Thoughtful, detailed coverage of everything Apple for 30 years
and the TidBITS Content Network for Apple professionals

#1499: Apple’s record Q1 2020 profit; Google Voice as protection from spearfishing; iOS 13.3.1, iPadOS 13.3.1, macOS 10.15.3, watchOS 6.1.2, and tvOS 13.3.1

Apple has posted record-setting financial results for Q1 2020, with nearly $92 billion in revenue and over $22 billion in profit, thanks to the resurgent iPhone 11 and its popular wearables. The company also updated all of its operating systems last week, releasing iOS 13.3.1, iPadOS 13.3.1, macOS 10.15.3 Catalina, watchOS 6.1.2, and tvOS 13.3.1—read on for details and our update advice. Last but not least, Apple consultant Ivan Drucker joins us to explain how to use Google Voice as the centerpiece of a two-factor authentication scheme that addresses some of the problems with two-factor authentication apps. Notable Mac app releases this week include Security Update 2020-001 (Mojave and High Sierra), Safari 13.0.5, DEVONthink 3.0.4, URL Manager Pro 5.0, and Fantastical 3.0.

Michael E. Cohen, Josh Centers

In Apple’s Q1 2020, iPhone Rebounds and Wearables Soar

Reporting on its first-quarter 2020 financial results, Apple has announced net profits of $22.2 billion ($4.99 per diluted share) on revenues of $91.8 billion. The company’s gross revenues are up 9% compared to the year-ago quarter and net revenues are up by 11% (see Apple’s Q1 2019 Results: iPhone Bad, the Rest Good, 29 January 2019).

Although Apple’s overall results are very good—record-breaking, in fact—a look at the individual product categories reveals a more nuanced story, with income up for iPhone, Wearables, and Services, whereas both iPad and Mac sales were down in comparison to the year-ago quarter.

Q1 2020 revenue by product category

Q1 category revenues over time

Apple saw double-digit sales growth in the Americas and Europe, but only modest gains of 6.5% in Asia Pacific and 3.1% in Greater China, as well as a 9.9% decline in Japan. However, the China revenue growth, though low, is a cause for optimism, as it reverses that geographic sector’s revenue declines in recent quarters. In Europe, Apple brought in $23.3 billion, and sales in the Americas hit $41.4 billion.

Q1 2020 revenues by region

Apple faces a unique virus threat for the current quarter. Not a computer virus, but coronavirus, which was a topic in the quarterly investor call. CEO Tim Cook confirmed that Apple does have some suppliers in the Wuhan region, which is the epicenter of the outbreak, and that their facilities would be closed until at least 10 February 2020 at the recommendation of the Chinese government. Apple has closed all of its stores and offices in mainland China until 9 February 2020. Apple has also halted all non-essential employee travel to China for now, and while the company is taking reasonable precautions, such as cleaning stores, it’s a factor ultimately beyond Apple’s control.

iPhone

After a drop in Q1 2019, iPhone sales were up by 7.6% in Q1 2020, rebounding from $51.9 billion to $55.9 billion year over year. Cook said that the iPhone 11 was Apple’s top-selling model every week in the quarter. Cook credited the iPhone 11’s success in part to the new payment plan available for Apple Card holders, showing the value of the credit card to Apple besides just interest and transaction fees.

Q1 iPhone revenue over time

iPad

The iPad had a disappointing quarter, with sales dropping from $6.73 billion in Q1 2019 to $5.98 billion in Q1 2020, a double-digit drop of 11.2%. Cook, however, called out iPad sales growth in emerging markets such as Mexico and India. CFO Luca Maestri said that the decline can largely be explained by the release of the iPad Pro during last year’s first fiscal quarter with no such release this year. That does make sense, given that Q1 2020 is otherwise in line with the first quarters of 2017 and 2018.

Q1 iPad revenue over time

Mac

Mac sales were also somewhat disappointing, with a year-over-year decline of 3.5%. Apple sold $7.16 billion of Macs in Q1 2020, as opposed to $7.46 billion in Q1 2019. Although the Mac did see new models during the quarter, the release of the 16-inch MacBook Pro and the long-awaited Mac Pro may have come too late (or been too high-end) to make the kind of difference that last year’s release of the latest MacBook Air and refreshed Mac mini made.

Q1 Mac revenue over time

Services

As has been the recent trend, Services saw tremendous year-over-year growth, up 16.9%, from $10.9 billion in the year-ago quarter to $12.7 billion in Q1 2020. “Apple TV+ is off to a rousing start,” Cook said, although we have to assume that most Apple TV+ subscribers received it for free with the purchase of Apple hardware. Services achieved double-digit growth in all of its geographic sectors, and Maestri reported that Apple now has 480 million subscribers to the company’s paid service offerings. Apple expects that number to reach 600 million by the end of this calendar year.

Q1 Services revenue over time

Wearables

The Wearables category knocked it out of the park in Q1 2020 (Cook called it a “blowout quarter”), with an eye-watering 37% increase in revenue from last year, climbing from $7.31 billion in Q1 2019 to $10 billion last quarter. While Cook remains cagey with the real numbers, he said that the Apple Watch set an all-time revenue record in the quarter and that the Wearables category alone is now the size of a Fortune 150 company, largely thanks to the success of the AirPods. The AirPods revenues would have been even higher had the intense demand not created product shortages.

Q1 Wearables revenue over time

Overall

Apple’s revenues grow more complicated to track and forecast every year: for example, figuring out how Apple TV+ subscriptions contribute to overall Services revenue is complicated by the complimentary subscriptions Apple offers to new hardware buyers and by variable costs of producing Apple TV+ content—show business is like no business anyone knows!

In addition, Apple’s global supply chain and sales are always dependent on unexpected outside factors, such as the current coronavirus epidemic and political climate. Nonetheless, Apple looks to be on a roll, with its new products and services paying off and with more in the pipeline. You don’t need AR-enhanced glasses to see Apple’s near-term future as rosy.

Josh Centers

Apple Releases iOS 13.3.1, iPadOS 13.3.1, macOS 10.15.3, watchOS 6.1.2, and tvOS 13.3.1

With its engineers back on the job after the end-of-year holiday, Apple has released updates for all its major operating systems, though without any particular theme. iOS 13 gains a new privacy setting, iOS and iPadOS receive a fix for an easily circumvented parental control, and macOS tweaks performance for recent Apple hardware. Once again, watchOS and tvOS don’t merit detailed release notes.

iOS 13.3.1 and iPadOS 13.3.1

iOS 13.3.1 and iPadOS 13.3.1 offer a grab bag of fixes and one privacy-related improvement. In general, we see no reason to delay upgrading for more than a week or so to make sure there aren’t unexpected problems lurking in the updated code.

After privacy concerns surfaced about the ultra-wideband technology in the iPhone 11, Apple has added a feature to turn it off entirely in iOS 13.3.1. Just go to Settings > Privacy > Location Services > System Services and turn off Networking & Wireless.

The new Networking & Wireless setting

Almost immediately after iOS 13.3 and iPadOS 13.3 introduced the long-delayed capability for parents to limit who their children can contact via calls, FaceTime, and iMessage (see “Apple Pushes Out iOS 13.3, iPadOS 13.3, iOS 13.3 for HomePod, macOS 10.15.2 Catalina, watchOS 6.1.1, and tvOS 13.3,” 10 December 2019), kids found a way around it. iOS 13.3.1 claims to fix that.

Other changes include:

  • Both iOS 13.3.1 and iPadOS 13.3.1 resolve a mistake in Mail that could cause remote images to load even when the Load Remote Images setting is disabled.
  • Both iOS and iPadOS fix a bug that could cause multiple undo dialogs to appear in Mail.
  • Both operating systems address a bug that prevented push notifications from being delivered over Wi-Fi.
  • iOS 13.3.1 eliminates a momentary delay before editing a Deep Fusion photo taken on an iPhone 11 or iPhone 11 Pro.
  • iOS addresses an issue where FaceTime could use the rear-facing ultra-wide camera instead of the wide camera.
  • iOS addresses a CarPlay bug that could cause distorted sound when making phone calls in certain vehicles.

Our Watchlist contributor, Agen Schmitz, tells us that iPadOS 13 on his iPad Air 2 ran slowly and stuttered frequently, but the iPadOS 13.3.1 update has restored its snappiness.

The iOS 13.3.1 update includes 21 security fixes.

You can install the iOS 13.3.1 update—278.8 MB on an iPhone 11 Pro—and the iPadOS 13.3.1 update—180.6 MB on a 10.5-inch iPad Pro—from Settings > General > Software Update, in the Finder in macOS 10.15 Catalina, or using iTunes in earlier versions of macOS.

For older devices that can’t upgrade to iOS 13, Apple also released iOS 12.4.5 with “important security updates” but did not publish any CVE entries.

iOS 13.3.1 for HomePod

The 117.3 MB iOS 13.3.1 update for HomePod introduces an Indian English Siri voice, along with general fixes.

You can change your HomePod Siri voice by opening the Home app, touching and holding the HomePod tile, tapping the gear icon in the lower-right corner, and then selecting Siri Voice.

To update the HomePod manually (it should update itself soon enough), open the Home app, touch and hold the HomePod’s tile, tap the gear icon to bring up HomePod settings, and then tap Install.

macOS 10.15.3 Catalina

The 2.96 GB macOS 10.15.3 Catalina update offers 27 security fixes and a pair of highly specific improvements for recently released Apple hardware:

  • Optimizes gamma handling of low gray levels on Pro Display XDR for SDR workflows when using macOS
  • Improves multi-stream video editing performance for HEVC and H.264-encoded 4K video on the 16-inch MacBook Pro

Apple made no mention of the Mail data loss bugs that we’ve been hearing about (see “Beware Mail Data Loss in Catalina,” 11 October 2019), but our own Michael Cohen reports that after installing the update, macOS informed him that it was updating his Mail database. Let us know if you experience any data loss problems with Mail in 10.15.3.

Michael Tsai, who has been tracking this issue, wrote:

There’s nothing about it in Apple’s release notes, but from what I’ve heard macOS 10.15.3 fixes the bug where large numbers of messages stored “On My Mac” could be deleted when updating to Catalina or rebuilding Mail’s database. It does not fix the bugs where moving messages between mailboxes (via drag and drop, rules, or AppleScript) can delete them, duplicate them, or simply not move them at all.

You can install the macOS 10.15.3 update from System Preferences > Software Update. If you’re editing video on a 16-inch MacBook Pro or using a Pro Display XDR, you probably should install it soon. Otherwise, assuming you’re already running Catalina, it’s worth waiting to install it for a few days to make sure the community doesn’t report new problems. For those who haven’t yet upgraded from Mojave, and especially for those who move messages in Mail frequently, there’s still no harm in sitting tight for now.

watchOS 6.1.2

The watchOS 6.1.2 update “provides important security updates and is recommended for all users.” You can install the update, which weighs in at 98.8 MB on an Apple Watch Series 4, from the iPhone’s Watch app: go to Watch > General > Software Update.

There’s no reason to avoid this update, but it’s hard to get excited about installing it quickly. Do it some night when your Apple Watch is charging anyway.

tvOS 13.3.1

As usual, the tvOS 13.3.1 update notes are sparse, promising only “general performance and stability improvements.” The update includes 13 security updates, largely shared with the other operating systems. If automatic updates aren’t on, you can update your Apple TV HD or Apple TV 4K by going to Settings > System > Software Updates. We just let ours update automatically when they get around to it. Let us know if you notice any changes.

Ivan Drucker

Alternative Ways to Protect Yourself from Being Spearfished

If you, or people you know, have a public presence, high net worth, or something desirable to online thieves, conventional security best practices may not be sufficient. Increasingly, online thieves are targeting individuals directly via a technique called “spearfishing,” which relies on the shocking ease of stealing a cell phone number and then using it to reset passwords (see “SMS Text Message Login Codes Autofill in iOS 12 and Mojave, but Remain Insecure,” 4 October 2018). Authenticator apps are the generally accepted solution to this problem, but they can be problematic for a number of reasons, including being too difficult to use for non-technical users.

My partner Caroline Green and I co-own a Mac consulting firm in Manhattan. This year, we’ve seen two cases of spearfishing and heard of several others. In the cases we worked on, several critical accounts were stolen, such as email, domain hosting, and social media sites. While we were able to recover most of them eventually, there’s no guarantee that we could do so successfully in other situations. Further, the accounts were inaccessible for days, and reputation damage could have easily occurred via abuse of the accounts.

We worry that spearfishing will become more common as the tools and techniques of malicious actors become more sophisticated and widespread. The challenge for us as consultants and tech experts is to be able to offer our clients—especially those with high profiles or high net worth—comprehensive online security in a way that is easy for them to manage.

We came up with a technique that uses Google Voice text messages as an alternative to authenticator apps—although it requires a bit more setup, we think it’s easier to use and understand, plus it acknowledges some people have to allow trusted assistants or consultants access to their accounts. Our goal in sharing this technique is twofold. First, we hope that it might help other people looking for a similar solution, and second, we’re hoping outside scrutiny will reveal any potential weaknesses or vulnerabilities.

Where Are You Exposed?

First, let’s review some basics about keeping online accounts secure.

  • Prioritize Your Accounts: Not every account, such as your average retail or content site, needs bulletproof security. But others do. These include your email account, Apple ID, Google account, Microsoft account, social media sites, financial sites, domain registrar, DNS host, Web host, Web site content management system, online business applications, cloud storage, cloud backup, and photo sharing sites. In short, you should put more effort into protecting any account that contains something you wouldn’t want to lose, wouldn’t want to be revealed to others, or wouldn’t want to misrepresent you if an attacker were to use it.
  • Use Strong, Unique Passwords: We’ve all heard this advice, but it bears repeating. Do not try to memorize every password. Doing so means reusing the same passwords, or variants of a similar password. The risk is that if any one site suffers from a security breach, a depressingly regular occurrence, thieves now have access to all of your accounts. Every online account needs a unique, computer-generated password, remembered by a password manager, such as 1Password, Dashlane, LastPass, or at least the simpler ones built into current versions of Web browsers. I know only three of my passwords: the administrator password for logging into my Mac, my 1Password master password, and the password for my Apple ID. 1Password knows the rest.
  • Use Two-Factor Authentication: Two-factor authentication (2FA) is when you enter your password and then get a separate code or prompt, via text message, onscreen dialog, or authentication app, to verify that it’s really you, and not just someone who knows your password. Most Apple users see this when signing in with their Apple ID on a new device. You should enable 2FA for any important site that supports it. There are several flavors of 2FA that I’ll discuss more below.
  • Provide Fake Answers to Security Questions: In general, if you have 2FA enabled, you shouldn’t have or need security questions. But some sites require them, and in those cases, operate under the assumption that there are unseen, nefarious databases about all of us that correlate all kinds of information we might assume to be separate and private (the best-known are called “Facebook” and “Google”). Imagine that anyone can learn everything about you with a few quick searches. One way to thwart attackers from hacking your security questions is to make up nonsense answers—different for every site, of course—and keep them in the notes area of your password manager. What was the name of your first pet? “Macatma Gandhi.” What’s your birthdate? Pick a random date like “1/9/1919.”
  • Think You’re Important: It’s normal to think that good security is for other people because you’re too insignificant to warrant a thief’s attention. Alas, it’s 2020, and we’re all a lot more visible and important than we may believe we are. The phone number theft I’m about to tell you about was motivated simply because its owner also held a two-letter Instagram name—highly valuable on the Dark Web black market, as it turned out.

Your Cell Phone Number Is the Weak Link

Even if you do all of the above, you may not be safe. One of the two account thefts we saw involved a sophisticated attack in which the victim—who used strong passwords and a password manager—had thieves port his cell phone number from his SIM card to theirs. Once they had a phone with his phone number, it was trivial to gain access to his accounts by requesting password resets, since the confirmation codes were sent by text message.

You’re probably wondering how this could have happened. The thief used social engineering to persuade someone at the victim’s cellular provider to transfer the number. Lest you think that’s an unlikely scenario, consider it from this angle: anyone from anywhere in the world can call your carrier’s customer service, and every single employee who answers the phone has the capability of putting your number on another SIM card! That’s a lot of exposure. Most carriers offer a transfer lock, passcode, or PIN that they’ll require before porting a number.

I called my carrier and activated a PIN, and I keep it in my password manager. I strongly advise that you do the same—here are informational links for AT&T, Sprint, T-Mobile, and Verizon. However, I don’t want to rely solely on a carrier transfer lock. I don’t know how well they are implemented, and I assume that some thieves are really good at what they do and may be able to talk their way around it.

The Problem With Authenticator Apps

Security experts usually recommend that, rather than receiving a text message for two-factor authentication, you instead use an authentication app, such as Authy (see “Authy Protects Your Two-Factor Authentication Tokens,” 6 November 2014), Google Authenticator, or Duo Mobile. The app provides, on its own, a code that changes every 30 seconds. Some password managers, such as 1Password, can operate as an authenticator app as well. We agree that authenticator apps are a very secure method of getting a 2FA code.

Authy screenshot

The problem that we’ve found with standalone authenticator apps is that they’re not especially well designed. Our clients have difficulty setting up new accounts in them, and the apps are difficult to use even once set up. They’re serviceable for you and me, but I’m thinking about people who don’t read TidBITS. Even people who are already using a password manager that has authenticator app capabilities would have to scan QR codes and absorb concepts like “time-based one-time password” in order to set up 2FA.

Furthermore, for people like you and me, standalone authenticator apps have liabilities:

  • If an assistant, colleague, or consultant needs to access an account, both people have to configure the authenticator app for the account at the same moment, with the same seed.
  • Sometimes the account name shown within the app is obscured, causing confusion if the user has multiple accounts at the same site.
  • Support for authenticator apps on a desktop computer may be limited, hard to use, or nonexistent.
  • There is some risk of losing the 2FA codes after a device switch (we’ve seen this with Google Authenticator).
  • The user isn’t told exactly what to do during login—they need to remember to look at the correct authenticator app and find the single correct code from among the many listed.
  • Many sites don’t support authenticator apps at all and instead require that you be able to receive an SMS text message for 2FA.
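To make the “same seed” point in the list above concrete, here is an added example (not part of the original article) of how an authenticator app derives its 30-second code under RFC 6238. The seed is the RFC’s published test value, and the function names are this example’s own.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid, the interval the article mentions
DIGITS = 6   # code length most authenticator apps display

# Constructed sample: the RFC 6238 test seed ("12345678901234567890"),
# written in base32 the way a site's setup key or QR code carries it.
SAMPLE_SEED_B32 = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"


def decode_seed(b32: str) -> bytes:
    """Turn a base32 setup key into the raw shared secret."""
    cleaned = b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore any stripped padding
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238: the counter is the number of whole steps since the epoch."""
    return hotp(secret, unix_time // step)


def verify(secret: bytes, submitted: str, unix_time: int,
           window: int = 1, step: int = STEP) -> bool:
    """Site-side check: allow +/- `window` steps of clock drift and
    compare in constant time so the check leaks nothing through timing."""
    current = unix_time // step
    for drift in range(-window, window + 1):
        counter = current + drift
        if counter < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True
    return False


def shared_seed_demo(unix_time: int) -> dict:
    """Two devices enrolled with the same seed show the same code;
    a device enrolled separately (different seed) does not."""
    owner = decode_seed(SAMPLE_SEED_B32)
    assistant = decode_seed(SAMPLE_SEED_B32)       # enrolled at the same moment
    late_enrollee = b"a-different-seed-20b"        # constructed, hypothetical
    return {
        "owner": totp(owner, unix_time),
        "assistant": totp(assistant, unix_time),
        "late_enrollee": totp(late_enrollee, unix_time),
    }


if __name__ == "__main__":
    seed = decode_seed(SAMPLE_SEED_B32)
    for t in (59, 60, 120):
        print(t, totp(seed, t), "old code still accepted:",
              verify(seed, totp(seed, 59), t))
    print(shared_seed_demo(59))
```

Nothing but the seed and the clock goes into the code, which is why a colleague can only be added while the seed is on screen, and why anyone who later obtains the seed can generate valid codes indefinitely.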

1Password (and perhaps other password managers) elegantly addresses many of these concerns, such as by putting the security code on the clipboard during autofill, and notifying that it has done so. But building 2FA support into a password manager is not without its own issues:

  • Having both the password and the one-time code in the same app creates a risk of being permanently locked out of accounts if you lose access to the password manager due to a lost master password or data corruption.
  • Similarly, if there were some sort of breach of your password manager, a thief would have easy access to all accounts, despite 2FA being enabled.
  • Giving a colleague or other trusted party access to an account still requires either simultaneous setup, or a more expensive “Teams” plan that adds complexity by having a secondary shared vault.
  • Again, many sites don’t support 2FA via authenticator apps, instead requiring that you receive an SMS text message.

We went looking for another solution.

Google Voice as an Alternative to Authenticator Apps and Cell Phone Numbers

Google Voice is a free service that gives you a phone number suitable for both calls and text messages. You can access it via the Google Voice iOS app or a Web browser, and both can provide notifications.

Google Voice

The Google Voice service is attractive because it solves a lot of the problems we discussed with real cell phone numbers and authenticator apps:

  • The phone number can’t be ported without login access to the associated Google account—there’s no one to fall prey to social engineering.
  • Text messages are easily accessed from any browser or phone, making it easy for an assistant, colleague, or consultant to receive a code.
  • Users get a notification on their phone as they would with any text message, so there’s no change in user experience.
  • It’s easy for our clients to set it up for new accounts—all they have to do is provide an alternative phone number, rather than fuss with an authenticator app and a QR code.

Our approach is to create a new Gmail account—with no real, identifying information in the email address, first name, last name, or birth date fields—to host this Google Voice number. Then we add the Google Voice app to the user’s iPhone (and iPad if necessary) and sign them in. Because the account email address in no way identifies them and is used for nothing other than hosting the Google Voice number, a thief should never come across it. And, even if one did, they wouldn’t know to whom it belongs. (If you do try this Google Voice approach, be sure to remove your real cell phone number from your account, which is added by default during setup. If you don’t, an attacker stealing your cell phone number would still get the Google Voice text message codes. Also disable the default forwarding of text messages to your email address.)

With a strong password, the Google Voice account is secure. What if those credentials were lost? This may be overkill, but for account recovery of the Google Voice account, should it be needed, we use another non-identifying email alias associated with the user’s iCloud address. The actual, non-identifying iCloud account behind the alias can either be checked directly or forwarded to our client’s actual email. So, if a thief were to discover the recovery address for the Google Voice account, they couldn’t log into anything with it. We also record the account creation date and fake birthday, as Google may ask for them during account recovery.

By using the Google Voice phone number, our clients can easily set up two-factor authentication on any account simply by using an alternate phone number. When a code is needed, they are actively notified via text message notification. An assistant, colleague, or consultant can access the code as well. And the alternate phone number can’t be moved to a thief’s SIM card without login access to the Google Voice account.

Downsides to Google Voice for Two-Factor Authentication

The most significant disadvantage that we can see to this Google Voice approach is that if you don’t send a text message or make a phone call every six months or so, the number expires. Google warns you about this, of course, but it is best to be proactive, as we are for our clients. It’s a good idea to forward all mail sent to the Google Voice account’s Gmail address to an actively checked account, so that any warnings sent by Google are seen. It would also be smart to set a biannual reminder on a calendar.

Some Web sites may reject a Google Voice number or may not accept text messaging as a primary means of 2FA. I have seen this in a handful of cases. For example, Facebook will not accept a Google Voice number unless it is the first number you add to the account. CrashPlan supports authenticator apps, but not SMS. For these kinds of accounts, you would need to make a strategic decision whether to use an authenticator app (or a password manager that acts as one), enter the real cell phone number, or do without 2FA. Also, some prominent Web sites don’t support 2FA at all (I’m looking at you, Spotify).

Filtering spam in the Google Voice app

Adam Engst suggested another possible downside, which is the possibility of the Google Voice number receiving spam calls. We need to advise our clients to ignore all calls and voicemails in the Google Voice app. Better still, in the Settings area of the app, you can disable incoming calls, as well as filter possible spam, although this creates the risk of missing an important code if Google misidentifies it.

Finally, Google Voice is one of Google’s more peripheral products, so who knows if the company might drop it one day. Nonetheless, Google would likely provide sufficient warning for users to make alternate plans.

What Do You Think?

I’m not a professional security expert, but this system seems like it strikes the right balance between being safe enough and usable enough for our clients with high profiles or high net worth, or for those with an extra level of security consciousness. Do you see any glaring flaws or risks? Let us know in the comments.


Ivan Drucker is the founder and CEO of IvanExpert Mac Support in New York City. He is a former software quality engineer for Apple and began using his first Apple II in 1978, at the age of eight.

Watchlist


Security Update 2020-001 (Mojave and High Sierra)

Apple has released Security Update 2020-001 for macOS 10.14 Mojave and 10.13 High Sierra, patching a variety of security vulnerabilities in the older operating systems. The updates address several kernel-related issues that could allow malicious applications to execute arbitrary code with system privileges or read restricted memory, eliminate a memory corruption issue related to image processing that could allow a maliciously crafted JPEG to execute arbitrary code, patch a memory leak in the CoreBluetooth framework, and improve access restrictions to prevent malicious applications from overwriting arbitrary files. (Free. For 10.14 Mojave, 1.62 GB; for 10.13 High Sierra, 1.92 GB; security content release notes)


Safari 13.0.5

Apple has released Safari 13.0.5 for macOS 10.14 Mojave and 10.13 High Sierra, resolving two vulnerabilities that Apple also addressed in the version of the Web browser in macOS 10.15.3 Catalina; see “Apple Releases iOS 13.3.1, iPadOS 13.3.1, macOS 10.15.3, watchOS 6.1.2, and tvOS 13.3.1,” 28 January 2020. The update addresses an inconsistent user interface issue with improved state management to prevent address bar spoofing, and it improves UI handling in Safari Login AutoFill to prevent a local user from sending a password unencrypted over a network. Safari 13.0.5 is available only via Software Update. (Free, macOS 10.13.6 and 10.14.6)


DEVONthink 3.0.4

DEVONtechnologies has posted DEVONthink 3.0.4, adding a preference option for disabling Dark mode for documents while leaving the rest of the user interface in the dark. The update also improves importing and indexing of files and folders located in cloud folders, defaults to displaying search results sorted by score, adds valid Markdown links to image files dropped from the Finder into Markdown documents, retains link formatting when printing rich text documents or converting them to PDF, improves responsiveness while handling indexed folders on network volumes, and performs garbage collection of sync stores immediately after uploading changes to avoid unnecessary and possibly large downloads on other devices and to free up disk space. ($99 new for DEVONthink, $199 for DEVONthink Pro, and $499 for DEVONthink Server with a 15% discount for TidBITS members; free update; 92.8 MB; macOS 10.11.5+)


URL Manager Pro 5.0

Alco Blom has released version 5.0 of his venerable URL Manager Pro, first mentioned in TidBITS back in 1996 (see “More Bookmarks than Books, Part III,” 29 April 1996). The app enables you to collect and manage bookmarks in a system-wide bookmarks menu that you can access from the menu bar and that supports most Web browsers, including Safari, Chrome, Chromium, Opera, Firefox, and Vivaldi. Rewritten from the ground up as a 64-bit application, URL Manager Pro now supports macOS 10.14 Mojave and 10.15 Catalina, plus introduces such macOS features as Auto Save, Versions, and the Share button. The app is free to download, but it costs $35 to unlock all features (including toolbar customization and importing bookmarks). You can upgrade to the full version of URL Manager Pro 5.0 from previous versions for $25. ($35 new, $25 upgrade, 8.7 MB, release notes, macOS 10.13+)


Fantastical 3.0

Flexibits has updated Fantastical to version 3, a major release for the alternative to Apple’s Calendar app. Fantastical 3.0 boasts a refreshed user interface, a unified look across all platforms (macOS, iOS, iPadOS, and watchOS), and a new subscription pricing model. New features include the capability to propose multiple meeting times with others, 10-day AccuWeather forecasts that appear as a clickable icon on each day, support for Todoist tasks, and calendar sets that work across all platforms. Fantastical also lets users add “interesting” calendars that feature sports teams from around the globe (such as Fjölnir FC in Reykjavik, Iceland), favorite TV shows, and holidays from various countries, religions, and education systems.

Fantastical 3 Features

Previously priced at $49.99 as a one-time purchase for Fantastical 2 for the Mac, Fantastical 3’s new subscription rate for Fantastical Premium is $4.99 per month (or $39.99 annually, a 33% savings). The iPhone and iPad apps are now included with Fantastical Premium, whereas they previously cost $9.99 and $4.99, respectively.

If you own a Fantastical 2 license, launching the app will automatically offer to update it to version 3.0 with existing Fantastical 2 features unlocked and usable. However, that limited version lacks support for adding tasks, collaboration features, and even viewing the Day, Week, Month, and Year calendar views, thus limiting you to just the sidebar view. To use any of the new Fantastical 3 features or the standard calendar views, you’ll need to subscribe to Fantastical Premium.

A free, fully functional 14-day trial of Fantastical 3 is available after creating a Flexibits account and providing a credit card. ($39.99 annual subscription from Flexibits and the Mac App Store, 21.7 MB, release notes, macOS 10.13.2+)

ExtraBITS

Antivirus Maker Avast Sold Data on Millions of Users

A joint investigation by Motherboard and PCMag revealed that antivirus maker Avast collected Web browsing data from users of its antivirus products and sold it through its Jumpshot subsidiary. Jumpshot boasted of having access to “Every search. Every click. Every buy. On Every site.” and claimed its clients included Google, Intuit, McKinsey, Microsoft, and others.

It was revealed last year that Avast was collecting data from its browser extensions, which led Google, Mozilla, and Opera to remove those extensions from their respective extension stores. However, Avast could still collect data from computers on which users had installed its Avast Security antivirus software, as well as AVG AntiVirus, which the company also owns.

Jumpshot claimed that the data was anonymized, but a client could easily connect that data to other information to reveal user identities:

At first glance, the click looks harmless. You can’t pin it to an exact user. That is, unless you’re Amazon.com, which could easily figure out which Amazon user bought an iPad Pro at 12:03:05 on Dec. 1, 2019. Suddenly, device ID: 123abcx is a known user. And whatever else Jumpshot has on 123abcx’s activity—from other e-commerce purchases to Google searches—is no longer anonymous.

Shortly after these reports were published, Avast announced that it was eliminating its data-collection practices and shutting down Jumpshot. Regardless, we still recommend that you uninstall any products from Avast and avoid them in the future, given that the company did the right thing only under tremendous pressure from the press and legislators. Trust abused in such a significant manner cannot be regained by a single positive action.

We don’t run or generally recommend antivirus software, particularly the sort that sits in the background and scans continuously, because it can hurt performance. However, if you need to help a less experienced user who might have been suckered by adware or other malware, try the free version of Malwarebytes and run scans manually every so often.

Running a Malwarebytes scan

Apple Finishes Rolling Out Redesigned Maps in the US

When it made its efforts public in mid-2018, Apple had already spent four years overhauling its Maps data in the United States (see “Apple Is Overhauling Maps,” 29 June 2018). Now Apple says it has finished, and the improved US maps are available for all Maps users. Next on Apple’s radar is a set of improved maps for Europe. If you haven’t used Maps in a while, give it a try, since it has added substantially more detail with this update, as you can see in Apple’s animation.

An animation showing the new maps vs the old maps

Apple also noted that it has expanded support for Look Around, Apple’s answer to Google Street View. Look Around now supports New York City, the San Francisco Bay Area, Los Angeles, Las Vegas, Houston, and Oahu, with more cities on the way.

Look Around on an iPad

Tony Blevins: Tim Cook’s Cost Cutter

As iPhone sales growth slows, it’s becoming increasingly important for Apple to lower supply costs to maintain its profit margins. That’s where Apple’s Vice President of Procurement Tony Blevins steps in. Tripp Mickle of the Wall Street Journal profiled Blevins and his hardball tactics to get the best deals for Apple (if you can’t get past the Wall Street Journal paywall, AppleInsider has a good summary).

Apple has had a tumultuous relationship with Qualcomm over modem chips, and Blevins has been in the middle of it all:

At Qualcomm, which has dealt frequently with Mr. Blevins, executives found him friendly when asking for favors, calculating when pressing for lower prices and punishing when Qualcomm defied his demands.

Blevins has saved Apple hundreds of millions of dollars with tactics like inviting multiple glass suppliers for Apple’s new corporate campus to a Hong Kong hotel, putting them in separate conference rooms, and then bouncing from room to room, often with bluffed numbers. He’s also responsible for enforcing Apple’s strict non-disclosure policies, violations of which can open suppliers up to penalties of $50 million or more.

Before you judge Blevins or Apple harshly for such strong-arm tactics, it’s important to realize that the business world is often brutal, such that every large, successful company has—and needs—high-level executives like Blevins.

Apple in 2019: The Six Colors 2019 Report Card

How did Apple do in 2019 in the eyes of those who pay the most attention? Jason Snell of Six Colors has once again released his annual Apple report card, with ratings and comments from 65 Apple observers, including a number of TidBITS staffers and contributors. The Apple Watch and Wearables excelled in the report (as well as in Apple’s financial results, see “In Apple’s Q1 2020, iPhone Rebounds and Wearables Soar,” 28 January 2020), while the grades for Apple TV, HomeKit, and overall software quality suffered. No huge surprises there.

Six Colors 2019 Apple scores

Snell took the trouble to chart the differences from 2018, and you can observe some clear trends in the chart below. The two categories that took the biggest hits were software quality (thanks to shoddy work with iOS 13 and Catalina) and environmental/social advocacy (due in part to Apple’s actions related to the protests in Hong Kong), while Services saw a big uptick, reflecting Apple’s big investment in services in 2019.

Changes from 2018's Apple report card

As always, the full report is well worth reading, particularly for the pithy quotes from your favorite Apple pundits.