Overview

We are currently working on a SCEP server implementation that operates in FIPS-approved mode. In this mode, RSA PKCS#1 v1.5 encryption is disallowed due to compliance requirements, and only FIPS-approved padding schemes such as RSA-OAEP are permitted. However, we have observed that the SCEP client functionality on Apple devices currently does not support RSA-OAEP for CMS EnvelopedData decryption. This creates a challenge for us in ensuring FIPS compliance while maintaining compatibility with Apple devices during certificate enrollment through SCEP. We would appreciate your guidance on the following: Are there any alternative FIPS-approved encryption algorithms or configurations supported by Apple devices for SCEP CMS EnvelopedData decryption? Is there any plan or timeline for future support of RSA-OAEP on Apple platforms for this use case? Feedback raised along with sysdiagnose logs as well : FB17655410

Hi all, I'm developing fitness app and I use healthkit to track user's "STEPS" count and "Heart Rate" from their iphone devices. I have been receiving this rejection and can't seem to get past this: Guideline 2.5.1 - Performance - Software Requirements The app uses the HealthKit or CareKit APIs but does not clearly identify the HealthKit and CareKit functionality in the app's user interface. Apps using these APIs should be clearly indicated to provide transparency and valuable information to users. Next Steps To resolve this issue, it would appropriate to clearly identify the HealthKit and CareKit functionality in the app's user interface. Resources Learn more about software requirements in guideline 2.5.1. How I tried to Resolve the Issue I have modified my app: adding user permission prompt, adding healthkit notification, adding healthkit indicator in the UI **1. Added a "Permission Primer" Screen (Pre-Alert) ** When a user taps "Connect Apple Health," they are now shown a dedicated explanation screen before the system permission prompt appears. This screen clearly states: "[App] integrates with HealthKit to read your Heart Rate and Steps... to calculate physical exertion." (Please see the "Connect" flow in the Session Detail view). **2. Added Explicit Source Attribution ** I have added a permanent text label reading "Health data sourced from Apple Health" directly below the heart rate and steps statistics on the Session Detail dashboard. This ensures that users always identify the source of the displayed metrics. 3. Deployment Target Correction I identified a configuration error where the Deployment Target was set to a future OS version. I have corrected this to the currently shipping iOS 18 to ensure full compliance with software requirements. 4. App Description Update I have updated the App Store description to explicitly mention the HealthKit integration and its specific purpose (tracking match intensity). However doing the above, I still continue to receive the same review message. When I asked the reviewer what else could be done to satisfy the requirement, I only get boiler plate message above. Anyone know what they really looking for? Any insights is appreciated. Thanks!

90809: Deprecated API Usage. New apps that use UIWebView are no longer accepted. Instead, use WKWebView for improved security and reliability. Learn more (https://developer.apple.com/documentation/uikit/uiwebview). I did not actively use UIWebView in my app, but this error occurred during the build upload process. This version has an additional integration of the iOS Ayla SDK and Public-9.0.7 SDK compared to the previous version. If there is indeed a call in a third-party SDK, how can I determine where the call exists? Thank you

Recently, I've noticed that background Bluetooth scanning stops when I move an app to the background on an iPhone 17 device with Bluetooth 6. I'm curious about a solution. Background Bluetooth scanning doesn't stop on devices older than iOS 26, or on devices that were updated from an iPhone 17 or earlier to iOS 26.

Some hacked my itunes connect or not sure any one tried to hack via remote desktop or else. Hacker transferred my apps to his account, how can I get those apps back?

When I start a Simulator (iPhone 13 mini) with iOS 26 and activate "Use the Same Keyboard Language as macOS", it still sets the keyboard to US (my Mac keyboard is in German). This makes the Mac keyboard unusable. It looks like a bug, because it clearly ignores the settings. When I type “@”, I get “¬”. Restarting the simulator did nothing, changing the settings back and forth also. BTW: Why does every single update of XCode come with a bug nowadays? I always have to spend half a day after an update to fix a problem I didn't have before. Highly frustrating.

When I use Xcode 26 (0.1, 1) for debugging and hit a breakpoint, using "step over" causes the debugger to freeze at a random line of code. Clicking "Pause program execution" indicates that the line is being executed, but the breakpoint never exits, seemingly causing a freeze. The application on the simulator also becomes unresponsive. However, when I do not use breakpoints, my program runs smoothly, and debugging on a physical device does not cause any freezes. This issue only occurs with the simulator. I am using Xcode on Apple Silicon, and due to some third-party SDKs that depend on Rosetta, our app can only run on the Rosetta simulator. We did not encounter this issue when using Xcode 16.x for simulator debugging. The current situation with Xcode 26.x significantly reduces our development efficiency. What could be causing this, and is there a solution?

