Hi, A certificate imported on macOS 15 using the security command with the "non-exportable" option was imported in an exportable state. I would like to know how to change this certificate to be non-exportable. Regards, CTJ

We are implementing a connection between iPad and iPhone devices using LocalPushConnectivity, and have introduced SimplePushProvider into the project. We will have it switch between roles of Server and Client within a single project. ※ iPad will be Server and the iPhone will be Client. Communication between Server and Client is via TLS, with Server reading p12 file and Client setting public key. Currently, a TLS error code of "-9836" (invalid protocol version) is occurring when communicating from Client's SimplePushProvider to Server. I believe that Client is sending TLS1.3, and Server is set to accept TLS1.2 to 1.3. Therefore, I believe that the actual error is not due to TLS protocol version, but is an error that is related to security policy or TLS communication setting. Example: P12 file does not meet some requirement NWProtocolTLS.Options setting is insufficient etc... I'm not sure what the problem is, so please help. For reference, I will attach you implementation of TLS communication settings. P12 file is self-signed and was created by exporting it from Keychain Access. Test environment: iPad (OS: 16.6) iPhone (OS: 18.3.2) ConnectionOptions: TLS communication settings public enum ConnectionOptions { public enum TCP { public static var options: NWProtocolTCP.Options { let options = NWProtocolTCP.Options() options.noDelay = true options.enableFastOpen return options } } public enum TLS { public enum Error: Swift.Error { case invalidP12 case unableToExtractIdentity case unknown } public class Server { public let p12: URL public let passphrase: String public init(p12 url: URL, passphrase: String) { self.p12 = url self.passphrase = passphrase } public var options: NWProtocolTLS.Options? { guard let data = try? Data(contentsOf: p12) else { return nil } let pkcs12Options = [kSecImportExportPassphrase: passphrase] var importItems: CFArray? let status = SecPKCS12Import(data as CFData, pkcs12Options as CFDictionary, &importItems) guard status == errSecSuccess, let items = importItems as? [[String: Any]], let importItemIdentity = items.first?[kSecImportItemIdentity as String], let identity = sec_identity_create(importItemIdentity as! SecIdentity) else { return nil } let options = NWProtocolTLS.Options() sec_protocol_options_set_min_tls_protocol_version(options.securityProtocolOptions, .TLSv12) sec_protocol_options_set_max_tls_protocol_version(options.securityProtocolOptions, .TLSv13) sec_protocol_options_set_local_identity(options.securityProtocolOptions, identity) sec_protocol_options_append_tls_ciphersuite(options.securityProtocolOptions, tls_ciphersuite_t.RSA_WITH_AES_128_GCM_SHA256) return options } } public class Client { public let publicKeyHash: String private let dispatchQueue = DispatchQueue(label: "ConnectionParameters.TLS.Client.dispatchQueue") public init(publicKeyHash: String) { self.publicKeyHash = publicKeyHash } // Attempt to verify the pinned certificate. public var options: NWProtocolTLS.Options { let options = NWProtocolTLS.Options() sec_protocol_options_set_min_tls_protocol_version(options.securityProtocolOptions, .TLSv12) sec_protocol_options_set_max_tls_protocol_version(options.securityProtocolOptions, .TLSv13) sec_protocol_options_set_verify_block( options.securityProtocolOptions, verifyClosure, dispatchQueue ) return options } private func verifyClosure( secProtocolMetadata: sec_protocol_metadata_t, secTrust: sec_trust_t, secProtocolVerifyComplete: @escaping sec_protocol_verify_complete_t ) { let trust = sec_trust_copy_ref(secTrust).takeRetainedValue() guard let serverPublicKeyData = publicKey(from: trust) else { secProtocolVerifyComplete(false) return } let keyHash = cryptoKitSHA256(data: serverPublicKeyData) guard keyHash == publicKeyHash else { // Presented certificate doesn't match. secProtocolVerifyComplete(false) return } // Presented certificate matches the pinned cert. secProtocolVerifyComplete(true) } private func cryptoKitSHA256(data: Data) -> String { let rsa2048Asn1Header: [UInt8] = [ 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00 ] let data = Data(rsa2048Asn1Header) + data let hash = SHA256.hash(data: data) return Data(hash).base64EncodedString() } private func publicKey(from trust: SecTrust) -> Data? { guard let certificateChain = SecTrustCopyCertificateChain(trust) as? [SecCertificate], let serverCertificate = certificateChain.first else { return nil } let publicKey = SecCertificateCopyKey(serverCertificate) return SecKeyCopyExternalRepresentation(publicKey!, nil)! as Data } } } }

