Security

Secure the data your app manages and control access to your app using the Security framework.

Posts under Security tag

346 results found
Post not yet marked as solved · 50 Views

Generating key pair in System Keychain

In our macOS application I am trying to generate a key pair in the system keychain using SecKeyCreatePair for legacy reasons, but I keep receiving error -61 (write permission error). What is the best approach to making this work, or is this simply not possible (anymore)? The end user running this application is typically an admin, and we would normally use SFAuthorization to grab sudo for this type of issue. This is not possible using Apple Security framework functions as far as I can see, not even the latest function SecKeyCreateRandomKey.

Asked by pyro_90.
Post not yet marked as solved · 44 Views

SecItemCopyMatching certificate not found

Hi, I'm adding a certificate to the keychain as described here. I add the certificate to the keychain successfully, but when I try to fetch it, it always returns error item not found (25300). I'm running on macOS Big Sur (ver 11.6). Below is the code. What am I missing? Thanks, Tal

    // code that inserts the certificate
    NSDictionary *addquery = @{ (id)kSecValueRef:  (__bridge id)cert,
                                (id)kSecClass:     (id)kSecClassCertificate,
                                (id)kSecAttrLabel: @"ClientCert" };
    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)addquery, nullptr);

    // code that fetches the certificate
    NSDictionary *queryDict = @{ (id)kSecClass:     (id)kSecClassCertificate,
                                 (id)kSecAttrLabel: @"ClientCert",
                                 (id)kSecReturnRef: @YES };
    auto sanityCheck = SecItemCopyMatching((__bridge CFDictionaryRef)queryDict,
                                           (CFTypeRef *)&m_client_cert);

Asked by taloz.
Post not yet marked as solved · 23 Views

How to use aes-256-gcm in objective-c

We used ECB mode before, but now we need to change to the AES-GCM algorithm to encrypt and decrypt messages and verify signatures. I know that there is "/AES/GCM/NoPadding" in Java to achieve GCM. Does Apple provide corresponding function libraries?

Asked by sz-oic.
Post marked as solved · 34 Views

Code Directory Hash from Audit Token

Hi, I was wondering how I could get the code directory hash string of an app given its audit token. I would like to do this in Swift. Thanks.
Post not yet marked as solved · 28 Views

SecKeychainItem Unique Identifier, how to replace SecKeychainItemGetUniqueRecordID

Is there a replacement for "SecKeychainItemGetUniqueRecordID"? I'm getting certificates from two different places and I would like a safe way to confirm whether these two items are referencing the exact same object in the entire keychain. P.S. Why is "Keychain" or "SecKeychainItem" not a tag?

Asked by rowlands.
Post not yet marked as solved · 1.2k Views

SecItemAdd returns errSecAuthFailed

Hello, I'm experiencing a weird issue on the iOS 15 simulator (unfortunately I don't have a device with 15 installed yet). The issue I see is that the call to SecItemAdd returns OSStatus -25293 (errSecAuthFailed). The attributes dictionary passed looks like this:

    var query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrAccount as String: key,
        kSecAttrService as String: service,
        kSecAttrAccessControl as String: getSecAccessControl(),
        kSecUseAuthenticationContext as String: context,
        kSecValueData as String: data
    ]

getSecAccessControl returns a SecAccessControl created like this:

    access = SecAccessControlCreateWithFlags(nil,
                                             kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
                                             .userPresence,
                                             &error)

If I do not add the kSecAttrAccessControl item I don't see any error. The same code works as expected on the simulator with iOS 14. Looking at the documentation didn't help; does anybody have hints about this? Maybe it's a bug I'm not aware of? Thank you in advance.

Asked by AlessioP.
Post not yet marked as solved · 89 Views

Beta Testing a Carnegie Mellon Tool for Privacy Nutrition Labels

I am part of a group of Carnegie Mellon University students working to help iOS developers fill out the app privacy details (privacy nutrition labels), which are required to list an application on the Apple App Store. We have created a software tool that has been designed to assist developers with creating or updating nutrition labels. Our research study involves asking iOS developers to use our tool and provide feedback on it. You will also be compensated in the form of a $15 Amazon gift card.

