I want to allow network access in my app but I have an error
nw_proxy_resolver_create_parsed_array [C1.1.1 proxy pac] Evaluation error: NSURLErrorDomain: -1003
which crashes my app although the seek command works and I get a correct value back from the internet server. I understood I could fix this as follows:
There is an Info section within Xcode 15 where you can find Custom macOS Application Target Properties. I selected App Transport Security Settings and then, after pressing the drop-down menu, selected Allow Arbitrary Loads. Then to the left of that I press the menu and it shows YES and NO, but if I try to select either of them neither appears in the key value box? Also I thought this would create a new Info.plist which I could then add my key values to, but nothing happens.
I am very new to this, so any help is much appreciated.
Security
Secure the data your app manages and control access to your app using the Security framework.
Posts under Security tag
Hi
I've been chasing a problem in my iOS app. I'm creating hundreds of key pairs with SecKeyCreateRandomKey for several different usernames, in this case different identifiers in kSecAttrApplicationTag.
After I create the key pairs I extract the public keys using SecItemCopyMatching, again, hundreds of them.
The problem is that, without a logical explanation, some of those keys cannot be extracted. After chasing the issue for hours, I noticed that EVERY time I try to extract a public key and the identifier has exactly 87 chars, the public key cannot be found. It doesn't matter what content or names are used in the identifier; every time the length hits 87, SecItemCopyMatching returns -25300.
Is this some kind of limitation that is not explained in the documentation?
Thanks
Digging deeper, I noticed several identifier sizes fail to extract the key:
[982:69528] key with 7 chars is invalid
[982:69528] key with 23 chars is invalid
[982:69528] key with 39 chars is invalid
[982:69528] key with 55 chars is invalid
[982:69528] key with 71 chars is invalid
[982:69528] key with 87 chars is invalid
[982:69528] key with 103 chars is invalid
[982:69528] key with 119 chars is invalid
[982:69528] key with 135 chars is invalid
[982:69528] key with 151 chars is invalid
[982:69528] key with 167 chars is invalid
[982:69528] key with 183 chars is invalid
[982:69528] key with 199 chars is invalid
[982:69528] key with 215 chars is invalid
[982:69528] key with 231 chars is invalid
[982:69528] key with 247 chars is invalid
[982:69528] key with 263 chars is invalid
[982:69528] key with 279 chars is invalid
[982:69528] key with 295 chars is invalid
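Added example (not the poster's code): a self-contained harness that repeats the experiment in the post, sweeping tag lengths and recording which lookups fail. It passes the tag as Data (the type kSecAttrApplicationTag is documented to take), looks up the private key by tag and derives the public key with SecKeyCopyPublicKey rather than querying for a separately stored public-key item, and deletes each item afterwards so runs are repeatable. The tag alphabet, key type and length range are assumptions for the example.

```swift
import Foundation
import Security

/// Builds a deterministic ASCII tag of exactly `length` bytes (constructed input).
func makeTag(length: Int) -> Data {
    let alphabet = Array("abcdefghijklmnopqrstuvwxyz0123456789.".utf8)
    return Data((0..<length).map { alphabet[$0 % alphabet.count] })
}

/// Generates a permanent P-256 key pair tagged with `tag`, looks the private key
/// up again by that tag, derives and exports the public key, then deletes the
/// keychain item. Returns the lookup status and the exported public key size.
func roundTrip(tag: Data) -> (lookup: OSStatus, publicKeyBytes: Int) {
    let privateAttrs: [String: Any] = [
        kSecAttrIsPermanent as String: true,
        kSecAttrApplicationTag as String: tag,
    ]
    let params: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecPrivateKeyAttrs as String: privateAttrs,
    ]
    var genError: Unmanaged<CFError>?
    guard SecKeyCreateRandomKey(params as CFDictionary, &genError) != nil else {
        return (errSecParam, 0)
    }

    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrApplicationTag as String: tag,
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeyClass as String: kSecAttrKeyClassPrivate,
        kSecReturnRef as String: true,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)

    var exportedLength = 0
    if status == errSecSuccess, let found = item, CFGetTypeID(found) == SecKeyGetTypeID() {
        // The public half is derived from the private key, so no public-key
        // keychain item has to exist for this to work.
        if let publicKey = SecKeyCopyPublicKey(found as! SecKey),
           let external = SecKeyCopyExternalRepresentation(publicKey, nil) {
            exportedLength = CFDataGetLength(external)
        }
    }

    // Remove everything stored under this tag so repeated runs start clean.
    let deleteQuery: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrApplicationTag as String: tag,
    ]
    _ = SecItemDelete(deleteQuery as CFDictionary)
    return (status, exportedLength)
}

/// Sweeps tag lengths and returns the ones whose lookup did not succeed.
func sweepTagLengths(from start: Int = 1, through end: Int = 300) -> [Int] {
    var failing: [Int] = []
    for length in start...end {
        let result = roundTrip(tag: makeTag(length: length))
        if result.lookup != errSecSuccess {
            failing.append(length)
            print("tag length \(length): SecItemCopyMatching returned \(result.lookup)")
        }
    }
    return failing
}

let failures = sweepTagLengths()
print(failures.isEmpty ? "all lengths looked up" : "failing lengths: \(failures)")
```

Run it inside a signed app (the keychain is not available to a bare command-line tool on iOS); comparing the printed lengths against the list in the post shows whether the failure follows the tag length or the way the tag is typed.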
I wanted to delete the old data of the device, but how do I do /var/Keychains/keychain-2.db DELETE FROM genp WHERE agrp<>'apple'? I tried many times but always got errors. I don't know what to do. Can you help me?
I am working on a Swift app which does a TLS connection to a server. I want to set an identity, which the server will validate. I'm given a pkcs12 file. The cert is not trusted locally on my system, but the server can validate it.
First, I didn't need to import the cert - I just want to create an identity that I can use with my connection. I don't think that's possible, so I do this:
var importArray: CFArray?
let importStatus = SecPKCS12Import(pkcs12Data as CFData, importOptions as CFDictionary, &importArray)
The first time I call this, it's successful. I then extract the identity (and certificate) from the importArray returned, but in my case, even though I get an errSecSuccess return status, the importArray is empty.
So first question: why would it be empty?
( if the code is run again, I get an errSecDuplicateItem - I don't need to store it in the keychain but I guess I'm being forced to)
When I imported, I used a UUID as my identifier - I set it in the options:
let importOptions: [String: Any] = [
kSecImportExportPassphrase as String: password,
kSecImportItemLabel as String: identifier
]
So I try to retrieve the identity from the keychain:
let identityQuery = [
kSecClass: kSecClassIdentity,
kSecReturnRef: true,
kSecAttrLabel: identifier
] as NSDictionary
var identityItem: CFTypeRef?
let status = SecItemCopyMatching(identityQuery as CFDictionary, &identityItem)
where I pass the UUID as identifier, but I actually get back my apple identity, not the certificate. However, if I pass in the certificate's CN, (hard-coded for my testing) I get the right identity back.
So my second question: am I doing something wrong? If I pass an ItemLabel on import, can I retrieve the certificate using that same label?
So for me to get this working, I need to know the CN of my cert, or I need the ItemLabel to work so that I can just retrieve using a UUID.
To determine the CN of my cert, the only apple API I found is this:
SecCertificateCopyCommonName
which requires the cert to be in .der format, rather than .pkcs12. So I have a bit of a chicken and egg problem.
So my last question - is there a way to extract the CN from the pkcs12 file, or to convert the Data from .pkcs12 to .der?
Thanks!
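Added example (not the poster's code): importing the PKCS#12 blob and taking the identity, its certificate chain and the common name straight from what SecPKCS12Import returns, so the CN is available without any DER conversion. The only documented option key it passes is kSecImportExportPassphrase; kSecImportItemIdentity, kSecImportItemCertChain and kSecImportItemLabel are keys of the dictionaries inside the returned array, which is where the example reads them. The file path and passphrase in the usage comment are placeholders.

```swift
import Foundation
import Security

struct ImportedIdentity {
    let identity: SecIdentity
    let certificate: SecCertificate
    let chain: [SecCertificate]
    let commonName: String?
    let label: String?
}

enum PKCS12ImportError: Error {
    case importFailed(OSStatus)        // errSecDuplicateItem lands here on a repeat import
    case noIdentity                    // array empty or first entry has no identity
    case certificateUnavailable(OSStatus)
}

/// Imports `blob` and returns the first identity it contains, with the CN read
/// from the identity's certificate (SecIdentityCopyCertificate hands back the
/// SecCertificate that SecCertificateCopyCommonName expects).
func importIdentity(pkcs12 blob: Data, passphrase: String) throws -> ImportedIdentity {
    let options: [String: Any] = [kSecImportExportPassphrase as String: passphrase]
    var rawItems: CFArray?
    let status = SecPKCS12Import(blob as CFData, options as CFDictionary, &rawItems)
    guard status == errSecSuccess else { throw PKCS12ImportError.importFailed(status) }

    guard let items = rawItems as? [[String: Any]],
          let first = items.first,
          let identityRef = first[kSecImportItemIdentity as String] else {
        throw PKCS12ImportError.noIdentity
    }
    let identity = identityRef as! SecIdentity   // the value is a SecIdentityRef

    var certRef: SecCertificate?
    let certStatus = SecIdentityCopyCertificate(identity, &certRef)
    guard certStatus == errSecSuccess, let certificate = certRef else {
        throw PKCS12ImportError.certificateUnavailable(certStatus)
    }

    var cn: CFString?
    _ = SecCertificateCopyCommonName(certificate, &cn)

    return ImportedIdentity(
        identity: identity,
        certificate: certificate,
        chain: first[kSecImportItemCertChain as String] as? [SecCertificate] ?? [],
        commonName: cn as String?,
        label: first[kSecImportItemLabel as String] as? String)
}

/// Wraps the identity for URLSession's client-certificate challenge
/// (NSURLAuthenticationMethodClientCertificate); no keychain lookup needed.
func clientCredential(for imported: ImportedIdentity) -> URLCredential {
    URLCredential(identity: imported.identity,
                  certificates: imported.chain,
                  persistence: .forSession)
}

// Usage (placeholder path and passphrase):
// let blob = try Data(contentsOf: URL(fileURLWithPath: "/path/to/client.p12"))
// let imported = try importIdentity(pkcs12: blob, passphrase: "secret")
// print(imported.commonName ?? "<no CN>", imported.label ?? "<no label>")
```

Because the SecIdentity is kept in memory and handed to URLCredential directly, the connection does not depend on finding the item in the keychain again by label or CN.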
Hi, I'm currently looking for the exact criteria which sets NEHotspotNetwork.isSecure() value.
I guess this boolean value depends on whether protocol >= WPA2 or 3, but I'm not sure.
I hope someone can tell me.
If possible, linking references would be a great help.
Please help me.
I am trying to run something I built with the CLI versions of clang on my M3 MBP. The application is signed:
codesign -d -v /usr/local/bin/wine*
Executable=/usr/local/bin/wine
Identifier=org.winehq.wine
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=275 flags=0x0(none) hashes=3+2 location=embedded
Signature size=8972
Timestamp=Dec 15, 2023 at 10:35:06 AM
Info.plist entries=12
TeamIdentifier=L479DU3G63
Sealed Resources=none
Internal requirements count=1 size=176
Executable=/usr/local/bin/wineboot
Identifier=wineboot
Format=generic
CodeDirectory v=20200 size=168 flags=0x0(none) hashes=1+2 location=embedded
Signature size=9053
Timestamp=Dec 15, 2023 at 10:35:06 AM
Info.plist=not bound
TeamIdentifier=L479DU3G63
Sealed Resources=none
Internal requirements count=2 size=216
Executable=/usr/local/bin/winebuild
Identifier=winebuild
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=1933 flags=0x0(none) hashes=55+2 location=embedded
Signature size=8972
Timestamp=Dec 15, 2023 at 10:35:06 AM
Info.plist=not bound
TeamIdentifier=L479DU3G63
Sealed Resources=none
Internal requirements count=1 size=172
Executable=/usr/local/bin/winecfg
Identifier=winecfg
Format=generic
CodeDirectory v=20200 size=167 flags=0x0(none) hashes=1+2 location=embedded
Signature size=9053
Timestamp=Dec 15, 2023 at 10:35:07 AM
Info.plist=not bound
TeamIdentifier=L479DU3G63
Sealed Resources=none
Internal requirements count=2 size=216
Executable=/usr/local/bin/wineconsole
Identifier=wineconsole
Format=generic
CodeDirectory v=20200 size=171 flags=0x0(none) hashes=1+2 location=embedded
Signature size=9053
Timestamp=Dec 15, 2023 at 10:35:07 AM
Info.plist=not bound
TeamIdentifier=L479DU3G63
Sealed Resources=none
Internal requirements count=2 size=220
Executable=/usr/local/bin/winegcc
Identifier=winegcc
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=747 flags=0x0(none) hashes=18+2 location=embedded
Signature size=8972
Timestamp=Dec 15, 2023 at 10:35:07 AM
Info.plist=not bound
TeamIdentifier=L479DU3G63
Sealed Resources=none
Internal requirements count=1 size=168
Executable=/usr/local/bin/winedbg
Identifier=winedbg
Format=generic
CodeDirectory v=20200 size=167 flags=0x0(none) hashes=1+2 location=embedded
Signature size=9052
Timestamp=Dec 15, 2023 at 10:35:07 AM
Info.plist=not bound
TeamIdentifier=L479DU3G63
Sealed Resources=none
Internal requirements count=2 size=216
Executable=/usr/local/bin/winedump
Identifier=winedump
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=3052 flags=0x0(none) hashes=90+2 location=embedded
Signature size=8972
Timestamp=Dec 15, 2023 at 10:35:07 AM
Info.plist=not bound
TeamIdentifier=L479DU3G63
Sealed Resources=none
Internal requirements count=1 size=168
Executable=/usr/local/bin/winefile
Identifier=winefile
Format=generic
CodeDirectory v=20200 size=168 flags=0x0(none) hashes=1+2 location=embedded
Signature size=9053
Timestamp=Dec 15, 2023 at 10:35:07 AM
Info.plist=not bound
TeamIdentifier=L479DU3G63
Sealed Resources=none
Internal requirements count=2 size=216
Executable=/usr/local/bin/winegcc
Identifier=winegcc
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=747 flags=0x0(none) hashes=18+2 location=embedded
Signature size=8972
Timestamp=Dec 15, 2023 at 10:35:07 AM
Info.plist=not bound
TeamIdentifier=L479DU3G63
Sealed Resources=none
Internal requirements count=1 size=168
Executable=/usr/local/bin/winegcc
Identifier=winegcc
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=747 flags=0x0(none) hashes=18+2 location=embedded
Signature size=8972
Timestamp=Dec 15, 2023 at 10:35:07 AM
Info.plist=not bound
TeamIdentifier=L479DU3G63
Sealed Resources=none
Internal requirements count=1 size=168
Executable=/usr/local/bin/winemaker
Identifier=winemaker
Format=generic
CodeDirectory v=20200 size=169 flags=0x0(none) hashes=1+2 location=embedded
Signature size=9052
Timestamp=Dec 15, 2023 at 10:35:07 AM
Info.plist=not bound
TeamIdentifier=L479DU3G63
Sealed Resources=none
Internal requirements count=2 size=224
Executable=/usr/local/bin/winemine
Identifier=winemine
Format=generic
CodeDirectory v=20200 size=168 flags=0x0(none) hashes=1+2 location=embedded
Signature size=9052
Timestamp=Dec 15, 2023 at 10:35:08 AM
Info.plist=not bound
TeamIdentifier=L479DU3G63
Sealed Resources=none
Internal requirements count=2 size=216
Executable=/usr/local/bin/winepath
Identifier=winepath
Format=generic
CodeDirectory v=20200 size=168 flags=0x0(none) hashes=1+2 location=embedded
Signature size=9053
Timestamp=Dec 15, 2023 at 10:35:08 AM
Info.plist=not bound
TeamIdentifier=L479DU3G63
Sealed Resources=none
Internal requirements count=2 size=216
Executable=/usr/local/bin/wineserver
Identifier=wineserver
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=5838 flags=0x0(none) hashes=177+2 location=embedded
Signature size=8972
Timestamp=Dec 15, 2023 at 10:35:08 AM
Info.plist=not bound
TeamIdentifier=L479DU3G63
Sealed Resources=none
Internal requirements count=1 size=172
but I still get:
default 11:47:19.051342-0500 kernel ASP: Security policy would not allow process: 1501, /usr/local/bin/wine
Permissions:
ls -al wine*
-rwxr-xr-x 1 root wheel 28368 Dec 15 10:35 wine
-rwxr-xr-x@ 1 root wheel 1973 Dec 14 23:41 wineboot
-rwxr-xr-x 1 root wheel 245424 Dec 15 10:35 winebuild
-rwxr-xr-x@ 1 root wheel 1973 Dec 14 23:41 winecfg
-rwxr-xr-x@ 1 root wheel 1973 Dec 14 23:41 wineconsole
lrwxr-xr-x 1 root wheel 7 Dec 14 23:41 winecpp -> winegcc
-rwxr-xr-x@ 1 root wheel 1973 Dec 14 23:41 winedbg
-rwxr-xr-x 1 root wheel 388400 Dec 15 10:35 winedump
-rwxr-xr-x@ 1 root wheel 1973 Dec 14 23:41 winefile
lrwxr-xr-x 1 root wheel 7 Dec 14 23:41 wineg++ -> winegcc
-rwxr-xr-x 1 root wheel 91840 Dec 15 10:35 winegcc
-rwxr-xr-x@ 1 root wheel 95127 Dec 14 23:41 winemaker
-rwxr-xr-x@ 1 root wheel 1973 Dec 14 23:41 winemine
-rwxr-xr-x@ 1 root wheel 1973 Dec 14 23:41 winepath
-rwxr-xr-x 1 root wheel 747120 Dec 15 10:35 wineserver
xattr wine*
wineboot: com.apple.cs.CodeDirectory
wineboot: com.apple.cs.CodeRequirements
wineboot: com.apple.cs.CodeRequirements-1
wineboot: com.apple.cs.CodeSignature
winecfg: com.apple.cs.CodeDirectory
winecfg: com.apple.cs.CodeRequirements
winecfg: com.apple.cs.CodeRequirements-1
winecfg: com.apple.cs.CodeSignature
wineconsole: com.apple.cs.CodeDirectory
wineconsole: com.apple.cs.CodeRequirements
wineconsole: com.apple.cs.CodeRequirements-1
wineconsole: com.apple.cs.CodeSignature
winedbg: com.apple.cs.CodeDirectory
winedbg: com.apple.cs.CodeRequirements
winedbg: com.apple.cs.CodeRequirements-1
winedbg: com.apple.cs.CodeSignature
winefile: com.apple.cs.CodeDirectory
winefile: com.apple.cs.CodeRequirements
winefile: com.apple.cs.CodeRequirements-1
etc., etc...
Since this is a new machine, maybe something is missing? How do I debug this problem? The most common response to "ASP would not allow process" is that there is an unsigned binary. If this is the case, how do I find what binary it is?
Thanks!
Gene R.
On our web pages we have allowed certain sources of scripts through a content-security-policy meta tag, which is working fine as expected on the Chrome browser and on Internet Edge.
However, there is a script called morosa.top; when it is inserted in our HTML page, Safari is not able to block it, while it was supposed to block it.
If this script gets executed it starts taking screenshots of the screen and posts them to the hacker.
Please check; this could be a potential issue.
[Edited by Moderator]
Hi,
I'm developing an app that saves some passwords in the login keychain. There is a requirement that we need to provide an IT tool to help with management. One of the IT tool's features is to regenerate the app keychain passwords of ALL users.
The IT tool is designed to run as root, so permission is not a problem. I studied the keychain API and found this is most likely the one:
OSStatus SecKeychainOpen(const char *pathName, SecKeychainRef _Nullable *keychain);
But it is deprecated since 10.10. The app is designed to run on macOS 11 - 14.
What is the proper way to access the login keychains of all users as root? Thanks.
Hello,
I've come across information regarding macOS endpoint protection software: it seems Apple no longer allows them to create kernel extensions.
It seems that endpoint software should now function with MACF by implementing hooks from userland.
Does this mean the Endpoint Security Framework will soon become deprecated?
I'm currently searching for a sample source code for MACF hooks, but I haven't found anything in the Apple developer documentation.
Thanks
I would like to develop a macOS application in Swift. This application will consist of 2 programs: a main program to be run by the user (standard account) and another one that will run with root privileges. The second program will only be invoked to perform privileged tasks. Running the main program under root permanently would be too risky.
XPC will be used to trigger calls from the main program to the privileged program.
How can I secure the privileged program to ensure that the calling program is indeed my main program and not another unauthorized program?
Hello,
I know this is not good practice but I want to make a test.
I would like to write a file into the /System folder on macOS Sonoma.
I have tried rebooting in recovery mode. I have disabled SIP. But I can't write into /System. This folder is mounted as read only.
How can I write into this folder?
I know there is a kind of checksum mechanism to check if something has been modified in the /System folder and I want to see what happens if this checksum does not match.
Thanks
Hello everyone! I'm currently working on using the Secure Enclave to encrypt data from the Login Screen with my application. I've followed the guidelines outlined in the developer documentation, which you can find here: Secure Enclave Documentation.
Despite following the documentation, I'm encountering issues with creating a key pair to encrypt data. I would appreciate any suggestions for necessary changes or additional permissions that might be required to address these challenges.
Thanks!
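Added example (not the poster's code): the documented pattern for a Secure Enclave key pair, followed by an encrypt/decrypt round trip with the ECIES algorithm SecKey supports for such keys. The access-control flag .privateKeyUsage is required for Secure Enclave keys; the tag, the accessibility class, the choice not to add biometry, and the sample plaintext are assumptions for this example. It has to run on hardware with a Secure Enclave (an iOS device, or a Mac with a T2 or Apple silicon) from a signed, provisioned app.

```swift
import Foundation
import Security

enum EnclaveError: Error {
    case accessControl(CFError?)
    case keyGeneration(CFError?)
    case noPublicKey
    case unsupportedAlgorithm
    case crypto(CFError?)
}

/// The only asymmetric encryption family SecKey offers for P-256 keys.
let enclaveAlgorithm: SecKeyAlgorithm = .eciesEncryptionCofactorVariableIVX963SHA256AESGCM

/// Creates a permanent P-256 private key inside the Secure Enclave under `tag`.
func makeEnclaveKey(tag: Data) throws -> SecKey {
    var acError: Unmanaged<CFError>?
    // .privateKeyUsage is mandatory for Secure Enclave keys; adding
    // .biometryCurrentSet would also gate every use on Face ID / Touch ID.
    guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            [.privateKeyUsage],
            &acError) else {
        throw EnclaveError.accessControl(acError?.takeRetainedValue())
    }
    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,   // this is what puts it in the enclave
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: tag,
            kSecAttrAccessControl as String: access,
        ],
    ]
    var genError: Unmanaged<CFError>?
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &genError) else {
        throw EnclaveError.keyGeneration(genError?.takeRetainedValue())
    }
    return key
}

/// Encrypts with the public half (usable anywhere) and decrypts with the
/// private half (which never leaves the enclave). Returns the recovered bytes.
func roundTrip(privateKey: SecKey, plaintext: Data) throws -> Data {
    guard let publicKey = SecKeyCopyPublicKey(privateKey) else { throw EnclaveError.noPublicKey }
    guard SecKeyIsAlgorithmSupported(publicKey, .encrypt, enclaveAlgorithm),
          SecKeyIsAlgorithmSupported(privateKey, .decrypt, enclaveAlgorithm) else {
        throw EnclaveError.unsupportedAlgorithm
    }
    var error: Unmanaged<CFError>?
    guard let ciphertext = SecKeyCreateEncryptedData(publicKey, enclaveAlgorithm, plaintext as CFData, &error) else {
        throw EnclaveError.crypto(error?.takeRetainedValue())
    }
    guard let decrypted = SecKeyCreateDecryptedData(privateKey, enclaveAlgorithm, ciphertext, &error) else {
        throw EnclaveError.crypto(error?.takeRetainedValue())
    }
    return decrypted as Data
}

do {
    let key = try makeEnclaveKey(tag: Data("com.example.enclave-demo".utf8))   // assumed tag
    let message = Data("constructed sample plaintext".utf8)
    let recovered = try roundTrip(privateKey: key, plaintext: message)
    print(recovered == message ? "round trip ok" : "round trip mismatch")
} catch {
    print("Secure Enclave demo failed: \(error)")
}
```

The CFError carried out of each failure names the step that failed (access-control creation, key generation, or the crypto call), which is the first thing to look at when key creation is refused.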
Hi,
Is there a way to restrict calls to a launch daemon?
Can I allow only my app to use my daemon?
cheers,
sivan
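Added example (not the posters' code), serving both the privileged-helper question and the launch-daemon question above: the daemon side of an XPC service that only accepts connections from a client whose code signature satisfies a designated requirement. On macOS 13 and later NSXPCConnection.setCodeSigningRequirement(_:) has the system apply that requirement to the peer; the peerSatisfies(requirement:auditToken:) helper shows the underlying check with the Security framework for callers that hold the peer's audit token. The protocol name, the Mach service name, the bundle identifier "com.example.mainapp" and the team identifier "TEAMID1234" are assumptions.

```swift
import Foundation
import Security

@objc protocol PrivilegedHelperProtocol {
    func performPrivilegedTask(withReply reply: @escaping (Bool) -> Void)
}

final class HelperService: NSObject, PrivilegedHelperProtocol {
    func performPrivilegedTask(withReply reply: @escaping (Bool) -> Void) {
        reply(true)   // the real privileged work goes here
    }
}

/// Requirement the peer must satisfy. Pinning the bundle identifier AND the
/// team (leaf certificate OU) rejects other developers' apps as well as
/// unsigned or ad-hoc-signed copies of our own. Assumed identifiers.
let clientRequirement =
    "anchor apple generic and identifier \"com.example.mainapp\" " +
    "and certificate leaf[subject.OU] = \"TEAMID1234\""

/// Evaluates `requirement` against the code identified by an audit token.
/// Audit tokens, unlike PIDs, are not reused by a later process, so this is
/// the handle to use for a peer identity check.
func peerSatisfies(requirement: String, auditToken: audit_token_t) -> Bool {
    var token = auditToken
    let tokenData = Data(bytes: &token, count: MemoryLayout<audit_token_t>.size)
    var code: SecCode?
    let guestAttrs = [kSecGuestAttributeAudit as String: tokenData] as CFDictionary
    guard SecCodeCopyGuestWithAttributes(nil, guestAttrs, [], &code) == errSecSuccess,
          let peer = code else { return false }
    var req: SecRequirement?
    guard SecRequirementCreateWithString(requirement as CFString, [], &req) == errSecSuccess,
          let parsed = req else { return false }
    return SecCodeCheckValidity(peer, [], parsed) == errSecSuccess
}

final class HelperListenerDelegate: NSObject, NSXPCListenerDelegate {
    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection connection: NSXPCConnection) -> Bool {
        guard #available(macOS 13.0, *) else {
            // Before macOS 13 public NSXPCConnection API does not expose the
            // peer's audit token; peerSatisfies(requirement:auditToken:) is the
            // check to run once the token is obtained.
            return false
        }
        // From here on the system evaluates the requirement against the peer
        // before delivering any message on this connection.
        connection.setCodeSigningRequirement(clientRequirement)
        connection.exportedInterface = NSXPCInterface(with: PrivilegedHelperProtocol.self)
        connection.exportedObject = HelperService()
        connection.resume()
        return true
    }
}

// Daemon entry point; the Mach service name must match the MachServices key
// in the daemon's launchd plist (assumed name).
let delegate = HelperListenerDelegate()
let listener = NSXPCListener(machServiceName: "com.example.mainapp.helper")
listener.delegate = delegate
listener.resume()
RunLoop.current.run()
```

Do not base this decision on connection.processIdentifier: a PID can be recycled between the check and the message, whereas the signature requirement is evaluated on the actual peer. The same delegate works unchanged for a helper installed with SMAppService or SMJobBless.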
Consider a scenario:
There are two iOS apps,
App1: com.example.app1
App2: com.example.app2
App1 has no keychain access groups other than its default group, which is .com.example.app1.
However, App2 has a keychain access group added which is the bundle identifier of App1, i.e. .com.example.app1, so App2's access groups are as follows: [.com.example.app1, .com.example.app2]
This way App2 has access to App1's private access group, which means App2 can Create, Read, Update and Delete ALL the keychain items inside App1's private group.
But, Apple’s Developer documentation says otherwise.
Referring to this document: https://developer.apple.com/documentation/security/keychain_services/keychain_items/sharing_access_to_keychain_items_among_a_collection_of_apps
In section “Establish your app’s private access group” (https://developer.apple.com/documentation/security/keychain_services/keychain_items/sharing_access_to_keychain_items_among_a_collection_of_apps#2974916), it says that “Because app IDs are unique across all apps, and because the app ID is stored in an entitlement protected by code signing, no other app can use it, therefore no other app is in this group”.
Focus on “therefore no other app is in this group”. But as proved from above scenario, App2 can be part of App1’s private access group.
I received the MOBSF security check result PDF, where I found some "High" severity issues.
1.Binary makes use of insecure API(s) with high CWE: CWE-676: Use of Potentially Dangerous Function OWASP Top 10: M7: Client Code Quality OWASP MASVS: MSTG-CODE-8. The binary may contain the following insecure API(s): _sscanf, _memcpy, _fopen.
2.Binary makes use of the malloc function with high CWE: CWE-789: Uncontrolled Memory Allocation OWASP Top 10: M7: Client Code Quality OWASP MASVS: MSTG-CODE-8. The binary may use the _malloc function instead of calloc.
I have utilized a static analyzer, but I am unable to identify APIs such as _sscanf and the others in my codebase.
This issue is not being shown in Xcode IDE either. I have attempted static analysis in Xcode using the approach: Product -> Analyze, but I am still unable to identify the mentioned issues.
Can anyone please help me overcome this scenario and successfully pass the MOBSF test?
Thanks in Advance
Hello,
is it possible to evaluate a certificate chain using one of the Bernstein curves ED25519/ED448 with the Security framework?
Using X.509 version 3 and own private CA for testing.
Signature Algorithm: ED448;
Public Key Algorithm: ED25519
The following setting/API is used:
SecPolicyCreateBasicX509,
SecTrustSetAnchorCertificatesOnly,
SecTrustEvaluateWithError
There are some requirements only for RSA keys regarding the key size since iOS 13:
https://support.apple.com/en-us/103769
"RSA key sizes smaller than 2048 bits are no longer trusted for TLS"
And here are some information about TLS:
https://support.apple.com/en-gb/guide/security/sec100a75d12/web
"minimum 2048-bit RSA key or 256-bit elliptic curve key"
Findings:
The OpenSSL (v3.1.4) certificate verification was successful.
The evaluation is working fine in the iOS Simulator (iOS 15) and Playground.
But on real devices (e.g. iPhone/iOS 17) it is failing with the following error:
Error Domain=NSOSStatusErrorDomain Code=-67735 "“...” certificate is using a broken key size" UserInfo={NSLocalizedDescription=“...” certificate is using a broken key size, NSUnderlyingError=0x281115920 {Error Domain=NSOSStatusErrorDomain Code=-67735 "Certificate 0 “...” has errors: Certificate is using a broken key size, Unable to build chain to root (possible missing intermediate);" UserInfo={NSLocalizedDescription=Certificate 0 “...”}
Also SecCertificateCopyKey is returning NULL.
According to the documentation it may not support the algorithm:
https://developer.apple.com/documentation/security/2963103-seccertificatecopykey
Could you please elaborate on the error, point to some documentation and explain why it behaves differently on a real device?
Thank you in advance!
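Added example (not the poster's code): an evaluation helper built from the same three calls the post lists, with one pre-check in front of them. SecKey represents RSA and NIST prime-curve EC keys only, and SecCertificateCopyKey returns nil for a certificate whose key it cannot represent; the helper reports that case on its own so it is not read as a chain-building failure, and otherwise surfaces the description and underlying error from SecTrustEvaluateWithError. The DER inputs are placeholders to be replaced with real certificate bytes.

```swift
import Foundation
import Security

enum ChainVerdict: Equatable {
    case trusted
    case keyNotRepresentable        // SecCertificateCopyKey returned nil for the leaf
    case malformedCertificate       // DER did not parse
    case untrusted(String)          // evaluation failed; error text from SecTrust
}

/// Evaluates `leafDER` (plus optional intermediates) against a private root,
/// trusting only that root and not the system anchors.
func evaluate(leafDER: Data, intermediatesDER: [Data] = [], rootDER: Data) -> ChainVerdict {
    guard let leaf = SecCertificateCreateWithData(nil, leafDER as CFData),
          let root = SecCertificateCreateWithData(nil, rootDER as CFData) else {
        return .malformedCertificate
    }
    let intermediates = intermediatesDER.compactMap { SecCertificateCreateWithData(nil, $0 as CFData) }
    guard intermediates.count == intermediatesDER.count else { return .malformedCertificate }

    // Pre-check: can SecKey represent the leaf's public key at all?
    guard SecCertificateCopyKey(leaf) != nil else { return .keyNotRepresentable }

    var trust: SecTrust?
    let policy = SecPolicyCreateBasicX509()
    guard SecTrustCreateWithCertificates(([leaf] + intermediates) as CFArray, policy, &trust) == errSecSuccess,
          let trustRef = trust else {
        return .untrusted("SecTrustCreateWithCertificates failed")
    }
    _ = SecTrustSetAnchorCertificates(trustRef, [root] as CFArray)
    _ = SecTrustSetAnchorCertificatesOnly(trustRef, true)

    var error: CFError?
    if SecTrustEvaluateWithError(trustRef, &error) {
        return .trusted
    }
    if let err = error {
        // CFError bridges to NSError; the per-certificate detail sits in the
        // underlying error, as in the message quoted in the post.
        let ns = (err as Error) as NSError
        var text = ns.localizedDescription
        if let underlying = ns.userInfo[NSUnderlyingErrorKey] as? NSError {
            text += "; " + underlying.localizedDescription
        }
        return .untrusted(text)
    }
    return .untrusted("unknown error")
}

// Placeholders: load real DER bytes, e.g. try Data(contentsOf: URL(fileURLWithPath: "leaf.der")).
let leafDER = Data()
let rootDER = Data()
print(evaluate(leafDER: leafDER, rootDER: rootDER))   // empty input reports malformedCertificate
```

Running the same helper in the simulator and on a device makes the comparison in the post reproducible, since the verdict records which stage (parsing, key representation, or trust evaluation) differed.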
We're doing some disaster recovery management / risk management and a point-of-failure for our app is if we lose access to our bundle id.
From my understanding, secure keychain items are scoped to your bundle ID as well as iCloud files stored under the app with 'hidden' scope.
Losing our bundle ID is a scenario we want to eliminate completely from our threat/disaster modelling.
Is this a realistic concern we should have?
I have an Objective-C App that has worked perfectly until Monterey was released. The app is activated and displays a window when it’s hotkey is typed. The problem is that—starting in Monterey—if the cursor is in an html Password field of ANY website in ANY browser, the app’s window does not display. After many many hours of debugging, I have determined that the problem is that in this case, [NSApp activateIgnoringOtherApps:YES] never activates the app, and that [myWindow makeKeyAndOrderFront:nil] does nothing. In this case, if I display a window using [NSApp runModalForWindow:myWindow], the window does display, but is not key until it is clicked, at which point the app activates.
Note that everything works properly with the cursor in any browser field other than a Password field, or in any other app. It also works with the cursor anywhere in MacOS versions 10.12 through 11.
Is this some kind of new security feature? Is this a bug or is there a workaround for this? Is there a low-level non-Cocoa way to activate an app?
Here's the scenario:
I have two processes on my computer, named A and B.
Both processes are monitored by the ESF, and both processes monitor the same ESF events, such as ES_EVENT_TYPE_AUTH_EXEC and ES_EVENT_TYPE_AUTH_OPEN.
If processes A and B run at the same time, will an event conflict occur?
In ESF event processing, is there any way to achieve full event listening and keep CPU usage low?
Hello,
Let's imagine an application (Application A) which launches another application (Application B). These applications are bundled apps.
What happens if Application B tries to read a file in the current user's Documents folder?
TCC will check if the application is allowed to access the Documents folder. But will it check this right for Application A or Application B (or both)?
I have tried to run an application from Terminal. My terminal is authorized to access the Documents folder. And I am surprised because TCC did not ask me to allow the application itself. It seems TCC is looking at the parent process's rights. Can you confirm?
Thanks