I'm using this library for encoding / decoding RSA keys. https://github.com/Kitura/BlueRSA It's worked fine up until macOS sequoia. The issue I'm having is the tests pass when in Debug mode, but the moment I switch to Release mode, the library no longer works. I ruled this down the swift optimization level. If I change the Release mode to no optimization, the library works again. Wondering where in the code this could be an issue? How would optimization break the functionality?

I am getting issue on my application that my device is jailbroken security message I updated my device 18.2 what the solution

Hi there, I have a Multiplatform app with just one app target with an iPhone, iPad and Мас Destination. On the Mac my app is a developer singed App that is being distributed outside of the Mac App Store. I want to use App Groups, but as long as there are multiple destinations, Xcode only allows Group Identifiers starting with group.. However, for macOS I need to have a group ID that starts with the TeamID as explained here. So I created two separate entitlements, which are identical, but with different group IDs: With Automatic Code Signing enabled, I get this warning: Xcode still seems thinks it has to use the macOS Group ID for the iOS version. In the App Groups section, the mac Group ID is red and the iOS Group ID is not checked. The app builds and runs without issues on all platforms. The App Store Connect validation (for the iOS version) also works without any errors. Am I doing something wrong? Do I need a separate Mac target because Xcode does not support separate Group IDs for Multiplatform apps?

Hello , I have obtained three strings from the server: ca (the root certificate), cert (the client certificate), and privateKey (the private key) for authentication between the iOS client and server. I have successfully used ca for server authentication. However, I am having trouble generating an NSURLCredential from the cert and privateKey strings for client authentication. Can anyone guide me on how to convert these strings into an NSURLCredential? Any example code would be greatly appreciated! Thank you for your help!

Since this file is protected by SIP, it can't just be changed by an installer/app without prompting the user. If the user chooses to deny the request, the sudo file won't be updated with a security critical pam module. I need to insert our custom pam module into /etc/pam.d/sudo without the user being able to deny the operation.

I generate a keys using : let attributes: NSDictionary = [ kSecAttrLabel: label, kSecUseKeychain: getSystemKeychain()!, kSecAttrKeyType: kSecAttrKeyTypeEC, kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom, kSecAttrKeySizeInBits: 256, kSecPrivateKeyAttrs: [ kSecAttrIsPermanent: true, kSecAttrApplicationTag: tag, ] as [CFString : Any] ] var error: Unmanaged<CFError>? // Generate a new private key guard let privateKey = SecKeyCreateRandomKey(attributes, &error) else { logger.error("failed to create a keypair \(String(describing: error))") return (nil, nil) } I keep getting this error : failed to create a keypair Optional(Swift.Unmanaged<__C.CFErrorRef>(_value: Error Domain=NSOSStatusErrorDomain Code=-2070 "internal error" (internalComponentErr) UserInfo={numberOfErrorsDeep=0, NSDescription=internal error})) The above code works absolutely fine on macOS Sonoma and older OS. This looks like a regression in the Apple API SecKeyCreateRandomKey(). What is a good workaround for this ?

Hi, I have recently encountered an app with some odd behaviour and wanted to clarify some details about the way sandboxing works with iOS apps installed on a Mac. I am unsure whether this is due to a misunderstanding of system behaviour or whether this is a bug. The app was installed from the Mac App Store, designed for iPad. The developer of the app informed me that in lieu of a sign-in process, the app tries to persistently store a UUID of the user on the device so that when the app is deleted and reinstalled, the user is automatically logged in again. The developer says that two mechanisms are being used: 1) NSUserDefaults (via Flutter shared prefs) and 2) identifierForVendor. In the case of 1), my understanding is that these are managed by cfprefsd. Using the 'defaults domain' command, the domain of the app appears. However, there are no keys or values stored. Using the 'defaults write' and 'defaults read' and 'defaults delete' commands on that bundle identifier works as expected, but since it starts out empty, it cannot be read or deleted. Furthermore, the app's data is supposed to be sandboxed in /Library/Containers. When the app is uninstalled from Launchpad, I have confirmed that the folder is missing. When reinstalled, the app's settings and data are missing, but crucially, the cloud identifier is still persistent and is evident after 'setup'. In the case of 2), the developer documentation states that identifierForVendor changes when all apps from a developer have been removed from a device. The app in question is the only app that was installed from this developer, so logically this identifier should have changed when the app was deleted and reinstalled. I have confirmed that iCloud drive is not being used to store this data as there is no data in iCloud for this app. In any case, when the app is uninstalled and reinstalled, the app automatically logs the user into the "account" it was previously logged into, along with all of that user's data in the cloud. I have a sense that this type of persistent identifier tracking is what sandboxing was meant to address, but I am unsure why I have been unable to remove the UUID tag from my system. Any insight would be greatly appreciated!