Hello, I am currently process of migrating an app from Team A to Team B and attempting to generate transfer identifiers using the migration endpoint: POST https://appleid.apple.com/auth/usermigrationinfo. Content-Type: application/x-www-form-urlencoded However, I am consistently receiving an { "error": "access_denied" } response. [Current Configuration] Team A (Source): Primary App ID: com.example.primary Grouped App IDs: com.example.service (Services ID for Web) com.example.app (App ID for iOS - The one being transferred) All identifiers are under the same App Group. Team B (Destination): New App ID and Key created. [Steps Taken] Created a Client Secret (JWT) using Team A's Key ID and Team ID. The sub (subject) in the JWT is set to the Primary App ID of Team A. Requesting with client_id (Primary App ID), client_secret (JWT), and user_token. [Questions] 1. App Group Impact: Does the fact that the App being transferred is a Grouped App ID (not the Primary) affect the usermigrationinfo request? Should I use the Primary App ID or the specific Grouped App ID as the client_id? 2. Ungrouping Safety: If I need to ungroup the App ID from the Primary App ID to resolve this: Will existing users still be able to sign in without issues? Is there any risk of changing the sub (user identifier) that the app receives from Apple? Will this cause any immediate service interruption for the live app? Any insights on why access_denied occurs in this Primary-Grouped configuration would be greatly appreciated.

I'm testing app transferring, before, I have migrate user from teamA to teamB, including subA->transferSub->subB process, now I'm transfer the app from teamB to teamC, after the transfer requested, I can't get transfer_id by /usermigrationinfo api, which response 400 invalid request. the question is I can still get transfer sub by the auth/token api(grant_type: authorization_code) with teamB parameters(teamIdB/clientIdB/appSecretB/redirectUrlB/subB)，but the value is same as first time transfer_id which get during teamA to teamB. when use parameters above with target(teamIdC) to request /usermigrationinfo, invalid request was responsed. im sure that all parameters is correct, dose it cause by teamB still in 60-days first transferring(sure already accepted)?

For our research study, it is essential that the app can advertise BLE packets even when the app is no longer in the foreground (for example, when it is in the app switcher / recents state). Is it supported to advertise BLE packets while the app is in the background or recents state? If so, what are the specific requirements or limitations we should be aware of (background modes, payload size, timing, etc.)? Are there any constraints that would prevent consistent BLE advertising for research use cases?

You can't transfer this app because of the following reasons: App Transfers Disabled for This Account Due to irregular activity associated with your account, you cannot transfer or receive apps at this time. If you think this is an error, contact Developer Support.

When I try to show/hide the content in .safeAreaBar(edge: .bottom), especially the content with a large height, the background animation of the toolbar is very laggy. iOS 26 RC Feedback ID - FB19768797 import SwiftUI struct ContentView: View { @State private var isShown: Bool = false var body: some View { NavigationStack { Button("Toggle") { withAnimation { isShown.toggle() } } ScrollView(.vertical) { ForEach(0..<100) { index in Text("\(index)") .padding() .border(.blue) .background(.blue) .frame(maxWidth: .infinity) } } .scrollEdgeEffectStyle(.soft, for: .bottom) .safeAreaBar(edge: .bottom) { if isShown { Text("Safe area bar") .padding(64) .background(.red) } } } } } #Preview { ContentView() }

Hello, I am currently developing an iOS application using SensorKit. I encountered an issue when attempting to fetch SensorKit data in the background using background tasks (appRefresh, processing). The following error occurs: In the delegate function func sensorReader(_ reader: SRSensorReader, fetching fetchRequest: SRFetchRequest, failedWithError error: any Error) {}, I receive the error: SRErrorDataInaccessible. In code specific manner: start and handle background fetch (appRefresh) func handleAppRefreshTask(task: BGAppRefreshTask) { logger.logWithServer(level: .default, message: "background fetch start", category: String(describing: BackgroundTaskManager.self)) scheduleBackgroundFetch() let queue = OperationQueue() queue.maxConcurrentOperationCount = 1 let fetchOperation = FetchOperation() queue.addOperation(fetchOperation) task.expirationHandler = { self.logger.logWithServer(level: .error, message: "background fetch expirated", category: String(describing: BackgroundTaskManager.self)) queue.cancelAllOperations() } fetchOperation.completionBlock = { task.setTaskCompleted(success: !fetchOperation.isCancelled) } } Background fetch operation class class FetchOperation: Operation { override func main() { guard !isCancelled else { return } Task { // this function will execute fetch request for all user allowed sensorReader, 'func fetch(_ request: SRFetchRequest)' await SensorkitManager.shared.startFetchAndUpload() } } } I have the following questions: Is it possible to fetch SensorKit data in the background? If it is possible, why does the above error occur? If it is possible, could you provide the solution code and the correct workflow to avoid this error? Thank you.

Hi there, How can I best understand the changes on the eSIM Installation wizard, i.e. on iOS 18 and later after an eSIM installation you used to get steps such as labeling the eSIM, deciding what to use for iMessage & FaceTime, what to use for mobile data, main voice line, etc. Whereas on iOS 26 you are not prompted for these steps.