Hello there, Starting from iOS 18.4, support was included for QWAC Validation and QCStatements. Using the official QWAC Validator at: https://eidas.ec.europa.eu/efda/qwac-validation-tool I was able to check that the domain "eidas.ec.europa.eu" has a valid QWAC certificate. However, when trying to obtain the same result using the new API, I do not obtain the same result. Here is my sample playground code: import Foundation import Security import PlaygroundSupport PlaygroundPage.current.needsIndefiniteExecution = true @MainActor class CertificateFetcher: NSObject, URLSessionDelegate { private let url: URL init(url: URL) { self.url = url super.init() } func start() { let session = URLSession(configuration: .ephemeral, delegate: self, delegateQueue: nil) let task = session.dataTask(with: url) { data, response, error in if let error = error { print("Error during request: \(error)") } else { print("Request completed.") } } task.resume() } nonisolated func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) { guard let trust = challenge.protectionSpace.serverTrust else { completionHandler(.cancelAuthenticationChallenge, nil) return } if let certificates = SecTrustCopyCertificateChain(trust) as? [SecCertificate] { self.checkQWAC(certificates: certificates) } let credential = URLCredential(trust: trust) completionHandler(.useCredential, credential) } nonisolated func checkQWAC(certificates: [SecCertificate]) { let policy = SecPolicyCreateSSL(true, nil) var trust: SecTrust? guard SecTrustCreateWithCertificates(certificates as CFArray, policy, &trust) == noErr, let trust else { print("Unable to create SecTrust") return } var error: CFError? guard SecTrustEvaluateWithError(trust, &error) else { print("Trust evaluation failed") return } guard let result = SecTrustCopyResult(trust) as? [String : Any] else { print("No result dictionary") return } let qwacStatus = result[kSecTrustQWACValidation as String] let qcStatements = result[kSecTrustQCStatements as String] print("QWAC Status: \(String(describing: qwacStatus))") print("QC Statements: \(String(describing: qcStatements))") } } let url = URL(string: "https://eidas.ec.europa.eu/")! let fetcher = CertificateFetcher(url: url) fetcher.start() Which prints: QWAC Status: nil QC Statements: nil Request completed. Am I making a mistake while using the Security framework? I would greatly appreciate any help or guidance you can provide.

Hello, I've noticed some unexpected behavior when updating a user's FileVault password. The set up: All actions are performed in virtualized macOS 14 and 15.5 guests on a 15.5 Apple Silicon host. FileVault is enabled. sjsp is a standard user with a Secure Token. The Mac is bound to AD, and the domain is reachable. Reproduction: systemctl -secureTokenStatus sjsp shows it's ENABLED. fdesetup remove -user sjsp fdesetup add -usertoadd sjsp systemctl -secureTokenStatus sjsp shows it's DISABLED. Surprisingly, sjsp is still able to unlock FileVault. Looking at unified logs for opendirectoryd and fdesetup, I see that a password change is being attempted in response to fdesetup add, which is unexpected. default 13:34:41.320883+0100 opendirectoryd Changing password for <private> (E5CC46D7-0C1F-4009-8421-9AA8217CB784) info 13:34:41.321317+0100 opendirectoryd No unlock record exists for E5CC46D7-0C1F-4009-8421-9AA8217CB784 info 13:34:41.321331+0100 opendirectoryd <private> (E5CC46D7-0C1F-4009-8421-9AA8217CB784) is not a SecureToken user: no unlock record default 13:34:41.321341+0100 opendirectoryd Changing password for <private> (E5CC46D7-0C1F-4009-8421-9AA8217CB784): user <private> SecureToken, only new password provided, credential <private> default 13:34:41.321454+0100 opendirectoryd Changing password for <private> (E5CC46D7-0C1F-4009-8421-9AA8217CB784) with no existing unlock record info 13:34:41.321857+0100 opendirectoryd No unlock record exists for E5CC46D7-0C1F-4009-8421-9AA8217CB784 default 13:34:41.321873+0100 opendirectoryd Record <private> (E5CC46D7-0C1F-4009-8421-9AA8217CB784) is eligible for SecureToken default 13:34:41.322637+0100 fdesetup DMAPFS cryptoUserForMacOSUserForVolume DMErr=-69594 retErr=-69594 outAPFSCryptoUser=(null) default 13:34:41.322699+0100 opendirectoryd While changing password for <private> (E5CC46D7-0C1F-4009-8421-9AA8217CB784): Not adding SecureToken; other unlock records exist, but no existing unlock record provided If I disconnect the network and follow the reproduction steps then the Secure Token is retained. Reconnecting and waiting a while doesn't cause the Secure Token to be lost. There are no log entries about attempting to change the password. Any help or explanation would be appreciated, thanks in advance.