We currently are using private web security certificates for our URLs. Our users download, install, and enable a Root Certificate on their devices to reach our website (trusted). The web security certificates have expirations that are less than 13 months from expiration. Since the deployment of iOS 18, our users are now getting a "This Connection is not Private" warning in the web browser on both Mac and iOS devices. What change was implemented in iOS 18 that is causing this issue? Other than changing our web security certificates to Public ones, what solutions should be implemented to prevent this from occurring?

I have implemented SSL pinning by following this article https://developer.apple.com/news/?id=g9ejcf8y , however pen testing team was able to bypass SSL pinning using Objection & Frida tools. I am using URLSession for API calls. I used Xcode 16. My app's minimum iOS deployment version is 16 onwards. <key>NSAppTransportSecurity</key> <dict> <key>NSPinnedDomains</key> <dict> <key>*.mydomain.com</key> <dict> <key>NSIncludesSubdomains</key> <true/> <key>NSPinnedCAIdentities</key> <array> <dict> <key>SPKI-SHA256-BASE64</key> <string>my SHA256 key</string> </dict> </array> </dict> </dict> </dict> Could anyone suggest how to mitigate this bypass mechanism?

Wake up this morning and see this very concerning sticky message in Notification Center: bash was prevented from modifying apps It didn't say what parent program called `bash' so I clicked on the N.C. message to see if there was more information and it just disappeared (as if I had chosen to click on the X to clear the message-I wish I had taken a screenshot first). I have already sent in a request to Apple for them to give more detailed information on events like this. If there is an existing threat on a device it needs to be removed. The only thing that I know of that happened overnight was a SPAM email from "Norton Antivirus" came into my Gmail Inbox that wasn't filtered as SPAM and macOS announced it in Notification Center. I don't see anything funny in the RAW data of the email - and reported it to spamcop. Is it possible that a malicious email could contain html code that runs when it's announced via macOS Notification Center?

Option 1: Kurz und prägnant "Hilfe in jeder Situation! Unsere App alarmiert schnell und unkompliziert die Rettungskräfte. Egal wo du bist, wir helfen dir in Notfällen." Option 2: Detaillierter "Schnelle Hilfe für alle! Mit unserer App hast du rund um die Uhr einen zuverlässigen Helfer an deiner Seite. Ob du selbst in Not bist oder Zeugen eines Unfalls werden – mit nur einem Klick alarmierst du die Rettungskräfte und erhältst wichtige Informationen. Funktioniert für iOS und Android." Option 3: Fokus auf die Zielgruppe "Alle" "Für jeden ein Lebensretter! Egal, ob jung oder alt, sportlich oder weniger beweglich – unsere App ist für alle gedacht, die in einer Notlage schnell Hilfe benötigen. Einfach, intuitiv und immer für dich da." Option 4: Betonung der Notfallfunktion "Dein persönlicher Notfallhelfer! In kritischen Situationen zählt jede Sekunde. Unsere App sorgt dafür, dass die Rettungskräfte schnellstmöglich bei dir sind. Perfekt für unterwegs, zu Hause oder am Arbeitsplatz." Option 5: Hervorhebung der Plattformunabhängigkeit "Hilfe ohne Grenzen! Unsere App ist für iOS und Android Geräte verfügbar und sorgt dafür, dass du immer und überall Hilfe bekommst. Egal, welches Smartphone du hast, wir sind für dich da." Möchtest du, dass ich einen Text entwerfe, der alle deine Punkte vereint? Oder hast du weitere Wünsche oder Vorstellungen?

