
How an Automated Mistake by Apple Killed All of a Mac Developer's Apps (9to5mac.com)

(Saturday August 08, 2020 @01:34PM (EditorDavid) from the thinking-different dept.)


Long-time Slashdot reader [1]philml writes:

> Popular Mac developer Charlie Monroe woke up to find that none of his users could run his software. Instead, Mac OS was giving a message saying that it "will damage your computer".

Monroe described the ensuing hassle in a blog post titled "[2]A day without business." In a later update he added that Apple "has called and apologized for the complications. The issue was caused by my account being erroneously flagged by automated processes."

But 9 to 5 Mac describes how Apple's mistake affected Monroe's apps:

> Users were unable to open them, and a message flagged them as malware, [3]advising users to delete the apps to avoid damaging their Macs.

>

> Developer Charlie Monroe, creator of the Downie video downloader, among other apps, said that Apple didn't even send him a message saying it had happened, and for several hours he didn't know whether he still had a business or not… He said that it took Apple 24 hours to partly fix the problem, removing the flags, though that still left him having to recompile, re-sign, and redistribute everything... Most app users will never know the story behind this, only that they bought an app, Apple told them it was malware, and they deleted it as instructed.

>

> It also seems unlikely to help Apple's antitrust battles, where many are arguing that the company holds too much power over users and developers alike.



[1] https://slashdot.org/~philml

[2] https://blog.charliemonroe.net/a-day-without-business/

[3] https://9to5mac.com/2020/08/05/mistake-by-apple/

Sounds Like A Lawsuit (Score:4, Insightful)

by DewDude ( 537374 )

I would say they did almost unrepairable damage to his venture and cost him quite a bit of money. They should have to reimburse him heavily for this. Automated systems should not be a replacement for human verification. If anything the lawsuit would help make the case against Apple. I mean they were so quick to take Microsoft to court over bundling IE4 with Windows....yet Apple is literally able to make or break a developer and nothing?

This type of shit has to stop.

Re: (Score:3)

by Registered Coward v2 ( 447531 )

> I would say they did almost unrepairable damage to his venture and cost him quite a bit of money. They should have to reimburse him heavily for this. Automated systems should not be a replacement for human verification. If anything the lawsuit would help make the case against Apple. I mean they were so quick to take Microsoft to court over bundling IE4 with Windows....yet Apple is literally able to make or break a developer and nothing? This type of shit has to stop.

While I agree with you, what are his actual damages? He could possibly prove he lost some sales on that day based on his daily sales volume, and some loss of reputation. I would think he could also claim damages for the time spent notifying users of the error on Apple's part; but that's likely an automated email to all registered users so not a lot of time. I am sympathetic to the idea that Apple owes damages, but the costs of pursuing a lawsuit may outweigh what he can collect.

Re: Sounds Like A Lawsuit (Score:3, Insightful)

by SleepingEye ( 998933 )

Every single user decided to uninstall his app because they're sheep. There still has been no notification to any of the users of the app that it was a mistake (you'd think this is a first step), so he's lost every single customer he's had. I hope you never run a company that, one day everyone just decides not to use you.

Re: (Score:2)

by Calydor ( 739835 )

I don't think it's fair to call someone a sheep when they get a warning that a program is malware, delivered by the OS, and then delete the program.

If they got that message and didn't delete the program, and it actually WAS malware, you'd call them computer-illiterate morons, wouldn't you?

Re: Sounds Like A Lawsuit (Score:2)

by Kitkoan ( 1719118 )

Loss of reputation? More like libel, as Apple told everyone that his apps were malware and to delete. Most won't go back to see the small developer to find the truth, since Apple has made a name of monitoring these things and knowing what's right from wrong (a la iOS app checking, and I know this isn't iOS).

Re: (Score:2)

by AmiMoJo ( 196126 )

Wait, if you paid for an app that gets flagged as malware you don't get an automatic refund?

Re: (Score:1)

by mrsam ( 12205 )

Who wants to bet that as part of obtaining a license for all the development tools on the Mac, access to Apple's tools for signing and distributing Mac software, there are at least four or five instances of the fine print indemnifying Apple from all damages, no matter how much they fuck up?

Re: (Score:1)

by ACForever ( 6277156 )

Sorry you will find around here apple is never wrong.

Re: Sounds Like A Lawsuit (Score:2)

by NoMoreACs ( 6161580 )

> Sorry you will find around here apple is never wrong.

Why do you make such ridiculous statements?

Here, I'll start: Apple was wrong. They should have backed-up their automated "malware watch" process with a final "human" approval step before doing all that Notification and Blacklisting shit.

But I'll bet it never happens again.

Re: Sounds Like A Lawsuit (Score:2)

by NoMoreACs ( 6161580 )

> This type of shit has to stop.

