Thoughtful, detailed coverage of everything Apple for 33 years
and the TidBITS Content Network for Apple professionals


We have a great issue for you this week, starting in the security world, where Apple fixed a serious SMS vulnerability in the iPhone and we published the second edition of Joe Kissell’s “Take Control of Passwords in Mac OS X.” We also look at Google CEO Eric Schmidt’s resignation from Apple’s board of directors and what that signals for competition between the two firms, as highlighted by Apple’s rejection of Google Voice-related apps from the App Store. Speaking of the App Store, Adam notes that Apple is now requiring meaningless 17+ ratings for all Web-enabled iPhone apps. On the lighter side, Kevin van Haaren has started a Twitter meme collecting fake rumors about the Apple tablet Mac, itself merely a rumor. Finally, in product news, Adam reviews Boxcar, which provides iPhone push notifications of Twitter messages, Glenn Fleishman looks at the new 2 TB Time Capsule and the Eye-Fi Geo wireless photo card, and Joe examines Apple’s new MobileMe iDisk app for the iPhone. Other notable product releases include Flash Player, Adobe Acrobat and Reader 9.1.3, Path Finder 5.1.4, SpamSieve 2.7.5, and Fetch 5.5.1.

Doug McLean 3 comments

Apple Fixes Serious iPhone SMS Vulnerability

At this year’s Black Hat security conference, one of the largest conferences on Internet and computer security, researchers demonstrated the potential for SMS-based attacks on the iPhone that could disable the device or extract sensitive information from it. Although Apple reportedly was informed of the vulnerability 6 weeks ago, the company released iPhone OS 3.0.1 on 31-Jul-09, the day after the demo. The update is available now, via iTunes.

Researchers Charlie Miller and Collin Mulliner, of Independent Security Evaluators, carried out a denial-of-service attack on CNET correspondent Elinor Mills’s iPhone by sending her a specially crafted SMS message, or more accurately, hundreds of specially crafted SMS control messages, only the first of which was seen.

While the researchers only showed how attackers might use the method to disable a user’s phone, Miller said it was also possible to utilize this exploit to steal data, make calls, and send text messages. In fact, once having gained access to a user’s phone, an attacker could then spread the attack further by sending SMS messages to the numbers listed in the address book.

While a reboot would restore functionality to a disabled phone and is about all a user could do, it takes only seconds for an attacker to swipe sensitive data and gain access to the address book. Worse, although we haven’t seen commentary about this, since SMS uses a store-and-forward mechanism, messages sent while a phone was turned off would theoretically be delivered as soon as it was turned back on.

What’s especially dangerous about this attack is that it requires no action on the part of the user. Typically, iPhone attacks involve tricking the user into visiting a malicious Web site or opening a specially crafted file – thus giving potential victims at least some agency in their defense – but this one only requires that the attacker has the user’s phone number.

The exploit was made possible by a memory corruption bug in the way the iPhone handles SMS messages, and affects all versions of the iPhone OS before 3.0.1. If you haven’t yet updated to iPhone OS 3.0, now is your chance to go all the way to 3.0.1 and eliminate your exposure to this SMS vulnerability.

SMS-based attacks aren’t unique to the iPhone, with Miller and Mulliner also demonstrating this particular bug on an Android-based phone. Google patched the hole in Android last week, within a few days of being notified.

Tonya Engst No comments

Simplify Security with “Take Control of Passwords in Mac OS X”

We have it on good authority that Joe Kissell does leave his Parisian garret occasionally for fresh air, bread, and cheese, but you’d never guess it given how prolific he’s been lately. In his latest ebook – a 120-page, brand-new second edition of “Take Control of Passwords in Mac OS X” – you can read Joe’s latest advice for choosing and managing the ever-growing list of passwords that we modern Mac users are expected to handle.

After helping you match your personality and risk factors to how long and complex your passwords ought to be, Joe walks you through all the details of setting up your Mac so it has secure passwords without requiring you to type them more than necessary. He explains the Mac’s Keychain Access password management utility, and clues you in on what a keychain is and what the common ones are that you’ll likely find on your Mac. He also covers setting and using Web passwords (with specifics on how passwords are stored in eight different Web browsers), how to sync passwords between different Macs and to an iPhone or iPod touch, and how to handle password-related problems.

The ebook costs $10, and it comes with a coupon for a 20 percent savings on 1Password, Joe’s top pick for a third-party password management utility.

If you bought the first edition during 2009, look in your email for a free download link to the second edition. If you bought the first edition prior to 2009, check your email for an update notice or open your PDF to the cover (page 1) and click the Check for Updates button to access a 50-percent-off upgrade offer.