Participation involves a Zoom interview during which we will: (1) grant you access to our software tool to produce a report on your application's data collection practices, (2) observe you as you use the provided report to fill out the app store questions, and (3) complete a 5-minute survey about your experience. We will not request access to your source code. This study is expected to take 30 minutes. If this is your first time filling out the labels, the study may take longer because we will ask you to fill out the label for your app prior to using our tool.

If you are interested in participating, have an application already listed on the App Store, are over the age of 18, and are located in the U.S., please click the link below that will let you set up your study session.

Study sign up link (via Google Calendar): https://calendar.google.com/calendar/u/0/selfsched?sstoken=UUlYNU4xUndXR2NpfGRlZmF1bHR8OTI3NzA1YmU5MDk4MDRmODA3OWY3MzdlYWJhM2M5ZTY

Asked by gards6.
Post marked as solved · 88 Views

SMJobBless fails when called from an XPC Service.

Hey there, I'm trying to employ the same pattern as demonstrated in the EvenBetterAuthorizationSample: an unsandboxed XPC service calls SMJobBless to install a privileged helper service on behalf of a sandboxed main app (which isn't allowed to call SMJobBless). It then starts an XPC connection to the Mach service hosted by the privileged service, and hands the connection back to the main app, along with the XPC service's connection to the security server (AuthorizationRef). When I try to call SMJobBless from my XPC service, I get these messages:

    info    authd  Process /usr/libexec/smd (PID 28881) evaluates 1 rights with flags 00000003 (engine 629): ( "com.apple.ServiceManagement.blesshelper" )
    error   authd  Fatal: interaction not allowed (session has no ui access) (engine 629)
    default authd  Failed to authorize right 'com.apple.ServiceManagement.blesshelper' by client '/usr/libexec/smd' [28881] for authorization created by '/MyApp.app/Contents/XPCServices/IntermediatorXPCService.xpc' [29325] (3,0) (-60007) (engine 629)
    error   authd  copy_rights: authorization failed

This seems reasonable to me, because I wouldn't expect an XPC service to be capable of running graphics. However, this works just fine in the "App-Sandboxed" app in the EvenBetterAuthorizationSample project. I poked around the available open source code, and found out that this message is logged when the process's audit session doesn't have AU_SESSION_FLAG_HAS_GRAPHIC_ACCESS set.

    if (!(session_get_attributes(auth_token_get_session(engine->auth)) & AU_SESSION_FLAG_HAS_GRAPHIC_ACCESS)) {
        os_log_error(AUTHD_LOG, "Fatal: interaction not allowed (session has no ui access) (engine %lld)", engine->engine_index);
        return errAuthorizationInteractionNotAllowed;
    }

Out of curiosity, I compared the audit session of my XPC service to the one in EBAS using this code:

    #include <assert.h>
    #include <bsm/audit.h>   // getaudit_addr() and the AU_SESSION_FLAG_* constants

    auditinfo_addr_t auditInfo;
    int result = getaudit_addr(&auditInfo, sizeof(auditInfo));
    assert(result == 0);
    if (auditInfo.ai_flags & AU_SESSION_FLAG_IS_INITIAL)        { NSLog(@"AU_SESSION_FLAG_IS_INITIAL"); }
    if (auditInfo.ai_flags & AU_SESSION_FLAG_HAS_GRAPHIC_ACCESS) { NSLog(@"AU_SESSION_FLAG_HAS_GRAPHIC_ACCESS"); }
    if (auditInfo.ai_flags & AU_SESSION_FLAG_HAS_TTY)            { NSLog(@"AU_SESSION_FLAG_HAS_TTY"); }
    if (auditInfo.ai_flags & AU_SESSION_FLAG_IS_REMOTE)          { NSLog(@"AU_SESSION_FLAG_IS_REMOTE"); }
    if (auditInfo.ai_flags & AU_SESSION_FLAG_HAS_CONSOLE_ACCESS) { NSLog(@"AU_SESSION_FLAG_HAS_CONSOLE_ACCESS"); }
    if (auditInfo.ai_flags & AU_SESSION_FLAG_HAS_AUTHENTICATED)  { NSLog(@"AU_SESSION_FLAG_HAS_AUTHENTICATED"); }

Sure enough, I got different results.

