Hacker News | aaronbrager's comments

In realms of app and UI, A tapestry of code so fine, There lies a typo small, unseen Within the onboarding scene.

Yet let us not forget, my friend, The privacy we must defend, To clearly state, with policy, The text discarded, logs set free.

And so, amidst these digital features, I find delight in poetry's creatures, Conversion, art, in cyberspace, A wondrous blend of code and grace.


Beautiful.


Apple Music has replaced the biography and music for Ian Curtis, lead singer of the highly influential band Joy Division, with a different artist also named Ian Curtis.

Previously the page had both artists mixed together. I opened a bug report about it (FB12066940), and they deleted the legend instead of separating it into two separate artist pages.


The “bearer” prefix indicates the token is a “bearer” type token, as defined in RFC 6750. As opposed to, for example, a “mac” token type.

The bearer token can be a JWT, but can also be a different format of bearer token as long as it conforms to the requirements in the spec (i.e., only certain characters are allowed).

A “bearer” token means whoever has the token has authorization to perform the action. (Section 1.2 of the RFC goes into more details.)


Isn't that just fancy phrasing for a username/password?

Most APIs just have you set a key in the "Authorization" header. I don't get what value the "Bearer " prefix adds.

That RFC is strange and seems it can be summarized in one line:

Include header "Authorization: Bearer [API key]" for authenticating API calls.


The specified (RFC 7235) syntax of the Authorization header is that it starts with an authentication scheme, followed by the parameters for that scheme. "Bearer" is one of those schemes. "Basic" and "Digest" are others.
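The two comments above describe the Authorization header as "scheme, then scheme-specific parameters" (RFC 7235) and the Bearer scheme's token as a restricted character set (RFC 6750, section 2.1). The following is an added example, not code posted by any commenter on this page, showing how a server-side check would parse the header that way: split off the scheme (case-insensitively, as RFC 7235 requires), and only if the scheme is Bearer apply the b64token grammar from RFC 6750. The sample header values are constructed for illustration; `mF_9.B5f-4.1JqM` is the example token that RFC 6750 itself uses.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 7235, section 2.1: credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
# auth-scheme is a "token" made of tchar (RFC 7230, section 3.2.6). The scheme
# name is matched case-insensitively by the caller.
_SCHEME_RE = re.compile(r"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+)(?:[ \t]+(.*))?$")

# RFC 6750, section 2.1:
#   b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
# At least one non-'=' character, then optional '=' padding, nothing else.
_B64TOKEN_RE = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")


@dataclass
class Credentials:
    scheme: str            # as written in the header, e.g. "Bearer", "Basic", "Digest"
    param: Optional[str]   # everything after the scheme, or None if absent


def parse_authorization(header: str) -> Optional[Credentials]:
    """Split an Authorization header value into scheme and parameter part.

    Returns None if the value does not start with a syntactically valid scheme.
    The parameter part is returned untouched; interpreting it is up to the scheme.
    """
    m = _SCHEME_RE.match(header.strip())
    if not m:
        return None
    return Credentials(scheme=m.group(1), param=m.group(2))


def extract_bearer_token(header: str) -> Optional[str]:
    """Return the bearer token if the header carries a well-formed one, else None.

    A header that names another scheme ("Basic ..."), a bare key with no scheme,
    or a Bearer credential whose token violates the b64token grammar all yield None,
    so the caller can reject the request before any token lookup or signature check.
    """
    creds = parse_authorization(header)
    if creds is None or creds.scheme.lower() != "bearer":
        return None
    if creds.param is None or not _B64TOKEN_RE.match(creds.param):
        return None
    return creds.param


if __name__ == "__main__":
    # Constructed sample header values (not from any real service).
    samples = [
        "Bearer mF_9.B5f-4.1JqM",            # the RFC 6750 example token
        "bearer mF_9.B5f-4.1JqM",            # scheme names are case-insensitive
        "Bearer eyJhbGciOiJIUzI1NiJ9.e30.c2ln",  # JWT-shaped: base64url + '.' fits b64token
        "Basic dXNlcjpwYXNz",                # a different scheme, not a bearer token
        "mF_9.B5f-4.1JqM",                   # bare key with no scheme at all
        "Bearer",                            # scheme with no token
        "Bearer not a token",                # spaces are not allowed inside b64token
    ]
    for value in samples:
        creds = parse_authorization(value)
        scheme = creds.scheme if creds else None
        print(f"{value!r:42} scheme={scheme!r:10} bearer_token={extract_bearer_token(value)!r}")
```

The point of separating the two steps is that a "Basic" credential or a raw key pasted into the header is not silently treated as a bearer token: the scheme decides which grammar applies, and only the Bearer grammar is applied to the Bearer parameter.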


> Isn't that just fancy phrasing for a username/password?

Not quite. username/password authenticate who or what something is; bearer tokens permit what actions can be taken by the holder of that token, and tend to be short-lived in nature and ideally for very specific actions.


This is cool, I love that gitlab lets you purchase extra minutes ad hoc without a tier change. Neither GitHub nor CircleCI let you do that.


You can pretty easily see all the traffic on your own phone. You can even do it on device.

https://apps.apple.com/us/app/charles-proxy/id1134218562


Does this work with apps that do their own TLS using their own pinned certs? I don't see how it could. Surely that's a lot of high profile apps these days.

If this app works without root, it must be possible for apps on iPhone to add their own certificates to the system, which are then trusted by other applications - that would already be pretty alarming. I think Android still requires certificates to be manually imported by the user. Maybe this app points you to instructions on how to do this, but the description makes it sound very automatic.


If you've got a jailbroken phone, this post explains how to extract the TLS keys (to decrypt the traffic) using a Frida script.

https://andydavies.me/blog/2019/12/12/capturing-and-decrypti...


For sure, it can be done, I was just thinking that MITMing yourself on iPhone is not so easy these days as just installing this one app.


You can add an ssl certificate but if they do cert pinning then it breaks. Most don’t do cert pinning.


No, you’d need to jailbreak or modify the application for that.


If you can set your own DNS on iOS why not just use something like nextDNS.io?


NextDNS is fantastic. I use it to block ads on my iPhones and iPads.


Seeing it != blocking it.


If you can see it you can make an informed choice if the tradeoff is worth it.


If you can see it, but can't block it, then you've already lost a part of it before you can make that informed decision.


Of course you can block it, a private DNS with ad blocking is trivial to set up. Knowing about it is far more important as you can make informed decisions.


You basically need your own VPN server with Pi-hole installed to control the tracking. It is a very effective way to block this, but not that easy to set up.


If you can use NextDNS, you have something akin to a Pi Hole.



That's way less fun.


Author here - let me know if you have any suggestions, it's easy to add more :)


It would be nice if the user could specify a title that will be used for all events.

I'd absolutely use this to block off some time for project work, and I have no reason not to label the events honestly ("Blocked off" or "Project X").


That's easy enough, e-mail me at aaron@lookbusy.app and I'll add you to the beta list.


Yes, as indicated in the OP you can use otool to see which private APIs are being called.


That’s what secure coding guidelines say to do. It’s called “input validation”. For example here’s Apple’s: https://developer.apple.com/library/archive/documentation/Se...

Especially important on methods called on launch, if a crash would cause a problem.

(Swift or another strongly typed language would help here.)


The halting problem's existence means that there's no input validation that is guaranteed to work absolutely 100% of the time though, for sufficiently large inputs.


Wonder why he didn’t use the Core ML image analysis tools built in to Xcode?


... I didn't know that they existed? I just ran with the first thing I could get working.