I regularly help developers with keychain problems, both here on DevForums and for my Day Job™ in DTS. Many of these problems are caused by a fundamental misunderstanding of how the keychain works. This post is my attempt to explain that. I wrote it primarily so that Future Quinn™ can direct folks here rather than explain everything from scratch (-: If you have questions or comments about any of this, put them in a new thread and apply the Security tag so that I see it. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" SecItem: Fundamentals or How I Learned to Stop Worrying and Love the SecItem API The SecItem API seems very simple. After all, it only has four function calls, how hard can it be? In reality, things are not that easy. Various factors contribute to making this API much trickier than it might seem at first glance. This post explains the fundamental underpinnings of the keychain. For information about specific issues, see its companion post, SecItem: Pitfalls and Best Practices. Keychain Documentation Your basic starting point should be Keychain Items. If your code runs on the Mac, also read TN3137 On Mac keychain APIs and implementations. Read the doc comments in <Security/SecItem.h>. In many cases those doc comments contain critical tidbits. When you read keychain documentation [1] and doc comments, keep in mind that statements specific to iOS typically apply to iPadOS, tvOS, and watchOS as well (r. 102786959). Also, they typically apply to macOS when you target the data protection keychain. Conversely, statements specific to macOS may not apply when you target the data protection keychain. [1] Except TN3137, which is very clear about this (-: Caveat Mac Developer macOS supports two different keychain implementations: the original file-based keychain and the iOS-style data protection keychain. IMPORTANT If you’re able to use the data protection keychain, do so. It’ll make your life easier. See the Careful With that Shim, Mac Developer section of SecItem: Pitfalls and Best Practices for more about this. TN3137 On Mac keychain APIs and implementations explains this distinction. It also says: The file-based keychain is on the road to deprecation. This is talking about the implementation, not any specific API. The SecItem API can’t be deprecated because it works with both the data protection keychain and the file-based keychain. However, Apple has deprecated many APIs that are specific to the file-based keychain, for example, SecKeychainCreate. TN3137 also notes that some programs, like launchd daemons, can’t use the file-based keychain. If you’re working on such a program then you don’t have to worry about the deprecation of these file-based keychain APIs. You’re already stuck with the file-based keychain implementation, so using a deprecated file-based keychain API doesn’t make things worse. The Four Freedoms^H^H^H^H^H^H^H^H Functions The SecItem API contains just four functions: SecItemAdd(_:_:) SecItemCopyMatching(_:_:) SecItemUpdate(_:_:) SecItemDelete(_:) These directly map to standard SQL database operations: SecItemAdd(_:_:) maps to INSERT. SecItemCopyMatching(_:_:) maps to SELECT. SecItemUpdate(_:_:) maps to UPDATE. SecItemDelete(_:) maps to DELETE. You can think of each keychain item class (generic password, certificate, and so on) as a separate SQL table within the database. The rows of that table are the individual keychain items for that class and the columns are the attributes of those items. Note Except for the digital identity class, kSecClassIdentity, where the values are split across the certificate and key tables. See Digital Identities Aren’t Real in SecItem: Pitfalls and Best Practices. This is not an accident. The data protection keychain is actually implemented as an SQLite database. If you’re curious about its structure, examine it on the Mac by pointing your favourite SQLite inspection tool — for example, the sqlite3 command-line tool — at the keychain database in ~/Library/Keychains/UUU/keychain-2.db, where UUU is a UUID. WARNING Do not depend on the location and structure of this file. These have changed in the past and are likely to change again in the future. If you embed knowledge of them into a shipping product, it’s likely that your product will have binary compatibility problems at some point in the future. The only reason I’m mentioning them here is because I find it helpful to poke around in the file to get a better understanding of how the API works. For information about which attributes are supported by each keychain item class — that is, what columns are in each table — see the Note box at the top of Item Attribute Keys and Values. Alternatively, look at the Attribute Key Constants doc comment in <Security/SecItem.h>. Uniqueness A critical part of the keychain model is uniqueness. How does the keychain determine if item A is the same as item B? It turns out that this is class dependent. For each keychain item class there is a set of attributes that form the uniqueness constraint for items of that class. That is, if you try to add item A where all of its attributes are the same as item B, the add fails with errSecDuplicateItem. For more information, see the errSecDuplicateItem page. It has lists of attributes that make up this uniqueness