Jeff Carlson 3 comments

FCC Queries Apple, AT&T, and Google about Google Voice App

It looks as if Apple won’t be able to fall back on the utterly lame “I can’t go into granular detail” answer for why certain applications have been rejected and removed from the App Store. On 31-Jul-09, the U.S. Federal Communications Commission (FCC) sent letters of inquiry to Apple, AT&T, and Google asking about the circumstances that led to Apple rejecting a Google Voice app and removing previously approved third-party apps that used Google’s service.

According to an article at eWeek, Google submitted a Google Voice application six weeks ago, which was rejected. Soon after, related third-party apps were removed from the store.

Because the App Store is the only point of sale for applications for the iPhone and iPod touch, Apple has the power to approve or reject apps. For example, the company does not allow apps that include pornography or that circumvent the App Store for purchasing products.

The trouble is, many apps recently have been rejected on the grounds of “duplicating iPhone functionality,” without further explanation from Apple. That’s the reason cited for the removal of Riverturn’s VoiceCentral (the source for the quote above, relating a frustrating phone call from “Richard” at Apple) and other apps.

Apple is clearly hanging a lot of weight on this particularly thin branch, however, since numerous existing apps duplicate the functionality of the Notes app, the Weather app, and the Calculator app, to name just a few.

The features that Google Voice and related apps duplicate are ones provided by Apple’s Phone app – more specifically, features for which AT&T charges iPhone owners. Google Voice gives you a phone number, voicemail service (including text transcription of messages), and free phone calls. (Om Malik notes that the Google Voice service still uses AT&T’s network for calls, so AT&T is still making money from the minutes used by Google Voice subscribers.)

The FCC’s actions are part of a broader probe into exclusive mobile handset deals, such as the one that ties Apple and AT&T. Reading the FCC letter to Apple (PDF), it’s clear the FCC is interested in whether Apple acted on instructions from its cellular partner in the United States. Question #2 reads:

"Did Apple act alone, or in consultation with AT&T, in deciding to reject the Google Voice application and related applications? If the latter, please describe the communications between Apple and AT&T in connection with the decision to reject Google Voice. Are there any contractual conditions or non-contractual understandings with AT&T that affected Apple's decision in this matter?"

John Gruber at Daring Fireball noted that “a reliable little birdie has informed me that it was indeed AT&T that objected to Google Voice apps for the iPhone. It’s that simple.”

The FCC brings up questions that numerous iPhone developers have been asking. Question #6 reads:

"What are the standards for considering and approving iPhone applications? What is the approval process for such applications (timing, reasons for rejection, appeal process, etc.)? What is the percentage of applications that are rejected? What are the major reasons for rejecting an application?"

Although these seem to be easy questions, Apple so far hasn’t shared the answers. The company’s inconsistency when rejecting applications – and, more so, the black hole of communication about the review process – is making some developers question whether it’s worth investing time and money into creating iPhone apps. (Steven Frank, Justin Williams, Craig Hockenberry, and Layton Duncan have all written must-read essays about troubles developing for the iPhone, focusing on the App Store and Apple’s lack of meaningful communication, as well as the effects of low pricing of apps.) A blog called Application Submission Feedback is also collecting “unpublished rules and clarifications from Apple’s App Review team that can cause your iPhone app to be rejected.”

The FCC letter notes Apple can request that information or documents be treated confidentially, so we may not learn about the specifics of the Google Voice app rejection. Responses are due to the FCC by 21-Aug-09.

Adam Engst 5 comments

David Pogue’s “Take Back the Beep” Campaign

Kudos to David Pogue for using his New York Times soapbox to point out how the cellular carriers are padding their profits by adding short messages to voicemail greetings, to instructions for listening to your own voicemail, and so on. Sure, it’s only a few seconds, but when you multiply that by all the times you listen, it adds up. And when you multiply all the times it’s heard by all the cellular subscribers in the country (and indeed in the world), you can see how increasing call time by just a little bit can result in real money – our money – for the carriers. (Also be sure to read his followup post.)

This isn’t a conspiracy theory – cellular carrier executives have admitted this fact to Pogue. What can we do? Complain en masse. If the customer revolt is loud enough, perhaps the carriers will back down from these policies. Pogue assembled the following links to the four major U.S. carriers; I encourage you to complain to at least the one that’s billing you each month.

At least the iPhone does away with the extra messages; according to Pogue, Apple insisted that AT&T drop the pre-beep message for those using the iPhone.

Glenn Fleishman No comments

Time Capsule Bumped to 2 TB

Apple has pumped up the capacity of the Time Capsule, adding a 2 TB model for $499. The 1 TB version remains available, reduced from $499 to $299. The 500 GB Time Capsule has been discontinued.

The Time Capsule can host Time Machine backups on a local network, as well as acting as network-attached storage over AFP and SMB. The product also includes all the functionality of the simultaneous dual-band AirPort Extreme Base Station.

