I wrote a daemon that is launched from the following plist in /Library/LaunchDaemons: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>MachServices</key> <dict> <key>com.mycompany.daemon.xpc</key> <true/> </dict> <key>Label</key> <string>com.mycompany.daemon</string> <key>Program</key> <string>/Applications/MyApp.app/Contents/MacOS/MyDaemon</string> <key>AssociatedBundleIdentifiers</key> <string>com.mycompany.myapp</string> <key>SpawnConstraint</key> <dict> <key>team-identifier</key> <string>XXXXXXXXX</string> <key>signing-identifier</key> <string>com.mycompany.myapp</string> </dict> </dict> </plist> No I want to make sure the daemon can only be launched via xpc by MyApp and I embedded the following responsible process plist into the daemon: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>team-identifier</key> <string>XXXXXXXXX</string> <key>signing-identifier</key> <string>com.mycompany.myapp</string> </dict> </plist> But as soon as the plist is embedded, macOS refuses to launch the daemon because of a launch constraint violation. As I read in the documentation, the process opening and xpc connection is the responsible process. So what I am doing wrong? Thanks.

Hello, I am writing a macOS CLI application that holds cryptocurrency funds and uses Secure Enclave for security. I intend to create APIs so that other applications can create transactions from user's wallet in a secure way for the user. I am using P256 curve and authenticating a transaction involves making a signature for a hash of transaction data. Currently, this is how the authentication box looks like: However, this does not display any information about the transaction. If user is using my application, then I could display the information in the terminal. However, if some other CLI app wants to create transactions for the user, printing information in the terminal is insecure since a malicious app could override what is being printed. I see a rich authentication UI in apple apps. I wonder if there is a way to write UI for such applications. I would like to display some transaction information in the box instead of just "myapp needs to authenticate to continue". It would be great if there is a way to customize that text / add more text to it.

I've implemented Face ID in my app to authenticate after the user is authenticated, so they don't have to sign in again to log into their account. However, it asks me to enter my iPhone's passcode instead of scanning my face. Is there any way to fix this? Is there something I have to add?

I have an app (currently not released on App Store) which runs on both iOS and macOS. The app has widgets for both iOS and macOS which uses user preference (set in app) into account while showing data. Before upgrading to macOS 15 (until Sonoma) widgets were working fine and app was launching correctly, but after upgrading to macOS 15 Sequoia, every time I launch the app it give popup saying '“Kontest” would like to access data from other apps. Keeping app data separate makes it easier to manage your privacy and security.' and also widgets do not get user preferences and throw the same type of error on Console application when using logging. My App group for both iOS and macOS is 'group.com.xxxxxx.yyyyy'. I am calling it as 'UserDefaults(suiteName: Constants.userDefaultsGroupID)!.bool(forKey: "shouldFetchAllEventsFromCalendar")'. Can anyone tell, what am I doing wrong here?

I'm following the attestation object validation guide to check my attestation server validations, but having a different output of that it's expected in the documentation. Everything goes well until the step 2, where it's created the SHA256 hash of the one-time challenge, then this hash it's appended to the end of the authenticator data from the decoded attestation object. Here the generated client data hash is different from the one in the documentation, which also causes a different nonce value. Full implementation at Go Playground: https://go.dev/play/p/DpL_H3L8yWV // generate the SHA256 hash of the one-time challenge challengeHash := sha256.Sum256([]byte(serverChallenge)) // append the one-time challenge hash to the end of the authenticator data clientDataHash := append([]byte(att.AuthData), challengeHash[:]...) // create a SHA256 hash of the composite item to create nonce nonce := sha256.Sum256(clientDataHash) Then I noticed that if the one-time challenge value it's just appended to the end of the authenticator data, the value it's correctly according to the documentation. Full implementation at Go Playground: https://go.dev/play/p/qqN97SevJAB // append the one-time challenge byte array to the end of the authenticator data // this time not generating the SHA256 hash of the one-time challenge clientDataHash := append([]byte(att.AuthData), []byte(serverChallenge)...) // create a SHA256 hash of the composite item to create nonce nonce := sha256.Sum256(clientDataHash) My question is which of the implementations is correct, because if I didn't get it wrong it should be the first one and we would have an error in the documentation.

I want to introduce client certificate authentication for communication between the iPad and the server. Since it is not possible to install a client certificate on the iPad using a p12 file, I am considering another method. I would like to know how to install the client certificate and private key issued by the certificate authority on the iPad without converting it to a p12 file. What are the different ways to do this?

Ocbc sg digital app shown runtime tampering error and shutdown the app on its own under ios 18 beta . The security mechanisms really is over done . i hope the apple developers can have a sandbox app that holds n run apps that can only runs on previous iOS version. Or other better ways coping this .

Hello! I’m currently working on an app development project for a company. As part of our security measures, I’m researching best practices for determining how frequently the app should prompt users to enter their passwords. Do you have any references or guidelines that could help inform this decision?

Hello all - we have enabled our app users to create and sign in using their passkey. However - for some users, we get a NSLocalizedFailure reason exception that the app is not associated with the domain. We have ensured that the endpoint /.well-known/apple-app-site-association isnt blocking any requests. Like I said before, 90% of our users are able to successfully create and sign in with their passkey but we receive the above error for the remaining 10%. Any suggestions/guidance on how we can resolve this would be helpful and greatly appreciated. Thank you.

For Sign in With Apple I recieve an expected flow including an ask to share or hide my email along with a message like this 'Create an account for Apple {some_company} using your Apple ID “{email}”.' However when i sign into an existing account i get the same flow, where on other apps i see a message like this ~ "Do you want to continue using {some_company} with your Apple ID “{email}”? How can i configure this for my own app? Note: it always logs me into the correct existing account, i'm just trying to make sure users go through the correct flow in the apple popup when their account already exists.