I'm developing a passkey manager using ASCredentialProviderViewController. I've set a custom AAGUID in the attestation object during registration: let aaguid = Data([ 0xec, 0x78, 0xfa, 0xe8, 0xb2, 0xe0, 0x56, 0x97, 0x8e, 0x94, 0x7c, 0x77, 0x28, 0xc3, 0x95, 0x00 ]) However, when I test on webauthn.io, the relying party receives: AAGUID: 00000000-0000-0000-0000-000000000000 Provider Name: "iCloud Keychain" It appears that macOS overwrites the AAGUID to all zeros for third-party Credential Provider Extensions. This makes it impossible for relying parties to distinguish between different passkey providers, which is one of the key purposes of AAGUID in the WebAuthn specification. Is this expected behavior? Is there a way for third-party Credential Provider Extensions to use their own registered AAGUID? Environment: macOS 26.2 Xcode 26.2

We are currently experiencing the following: Developers who are invited to Appstore Connect in the "Administrator" role and are members of the development team no longer have access to the team's developer resources at https://developer.apple.com Even after deleting the user and a new invitation, there is no access to the developer resources. The problem has existed since yesterday and can be traced in several developer accounts.

Hello, I have a question about running tests on multiple simulators. Currently, my company has a WDIO+Appium test suite with XCUITEST driver that runs on a single simulator through a mockttp proxy (we are intercepting and mocking some of the responses from our APIs and pass through the rest). In order to route the traffic we are currently using 'networksetup -setsecurewebproxy '. Everything works as expected. With growing number of tests we'd like to scale number of simulators on a single host to 3-5. We have a working setup but the problem are system-wide proxy settings routing traffic from multiple simulators, which we can't distinguish by UDID or any other means, we know of. We can spin multiple mock servers on the same machine but we are struggling to find the way to route the traffic on a simulator basis. In the end, both options are viable: 1 mock server running for multiple simulators N number of mock servers for N number of simulators Has anyone had the same/similar problem? How to approach this? We are currently running on Sequoia OSX and platform version 18.6. Thanks!

Updated my app to include turn-based matches. Beta testing through FlightTest and all was well between iOS 18.x and 26.2 devices. One beta tester upgraded to 26.2 during beta testing and now when the MatchMaker VC is opened, it does not show existing matches. Worse, he can create new matches and play his turn, but the new match won't even show up in MMVC, even after opponent takes turn. My app has been reviewed and is ready for release, but I'd like to know how to solve this before I release. He has tried re-installing the app, including an updated FlightTest version that is the same as the about-to-be-released reviewed version.

Hello Apple Support Team, We are seeing a production crash on iOS 26 devices that appears to originate from Apple system frameworks rather than application code. Crash Summary Crash signature: _xzm_xzone_malloc_freelist_outlined Crashed thread: com.apple.network.connections Frameworks involved: CFNetwork, Security, libdispatch, libsystem_malloc Affected OS: iOS 26.x App built with: Xcode 16 Devices: Multiple models (not device-specific) Reproducibility: Intermittent, higher frequency during app launch / background networking Observed Stack Trace (top frames) _xzm_xzone_malloc_freelist_outlined dispatch_data_create_alloc xpc_data_deserialize SecTrustEvaluateIfNecessary CFNetwork HTTPProtocol / HTTP3Connection com.apple.network.connections App Context The app uses URLSession for networking. Multiple third-party SDKs are integrated (Firebase Analytics, Dynatrace, Appsflyer, and similar analytics/monitoring SDKs). These SDKs perform concurrent background network requests, especially during app launch and foreground transitions. No unsafe memory operations (manual malloc/free, unsafe pointers, or custom networking stacks) are used in the app code. Key Observations The crash is predominantly observed on iOS 26 and not on earlier iOS versions. Stack traces do not include application symbols. Disabling or delaying analytics SDK initialization significantly reduces the crash rate. Reducing concurrent network requests and limiting HTTP/3 usage also mitigates the issue. This suggests a potential regression in CFNetwork / Network.framework / HTTP/3 handling combined with the new memory allocator (xzone) on iOS 26. Impact Random app termination during background networking. Occurs without a clear deterministic repro path, making it difficult to fully mitigate at the app level. Request Could you please help investigate whether this is a known iOS 26 issue related to: HTTP/3 / QUIC networking XPC deserialization Memory allocation in the new xzone allocator High-concurrency network requests We would appreciate guidance on: Recommended mitigations Whether this issue is already tracked internally Any best practices for apps integrating multiple analytics SDKs on iOS 26 Crash logs and additional diagnostics can be provided if needed. Thank you for your support. Best regards, Dhananjay

Hello everyone, I’m currently enrolling as an Organization from Albania and I’ve been stuck on the "Enrolling" status for 8 business days now. I have my D-U-N-S number sorted and everything was submitted. I sent an email last week to the support but I haven't heard back yet. I’ve already sent another support message 2 days ago but no reply so far. I’m curious to hear from others who have enrolled recently (especially in 2026): How long did your organization verification take? Did you receive a verification phone call, or was it just approved via email? For those in the Balkans/Europe, did you have to provide extra local business registry documents (like the QKB extract) manually? I’m trying to time my launch with my Google Play release, so I’m a bit anxious about the "black hole" of waiting. Any experiences or "nudge" tips would be greatly appreciated! Thanks!