I’ve been down on Apple for a while for charging $499 for the 1 TB Time Capsule as drives of that capacity dropped to $100 or less, even with some of the same server-grade specs as those used in the Time Capsule.

The new price is in line with the value of a $179 AirPort Extreme plus a hard drive plus a little something for putting it into a single box.

For more information on using a Time Capsule for backups and networking, see my book, “Take Control of Your 802.11n AirPort Network,” and Joe Kissell’s “Take Control of Easy Backups in Leopard.”

Glenn Fleishman No comments

Eye-Fi’s Geo Targets Apple for Wireless Photo Transfers

Eye-Fi has extended its line of Wi-Fi-enabled memory cards with the $60 Geo model, which combines support for iPhoto with geotagging – the addition of geographic coordinates to a photo – at a relatively low price. The location data works with iPhoto ’09’s Places feature to position photos on a map. Eye-Fi sells a line of cards from $50 to $150 with varying features; this model will be available only from the online and retail Apple Stores.


The Geo automatically either transfers images to a folder on your Mac or imports the pictures into iPhoto. For an extra $10 per year, the Geo can be upgraded to upload images over the Internet to photo-sharing services, including MobileMe and Flickr. Eye-Fi also sells a model with local and Internet photo uploading and geotagging; it costs a flat $100, and also provides video uploads.

The Eye-Fi firmware originally uploaded every photo you took to a computer or an online service. A software update earlier this year lets you use the protect or lock feature that’s available in most digital cameras to select which pictures to upload (see “Eye-Fi Pro Card Adds Raw Uploads, Computer Transfers,” 2009-06-10).

Eye-Fi embeds a Wi-Fi radio and a processor into a Secure Digital (SD) card. The Geo sports 2 GB of storage; other models have as much as 4 GB. The Eye-Fi has to be configured with the company’s software while mounted on a computer, but can then automatically connect to networks you’ve programmed it to recognize and for which you provided Wi-Fi passwords.

The geotagging feature relies on Skyhook Wireless’s system for associating a snapshot of Wi-Fi network identifiers and signal strengths with latitude and longitude – it’s not using GPS and thus will work only when you’re within range of a Wi-Fi network that Skyhook has mapped. Skyhook’s system underpins the Wi-Fi positioning feature in iPhone OS 1.1.3 and later, and is used in various Mac OS X, Windows, and Android software as well. (See “Loki Here,” 2007-06-18, for background on Skyhook’s system.)

We’ve written about Eye-Fi extensively because of its Mac support. Adam Engst wasn’t fond of the Eye-Fi features as of a year ago – see “Why I Hate the Eye-Fi Share Wireless SD Card,” 2008-08-18 – while I was generally positive – see “Why I Like the Eye-Fi Explore Wireless SD Card,” 2008-08-18. Newer software and hardware have modified our opinions slightly.

Adam Engst No comments

Google CEO Leaves Apple Board, Signaling Increased Competition

Apple has announced that Eric Schmidt, CEO of Google, has stepped down from his position on the Apple Board of Directors. He had held that position since August of 2006. Genentech chairman Arthur Levinson remains on the board of directors for both Apple and Google.

In the statement, Steve Jobs said, “Unfortunately, as Google enters more of Apple’s core businesses, with Android and now Chrome OS, Eric’s effectiveness as an Apple Board member will be significantly diminished, since he will have to recuse himself from even larger portions of our meetings due to potential conflicts of interest. Therefore, we have mutually decided that now is the right time for Eric to resign his position on Apple’s Board.”

That’s a telling acknowledgement that Google and Apple are now competitors, something that has been becoming increasingly obvious over the last year, first with Google’s release of the Android mobile phone operating system and then with the recent announcement of the Chrome OS project, which is aimed at creating a Web-focused operating system for netbooks. The most recent dustup came with Apple’s rejection of Google’s official Google Voice app for the iPhone (see “FCC Queries Apple, AT&T, and Google about Google Voice App,” 2009-08-03).

In the past, it seemed as though Google and Apple were in some ways allied against Microsoft’s hegemony, despite working together only in limited ways, such as inclusion of the Google search field in Safari and support for Google Maps in the iPhone. Originally, Google and Microsoft competed largely in Web services, in Web searching, and with Gmail and Hotmail, for instance. Most recently, Microsoft sealed an agreement with Yahoo that uses Microsoft’s Bing search engine to power Yahoo Search.

