apple
- A friend sends you email.
- Mail.app periodically checks your email account to see if you have new mail, then fetches it.
- Mail.app gives you some sort of notification that you have a new message.
- A friend sends you email.
- The Gmail mail server sends a “push notification” to your phone, waking it up and alerting it that you have new email.
- The Gmail app on your phone fetches it.
- The Gmail app on your phone notifies you that you have a new message.
- The Spark app on your phone sends your email username and password to Readdle’s server where it’s stored until you ask Readdle to delete it.
- A friend sends you email.
- Readdle’s server continually checks your account for new email, and then fetches it.
- Depending on the contents of the email, Readdle’s server may do some extra processing on your behalf, and may send the Spark app on your phone a push notification to tell it you have new mail.
- The Spark app on your phone fetches your email from your mail server.
- The Spark app on your phone notifies you that you have a new message.
- iCloud Keychain (includes all of your saved accounts and passwords)
- A text-based language for writing Shortcuts,
- A compiler that turns the text language into “real” Shortcuts, and
- An IDE for writing the language.
- I pick a type of workout (like strength, core, or yoga) I’d like to try, and use the filter to choose a length of time I’d like to work out. I want to do strength training for 20 minutes? Here’s a list.
- From that list I choose a trainer. This is convenient if there’s one I like and I want to see more of their workouts, but not as helpful for choosing between them. The app makes the trainers’ biographies available but I was overwhelmed with choices the first time.
- Which exercises a workout includes. If my shoulder hurts, I might want to skip lateral raises.
- Which muscle groups it exercises. Sometimes I’d like to target specific areas like glutes or biceps or shoulders or quads.
- I log in to their store website.
- I view my order history and find my laptop.
- Apple has my MacBook Pro’s serial number on file with this order, and they also have a list of equipment covered by AppleCare. Since my laptop isn’t already covered, the site displays a “Buy AppleCare” button next to it.
- I click the “Buy AppleCare” button, choose to use my billing information that Apple already has on file, and click “Buy it now”.
- I get a confirmation email and move on to other things.
- A customer visits Apple’s store website.
- Under “Mac Accessories”, they click “AppleCare”.
- They see a new form titled “What’s your Mac’s serial number?” and a link to how to find that information.
- When the user enters their serial number, the website looks up that part information and selects the appropriate AppleCare plan for their hardware.
- They add the plan to their cart and check out normally.
- The user gets a confirmation email and moves on to other things.
- I logged into their store website and looked for a process like the one I described above.
- When that failed to materialize, I browsed around until I found the AppleCare plans in the store.
- After some rooting around, I found the correct plan and added it to my cart.
- I was given the option of picking my plan up in an Apple Store or having it mailed to me. Wait, what? Pickup? Mail? For a warranty? Fine — mail it.
- After a couple of days, my AppleCare plan arrived in the mail. It came in a large cardboard box with a tiny cardboard box inside it. The tiny box contained some printed material and a registration number, but no Apple stickers or anything else I’d actually want.
- Per instructions, I went to a separate section of the Apple website and entered my laptop’s serial number (which they already have on file from when I bought it last year!) and the AppleCare registration number (which they already have on file from when I bought it a few days earlier!).
- I agreed to the Terms of Service, which were identical to the now-completely-unnecessary printed copy that came in the box.
- After submitting those numbers, Apple asked if I wanted my coverage certificate sent by email or by postal service. “Telegraph” and “carrier pigeon” were not available options, so I chose email.
- Apple informed me that I’d successfully completed my application, that my registration was now in progress, and that I would receive my certificate when they had finished verifying my registration.
- That was over 12 hours ago. I didn’t get any kind of confirmation email, but my browser history helped me find the status page so I could check in on it today. It’s still stuck at “Registration in progress”, presumably while Gertrude from Accounts finds my punchcard in the filing cabinet.
Unusual shipping fail from Apple
I ordered a couple of Apple AirTags and keychain holders this weekend, and UPS dropped the package off on my doorstep a few minutes ago. The outer box had not been sealed in any way — no glue, tape, or anything:

The packages inside were bent on arrival, likely from the warehouse:

I hope this is an exception. If I were a new Apple customer, I’d be unimpressed with their vaunted first impression.
The Risks of Third-Party Email Clients
There are a lot of neat third-party email applications available for Mac and iOS. From an end user perspective, many of them are amazing and useful. From an information security, privacy, or legal perspective, many are horrible.
For example, Readdle makes a popular email client, Spark. Now, to be clear, I think Readdle is a good, competent, well-meaning company and that Spark is a nice app. My problem with their product isn’t because I don’t trust them, but because I have to trust them, and unnecessarily.
Here’s why.