Hi, our IOS App will use the OpenSSL library for a secure websocket communication with network devices. As far as i have understood we need to provide "Export compliance documentation" because we are using "standard encryption algorithm instead of, or in addition to, using or accessing the encryption within Apple's OS". But the documentation here does not indicate that we need to provide anything. Independently of that, the App needs to include a Privacy Manifest, right ? How does that look like ? Thanks in advance

I am building a NEPacketTunnelProvider, and in its configuration I set a SecIdentity persistent reference. That reference is passed to the tunnel provider but when I try to use it there, I get an errSecInteractionNotAllowed error. The private key for that identity is protected by .userPresence. If I remove the protection, the network extension can access the identity and the private key. Is there any way that a VPN network extension can use a keychain item protected by .userPresence?

Hi, team. So, I'm working on reading certificates from the keychain that have been stored or saved by other apps into it. I understand that kSecAttrAccessGroupToken allows us to achieve that. It is a requirement to use com.apple.token group in the entitlements file. Having done that, I cannot store SecSertificates into the keychain, and into the security group. I can do it without the security group, but after adding in the dictionary the kSecAttrAccessGroup: kSecAttrAccessGroupToken, I can no longer add certificates. I get the famous -34018. No entitlement found. However, when I try to read certificates in the same access group, I do not get a -34018 error back. I instead get a -25300, which I understand means no keychain item was found in this access group. How can this be happening? Reading, the entitlement works, writing does not. Here are my queries: For adding: let addQuery = [ kSecClass: kSecClassCertificate, kSecValueRef: secCertificate as Any, kSecAttrLabel: certificateName, kSecAttrAccessGroup: kSecAttrAccessGroupToken ] as [CFString: Any] let status = SecItemAdd(addQuery as CFDictionary, nil) For reading: var item: CFTypeRef? let query = [ kSecClass: kSecClassCertificate, kSecMatchLimit: kSecMatchLimitAll, kSecReturnRef: kCFBooleanTrue as Any, kSecAttrAccessGroup: kSecAttrAccessGroupToken ] as [CFString: Any] let status = SecItemCopyMatching(query as CFDictionary, &item)

I have read that iOS data protection ensures most of the files to be stored encrypted. However, I saw someone insisting (elcomsoft blog) very few files are not encrypted. Are app’s cache files or tmp files not stored encrypted? For example, are safari history.db file and cache files stored in the flash encrypted?

Hello! My company makes use of SSL interception for its managed laptops (for various information security reasons). We've yet to find a good solution to avoid SSL cert errors in the Xcode Preview app. We've successfully installed/trusted our certs in the Xcode Simulator, but can't find any information on how to do the equivalent for the Xcode Preview. The inability to make use of the Preview App profoundly impacts productivity. It appears the Xcode Preview doesn't share the same certificate store as the Simulator, nor does it make use of the Mac's system keychain (where the certificates are also installed and trusted). If there’s anyone you can think of who might know a way around this issue it would be greatly appreciated. Many thanks!

Hello. I’m running the 18.3 beta on an 15 pro and have noticed the green camera indicator light turns on when I switch apps. I also am unable to use my flashlight until it turns off (usually a second or two). I’ve checked my privacy and access settings and nothing looks out of the norm. I’ve also closed all rubbing apps, but the issue continues.

I'm trying to set up a configuration profile on a supervised device for a kid's phone. I want to force a VPN 100% of the time except for local network activity and some specific domains. Or at the very least, have a few apps go outside the tunnel. Apple makes this IMPOSSIBLE even though according to the documentation it should be possible. The IKEv2 vpntype has a key "OnDemandUserOverrideDisabled" which is supposed to prevent a user from toggling off the vpn, which obviously defeats the purpose of having it. However, as other users have posted, this DOES NOT WORK. So anyone can just turn off the vpn and be connected to the internet unprotected. On the "AlwaysOn" vpntype, the element "ApplicationExceptions" which would allow you to list a few applications that can go outside the tunnel DOES NOT WORK. This is critical because so many domains automatically block vpn servers and it's a huge pain. Also local network activity also gets blocked, which makes it impossible to connect to local devices. And there's no split tunneling possible with this vpntype. So basically, it's impossible. I WOULDN'T BE SURPRISED IF APPLE DID THIS INTENTIONALLY TO KEEP KIDS ADDICTED AND IN DANGER SO THEY USE THE PHONE MORE.