We are currently implementing the payment flow, and for handling payment details — including card entry and validation — we are utilizing a WKWebView. The webview securely loads the payment provider’s page, ensuring sensitive information such as card numbers are entered and validated directly within the web context. I’d like to clarify that this change has not yet been released to Production. As part of a feature enhancement to our existing payment flow, we are transitioning to a new payment vendor, SnapPay. While trying to load the SnapPay URL embedded within an iFrame in our iOS app, I observed the following error in the Xcode console. While this error may be generic, I wanted to highlight it: 825a18 - [pageProxyID=7, webPageID=8, PID=67346] WebPageProxy::didFailLoadForFrame: frameID=24, isMainFrame=0, domain=NSURLErrorDomain, code=-999 Upon investigating, we compared the headers from our existing payment URL and SnapPay's URL, and found that SnapPay includes the following Content-Security-Policy (CSP) header: Content-Security-Policy: frame-ancestors ... "Content-Security-Policy" value="default-src 'self'; script-src 'self' https://hcaptcha.com https://.hcaptcha.com https://code.jquery.com https://www.gstatic.com https://code.jquery.com/jquery-3.3.1.min.js https://test.lightbox.cardx.com/v1/lightbox.min.js https://www.ssa.gov/accessibility/andi/ https://c.evidon.com 'unsafe-inline' 'unsafe-eval'; style-src 'self' https://hcaptcha.com https://.hcaptcha.com https://fonts.googleapis.com/css https://stage.snappayglobal.com/Resource/ https://www.ssa.gov/accessibility/andi/andi.css 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' *.googleapis.com *.gstatic.com ; connect-src 'self' https://demo1.cditechnology.com https:; form-action https://hcaptcha.com https: 'self' *.ipg-online.com secure.bluepay.com https://test.api.lightbox.cardx.com https://3ds-acs.test.modirum.com/ https://demo1.cditechnology.com/; frame-ancestors https://snappaydirect-perf.fiserv.com 'self' file: https: http; frame-src .snappayglobal.com 'self' https://hcaptcha.com https://.hcaptcha.com https: https://www.google.com .ipg-online.com secure.bluepay.com https://.cardconnect.com https://test.api.lightbox.cardx.com/ https://test.lightbox.cardx.com https://paywithcardx.com/payment/auth.cgi securepayments.cardpointe.com *.cardpointe.com https://3ds-acs.test.modirum.com/ https://www.yokohamatire.com http://uat1-txt.ad.portal.texas.gov https://uat1-txt.ad.portal.texas.gov " After multiple working sessions with the SnapPay team, we were able to confirm that when they disable CSP or remove the frame-ancestors directive, the iFrame loads successfully within our app. However, SnapPay cannot change on their CSP. To enable the iFrame to load in the iOS app, we added the following line of code: webView.configuration.preferences.setValue(true, forKey: "allowFileAccessFromFileURLs"). This resolved the issue with loading the iFrame. Note: the file being loaded is a local .html file,. Before submitting this update to the App Store, I’d like to confirm whether this usage of allowFileAccessFromFileURLs is acceptable for App Store review. I wanted to confirm that with this change is there a security concern for WKWebview?

Hi, is it legal to use open APIs to get the users's country country code using the Ip address in the app? I mean I want to know the user country for the game leaderboards data, and there are sites say this is free and open. So, I have two questions, first, is this making the user calling open api to get its country code concept legal? second question, what if these sites suddenly decided that it is not legal to use their apis for commercial use, and i miss that announcement; will you remove my app from the store? or what action will you take exactly?

For an app that plan to integrate Apple HealthKit to allow app users to upload and download their health data, where can I locate the Data Processing Addendum that specifies who the data controller and processor will be, and how such health data will be used or distributed?

Hi everyone, I’m developing a multiplayer iOS game that uses Multipeer Connectivity for local peer-to-peer networking. I’d like to display user-assigned device names in the UI to help players identify each other during the connection process. In iOS 16 and later, accessing UIDevice.current.name requires the User-Assigned Device Name Entitlement. The documentation states that the entitlement is granted for functionality involving “interaction between multiple devices that the same user operates”. My game is strictly multiplayer, with devices owned by different users, not a single user managing multiple devices. I have a few questions regarding this: Does the requirement for “devices operated by the same user” definitively exclude multiplayer scenarios where devices belong to different players? Can a Multipeer Connectivity-based game qualify for the entitlement in this case? If the entitlement is not applicable, is prompting users to enter custom names the recommended approach for identifying devices in a multiplayer UI? Has anyone successfully obtained this entitlement for a similar multiplayer use case with Multipeer Connectivity? Thanks in advance.

As the image access policy has changed with Android targeting SDK 34, I’m planning to update the way our app accesses photos. We are using the react-native-image-picker library to access images. On Android, the system no longer prompts the user for image access permissions, but on iOS, permission requests still appear. Since Android no longer requires explicit permissions, I’ve removed the permission request logic for Android. In this case, is it also safe to remove the permission request for iOS? In our app, photo access is only used for changing the user profile picture and attaching images when writing a post on the bulletin board. Are there any limitations or considerations for this kind of usage?