But as Google has broadened its product scope, it’s become clear that we’re in a three-way game, with Apple, Google, and Microsoft all trying to compete in roughly the same ballpark. What’s most interesting about this three-way competition is that it’s as much a referendum on business models as products. Consider the following:

  • Apple uses a highly integrated product strategy to exert far more control over the entire user experience than either Google or Microsoft. Whether you’re talking about the Mac, MobileMe, iTunes, the iPhone, or the App Store, Apple controls all the pieces. The benefit is great product design in terms of both hardware and software, and a nearly seamless user experience. Apple makes money throughout the entire chain, but as a single supplier, Apple can’t always reach as many market niches. And on the downside, as we’re seeing with the App Store policies, when Apple does something wrong, there’s no recourse. Apple makes its money largely from selling hardware: Macs, iPhones, and iPods, with other products like iTunes and MobileMe adding value to the hardware.
  • Google focuses all of its efforts on increasing use of the Web, since 97 percent of its income comes from Web-based advertising. Aside from its search algorithms, which Google guards jealously, most Google products and services have open APIs and are released as open source. With Android and Chrome OS, it appears that Google will attempt to encourage widespread use by mobile phone and netbook manufacturers as a way of driving users ever more toward the Web and Google’s advertising. Although Google has been wildly successful on the Web, it remains to be seen if this product strategy will lead to significant revenue or if it’s more a way of achieving some level of independence from Apple and Microsoft, upon whose operating systems and browsers Google is largely dependent.
  • Microsoft has long used what is essentially a combination of Apple’s and Google’s approaches, mixing proprietary software with broad licensing. All the variants of Windows are proprietary, but Microsoft licenses versions of Windows to nearly all PC manufacturers and many mobile phone makers, and encourages independent software development. This gives Microsoft huge reach and incredible influence over the market, but far less control over the user experience than Apple exerts. Windows, Microsoft Office, and server tools remain major moneymakers for the company, while Microsoft’s online services continue to lose money; the company’s entertainment division turned a profit in 2008 after years of losses.

So we have three companies with very different business approaches: Apple makes money from hardware, Google makes money from Web advertising, and Microsoft makes money from software. And yet, they’ve all started to collide because the secret sauce for Apple’s hardware is its operating system software, because Google’s Web advertising is viewed primarily on Macs and Windows-based PCs, and because Microsoft is continually looking for new markets.

Thanks to the differences between these three companies, there will never be a single winner, which makes the competition even stranger, a bit like sumo wrestlers bumping each other around in the ring with no chance of winning or losing. It’s therefore impossible to predict anything about the future, other than that it will be interesting to watch.

TidBITS Staff 17 comments

RSS Feeds for TidBITS Comments

In the wake of rolling out our in-article commenting system three weeks ago – see “Introducing the TidBITS Commenting System,” 2009-07-03 – we’ve upped the ante with a pair of RSS feeds, one for comments on each article and another that displays all the comments posted on our site. The per-article feed lets you track comments on an article in which you’re interested or upon which you’ve commented without revisiting its Web page repeatedly, and the full “firehose” feed lets you get an overview of what’s being said across all our current articles.

On every article page with comments and new articles from now on, the per-article RSS feed is included in the page’s header so Web browsers can detect it, and an RSS icon with a link appears next to the start of comments for each article. The firehose comment feed is included in all page headers.

To subscribe to one of these RSS feeds, either click the RSS icon next to an article’s comments, or click the RSS button in the address field and choose your preferred RSS feed. (The RSS button in the address field appears in at least Safari and Firefox.)

Unfortunately, if you subscribe to the RSS feed for a particular article, you’ll have to delete that feed from your RSS reader manually once comments stop flowing in. It would be nice if the RSS spec had a way to say, “this feed is no longer being updated,” but that doesn’t seem to be the case. Note that we close comments 30 days after the publication of an article, so no comment feed will remain active for longer than a month.

RSS isn’t everybody’s cup of tea: Adam Engst avoids RSS like the plague to avoid spending his entire day reading interesting posts, while Glenn Fleishman regularly scans through the headlines of several hundred feeds in his RSS reader. Nonetheless, if you’re a fan of RSS, we hope you’ll find these new feeds useful, and we welcome suggestions of ways to improve them. (It’s difficult to simulate a threaded commenting system in a chronological and linear RSS feed.)

In the future, we plan to revamp our TidBITS account management system entirely to let you manage a variety of preferences surrounding TidBITS and Take Control. Once we have that new system in place, we anticipate providing some sort of email notification of new comments to subscribers.

Joe Kissell 7 comments

Apple Releases MobileMe iDisk app for iPhone and iPod touch

Ah, it seems like only yesterday that Apple made my just-released book on .Mac obsolete with their unexpected introduction of MobileMe (see “MobileMe Oh My (or, Apple Breaks Record in Making My Book Obsolete),” 2008-06-09). But clearly, Apple has continued to watch me carefully, because now, less than a week after we released version 1.1 of “Take Control of MobileMe,” the company has begun offering their free MobileMe iDisk app for the iPhone and iPod touch. We knew it was coming eventually, of course, since Apple announced it back in June, but we had no idea exactly when it would drop and didn’t want to hold off publication of the updated book indefinitely. (But don’t worry, we have readers covered, as I explain later.)