EBAS:

    2021-11-20 18:45:52.792512-0500 com.example.apple-samplecode.EBAS.XPCService[25296:592874] result: 0
    2021-11-20 18:45:52.792527-0500 com.example.apple-samplecode.EBAS.XPCService[25296:592874] AU_SESSION_FLAG_HAS_GRAPHIC_ACCESS
    2021-11-20 18:45:52.792539-0500 com.example.apple-samplecode.EBAS.XPCService[25296:592874] AU_SESSION_FLAG_HAS_TTY
    2021-11-20 18:45:52.792549-0500 com.example.apple-samplecode.EBAS.XPCService[25296:592874] AU_SESSION_FLAG_HAS_CONSOLE_ACCESS
    (lldb) p auditInfo
    (auditinfo_addr_t) $0 = {
      ai_auid = 501
      ai_mask = (am_success = 4294967295, am_failure = 4294967295)
      ai_termid = {
        at_port = 50331650
        at_type = 4
        at_addr = ([0] = 0, [1] = 0, [2] = 0, [3] = 0)
      }
      ai_asid = 100019
      ai_flags = 8240
    }

My XPC service:

    2021-11-20 21:33:44.355007-0500 IntermediatorXPCService[29325:698278] result: 0
    (lldb) p auditInfo
    ▿ __C.auditinfo_addr
      - ai_auid: 4294967295
      ▿ ai_mask: __C.au_mask
        - am_success: 4294967295
        - am_failure: 4294967295
      ▿ ai_termid: __C.au_tid_addr
        - at_port: 0
        - at_type: 4
        ▿ at_addr: (4 elements)
          - .0: 0
          - .1: 0
          - .2: 0
          - .3: 0
      - ai_asid: 102293
      - ai_flags: 0

It looks like ai_flags is all 0. Any ideas why that might be? What is making EBAS special? And also, how can AU_SESSION_FLAG_HAS_TTY and AU_SESSION_FLAG_HAS_CONSOLE_ACCESS be false? I'm reading these logs from the console?! (Another curious observation: audit_session_flags is imported into Swift as RawRepresentable, but not as an OptionSet.)
Post marked as solved · 30 Views

SecIdentityCreateWithCertificate return errSecItemNotFound

I created a public/private key pair with SecKeyCreateRandomKey. I then use openssl to create a CSR and a client certificate using the private key. The private key and certificate exist together in the keychain. I then query for the certificate with SecItemCopyMatching and use that certificate to create the identity:

    SecIdentityCreateWithCertificate(nullptr, client_cert, &identity)

I get an error result of errSecItemNotFound. Any idea what is wrong here? I'm running on macOS version 11.6. Thanks, Tal

Asked by taloz.
Post marked as solved · 1.5k Views

Register Token Extension with SecurityAgent

https://developer.apple.com/documentation/cryptotokenkit/authenticating_users_with_a_cryptographic_token states that a token extension needs to be registered by executing its hosting app as the _securityagent user. This unfortunately does not work for me: launching my hosting app as described in the documentation does not register the token extension. Also, I get the following output from the hosting app when executed as _securityagent:

    *Forcing* IMK Distributed Objects (not XPC) in App = myHostingApp, euid=92

Launching my hosting app as the current, "normal" user causes the token extension to be registered just fine, and except for smart card logon every functionality you would expect from a token (pairing with user, unlocking system keychain etc.) is available and functional. Did somebody else encounter this issue as well?