I upgraded my Mac to Sequoia 15.4.1 an i hat to upgrade XCode to Version 16.3. I access a MQTT Broker by an sending an mosquitto_sub request to the Broker. Now its no longer possible the request fails i granted Network permission to my App

I develop a terminal app with c++. Everything was fin until i upgraded to Sequoia. If i debug my program with Xcode, all requests to a local network like MQTT fails. How can i grant XCODE the privilege to access the local network?

My app makes constant use of copy paste, allowing the user to past links into the app as a core function. Unfortunately users are forced to press the "Allow Paste" button every single time they copy paste, which in my app is constantly. Also the default option is "Deny" even after the user has previously given permission. Is there any way to eliminate the pop up after the user has given permission to the app? I would propose that there be a third option for "Always Allow" paste from this app for the user to select which would silence subsequent pop ups. If the goal is to make a seamless experience for users then we need to consider if we are making things too difficult in the name of security?

Hi, Xcode Instruments shows multiple Points of Interest with the information that the framework is not listed in my Privacy Manifest. However, I have already included them in the Privacy Manifest under the privacy tracking domains. I have this problem with every tracking domain i listed in the Privacy Manifest's Privacy Tracking Domains. Did I make a mistake in my Privacy Manifest declaration?

When developing and testing using my phone I got prompted for allowing app tracking. I later uploaded a build to TestFlight, deleted the old testing app and installed the TestFlight build. I am now stuck in an infinite loop of not getting prompted for allowing app tracking for the app. When entering the app settings the toggle for tracking never appears which leaves me not able to enter the app's content. My guess is that the prompt can only be shown once for the app bundle, but there has to be a way for me to get prompted again without changing the app bundle id. Help is appreciated since this app is scheduled to be published in a week.

We are developing a desktop app for macOS, built with Electron + Angular + Node.js. The app has the ability to access devices on the local network. We are having some trouble with the behavior of the "Local Network" feature added in macOS 15. Procedure: MacBook Pro 14inch (M1Pro) 2021, 16GB memory - macOS Sequoia15.4.1 Network Environment: The PC and the access point are connected by wire, and the target device and the access point are also connected by wire. Not connected to an external network Install the target app Start the application and allow the "Local Network" dialog that appears Open the "Local Network" item in "Privacy and Security" and make sure the target app is allowed. Confirm that you can access the target device on the local network Restart the PC Open the "Local Network" item in "Privacy and Security" and make sure the target app is allowed. Start the app and access the target device on the local network Result: Access to the target device may fail (this does not occur 100% of the time) If you turn the target app in the "Local Network" section of "Privacy and Security" OFF and then ON, you will be able to connect However, it seems that the problem may occur again if you restart your PC. According to our research, the probability of this happening increases if the target app is the only app allowed on the "local network". This happens not only with our app, but also when you follow the above steps in "Google Chrome". Based on the above investigation results, I suspect that this is a problem with the OS. What do you think?

Haptic or Sound queue to allow for the accessibility of the blind (sound) and deaf population (haptic) for even knowing when location services and the camera were last used? Also, the grey notification rather than the purple notification for location services should appear for the full 24 hours after an application has used the app, if the correct description is within the "copy" of Settings The green light lets them know that the application has changed to the camera and fade out orange light both could even have subtle simply click sounds, like a shutter, big haptic, softer sound, but editable in Settings, of course

Hello, We have a SwiftUI-based application that runs as a LaunchAgent and communicates with other internal components using Unix domain sockets (UDS). On Sequoia (macOS virtualized environment), when installing the app, we encounter the Local Network Privacy Alert, asking: "Allow [AppName] to find and connect to devices on the local network?" We are not using any actual network communication — only interprocess communication via UDS. Is there a way to prevent this system prompt, either through MDM configuration or by adjusting our socket-related implementation? Here's a brief look at our Swift/NIO usage: class ClientHandler: ChannelInboundHandler { ... public func channelRead(context: ChannelHandlerContext, data: NIOAny) { ... } ... } // init bootstrap. var bootstrap: ClientBootstrap { return ClientBootstrap(group: group) // Also tried to remove the .so_reuseaddr, the prompt was still there. .channelOption(ChannelOptions.socketOption(.so_reuseaddr), value: 1) .channelInitializer { channel in // Add ChannelInboundHandler reader. channel.pipeline.addHandler(ClientHandler()) } } // connect to the UDS. self.bootstrap.connect(unixDomainSocketPath: self.path).whenSuccess { (channel) in .. self.channel = channel } ... ... // Send some data. self.channel?.writeAndFlush(buffer).wait() Any guidance would be greatly appreciated.