My inconvenience aside, I’m delighted to see the app, and I can report from one day’s use that it appears to do what it promises to do quite well.

The app is so simple, straightforward, and obvious, it’s hard to imagine why we haven’t had something like it all along. It lets you view the files on your iDisk (or another user’s public folder) from your mobile device – and share your iDisk-hosted files with others by emailing links to the files, much like you can do from the MobileMe Web site (see “Apple Adds iDisk Sharing Feature to MobileMe,” 2009-02-13). The app requires an iPhone or iPod touch (any model) with iPhone OS 3.0 or higher as well as, naturally, a MobileMe membership.

The first time you use the app, it asks for your MobileMe member name and password. It then shows a list of all the folders on your iDisk, and you can navigate through the hierarchy as in any other iPhone app.


Tap the name of any file to download and display it. The app supports all the usual file types, such as PDF, text, rich text, Microsoft Office, iWork ’09, and most popular audio, video, and graphics formats.

As you download files, the app keeps cached copies so you can view them repeatedly without waiting for them to download again. The cache size is adjustable from 50 to 200 MB. Unfortunately, caching doesn’t apply to audio and video files. Those are always streamed from your iDisk rather than being copied to your mobile device.

To share a file, you tap a sharing icon, enter one or more email addresses, and optionally change the subject and enter a message (just as in the mobile Mail app). To change the expiration date (1 month ahead by default) or add password protection, tap the Options field, make the desired changes, and then tap Email Link at the top.

The iDisk app also enables you to delete files, view any user’s public folder (as well as saving a list of frequently accessed public folders), view all your shared files (regardless of where they are on your iDisk), and see all recently viewed files.

Unfortunately, the iDisk app doesn’t let you move files to other locations on your iDisk, rename them, or edit them – not even simple text files. If you need any of these additional features, or the option to access other WebDAV servers, you can try any of numerous third-party apps that offer iDisk access. The downside to most third-party iDisk apps is that they require any file you share to first be downloaded to your iPhone or iPod touch and then sent as an attachment (so you must wait for it to transfer twice!). In other cases, you can email a link, but only to a file in your public folder, or to a file that’s been uploaded to a third-party server. By contrast, Apple’s iDisk app lets you email a link to any file already on your iDisk (whether in your public folder or not) – without having to download it to your iPhone/iPod touch at all.

Of course, I’ve been doing the same thing for more than a year already, thanks to SugarSync, which I described in “SugarSync Sweetens Online Syncing” (2008-08-30). Although SugarSync works just fine for what it does, it doesn’t connect to an iDisk (relying instead on the developer’s own online storage system). For those who store files on their iDisk for easy sharing and syncing between Macs, this new iPhone app is going to be immensely useful.

As for the now-outdated book: Since we knew this app was coming sooner or later, we have a plan in place to update the book with the latest information. In fact, I’ve already written the new material (some of which I excerpted in this article), and I’ve put it on the Web for owners of “Take Control of MobileMe,” version 1.1. Simply click the Check for Updates button on the first page of the PDF and then click the Blog tab – it’s all in there, and we’ll create a revised PDF as soon as our schedule permits.

Kevin van Haaren 2 comments

Fake Apple Tablet Rumors

I woke up last week to find the tech blogs had gone berserk speculating on the rumors swirling around the Apple Tablet – even going so far that PC World’s Michael Scalisi published a column declaring that the unseen, unannounced, completely hypothetical Apple Tablet was already a train wreck.

Inspired by John Moltz’s (mostly still on hiatus) Crazy Apple Rumors site, I decided to start posting on Twitter the silliest rumors I could think of for the Apple Tablet. So, for your reading pleasure, here are a few of my speculations on what must surely be the real Apple Tablet specifications.

I heard the Apple Tablet will be round.

I heard the Apple Tablet will be exclusively available at the Microsoft Store.

I heard the Apple Tablet in Scotland will be available in the colors of your clan tartan.

I heard the Apple Tablet will have a super battery saver mode where the GUI is turned off, leaving just Terminal.

I heard the Apple Tablet's back will be covered in solar panels and can recharge a Prius in 2 hours.

I heard the Apple Tablet will run so hot that men will be required to wear a modified iPod sock to protect the family jewels.

I heard the Apple Tablet will have a dock where you insert your iPod touch/iPhone and have a dual CPU.

I heard the Apple Tablet will have not one but two cup holders.

I heard Apple Tablet will have a "Back to My Owner" feature where when lost it will call a cab to come take it home.

I heard the Apple Tablet will fold to fit in your pocket.

