in-app purchase option to upgrade to Pro), 27.6 MB, release notes, 10.10+)

Read/post comments about OmniFocus 2.5.

OmniOutliner 4.5.1 — The Omni Group has released OmniOutliner 4.5.1 with a number of bug fixes, most of which are targeted at printing. The outlining and information organization app no longer links the print scale value in Page Setup to the Scale to Fit Page Width setting, ensures the Print dialog option text is not longer cut off in OS X 10.10 Yosemite, properly splits long notes between pages, ensures image attachments print in the matching display state of either an icon or inline, and fixes some issues that caused incorrect layout of text. The update also correctly sizes rows pasted while at less than 100 percent
zoom, and the sidebar section list no longer animates when showing or hiding the style palette. ($49.99 new for standard edition (Mac App Store), $99.99 for Pro edition (Mac App Store), free update, 24.1 MB, release notes, 10.10+)

Read/post comments about OmniOutliner 4.5.1.

MoneyWell 2.3.10 — No Thirst Software has released MoneyWell 2.3.10 (a top vote getter in our recent survey; see “Your Favorite Mac Personal Finance Apps,” 29 February 2016), which now uses HTTPS for in-app update checks to address a security issue with the Sparkle framework (see “Sparkle Vulnerability Real, but Exploits Highly Unlikely,” 15 February 2016). The release also trims white space from license keys so that pasting from email works more reliably and updates copyright strings. Normally priced at $59.99, MoneyWell
is currently on sale for $30 from the No Thirst Software site in anticipation of the release of MoneyWell 3 later this year. Stalled at version 2.3.9 as of this writing, the Mac App Store edition is priced at $49.99. ($59.99 new, free update, 9.9 MB, release notes, 10.7+)

Read/post comments about MoneyWell 2.3.10.

iBooks Author 2.4.1 — Apple’s iBooks Author has been updated to version 2.4.1 with just a single security patch. According to this Apple Support document, an XML external entity reference issue existed with iBook Author parsing that could lead to disclosure of user information if viewing a maliciously crafted iBooks Author file. However, this vulnerability has been patched with improved parsing. (Free from the Mac App Store, 419 MB, 10.10+)

Read/post comments about iBooks Author 2.4.1.

KeyCue 8.0 — Ergonis has released KeyCue 8.0, a major new version of the keyboard shortcut utility that takes the app beyond being a menu shortcut viewer. Version 8.0 brings a flexible new way to define a wide variety of triggers to perform different actions, such as displaying the newly added collection of frequently used URLs, opening the KeyCue settings window, and more. The release also includes definable actions for right-clicking the menu bar icon, ensures that mouse movement no longer cancels the display, shows macros for all active macro tools (such as Keyboard Maestro, QuicKeys, and iKey), enables you to
increase the height of the Settings window to show more items in the trigger and custom lists, and improves compatibility with a number of apps, including Mail, Mailplane, Logic Pro, and Papyrus Autor.

If you purchased a KeyCue 7 license on or after 1 March 2015, you can upgrade to KeyCue 8.0 for free. For purchases made before that date, you can upgrade to the new version for €9.99 for a single user license or €14.99 for a family pack license. (€19.99 new with a 25 percent discount for TidBITS members, free update, 5.1 MB, release notes, 10.6+)

Read/post comments about KeyCue 8.0.

Default Folder X 5.0.3 — St. Clair Software has released Default Folder X 5.0.3, a maintenance update that fixes a number of bugs. The revised Open/Save dialog enhancement utility resolves an issue that caused the app to hang or stop enhancing dialogs, corrects reliability issues when switching folders, avoids a crash that could occur when selecting favorite or recent folders, rectifies a problem with tags sometimes not being applied when saving a file, and fixes some situations where rebound didn’t work. ($34.95 new, $14.95 upgrade from version 4, TidBITS
members
save $10 on new copies and $5 on upgrades, 8.0 MB, release notes, 10.10+)

Read/post comments about Default Folder X 5.0.3.

DEVONthink/DEVONnote 2.8.10 — DEVONtechnologies has updated all three editions of DEVONthink (Personal, Pro, and Pro Office) and DEVONnote to version 2.8.10 with added support for Airmail 2 and an update to the Sparkle framework. The three DEVONthink editions add support for videos from the Photos application in the Sharing extension, detect and repair more issues when verifying the database, fix an issue with rebuilt databases that didn’t retain thumbnails (an issue since version 2.8.8), add fullscreen mode support for search windows,
add additional commands to the contextual menu of HTML 5 videos, and fix a glitch in resizing PDF annotations.

The DEVONthink Pro and DEVONthink Pro Office editions now enable you to change the name of the global inbox via the Database Properties panel, and improve handling of databases that are being or have been moved to the trash. (All updates are free. DEVONthink Pro Office, $149.95 new, release notes; DEVONthink Professional, $79.95 new, release notes; DEVONthink Personal, $49.95 new, release notes; DEVONnote, $24.95 new, release notes; 25 percent discount for TidBITS members on all editions of DEVONthink and DEVONnote. 10.7.5+)

Read/post comments about DEVONthink/DEVONnote 2.8.10.

TidBITS Staff No comments

ExtraBITS for 4 April 2016

In ExtraBITS this week, the FBI has agreed to unlock an iPhone related to an Arkansas homicide, Verizon is adding a $20 fee to phone upgrades, and Amazon is trying to banish non-compliant USB-C cables from its store.

FBI to Unlock iPhone in an Arkansas Homicide Case — Apparently, it wasn’t just about one iPhone. Despite the government’s protestations that it wasn’t seeking a backdoor when asking Apple to unlock the iPhone in the San Bernardino terrorism case, the Associated Press is reporting that the FBI has now agreed to help an Arkansas prosecutor unlock an iPhone and iPod associated with a double homicide. It remains to be seen if the FBI will share its knowledge of how the unlocking is being achieved with Apple, but it’s conceivable that the hack works only on older
iPhones or models running a particular version of iOS. At that point, the FBI could both share the information with Apple and still use the technique on iPhones currently in the possession of law enforcement when possible.

Read/post comments

Verizon Wireless Adding $20 Upgrade Fee — According to a leaked memo published by MacRumors, Verizon Wireless is instituting a $20 flat rate upgrade fee for customers upgrading to a new iPhone or other smartphone in order to cover support costs. Starting 4 April 2016, the charge will be applied to new smartphones purchased on a Device Payment financing plan or at full retail price, and even to customers taking advantage of Apple’s iPhone Upgrade program. AT&T and Sprint, but not T-Mobile, have similar upgrade fees.

Read/post comments

Amazon Bans Non-compliant USB-C Cables — We’ve reported previously on how poorly made USB-C cables could ruin a laptop. Online retailer Amazon is now taking steps to protect its customers from such cables, adding to its list of prohibited items “Any USB-C (or USB Type-C) cable or adapter product that is not compliant with standard specifications issued by ‘USB Implementers Forum Inc.’” Amazon vendors caught selling faulty cables risk Amazon closing their accounts and destroying any merchandise stored in the company’s fulfillment centers. While this isn’t a
guarantee that all cables purchased through Amazon will work properly, third-party vendors now have extra incentive to sell only quality cables. We hope to see other online retailers follow Amazon’s lead, but even still, we recommend sticking with reputable manufacturers when buying USB-C cables.

Read/post comments