How first-party email apps work
When I refer to a first-party mail client, I mean Apple’s own Mail.app, or the app that an email service company made to support their own system (such as Google’s Gmail app). These are a direct link between your computer and your email service, and are widely regarded as trustworthy and safe to use. That is, if you don’t trust Mail.app with your email, you probably wouldn’t be using a Mac or iPhone in the first place. If you don’t trust the Gmail app, you shouldn’t trust the Gmail service either. A third-party app, then, is one made by someone other than the company who made your computer’s operating system or your email service.
With that out of the way, here’s how the process of receiving an email works on these clients:
Alternatively:
That’s straightforward.
How some third-party email apps work
Spark could have been written to work like Mail.app, but Readdle chose not to, for a good reason that I understand and appreciate. All that “do I have new email?” checking can eat up a phone’s battery, and if someone sends you an email right this moment, it may take several minutes before you get a notification. However, this is where a giant privacy and security issue pops up. Spark works like this:
See the problem? Readdle has your login information and uses it to check email on your behalf. From their privacy policy:
INFORMATION WE COLLECT AND HOW WE USE THIS INFORMATION
OAuth login or mail server credentials: Spark requires your credentials to log into your mail system in order to receive, search, compose and send email messages and other communication. Without such access, our Product won’t be able to provide you with the necessary communication experience. In order for you to take full advantage of additional App and Service features, such as “send later”, “sync between devices” and where allowed by Apple – “push notifications” we use Spark Services. Without using these services, none of the features mentioned above will function.
By its design, you have to trust Readdle to read all your email if you want to use the Spark app, and that’s not OK. Depending on what line of work you’re in, it may not even be legal for you to allow another company to access your email if you don’t have a signed data use agreement (DUA) or HIPAA Business Associate Agreement (BAA) in place with that company. Google will sign a BAA if you ask them. Apple’s Mail.app design doesn’t require that because Apple never has access to your email account (unless you use iCloud email, which you shouldn’t be doing anyway if you’re working with HIPAA data). In fact, Apple can’t access your email usernames and passwords. From their iCloud security overview:
These features and their data are transmitted and stored in iCloud using end-to-end encryption:
And all of this to support push notifications, which are nice but that Mail.app never had in the first place. Note: Readdle’s service isn’t “push” behind the curtain, as their server has to regularly poll your email service to see if you have new mail. The difference is that it’s their server doing the polling using their electricity, not your iPhone. That’s a handy feature, but is it worth it? In my opinion, it isn’t. Further, I disagree with Readdle’s statement that the “send later” and “sync between devices” features require this arrangement. They could have been built to use an end-to-end encrypted service like iCloud, but Readdle chose not to. Again, they probably did that for decent reasons because Readdle is a good company, but they didn’t have to.
Conclusion
I’m using Readdle’s Spark as an example, but mail clients are all over the place privacy-wise.
Airmail’s privacy policy says:
If “Real-Time Mailbox Monitoring” is enabled for Gmail or Outlook, Office365, IMAP, and Exchange accounts, we store credentials solely to send push notifications.
Superhuman also stores your login information:
Authentication Tokens. When you sign in to the Service, we collect and store encrypted Gmail authentication tokens.
Postbox doesn’t collect your credentials:
We only communicate with Google’s email servers through IMAP, POP, and SMTP protocols, and never receive or store any messages or data from your Google email accounts on our servers. You can revoke Postbox’s access to Google services at any time.
That’s one of the less creepy terms in their privacy policy, though:
We may use information about your publicly available social media information, or your contacts’ publicly available social media information, in connection with our Services.
MailMate has a clear policy:
Passwords are most often required for MailMate to access the emails in your IMAP accounts and to send emails using SMTP servers. Regular passwords are stored (if you allow it) in the Keychain of macOS. Depending on your settings, this might be an iCloud-based keychain synchronized to your other devices.
Some accounts support OAuth2 authentication. In this case, a browser is used for authenticating your accounts and MailMate only gains access to so-called OAuth2 tokens. The tokens are used to access your accounts and MailMate never sees and never stores your password. The tokens are stored in your Keychain as described above.
If an app doesn’t have a privacy policy, don’t use it. If it does, read the policy. And if you work in a regulated industry like finance or healthcare, get your company’s legal team’s opinion before using a third-party app!
Wisdom of the ages
The iOS App Store recommended that I check out a meditation app named “Calm”, featuring “Wisdom from Shawn and Camila”. Shawn is 22 years old; Camila is 24.

With due respect, Apple, I’m not expecting a lot of wisdom from a couple younger than the sweater I’m wearing.
There are many wonderful things youth can bring. Experience of a life long-lived is not one of them. I don’t want to sound curmudgeonly, but they’re 22 and 24, and I expect they’ll have little to offer on mid-career thoughts, or watching one’s parents grow older, or coming to grips with mortality. Like, the guy’s been quarantined for the majority of the time it’s been legal for him to drink.