I heard the Apple Tablet will not only be the Technicolor Kindle but comes with a free Technicolor DreamTurtleNeck.

I heard the Apple Tablet will play movies in 2168p.

I heard the Apple Tablet will include support for FidoNet for free.

I heard the Apple Tablet will include a vibrate mode intended to help with lower back pain.

I heard 1 in 1000 Apple Tablet boxes will actually contain a gold brick.

I heard the Apple Tablet touch screen will be so sensitive it will pick up each individual bristle in a paint brush.

I heard the Apple Tablet will not only include TiVo functionality but can do so in HD over EDGE networks.

I heard the new Apple Tablet won't have a DVD drive, but will support scent-releasing odor disks.

I heard for every Apple Tablet you buy, Apple will donate two to needy kids in private schools.

I heard the Apple Tablet will come with free cell access like the Kindle but includes voice!

I heard the Apple Tablet will play Xbox and Wii games.

I heard the Apple Tablet will have a screen on both sides.

I heard the Apple Tablet will ship with the entire Beatles collection and be signed by John Lennon.

Twitter has a tagging mechanism called hashtags that enables you to group tweets by a particular subject. I tagged all my tweets as #FakeAppleTabletRumors so they’re easy to find. I have no monopoly on this brilliant idea, so be sure to chime in with your own fake rumors. Lots of people, including a number of TidBITS staffers, have already joined in. Just be sure to tag your posts in Twitter with the #FakeAppleTabletRumors hashtag as well, so they’ll be easy for everyone to find in the Twitter search engine.

Adam Engst 2 comments

Apple: Web-enabled iPhone Apps Aren’t for Kids

The App Store’s tenuous grip on sanity continues to slip. Selznick Scientific Software’s PasswordWallet is a password storage and auto-typing utility that can synchronize its files with the Mac version of the program. Sounds like exactly the sort of thing you’d want to keep young children away from, doesn’t it? If you were to believe its 17+ rating in the App Store, you might do just that.

Here’s the story. Under recently changed App Store policies, any app that enables the user to visit an arbitrary Web site, which is true of PasswordWallet and many other programs, must be rated 17+ or it will be rejected. Apple’s goal is obvious – there are plenty of things on the Web that parents might not want their young kids to see. But as is all too common with the App Store, Apple has biffed the implementation of this goal.

As you can see in this screenshot from the App Store, PasswordWallet’s capability to display any Web page awards it not just a 17+ rating, but an almost shocking array of reasons for the rating, including such parent-worrying descriptions as “Frequent/Intense Sexual Content or Nudity,” “Frequent/Intense Horror/Fear Themes,” and “Frequent/Intense Realistic Violence.” Dangerous things, those password utilities.

It’s certainly true that there are plenty of Web sites that meet these descriptions, but given that the iPhone’s own Safari provides access to exactly the same ghastly Web sites as PasswordWallet, it seems like overkill to splash warnings all over PasswordWallet’s page on the App Store. (Not all similar apps yet have this rating; I believe that it is being applied only to new apps and updates submitted after the policy change.)

Now, you might say, “But what about parental restrictions? Perhaps the great and benevolent Apple is just protecting the sensibilities of our tender youth, since Safari can be disabled in the Restrictions area of the General settings.”


You have a point, but Sanford Selznick, PasswordWallet’s developer, is one step ahead of you. If you disable Safari in the Restrictions, it disappears from the Home screen entirely. PasswordWallet remains, but as soon as you attempt to visit a site via PasswordWallet, it reports “Content Disabled. Check your Safari Restrictions in General Settings.”


So PasswordWallet isn’t doing anything that Safari can’t do, and it’s even honoring the parental restrictions set for Safari, which should alleviate any concerns that your little nipperkin will immediately start browsing the Web for naughty pictures when you let him play with your iPhone during a boring dinner party. And if you think about it, PasswordWallet is even less prone to abuse than other apps, since it must be fed a password before any browsing can be done. In fact, it’s a useful way to bookmark sites that might be inappropriate for a kid to view without letting them appear in Safari.

But PasswordWallet’s virtues aside, every Web-enabled app in the App Store will start being branded with that scary list of descriptions, since it’s the only way to get in. That’s going to generate an increased customer support load for all such developers, will result in all these apps explaining why they’re 17+ in their descriptions, and will likely hurt sales in the short term. Eventually, the overuse of the 17+ descriptions will render them entirely meaningless, which won’t be good for the App Store in general.

Sanford tells me that he’s already started to receive a non-trivial number of questions about the 17+ rating for what seems like a thoroughly innocuous utility, so I think the process has started.

