Bartender change of ownership—potential security issue?

Notarisation by Apple is fancy speak for having the developer certificate issued and it does not mean much except for the fact that the developer had the money to pay for the Apple Developer membership. There have been instances of malware and spyware distributed on both the iOS and the Mac App Stores which were not caught in Apple’s testing and which were all properly ‘notarised’.

The current owners of Bartender have already sneakily released a notarised version containing tracking spyware without telling anyone. At this point, using Bartender is trusting a largely unknown venture capital fund with permission to record your screen. Exercise caution.

5 Likes

What would that mean though?

I doubt that they get to see the source code and I’m also not sure that they check outgoing connections (how people with a firewall like Little Snitch or LuLu detected the sneaky Amplitude integration in a new build of Bartender).

1 Like

I don’t know what to make of all this - but it has prompted me to look at alternatives for the first time.

Thanks to this thread, I investigated ICE and I like it a lot. It doesn’t yet have the second drop-down menu bar (they’re working on it apparently) but in other respects I actually prefer its very simple UI to Bartender. Free (with donations) and open source.

I am not the user, but before I use any app I do look into its background, like who the main people are and where their headquarters are. I found that most of them won’t state this. It seems like nowadays we are living in a global village, but this information does matter to me.

Of course, transparency doesn’t mean everything is safe, but I will think the developers don’t respect users if they don’t say who they are.

The incident will make me more determined to either go all in with Apple or use open formats like plain text.

If you are referring to Amplitude, unfortunately other well-known apps also use it, for example PDF expert and Spark.

2 Likes

Amplitude is part of the problem, particularly how they covertly slipped it into the release without any opt-in/opt-out dialogs. I have no problem allowing some tracking for apps I regularly use and developers I mostly trust if that helps them improve their products (Readdle is in that group, as their support was always helpful and quick to respond). However I want to be notified of this.

The issue around screen recording – permission needed for Bartender to work at all – is more significant now as we don’t know exactly who’s behind the app, who the ‘developers’ are, and what their track record in app development is. They have neither identified themselves nor been particularly forthcoming. So, at this point, there’s this entity we know nothing about with granted permissions for their app to record the screens on who knows how many devices.

1 Like

We can’t expect perfection. I think that we are a lot better off with the Notarization than without it.

Unfortunately, transparency doesn’t appear to be part of the Notarization check. Setapp is offering only Version 5.0.48 which, as far as I know, doesn’t include the “spyware.” We’ll see what develops and, I agree, we should exercise caution, but I feel fairly confident with the double check of Apple Notarization and Setapp vetting.

I am relying on Setapp’s reputation here. I have been using it for a number of years and have been unaware of any problems. I asked my AI (Perplexity Pro) and got a detailed, overall negative (no malware/spyware) answer with this summary:
“In summary, while there have been user concerns and discussions about Setapp’s behavior, there is no concrete evidence of malware or spyware being distributed through the platform. Setapp maintains that it is a secure and reputable service, supported by audits and a curated selection of apps.”

Is this true? Setapp are not the developers of Bartender and I’ve not seen any questions about Setapp’s integrity.

I suspect that Perplexity has mixed up Setapp with the new owners. AI strikes again.

1 Like

I understand the concerns and completely agree that more transparency would have been desirable.

That said - is it possible that those removing Bartender are proverbially cutting off their nose to spite themselves?

Is there any suggestion or evidence that personal information has been compromised in any harmful way?

2 Likes

Well, in my situation, all I wanted to do is reorder icons in the menu bar. As most decently coded apps have an option to “not show in menu bar”, my menu bar is not that crowded to begin with, and even less so now after this fiasco. Bartender was there, so I used it to organize my icons. I was not calculating my plans for world domination with it. It was probably always easily replaceable; I just found it easier to give the dev a few bucks every year or so.

The other side of your coin is “Is it possible that some users love Bartender so much that they will just accept whatever happens to keep using Bartender instead of trying an alternative?”

I am an Ice user now with no plans to go back to Bartender and my nose is still intact.

5 Likes

Are you suggesting folks wait until after the horse has left the barn to attend to the doors?

3 Likes

Absence of evidence is not necessarily evidence of absence.

The new owner’s behavior has justifiably raised suspicions, and it’s now up to them rather than users to prove that the app isn’t a privacy or security risk.

3 Likes

Kudos for sure to those who noticed the issue.

The new devs have acknowledged the issue and appear to have removed the offending code in an update.

We should keep monitoring the barn for sure. But it seems to me the door is closed, and it is not even certain that it was opened for nefarious purposes.

Yeah. AI isn’t intelligent. Nor does it have any way to perform due diligence, because it’s just pattern-matching.

3 Likes

Everyone’s risk tolerance is different. For me there are still a number of red flags.

The damage control press release claimed that they are a small group of developers passionate about software. Yet their website speaks only of providing an exit ramp for indie developers and says nothing about who these passionate developers are, what products they’ve developed, nor the portfolio of products they are now stewards of.

And given that some of their first moves were to add SEO blog posts, raise prices, and add user tracking, this does not bode well for future development. To me it signals “how do we milk this for all it’s worth”.

And the claims that there is already a subscription option (there isn’t) and that they announced the ownership change in their blog (they didn’t) certainly do not engender trust.

I referenced Hanlon’s Razor above. And maybe they are just incompetent. But as was rightly pointed out, incompetence is not a desirable trait for software developers.

5 Likes

Bold statement. How do you know?

Katie

Maybe we should abbreviate it A“I”

1 Like

Going by info gleaned from LinkedIn …

“We are a small team …”, True. LinkedIn shows the company has five employees.

“… of indie devs …”, Hmmm, not a single profile shows the job title “software developer” or similar.

“… using Bartender for years.”, who knows?

“We are enhancing privacy …”, True, albeit with significant caveats.

“This was originally included to … encountering issues with permissions”, Hmmm, this doesn’t pass the eye test. Just what exactly would they do with this info, given that it would be 100% of existing users?

An outright lie? Maybe not. But certainly disingenuous.

2 Likes

I am just catching up on all this merry news.

It turns out I am still running BT 4.2.25 on Ventura. Do folks here know whether this older version is now also calling home and may have privacy issues, or is this only affecting the new builds of V5 onwards?