Hi Apple Devs & WebKit Team, We operate https://outdoorgala.com — a verified, HTTPS-secure Canadian ecommerce site focused on elite outdoor safety gear. We're Indigenous-owned, based in Alberta, and take customer trust and compliance seriously. However, Safari (iOS + macOS) is falsely flagging our site as “deceptive,” preventing customers from accessing us — even though: We use GoDaddy Website Builder with no redirections or malware All product links are clean, HTTPS-secure, and tracked ethically We recently implemented a fully compliant cookie banner (Accept/Decline logic) A public security.txt and OpenPGP key has been published: https://outdoorgala.com/security No phishing, malware, or cloaking behavior exists on the site We’ve already submitted a review via: ➡️ https://websitereview.apple.com And filed a bug report via Feedback Assistant (FB17608544) What else can be done to speed up review or get flagged domains unblocked in Safari? This is hurting our business and blocking consumer access — despite following all Apple guidelines. Would appreciate any insights or escalation tips. Thank you! – Derek Eiteneier Founder, Outdoor Gala

Hello Apple, I am trying to get information such as crash context whenever a user encounters a situation where the app is killed. I was wondering if the tool MetricKit is available to all users or is this a feature to those who has opted into it. I am aware that the whenever someone gets a new device or in settings, an option will appear that'll have users decide whether or not to have Apple receive data analytics during certain events on their device. Does this have any effect on whether some users may not have MetricKit? Overall, we are attempting to use MetricKit to better analyze performance of our app. It would be inefficient for us, if the population of users using MetricKit is only those who have opted into it. Thanks, dmaliro

I have an iOS app and that has CarPlay enabled. I have Siri capability and the feature has been tested in Car. The voice commands are working perfectly fine. However, I am facing a weird issue as described below, The key NSSiriUsageDescription, is set to custom text in info.plist. After generating archive, I exported and checked the package contents, in which the the key NSSiriUsageDescription was reset to default text(Describe why your app needs Siri access) in the info.plist. I do not have any dynamic build process that's writing to the info.plist. Only the Siri key is being reset, rest of keys like camera/location permissions are intact. Kindly suggest what needs to be done at my end

i unfortunatly upgraded to Sequoia since then I see when: i select XCode ->Product->run i see Error: No route to host i cannot grant access to local network for XCode i can no longer debug my program as i did with Sonora

I have read all the information and forum posts about local network, such as TN3179, etc., and have added NSLocalNetworkUsageDescription, but it does not solve my problem. The problem I encountered is described as follows: Device: iOS18.1.1 Signing method: automatic Xcode debug directly runs, and the app can access 17.25.11.128 normally. However, relase run or packaged into adhoc installation, this IP cannot be accessed. There is a phenomenon that the app package of the App Store can also be used. Our test team has few iOS18+ devices, and internal testing is not possible. Please contact us as soon as possible, thank you. ======= 我已经了解了所有关于local network 相关的资料和论坛帖子，比如TN3179 等等， 已经添加了 NSLocalNetworkUsageDescription， 但是不解决我的问题。 我遇到的问题描述如下： 设备：iOS18.1.1 签名方式：自动 xcode debug 直接运行，app是可以正常访问17.25.11.128的。 但是 relase run 或者 打包成 adhoc 安装，就无法访问这个IP了。 有一个现象， App Store 的app包 也是可以的。 我们的测试团队，iOS18+的设备就没几个，还不能内部测试了。请尽快联系我们，谢谢。

Xcode Version 16.3 (16E140) App developed in Flutter Flutter 3.29.3 Test iPhone device: iPhone 16 Pro running iOS 18.5 I have an app that requires Camera access. This used to work before with iOS 18.4.x. I have dumbed down my app to just get Camera permission. Even then it fails flutter: Camera permission: PermissionStatus.denied flutter: Photos permission: PermissionStatus.denied flutter: Microphone permission: PermissionStatus.denied flutter: --- End Debug Info --- flutter: Loaded translations from asset for en_US container_create_or_lookup_app_group_path_by_app_group_identifier: client is not entitled container_create_or_lookup_app_group_path_by_app_group_identifier: client is not entitled container_create_or_lookup_app_group_path_by_app_group_identifier: client is not entitled container_create_or_lookup_app_group_path_by_app_group_identifier: client is not entitled container_create_or_lookup_app_group_path_by_app_group_identifier: client is not entitled container_create_or_lookup_app_group_path_by_app_group_identifier: client is not entitled flutter: CAMERA PERMISSION STATUS: PermissionStatus.permanentlyDenied Camera permissions don't show up in my App settings or under "Settings -> Privacy and Security -> Camera" and I am at loss to understand why this is happening.

Title: Sporadical - Permissions Not Cleared After App Uninstallation on iOS18 I install and launch my private MAUI App I ask for example Bluetooth permissions (can be any other permission) I tap Allow button on native settings (or Don't Allow) I unistall app from real phone (we can wait for a while) I install and launch My Private MAUI App I ask for example Bluetooth permissions <- here is an issue. Bluetooth is already granted, so I cannot ask for it again. Occurrence: This issue occurs inconsistently: On iOS 18.5: approximately 5 out of 10 times On iOS 17: approximately 1 out of 50 times Tested using my automated system using Appium latest. After each scenario I unistall app using: "mobile: removeApp" with bundleId