Sanford tried to explain all this to Apple, but to no avail. He submitted PasswordWallet three times, each time upping the rating after being rejected. For the final attempt, he gave PasswordWallet the highest possible rating, since each rejection took 8 to 10 days, and he couldn’t afford to keep playing the guessing game with Apple when his explanation of how he was honoring the Safari restrictions was falling on deaf ears.

One general solution to this problem is obvious and has been proposed already by Instapaper developer Marco Arment. When developers are describing their apps (Marco published a screenshot of the relevant interface), there could be an option for “Unfiltered Internet Content” that could go along with the 17+ rating on Web-enabled apps instead of the bits about sex and violence. That might not describe PasswordWallet accurately, given that it honors the Safari restrictions, but I’ll bet Sanford would far rather have his app described as allowing “Unfiltered Internet Content” than some of the nasty-sounding things it purportedly allows now.

Another solution would be for Apple to realize that what Sanford has done in honoring Safari’s restrictions could be a general requirement for apps that provide unfiltered access to the Internet. That way, any parent concerned enough about Internet content could restrict access to Safari and all equivalent apps simultaneously.

Either way, we can only hope that Apple will refine this policy to make future ratings accurate and sensible so Apple’s goals don’t hurt iPhone developers or the App Store in general.

Adam Engst 3 comments

Boxcar Offers Push Notifications from Twitter

SMS messages on the iPhone are priced usuriously at 20 cents each in the United States unless you pay for a monthly SMS plan, but there’s no question that they’re useful. That’s largely because the recipient is notified as soon as they arrive, but the interruption is minor in comparison with a voice call.

With the addition of push notifications in iPhone OS 3.0, many of us started looking for ways we could avoid SMS charges while still enjoying SMS’s basic functionality. The first possibility was a new version of AOL Instant Messenger that offers push notification of incoming messages (see “AIM for iPhone Adds Push Notification,” 2009-06-24). But with AIM for iPhone, you must sign in explicitly, and even though you can remain signed in for 24 hours, it still requires that you remember to sign in repeatedly and that your friends also be signed into AIM.

Thanks to a new $2.99 iPhone app called Boxcar, there’s an alternative. Boxcar is a special Twitter client that, once you’ve installed the app and connected it to your Twitter account, sends you push notifications of direct messages and @ mentions. Boxcar is rated at 17+ because Apple requires that all Internet apps be so branded, but the only mature content you might see is that sent to you by your Twitter friends (see “Apple: Web-enabled iPhone Apps Aren’t for Kids,” 2009-07-28).


(In Twitter, if you want to reply to someone publicly, you start a tweet with their username, prefixed with an @ sign; the @username convention is also used within tweets as a way of linking the tweet to that person. Boxcar picks up all @ mentions, regardless of where in the tweet the username appears. To send a private, direct message to someone you’re following and who is also following you, start the message with a D, followed by a space and the person’s username.)

Boxcar is utterly simple. A settings screen lets you select whether you want to be notified of direct messages and/or mentions, and it also lets you choose from a set of popular iPhone Twitter clients for reading incoming tweets; the main utility there is ease of replying to mentions in a familiar interface. Unfortunately, Boxcar can only launch another Twitter client; it can’t actually get the client (at least with Twitterrific) to display a particular tweet.


Boxcar also provides a list of people with whom you’ve traded direct messages, and tapping one shows the messages to and from that person, in an iChat balloon-style interface. You can easily reply to a direct message from within Boxcar itself, so you may prefer to have direct messages open Boxcar instead of another client.


You control how you’re alerted to notifications in the iPhone Settings app, in Notifications. I’ve turned off sounds, since even though I have the ringer off on my iPhone nearly all the time, even hearing the iPhone vibrate can wake me up if I have it in the bedroom (which I often do, since it makes a good alarm clock).


In my testing, Boxcar worked perfectly with direct messages, showing alerts with only a 20-30 second lag in comparison with when I saw the message in my email, and often faster than it appeared in TweetDeck. With mentions, Boxcar worked, but if two messages come in at the same time, one won’t appear as a push notification. Of course, it does appear in your Twitter client, so it’s not lost, just not displayed at the main screen.

I’m not certain how much control Boxcar’s developers can exert over push notifications, since I’m still becoming accustomed to them. If it were possible, I’d love to see Close and View buttons associated with each notification, much like Calendar notifications, rather than being forced to unlock the phone and go to a particular app. After all, with a Twitter message, you can likely see the entire thing in the notification.

More generally concerning is what will happen when there are too many apps pushing notifications to my iPhone. The current interface for displaying and handling push notifications clearly won’t scale, so hopefully Apple has something else in mind for iPhone OS 3.1. TechCrunch devoted an article to this worry recently as well.

Of course, for Boxcar to be useful, the people you want to be able to contact you must be able to use Twitter. Though it’s free and easy to use Twitter, it’s certainly less ubiquitous than SMS support across the mobile phone industry. For my purposes, though, the vast majority of people with whom I would want to trade SMS messages use Twitter much more commonly, so it’s not a significant limitation.