constraint, one for each class. These uniqueness constraints are a major source of confusion, as discussed in the Queries and the Uniqueness Constraints section of SecItem: Pitfalls and Best Practices. Parameter Blocks Understanding The SecItem API is a classic ‘parameter block’ API. All of its inputs are dictionaries, and you have to know which properties to set in each dictionary to achieve your desired result. Likewise for when you read properties in output dictionaries. There are five different property groups: The item class property, kSecClass, determines the class of item you’re operating on: kSecClassGenericPassword, kSecClassCertificate, and so on. The item attribute properties, like kSecAttrAccessGroup, map directly to keychain item attributes. The search properties, like kSecMatchLimit, control how the system runs a query. The return type properties, like kSecReturnAttributes, determine what values the query returns. The value type properties, like kSecValueRef perform multiple duties, as explained below. There are other properties that perform a variety of specific functions. For example, kSecUseDataProtectionKeychain tells macOS to use the data protection keychain instead of the file-based keychain. These properties are hard to describe in general; for the details, see the documentation for each such property. Inputs Each of the four SecItem functions take dictionary input parameters of the same type, CFDictionary, but these dictionaries are not the same. Different dictionaries support different property groups: The first parameter of SecItemAdd(_:_:) is an add dictionary. It supports all property groups except the search properties. The first parameter of SecItemCopyMatching(_:_:) is a query and return dictionary. It supports all property groups. The first parameter of SecItemUpdate(_:_:) is a pure query dictionary. It supports all property groups except the return type properties. Likewise for the only parameter of SecItemDelete(_:). The second parameter of SecItemUpdate(_:_:) is an update dictionary. It supports the item attribute and value type property groups. Outputs Two of the SecItem functions, SecItemAdd(_:_:) and SecItemCopyMatching(_:_:), return values. These output parameters are of type CFTypeRef because the type of value you get back depends on the return type properties you supply in the input dictionary: If you supply a single return type property, except kSecReturnAttributes, you get back a value appropriate for that return type. If you supply multiple return type properties or kSecReturnAttributes, you get back a dictionary. This supports the item attribute and value type property groups. To get a non-attribute value from this dictionary, use the value type property that corresponds to its return type property. For example, if you set kSecReturnPersistentRef in the input dictionary, use kSecValuePersistentRef to get the persistent reference from the output dictionary. In the single item case, the type of value you get back depends on the return type property and the keychain item class: For kSecReturnData you get back the keychain item’s data. This makes most sense for password items, where the data holds the password. It also works for certificate items, where you get back the DER-encoded certificate. Using this for key items is kinda sketchy. If you want to export a key, called SecKeyCopyExternalRepresentation. Using this for digital identity items is nonsensical. For kSecReturnRef you get back an object reference. This only works for keychain item classes that have an object representation, namely certificates, keys, and digital identities. You get back a SecCertificate, a SecKey, or a SecIdentity, respectively. For kSecReturnPersistentRef you get back a data value that holds the persistent reference. Value Type Subtleties There are three properties in the value type property group: kSecValueData kSecValueRef kSecValuePersistentRef Their semantics vary based on the dictionary type. For kSecValueData: In an add dictionary, this is the value of the item to add. For example, when adding a generic password item (kSecClassGenericPassword), the value of this key is a Data value containing the password. This is not supported in a query dictionary. In an update dictionary, this is the new value for the item. For kSecValueRef: In add and query dictionaries, the system infers the class property and attribute properties from the supplied object. For example, if you supply a certificate object (SecCertificate, created using SecCertificateCreateWithData), the system will infer a kSecClass value of kSecClassCertificate and various attribute values, like kSecAttrSerialNumber, from that certificate object. This is not supported in an update dictionary. For kSecValuePersistentRef: For query dictionaries, this uniquely identifies the item to operate on. This is not supported in add and update dictionaries. Revision History 2025-05-28 Expanded the Caveat Mac Developer section to cover some subtleties associated with the deprecation of the file-based keychain. 2023-09-12 Fixed various bugs in the revision history. Added a paragraph explaining how to determine which attributes are supported by each keychain item class. 2023-02-22 Made minor editorial changes. 2023-01-28 First posted.