Review: Jellycuts
Jellycuts for iOS and iPadOS is 2 things:
As a programmer, this is super exciting to me because it feels like I spend too much time fighting against the limitations of the visual language. Now I can use the programming tools I work with every day to write my little applets, and store them in version control so that I can track changes and roll back mistakes.
It’s not a perfect system as the design of the Shortcuts app means that getting the compiled code into it is a little convoluted (but automated and as smooth as possible). That’s on Apple, though, and not Jellycuts. The author has done an amazing job with the tools available to them.
Jellycuts is a game changer. I haven’t gotten far with it yet, but if it works as promised on larger projects, I see it becoming the way I write Shortcuts. Get it at https://apps.apple.com/us/app/jellycuts/id1522625245.
Review: Apple Fitness+
I’ve been using Apple’s Fitness+ service since it became available. It’s still a young product and has lots of room to improve, but its fundamentals are solid. This is what I like and dislike about it.
What I like: doing the exercises
First, the workouts themselves are excellent. They offer exercises I’m not used to, and I’ve found that working with a trainer, even a pre-recorded one that isn’t talking to me personally, motivates me to push harder than I do when I’m working out alone. At the end of a workout I’m exhausted, and the next day my body reminds me that I did something difficult.
This is the litmus test, after all. A trainer that doesn’t challenge and doesn’t push me harder than I would push myself isn’t much of a trainer. Fitness+ meets this requirement in spades.
Second, Fitness+ has a lot of workouts. When it’s time to use one, I want help picking one that’s appropriate to me. The app’s “discoverability” is… decent:
If I know what workout I want to do, and which trainer I want to work with, Fitness+ is fine.
What I don’t like: finding the exercises
But that discoverability is barely sufficient, and leads to my sole criticism. Fitness+ could and should help me find new workouts that are appropriate for me personally, and today it doesn’t.
Within selections, the main differentiator in a screenful of similar-seeming workouts is the genre of background music. I know people may have strong preferences here but I don’t. As of writing there are 15 “Strength with Gregg” workouts. At a glance, I can’t tell the difference between them. Every screenshot shows exercises for both upper and lower body, even though most workouts target certain muscles. Navigating through each available workout exposes that information but it’s a lot of work when I’m ready to start lifting weights and would rather lift than investigate. Better titles like “Leg Strength with Gregg” would help a lot here.
There’s not an option to like or dislike workouts. I want a recommendation system like Apple Music’s: tell me what I might like based on what I’ve enjoyed, not just what’s similar to what I did last time.
Descriptions of workouts are more vague than they should be. For example, one reads “the focus of this workout is upper body, with a new element added to each move as you go.” But what part of my upper body? I want to know:
If Fitness+ had filters that let me specify that I’d like to work my triceps and lats for 20 minutes, or find one that includes hammer curls because that sounds good today, I’d use it a lot.
Workouts need more audio cues. I spend a lot of effort trying to look at the TV so I can pace myself with the trainer, and would like a consistent signal to complete a rep. I wish the producer would add a chime or beep after each movement so that I could follow along without contorting to see the screen.
Finally, many other Apple apps use Siri to power smart recommendations. Putting all the above together, I’d like to see a Fitness+ notification like “you skipped leg day. Here’s a good leg workout you’re going to like.” It’s easy to rationalize skipping a workout, but harder when someone’s reminding you that you’ve been a couch potato and giving you personalized suggestions for changing that.
Summary
It’s tricky to find an exercise I want in Fitness+, but that’s because there are so very many excellent ones to choose from. And that’s the important part: once I find workouts I like, they motivate me to work harder than I would on my own. I’ve found the accountability, even if it’s to someone who can’t see me and who I’ll never meet, to keep me moving. I am stronger and healthier for using the app than I would be without it.
Apple Fitness+ may have some rough edges, but for a new service that’s still improving, I’m into it.
Applecareless
While I almost never buy extended warranties, conventional wisdom is that you should always buy AppleCare for an Apple laptop. You have up to a year after buying your laptop to purchase the extended coverage. At a high level, you’re basically buying an insurance policy for a piece of hardware with a specific serial number. Why does Apple make this so difficult?
I bought my MacBook Pro directly from Apple’s website. Here’s how AppleCare purchase should work:
A lot of people bought their laptops through other sources, like local dealers, chain retail stores, and so on. Since Apple might not have any record of their purchase, here’s how that process should work:
In reality, the process is far less polished and, well, un-Apple-like:
I’d probably shrug the ordeal off if I were dealing with Best Buy, Microsoft, or some other company not known for their customer service. But Apple? This was the opposite of the kind of experience they usually provide and I’m disappointed that the process was so clumsy.