One false positive in how many App Approvals, and you raise your fist and proclaim "This shit has got to stop?!?!?"

Please.

I'd say that is actually a pretty robust algorithm, that just needs a manual "final signoff" added to make it perfect, or at least as perfect as possible.

Apple no doubt added the automated screening to catch stuff the human App Approval process may have missed. Unfortunately, they forgot to properly "close the loop" by letting a human have the final say whether to Blacklist an App.

Such an impact should have a human review (Score:3)

by Registered Coward v2 ( 447531 )

If you are going to revoke a certificate and warn people an app could damage their computer so it should be removed, you should have a human verify the action prior to taking it; at least if the developer has been a developer for some long enough period to indicate chances are they haven't gone rogue. I would also at least send the developer an email noting the action taken; even if it really is malware it's not like the developer won't realize something happened the first time they try to log into their account.

I doubt this type of kill switch happens that often that it can't be quickly verified; if it is a common occurrence, Apple has other problems than automated kill switches.

Re: (Score:2)

by Joce640k ( 829181 )

What would the human do? Run the script that checks a program for naughtiness?

Re: Such an impact should have a human review (Score:2)

by NoMoreACs ( 6161580 )

> I doubt this type of kill switch happens that often that it can't be quickly verified; if it is a common occurrence, Apple has other problems than automated kill switches.

I agree wholeheartedly with your entire post. I think maybe the Automated system could block purchasing of the App and put up an "Under Review" page on the App's listing-page; giving Apple time to conduct a thorough manual review, contact the Developer, etc. before a human makes the decision to Notify Users, Blacklist the App, and so forth.

As you said, this doesn't happen often enough to negate the feasibility of human "final say".

A step that I bet will be added to this process, pronto!

Horsecrap (Score:2)

by NagrothAgain ( 4130865 )

> Most app users will never know the story behind this, only that they bought an app, Apple told them it was malware, and they deleted it as instructed

No. This isn't App Store, to get his software you download it from his website, where he is more than capable of putting a big fucking sign saying "Sorry, Apple fucked up my Developer Certificate so you need to download this update."

Re: Horsecrap (Score:2)

by SleepingEye ( 998933 )

Why would someone who thinks their software is malware go back to his website? Also they revoked his certificate, which triggered this whole thing. It's entirely likely that non app store installs were also affected.

More to come - Stay tuned! (Score:2)

by AndyKron ( 937105 )

Just wait until an automated mistake kills everybody onboard a commercial airliner, say a Boeing 737 Max, or something

It can't have been that bad (Score:2)

by quonset ( 4839537 )

We're talking Apple. That's like what, one thousand people or so?

Mac OS security (Score:4, Interesting)

by Latent Heat ( 558884 )

I have a software bundle that I use to teach Software Defined Radio to Electrical Engineering students. The bundle includes an OpenJDK runtime, Eclipse along with software modules the students can write or modify.

I modify eclipse.ini to point within the directory tree of the bundle to make the whole thing self-contained. When I create a package and then try installing that bundle from the package, I get some kind of "This software is corrupted, it could be malware" message. I localized the problem to not using the Eclipse image as-is with eclipse.ini unchanged.

Our ECE department computer support dude is Mac-centric, but between the two of us we could not get this to work with the modified eclipse.ini text file. I suggested it may have something to do with a checksum in Eclipse and some manner of software signing protocol.

I am not making any money off this apart from being paid to teach at the U, but it seems the Mac Universe is adverse to this kind of thing. Maybe the problem is that Eclipse for Mac OS is signed and I am wanting to redistribute a modified Eclipse that triggers a malware detection?

The work around is to have students with Macs install Java and Eclipse on their own and have them follow several pages of written instructions on how to configure the Eclipse project for the course. Actually, the introductory CS course in programming is a prereq for my course, so they already have Java and Eclipse on their Mac laptop. But still, I would like to put a load-and-go bundle on my Web page for use by members of the local amateur radio group.

How hard is it to get some manner of software signing privileges on MacOS for an academic setting?

Cute (Score:2)

by Sebby ( 238625 )

It's really cute that they call this, an incident by a company that can spend $6B on a new spaceship campus, but obviously nothing on QA or to have someone monitor such an automated system to prevent such problems, a "mistake".

They should call it what this really was: a total fuckup.

Re: (Score:3)

by ghoul ( 157158 )

That campus is a total fuckup. It's an open plan office designed by some extrovert asshole. The engineers literally revolted when they were told they have to work open plan. Eventually Apple added some conventional buildings to the campus and stuck the marketing folks in the open plan space. After Covid19 guess who is working from home.

apple is pushing hard for app store only with cene (Score:2)

by Joe_Dragon ( 2206452 )

apple is pushing hard for app store only with censorship and the only thing that will save them is to have a censorship free part of the store if they don't want to give up the lock in.