Hello everyone, I'm trying to figure out how to transmit a UIImage (png or tiff) securely to an application running in my desktop browser (Mac or PC). The desktop application and iOS app would potentially be running on the same local network (iOS hotspot or something) or have no internet connection at all. I'm trying to securely send over an image that the running desktop app could ingest. I was thinking something like a local server securely accepting image data from an iPhone. Any suggestions ideas or where to look for more info would be greatly appreciated! Thank you for your help.

I am working on a SDK which helps identify the device authenticity. I am in need of something which can confirm the firmware/Hardware/OS is signed by Apple and is authentic. There will be no tempering to device?

I work for Brave, a browser with ~80M users. We want to introduce a new system for automatic updates called Omaha 4 (O4). It's the same system that powers automatic updates in Chrome. O4 runs as a separate application on users' systems. For Chrome, this works as follows: An app called GoogleUpdater.app regularly checks for updates in the background. When a new version is found, then GoogleUpdater.app installs it into Chrome's installation directory /Applications/Google Chrome.app. But consider what this means: A separate application, GoogleUpdater.app, is able to modify Google Chrome.app. This is especially surprising because, for example, the built-in Terminal.app is not able to modify Google Chrome.app. Here's how you can check this for yourself: (Re-)install Chrome with its DMG installer. Run the following command in Terminal: mkdir /Applications/Google\ Chrome.app/test. This works. Undo the command: rm -rf /Applications/Google\ Chrome.app/test Start Chrome and close it again. mkdir /Applications/Google\ Chrome.app/test now fails with "Operation not permitted". (These steps assume that Terminal does not have Full Disk Access and System Integrity Protection is enabled.) In other words, once Chrome was started at least once, another application (Terminal in this case) is no longer allowed to modify it. But at the same time, GoogleUpdater.app is able to modify Chrome. It regularly applies updates to the browser. For each update, this process begins with an mkdir call similarly to the one shown above. How is this possible? What is it in macOS that lets GoogleUpdater.app modify Chrome, but not another app such as Terminal? Note that Terminal is not sandboxed. I've checked that it's not related to codesigning or notarization issues. In our case, the main application (Brave) and the updater (BraveUpdater) are signed and notarized with the same certificate and have equivalent requirements, entitlements and provisioning profiles as Chrome and GoogleUpdater. The error that shows up in the Console for the disallowed mkdir call is: kernel (Sandbox) System Policy: mkdir(8917) deny(1) file-write-create /Applications/Google Chrome.app/foo (It's a similar error when BraveUpdater tries to install a new version into /Applications/Brave Browser.app.) The error goes away when I disable System Integrity Protection. But of course, we cannot ask users to do that. Any help would be greatly appreciated.

We are encountering a download issue in Safari 18.2 on macOS Sequoia 15.2 where file downloads initiated by our AngularJS application (such as Excel exports) are silently blocked. There are no errors in the browser console, and the download does not occur. Interestingly, after testing on Safari 18.3 with Sequoia 15.3, the downloads worked as expected. However, the problem reappeared on Safari 18.4 with Sequoia 15.4. We suspect that recent changes in Safari’s security or download handling may be preventing downloads triggered via asynchronous JavaScript (e.g., AJAX calls) that are not initiated directly by user interaction. We would appreciate any insights, suggestions, or possible workarounds from the community. Looking forward to your guidance on this matter.

I'm trying to develop a GUI app on macOS that takes control of the screen so that user must perform certain actions before regaining control of the desktop. I don't want the user to be able to kill the process (for example via an "********" shell script that looks for the process and terminates it with kill). Based on this post it is not possible to create an unkillable process on macOS. I'm wondering, however, if it's possible to run the GUI process in root (or with other escalated privileges) such that the logged in user cannot kill it. So it's killable, but you need privileges above what the logged in user has (assuming they are not root). I'm not worried about a root user being able to kill it. Such an app would run in a managed context. I've played around with Service Background Tasks, but so far haven't found what I'm looking for. I'm hoping someone (especially from Apple) might be able to tell me if this goal is even achievable with macOS Sequoia (and beyond).

