By John Gruber
Marcus Mendes, in a piece at 9to5Mac with multiple spoilers for next week’s keynote:
Apple is working on supporting the ability to export notes in Markdown from Apple Notes, which is something third-party apps have supported for years. Granted, this is a niche feature, but as a fierce participant in the niche, I can confirm: this is huge.
When this story first started spreading this morning, it was getting repeated as Notes “gaining Markdown support”, which implied something like Bear or Obsidian, where you can type Markdown syntax characters while editing, and perhaps optionally see the Markdown syntax in your notes. “Markdown notes app” is really like a class of notes apps unto itself.
Some people find this surprising, but I personally don’t want to use a Markdown notes app. I created Markdown two decades ago and have used it ever since for one thing and one thing only: writing for the web at Daring Fireball. My original description of what it is still stands: “Markdown is a text-to-HTML conversion tool for web writers.” Perhaps an even better description of Markdown is Matthew Butterick’s, from the documentation for Pollen: “Markdown is a simplified notation system for HTML.”
The other great use case for Markdown is in a context where you either need or just want to be saving to a plain text file or database field. That’s not what Apple Notes is or should be. I can see why many technically-minded people want to use Markdown “everywhere”. It’s quite gratifying that Markdown has not only become so popular, but after 21 years, continues to grow in popularity, to the point now where there clearly are a lot of people who seemingly enjoy writing in Markdown more than even I do. But I think it would be a huge mistake for Apple to make Apple Notes a “Markdown editor”, even as an option. It’s trivial to create malformed Markdown syntax; it shouldn’t be possible to have a malformed note in Apple Notes. I craft posts for Daring Fireball; I dash off notes in Apple Notes.
Apple Notes offers a great WYSIWYG rich text editing interface that works great on an iPhone and even better on a Mac, which I think is exactly appropriate. Particularly clever are the limited formatting options, where you don’t pick a font per se, but rather only from a set of predefined styles, like headings, lists, and block quote. It’s not nerdy at all. You certainly shouldn’t need to “preview” (let alone keep a separate preview view open side-by-side with your editing view), nor switch between modes for editing and viewing. That’s the Macintosh way. (But that’s why I think Apple Notes’s use of hashtags, rather than real tokenized tags like in the Finder, was an enormous mistake on Apple’s part. Real tokenized tags can contain spaces (so a multi-word tag can just be “Words Written Naturally” not “#WordsCrammedTogether”) and don’t need to be prefixed with an ugly, nerdy-looking # character. Notes using hashtags is like if the Finder disallowed spaces and uppercase letters in filenames.)
But Markdown export from Notes? That sounds awesome. Frankly, perhaps the biggest problem with Apple Notes is that its export functionality is rather crude — PDF and, of all formats, Pages. Exporting and/or copying the selected text as Markdown would be pretty cool. Very curious to see how they handle images though, if this rumor is true.
Wayne Ma, reporting last month at The Information (a paywalled website so obnoxious that they force $300/year subscribers to click through an article-blocking popover pitching them on upgrading to a $500/year subscription), and summarized here by MacRumors:
However, the smaller size of the new thin model will require compromises to its capabilities. The device will contain only a single speaker instead of the two speakers that Apple’s other phones usually have, one rear camera lens instead of the three in Apple’s flagship phones, and reduced battery life. Internal testing shows that battery life for the thin model will fall short of that of previous iPhones. The percentage of users who can go a single day without recharging the thin phone will be between 60% and 70%. For other models, that metric is between 80% and 90%, one of the people said.
To solve this, Apple is developing an optional accessory — a phone case meant for the thin model that also contains a battery pack, according to three people familiar with the matter.
It sort of goes without saying that the super-thin iPhone will have less battery life. How could it be otherwise? If 60–70% of users can still get through the day on a charge while using it, that sounds like it’s the right time for Apple to try such a phone. People who currently run their phones down to the red each day aren’t going to think “Hey, maybe I should try this crazy thin iPhone.”
What disappoints me is Ma’s reporting of an iPhone Air-only battery case from Apple. What I very much want Apple to make is a sequel to its amazing MagSafe Battery Pack with a Lightning connector that debuted in 2020 but was discontinued in 2023 (the year that the iPhones 15 switched from Lightning to USB-C). I’ve got two of these and they’re still, by far, my favorite iPhone battery packs. They’re the only Lightning devices left in my life and they’re so good I’m happy to still keep one Lightning cable in my travel bag to use them.
There are a zillion third-party “magnetic” (but not “MagSafe”) battery packs that work with iPhones, and most of them have larger batteries than Apple’s. But part of what makes Apple’s MagSafe Battery Pack great is that it’s so small, and shaped so comfortably. I don’t need a magnetic battery pack that tries to double my iPhone’s battery life. I just need like 1.5× on occasional phone-heavy days (like next Monday’s WWDC keynote), and Apple’s does just that. No third-party magnetic battery pack I’ve tried comes even close to attaching as securely to the back of the iPhone as Apple’s. And Apple’s has special integration with iOS, which gives you a cool animation on the screen when it’s first attached, and updates the battery life of the pack in the Battery widget alongside the iPhone’s own battery. (Apparently some newer third-party packs do now show the full-screen animation when first attached, but none yet integrate with the Battery widget — someone better call the European Commission.) Most importantly, with Apple’s MagSafe Battery Pack, iOS is smart, and doesn’t keep sucking juice when the phone has recharged up to 70% or so. By only slurping juice when it’s more efficient to do so, you get more effective battery life out of a noticeably slimmer battery pack. It’s just so much better than any other battery pack I’ve tried.
This supposed iPhone “Air” seems like the perfect time to bring back the MagSafe Battery Pack, this time with USB-C — and unlike a model-specific case, it’d work with all MagSafe iPhones, not just the Air. (Sorry, 16e owners.) See also:
Dan Goodin, writing at Ars Technica:
This abuse has been observed only in Android, and evidence suggests that the Meta Pixel and Yandex Metrica target only Android users. The researchers say it may be technically feasible to target iOS because browsers on that platform allow developers to programmatically establish localhost connections that apps can monitor on local ports.
In contrast to iOS, however, Android imposes fewer controls on local host communications and background executions of mobile apps, the researchers said, while also implementing stricter controls in app store vetting processes to limit such abuses. This overly permissive design allows Meta Pixel and Yandex Metrica to send web requests with web tracking identifiers to specific local ports that are continuously monitored by the Facebook, Instagram, and Yandex apps. These apps can then link pseudonymous web identities with actual user identities, even in private browsing modes, effectively de-anonymizing users’ browsing habits on sites containing these trackers.
I’ll note that among the so-called “interoperability” requirements the European Commission is demanding of iOS is for third-party apps to run, unfettered, in the background, because some of Apple’s own first-party software obviously runs in the background. And I’ll further note that Apple made clear, back in its December 2024 report laying out its objections to the EC’s demands, that:
No company has made more interoperability requests of Apple than Meta. In many cases, Meta is seeking to alter functionality in a way that raises concerns about the privacy and security of users, and that appears to be completely unrelated to the actual use of Meta external devices, such as Meta smart glasses and Meta Quests.
This newly uncovered “Local Mess” exploit — which seemingly only works on Android — is exactly the sort of scheme Meta wants to pull on iOS: to track users across millions of websites while they justifiably believe their web browsing is sandboxed from all native apps.
Back to Goodin:
Meta Pixel and Yandex Metrica are analytics scripts designed to help advertisers measure the effectiveness of their campaigns. Meta Pixel and Yandex Metrica are estimated to be installed on 5.8 million and 3 million sites, respectively.
Every one of the sites that includes these tracking scripts is complicit to some extent in the theft of hundreds of millions of Android users’ web browsing privacy.
A team of researchers has uncovered a scheme they’ve dubbed “Local Mess” — used by Meta since September 2024, and Russian search engine Yandex since 2017 (!) — to de-anonymize Android users’ web browsing across millions of websites that include Meta’s and Yandex’s respective tracking scripts. From their extensively detailed report:
These native Android apps receive browsers’ metadata, cookies and commands from the Meta Pixel and Yandex Metrica scripts embedded on thousands of web sites. These JavaScripts load on users’ mobile browsers and silently connect with native apps running on the same device through localhost sockets. As native apps access programmatically device identifiers like the Android Advertising ID (AAID) or handle user identities as in the case of Meta apps, this method effectively allows these organizations to link mobile browsing sessions and web cookies to user identities, hence de-anonymizing users’ visiting sites embedding their scripts.
This web-to-app ID sharing method bypasses typical privacy protections such as clearing cookies, Incognito Mode and Android’s permission controls. Worse, it opens the door for potentially malicious apps eavesdropping on users’ web activity. [...]
The entire flow of the _fbp cookie from web to native and the server is as follows:
- The user opens the native Facebook or Instagram app, which eventually is sent to the background and creates a background service to listen for incoming traffic on a TCP port (12387 or 12388) and a UDP port (the first unoccupied port in 12580-12585). Users must be logged-in with their credentials on the apps.
- The user opens their browser and visits a website integrating the Meta Pixel.
- At this stage, websites may ask for consent depending on the website’s and visitor’s locations.
- The Meta Pixel script sends the _fbp cookie to the native Instagram or Facebook app via WebRTC (STUN) SDP Munging.
- The Meta Pixel script also sends the _fbp value in a request to https://www.facebook.com/tr along with other parameters such as page URL (dl), website and browser metadata, and the event type (ev) (e.g., PageView, AddToCart, Donate, Purchase).
- The Facebook or Instagram apps receive the _fbp cookie from the Meta Pixel JavaScript running on the browser. The apps transmit _fbp as a GraphQL mutation to (https://graph[.]facebook[.]com/graphql) along with other persistent user identifiers, linking users’ fbp ID (web visit) with their Facebook or Instagram account.
The same day the researchers published this report, Meta stopped doing it.
I’ve said it before but not in a while: Meta is a criminal enterprise. What they’ve done here may not have broken any laws, but there certainly should be laws against it. And in terms of simple common sense, the entire elaborate scheme only exists to circumvent features in Android meant to prevent native apps from tracking you while you use your web browser. Saying it’s not illegal doesn’t mean it isn’t theft. It’s like the privacy equivalent of Trump’s cryptocurrency grift, which might not violate any current laws, but clearly exists as a bribery scheme.
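As an added example (not from the researchers' report or from this post): a short Python check for the listening ports the quoted flow names, TCP 12387/12388 and UDP 12580-12585, run over socket tables in the Linux /proc/net/tcp and /proc/net/udp layout. The sample tables and UIDs are constructed, and only IPv4 tables are handled.

```python
# Ports as listed in the report's _fbp flow.
TCP_PORTS = {12387, 12388}
UDP_PORTS = set(range(12580, 12586))
TCP_LISTEN = "0A"  # kernel state code for LISTEN in /proc/net/tcp

# Constructed samples in /proc/net/tcp and /proc/net/udp layout (not real device data).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3063 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10234        0 51234
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10111        0 51300
   2: 0100007F:3064 0100007F:D2F0 01 00000000:00000000 00:00000000 00000000 10234        0 51301
"""
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  10: 00000000:3124 00000000:0000 07 00000000:00000000 00:00000000 00000000 10234        0 51400
  11: 00000000:14E9 00000000:0000 07 00000000:00000000 00:00000000 00000000  1020        0 51401
"""

def decode_ipv4(hex_addr):
    """/proc/net stores IPv4 addresses as little-endian hex."""
    raw = bytes.fromhex(hex_addr)[::-1]
    return ".".join(str(b) for b in raw)

def parse_sockets(table):
    """Yield (ip, port, state, uid) for each data row of a /proc/net table."""
    for line in table.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue
        addr, port = fields[1].split(":")
        yield decode_ipv4(addr), int(port, 16), fields[3], int(fields[7])

def find_listeners(tcp_table, udp_table):
    """Return sorted (proto, ip, port, uid) hits on the reported ports."""
    hits = []
    for ip, port, state, uid in parse_sockets(tcp_table):
        # Row 2 of the sample is an established connection, not a listener.
        if port in TCP_PORTS and state == TCP_LISTEN:
            hits.append(("tcp", ip, port, uid))
    for ip, port, _state, uid in parse_sockets(udp_table):
        if port in UDP_PORTS:
            hits.append(("udp", ip, port, uid))
    return sorted(hits)

if __name__ == "__main__":
    for hit in find_listeners(SAMPLE_TCP, SAMPLE_UDP):
        print(hit)
```

The UID column identifies the owning app; resolving it to a package name is a separate step outside this sketch.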
Emily Kennard and Margaret Manto, reporting last week for NOTUS (“News of The United States” — a seriously good up-and-coming national affairs publication):
Health Secretary Robert F. Kennedy Jr. says his “Make America Healthy Again” Commission report harnesses “gold-standard” science, citing more than 500 studies and other sources to back up its claims. Those citations, though, are rife with errors, from broken links to misstated conclusions.
Seven of the cited sources don’t appear to exist at all.
Shocking that these dipshits would generate their report with whatever came out of an LLM and not actually check — let alone, you know, read — the cited studies.
Hard not to see the invitation and this new animation as a hint that the much-rumored UI redesign/refresh is, indeed, going to be glassy.
Dyson:
Join James Dyson as he introduces the new Dyson PencilVac Fluffycones cleaner. Our latest, most advanced floorcare technology — now available in Japan.
Nine minutes, short and sweet. I watched the whole thing and loved it. If it had been pre-recorded, I bet I wouldn’t have gotten more than two or three minutes into it, even though the video would have been more polished. There’s just something compelling about a live demo, even when you’re watching on YouTube.
(The new PencilVac looks cool too, but it seems too good to be true. I’ll be interested to hear from reviewers whether it, uh, actually sucks or kinda sucks.)