Other Apps — As is unfortunately common in the App Store, when I found Boxcar, it was the only app providing push notifications for Twitter. Going back into the App Store after a few days of testing, I see that there are at least several other similar apps. The $1.99 iTweetReply looks quite similar (but claims to queue multiple notifications and offer badge-number updates), as does the $0.99 Tweet Push (although it requires a separately funded account and charges on a per-notification basis), whereas the $4.99 SimplyTweet appears to be more of a full-featured Twitter client.

In time, I imagine that most Twitter clients will offer push notifications of direct messages and mentions, but until then, Boxcar or one of these other apps will give you the immediacy of an SMS message without the cost.

Doug McLean No comments

TidBITS Watchlist: Notable Software Updates for 03-Aug-09

Flash Player from Adobe is a security update to the commonly used browser plug-in. The update addresses a critical vulnerability previously identified by Adobe (see “Adobe Warns of Critical Flash Vulnerability,” 2009-07-24) that could be exploited by an attacker to take control of a user’s system after a program crash. (Free update, 5.66 MB)

Adobe Acrobat 9.1.3 and Reader 9.1.3 from Adobe are security updates to the longstanding PDF software. The updates address the critical vulnerability in Flash (see “Adobe Warns of Critical Flash Vulnerability,” 2009-07-24) that could be exploited by an attacker to take control of a user’s system after a program crash. (Free update, 6.1/3.1 MB)

Path Finder 5.1.4 from Cocoatech is a feature-focused update to the advanced file search utility that Matt Neuburg recently praised in “Path Finder 5 Beats the Finder’s Pants Off” (2009-06-29). Changes include added support for Back to My Mac, the capability to remove the Finder icon from the Dock, adjustable desktop grid spacing, compatibility with trackpad swipe gestures for moving forward and backwards, and the capability to display WebDAV volumes. A full list of changes is available on Cocoatech’s Web site. ($39.95 new, $19.95 upgrade, 22.2 MB)

SpamSieve 2.7.5 from C-Command Software is a maintenance update to the powerful Bayesian spam filtering software. Changes include improved FAQ and instruction sections, new scrollable search fields, an enhanced crash reporter, and updated Dutch, Japanese, and Korean localizations. Also, two bugs have been fixed: one that would cause Apple Mail to freeze on launch if you had created a rule involving address book groups, and one that would cause the program to crash if more than one copy was installed on your machine. ($30 new, free update, 3.9 MB)

Fetch 5.5.1 from Fetch Softworks is a maintenance update to the longstanding file transfer software. Several issues have been addressed, including rare crashes due to missing default editors when uploading files and opening preferences. Also fixed are rare freezes that could occur when getting file lists, and delays that could occur while renaming items when the list of recent folders is especially long. Several other smaller bugs have also been fixed and can be found in the update’s full release notes. ($25 new, free update from 5.5, 16 MB)

TidBITS Staff No comments

ExtraBITS for 03-Aug-09

Apple Boots Google Voice Apps From App Store — Macworld reports on Apple’s rejection of both the Google Voice iPhone app and third party apps that interact with the telephony service. Apple cites the fact that the Google Voice app provides “duplicate features that come with the iPhone” as its basis for barring it from the App Store. Google Voice provides free SMS messaging and cheap international calling, thus arousing widespread suspicion that AT&T is behind the decision. (Posted 2009-07-29)

New iPhone 3GI Visible Only to Most Loyal of Customers — The Onion uncovers Apple’s newest device, the iPhone 3GI, which boasts a widescreen display that “features the most brilliant colors and finest resolution ever imagined.” However, in a nod to the company’s loyal fan base, only true believers can see the amazing device; it’s invisible to everyone else. (Posted 2009-07-29)

Jeff Carlson No comments

Hot Topics in TidBITS Talk for 03-Aug-09

Cause of Font Cache Bug Revealed? Readers look for solutions to the font-related bug that Matt Neuburg wrote about. (3 messages)

Apple has 91% of market for $1,000+ PCs, says NPD — Readers talk about whether dramatic price cuts to the low end of the Mac line would actually boost sales. (30 messages)

Cinema Display — When replacing a monitor, do Apple displays actually stand out from the crowd in terms of image quality and color fidelity? (22 messages)

Microsoft Entourage database corruption — Learn how to correct database corruption in Entourage. (5 messages)

Deleting multiple PDF pages — nasty Preview bug — Deleting several non-contiguous pages in Preview deletes the right number of pages, but not the pages you selected. (2 messages)

Stream surround sound audio Mac to Mac? VLC may be the solution to streaming surround-sound audio. (2 messages)