Hi there, I'm trying to use SFAuthorizationPluginView in order to show some fields in the login screen, have the user click the arrow, then continue to show more fields as a second step of authentication. How can I accomplish this? Register multiple SecurityAgentPlugins each with their own mechanism and nib? Some how get MacOS to call my SFAuthorizationPluginView::view() and return a new view? Manually remove text boxes and put in new ones when button is pressed I don't believe 1 works, for the second mechanism ended up calling the first mechanism's view's view() Cheers, -Ken

Hello, I have noticed that some users have modified their real location through an app called "MGU" to bypass my app's security checks. I want to know how to protect my app and detect users using virtual location. I have reproduced the process of virtual positioning here: Insert a plug-in through the interface at the bottom of the phone and connect it via Bluetooth on the phone Set the desired positioning target on the "MGU" app Turn off your phone's WiFi, network, and location for 10 seconds, then turn it back on At this point, virtual positioning is successful. Please assist me in troubleshooting this issue and inform me of the principle of implementing virtual positioning in this app and how to prevent it. The following is the screen recording of virtual positioning operation: https://flowus.cn/share/145b3232-26c3-4ea3-b3ff-4aad1495eb4d

Hello! I'm writing a System Extension that is an Endpoint Security client. And I want to Deny/Allow executing some XPC Service processes (using the ES_EVENT_TYPE_AUTH_EXEC event) depending on characteristics of a process that starts the XPC Service. For this purpose, I need an API that could allow me to obtain an execution context of the XPC Service process. I can obtain this information using the "sudo launchctl procinfo <pid>" command (e.g. I can use the "domain = pid/3428" part of the output for this purpose). Also, I know that when the xpcproxy process is started, it gets as the arguments a service name and a pid of the process that requests the service so I can grasp the execution context from xpcproxy launching. But are these ways to obtain this info legitimate?

We are experiencing a compatibility issue with our hybrid app related to the recent update in iPadOS 18.4, specifically concerning HTTPS connections. What are the key changes introduced in iPadOS 18.4 regarding HTTPS connections? Our app previously managed to bypass the DigitalSignature key usage missing error in the self-signed server certificate within the didReceiveAuthenticationChallenge method, as documented here: https://developer.apple.com/documentation/webkit/wknavigationdelegate/webview(_:didreceive:completionhandler:) . However, since the update to iPadOS 18.4, this method is no longer being called, resulting in direct failure of HTTPS connections. We are using cordova-ios 7.1. Thanks in advance for your help.

Problem Statement: Pre-requisite is to generate a PKCS#12 file using openssl 3.x or above. Note: I have created a sample cert, but unable to upload it to this thread. Let me know if there is a different way I can upload. When trying to import a p12 certificate (generated using openssl 3.x) using SecPKCS12Import on MacOS (tried on Ventura, Sonoma, Sequoia). It is failing with the error code: -25264 and error message: MAC verification failed during PKCS12 import (wrong password?). I have tried importing in multiple ways through, Security Framework API (SecPKCS12Import) CLI (security import &lt;cert_name&gt; -k ~/Library/Keychains/login.keychain -P "&lt;password&gt;”) Drag and drop in to the Keychain Application All of them fail to import the p12 cert. RCA: The issues seems to be due to the difference in the MAC algorithm. The MAC algorithm used in the modern certs (by OpenSSL3 is SHA-256) which is not supported by the APPLE’s Security Framework. The keychain seems to be expecting the MAC algorithm to be SHA-1. Workaround: The current workaround is to convert the modern p12 cert to a legacy format (using openssl legacy provider which uses openssl 1.1.x consisting of insecure algorithms) which the SecPKCS12Import API understands. I have created a sample code using references from another similar thread (https://developer.apple.com/forums/thread/723242) from 2023. The steps to compile and execute the sample is mentioned in the same file. PFA the sample code by the name “pkcs12_modern_to_legacy_converter.cpp”. Also PFA a sample certificate which will help reproduce the issue by the name “modern_certificate.p12” whose password is “export”. Questions: Is there a fix on this issue? If yes, pls guide me through it; else, is it expected to be fixed in the future releases? Is there a different way to import the p12 cert which is resistant to the issue? This issue also poses a security concerns on using outdated cryptographic algorithms. Kindly share your thoughts. pkcs12_modern_to_legacy_converter.cpp