Asked by julianmz.
Post not yet marked as solved · 432 Views

iOS App Contains Developer Path Information

Hi All,
Xcode: Version 12.2 (12B45b)
Language: Swift Version 5.0
Development: iOS app

How to fix developer workspace path information that gets appended into our IPA file.

Issue: The following information is displayed when you run "strings yourappname | grep Users", for specific files only.

    /Users/XXXXXXXXX/Documents/workspace/iOS/

Steps to reproduce:
1) Archive your application using Xcode
2) Go to the Archive file and Show Package Contents
3) Go to Products - Application folder
4) Click on your application and Show Package Contents
5) Open your terminal and navigate to the folder from above
6) Run the following cmd: strings yourappname | grep Users

Note: Only some of the file paths are showing up with local workspace information when we run strings yourappname | grep Users. I would appreciate it if anyone came across this issue and has a solution.

Asked by kamal_21.
Post not yet marked as solved · 44 Views

MailKit API Documentation

Does anyone have documentation on the usage of the forMessageContext and messageContext parameters and of the methods below? This is undocumented while public, making it an unusable API.

    func extensionViewController(messageContext: Data) -> MEExtensionViewController?
    func primaryActionClicked(forMessageContext context: Data) async -> MEExtensionViewController?

The APIs are located here but lack any kind of proper documentation and examples: https://developer.apple.com/documentation/mailkit/memessagesecurityhandler/3882908-extensionviewcontroller

Asked by MobileTen.
Post not yet marked as solved · 302 Views

The user authentication logs in BSM shows wrong subject

I have logged in as an Active Directory domain user. When I lock the Mac and unlock with Touch ID, the following event is logged.

    <subject audit-uid="-1" uid="root" gid="wheel" ruid="root" rgid="wheel" pid="318" sid="100000" tid="0 0.0.0.0" />
    <text>Touch ID authentication</text>
    <return errval="success" retval="0" />
    <identity signer-type="1" signing-id="com.apple.biometrickitd" signing-id-truncated="no" team-id="" team-id-truncated="no" cdhash="0x8b061a4cd6a37b9228d5b894cc269aaa32ef8051" />
    </record>

This logs the subject as root rather than as the domain user through which I have logged in. This is not the case when I use password login.
Post not yet marked as solved · 6.9k Views

Warning: unable to build chain to self-signed root for signer "Apple Development:

    /usr/bin/codesign --force --sign 0CC6....97 --entitlements /Users/<home>/Library/Developer/Xcode/DerivedData/testcodesignin01-goacjvxyeavzuvdynuqnejjbaqjo/Build/Intermediates.noindex/testcodesignin01.build/Debug-iphoneos/testcodesignin01.build/testcodesignin01.app.xcent --timestamp=none /Users/<home>/Library/Developer/Xcode/DerivedData/testcodesignin01-goacjvxyeavzuvdynuqnejjbaqjo/Build/Products/Debug-iphoneos/testcodesignin01.app
    Warning: unable to build chain to self-signed root for signer "Apple Development: <myappacountemail> (myaccountid)"
    /Users/<home>/Library/Developer/Xcode/DerivedData/testcodesignin01-goacjvxyeavzuvdynuqnejjbaqjo/Build/Products/Debug-iphoneos/testcodesignin01.app: errSecInternalComponent
Post not yet marked as solved · 50 Views

Force AutoFill Save Password dialog programmatically

I set up Password AutoFill in my iOS 14 app. The app uses multiple tabs. Associated Domains are also set up. All works as expected. I have a Test button below the user/password TextFields, which the user can press to test the just-entered credentials. Now, the Save Password dialog shows only when I change to another tab. Is there any possibility to programmatically force the Save Password dialog to appear on the same tab where the user/password TextFields are located? I would like to present it to the user right after the Test button is pressed and the credentials are verified to be correct.

Asked by geohei.