We are trying to develop an app that will be responsible for managing 5000+ managed iPads through Intune MDM. The user flow is to have a device locked to a single app when a user is not logged in, but to make the device available to other apps once a user is authenticated. We already tried UIAccessibility GuidedAccess Mode and autonomous single app mode but those were not sufficient due to our need to be able to toggle this from the background. When the device may be asleep. So another way we could achieve this functionality would be to control all app access under a launching mechanism. That way we could allow one app to be visible in our MDM configuration and try to access our business app through that using deep links. If this were to work, we would have to be able to hide an app and still make it launchable from the manager. Any ideas? Thanks

I'm sitting at my house and trying to sign my test device out of my apple ID so I can sign into a Sandbox user, but now I have an hour to kill because of this terribly broken "security" feature that thinks it's in an unfamiliar location, despite being at the only location it's ever known. Looks like I'll just be disabling this feature all together. Especially as a device with Developer Mode enabled, which gets reset regularly, there should be additional options here. Come on!

iOS 18.4 introduced some requirements on the Key Usage of 802.1x server certificates, as described here. https://support.apple.com/en-us/121158 When using TLS_ECDHE_RSA or TLS_DHE_RSA cipher suites, 802.1X server certificates containing a Key Usage extension must have Digital Signature key usage set. When using the TLS_RSA cipher suite, 802.1X server certificates containing a Key Usage extension must have Key Encipherment key usage set. It reads like the change is supposed to affect 802.1x only. However, we have found out that the new restrictions are actually imposed on all TLS connections using the Network framework, including in Safari. Unlike other certificate errors which can be either ignored by users (as in Safari) or by code (via sec_protocol_options_set_verify_block), these new ones can't. Even if passing completion(true) in the TLS verification block, the connection still ends up in waiting state with error -9830: illegal parameter. I understand that these requirements are valid ones but as a generic TLS library I also expect that Network framework could at least allow overriding the behavior. The current treatment is not consistent with those on other certificate errors. Since I can't upload certificates, here is how to reproduce a certificate that fails. Create a OpenSSL config file test.cnf [ req ] default_bits = 2048 distinguished_name = dn x509_extensions = v3_ca prompt = no [ dn ] CN = example.com [ v3_ca ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer basicConstraints = CA:TRUE keyUsage = critical, keyCertSign, cRLSign Generate certificate and private key openssl req -x509 -new -nodes -keyout key.pem -out cert.pem -days 365 -config test.cnf And here is the client code to test. // Target server and port let host = NWEndpoint.Host("example.com") let port = NWEndpoint.Port("443")! // Configure insecure TLS options let tlsOptions = NWProtocolTLS.Options() sec_protocol_options_set_verify_block(tlsOptions.securityProtocolOptions, { _, _, completion in // Always trust completion(true) }, DispatchQueue.global()) let params = NWParameters(tls: tlsOptions) let connection = NWConnection(host: .init(host), port: .init(rawValue: port)!, using: params) connection.stateUpdateHandler = { newState in switch newState { case .ready: print("TLS connection established") case .failed(let error): print("Connection failed: \(error)") case .cancelled: print("Connection canceled") case .preparing: print("Connection preparing") case .waiting(let error): print("Connection waiting: \(error)") case .setup: print("Connection setup") default: break } } connection.start(queue: .global()) Output Connection preparing Connection waiting: -9830: illegal parameter Previously reported as FB17099740

Our project currently uses a value called k_uuid as the unique identifier for each user. This value is generated based on the Identifier for Vendor (IDFV) and is stored both in the Keychain and local storage to prevent changes when the app is uninstalled and reinstalled. However, we are now facing a critical issue. We plan to transfer the app from Developer Account A to Developer Account B using Apple’s App Transfer Process. During this transfer: Our backend services will remain unchanged Our development team will remain the same Only the developer account will change We understand that during this transfer process, the Team ID associated with the developer account will change, which in turn will make it impossible to access the existing Keychain data. As a result, if a user uninstalls and reinstalls the app after the transfer, their original unique ID (k_uuid) will change. This will lead to serious consequences, including: Inability to recognize returning users Loss of user data such as subscriptions, virtual currency, and usage history Therefore, we urgently request guidance and assistance from Apple to: Ensure that the k_uuid remains unchanged after the app transfer, or Provide a solution that allows us to map users between the old and new environment, ensuring data continuity and integrity for all existing users

Hi, It may be a stupid question, but we really wonder if there is a way for MDM to push a unique mTLS cert to our iOS application or if it can populate a client certificate in the iOS where our application can access it. Like browser app, how do browser mTLS certs get pushed? Thanks, Ying