Feedback on Documentation Page for Message Filter App Extension Documentation: Creating a Message Filter App Extension Hello, I am writing to provide feedback on the documentation for creating a message filter app extension. We followed the instructions on the page, particularly the section regarding setting up shared credentials. The instructions state: "Then, you must set up shared credentials as described in Shared Web Credentials, substituting messagefilter for webcredentials throughout the steps. Lastly, you must specify the domains in your Info.plist file, which should look similar to the dictionary shown below." However, when we tried to implement this, we encountered the following error while attempting to save credentials via the SecAddSharedWebCredential function from the message filter extension: Error Domain=com.apple.security.xpc Code=3 "<connection: 0x12e0d4500> { name = com.apple.securityd, listener = false, pid = 0, euid = 4294967295, egid = 4294967295, asid = 4294967295 }: Connection invalid - failed at lookup with error 159 - Sandbox restriction" UserInfo={numberOfErrorsDeep=0, NSDescription=<connection: 0x12e0d4500> { name = com.apple.securityd, listener = false, pid = 0, euid = 4294967295, egid = 0, asid = 4294967295}: Connection invalid - failed at lookup with error 159 - Sandbox restriction} The specific call we did: func SecAddSharedWebCredential( _ fqdn: CFString, _ account: CFString, _ password: CFString?, _ completionHandler: @escaping (CFError?) -> Void ) This error seems related to sandbox restrictions. The documentation does not provide enough information on how to properly set up the environment or what additional configurations might be needed to avoid such sandbox restrictions. More detailed guidance on configuring sandbox permissions and any additional steps required for setting up shared credentials in a message filter extension context would be highly beneficial. Thank you for your attention to this matter. We look forward to any updates or clarifications you can provide to improve the implementation.

"ASCredentialProviderViewController" class was implemented in my password manager to autofill password for the app clients. I've added passkey support recently but biometric/code authentication is not asked by the system when the user tries to sign in with a passkey thanks to "provideCredentialWithoutUserInteraction(for credentialRequest: ASCredentialRequest)". For passwords: extensionContext.completeRequest(withSelectedCredential: ASPasswordCredential(), completionHandler: nil) -> Does trigger biometric/code authentication For passkeys: extensionContext.completeAssertionRequest(using: ASPasskeyAssertionCredential()) -> Does NOT trigger biometric/code authentication => Why authentication is managed by the system for password but not for passkeys ? And how to fix that?

Hello - I am trying to add a more descriptive Location Purpose String for submitting my app to the store. I previously had a placeholder, generic string for testing. I have updated my info.plist file, but the old string is still appearing. I have 1) deleted the app from simulator device and rebuilt 2) tried pushing the version to TestFlight 3) Deleted and replaced the values in the info.plist, none of which have resolved this issue. What am I missing here?

I'm having trouble opening files residing on a custom filesystem implemented as a kext via sandboxed apps. Preview.app is one such example. The app launches, but it won't display file contents. In system log files I'm seeing entries related to com.apple.foundation.filecoordination:claims with no error messages to indicate a possible reason why file contents aren't being displayed. Non-sandboxed apps, such as GoogleChrome.app do not exhibit such behaviour. The kext is unsigned and running in an environment with SIP disabled and Security Mode reduced to Permissive. What is required for a 3rd party filesystem kext to integrate with sandboxed apps? Any pointers and/or assistance would be greatly appreciated.

I did implement "ASCredentialProviderViewController" class for my password manager in order to support passkey recently. Passkey registration and assertion works correctly but remote fullfilling is not working as expected. Use case: The user wants to sign in with passkey on some computer A QRCode is displayed and the user scan the QRCode Apple Authentication bottom sheet is opened and the client can pick my app as a provider ISSUE HERE: my app doesn't receive the passkey request parameters and is not able to generate the assertion answer I was hoping the following functions to be called but it's not the case: prepareCredentialList(for serviceIdentifiers: [ASCredentialServiceIdentifier], requestParameters: ASPasskeyCredentialRequestParameters) prepareInterfaceToProvideCredential(for credentialRequest: ASCredentialRequest) provideCredentialWithoutUserInteraction(for credentialRequest: ASCredentialRequest) => Please, how can my app receive the passkey request parameters in order to generate the assertion answer in this situation?

Below is the GitHub link for the FMDB.framework contains privacyinfo.xcprivacy file provided as per the apple documentation were used in our App https://github.com/ccgus/fmdb I have reviewed the feedback, but I need additional clarification to fully understand the issue. Could you please provide more specific details or examples regarding the following points: We are using FMDB framework version 2.7.11 in our app available at https://github.com/ccgus/fmdb/ The version 4.0.0 submitted had the privacy file packaged as part of SQLCipher.bundle which resides under the FMDB framework. This was rejection with the same reason mentioned above. As a result, as part of Version 5.0.0 we have copied the privacy from the said bundle and placed it directly under the FMDB framework folder. This is rejected as well with the same reason again. Is there a concern because of empty values for the privacy keys? The GitHub source at https://github.com/ccgus/fmdb/ with the said version 2.7.11 does not use any APIs of concern listed at https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api. As a result, the provider may not have provided the values for the keys.

I'm a new app developer and I've read through most relevant posts on this topic here and elsewhere. Many of the forum posts here are specific to Objective-C, or old enough to be considered outdated in the fast-moving world of computing. Many of the posts elsewhere are about protecting authentication secrets, which doesn't apply in my case, and a lot are by someone with a product to sell, which I've ignored. My app is 99.9% Swift and I'm not going to store any authentication secrets in the IPA. What I'd like to protect is the core mechanism of my product, which has to be included in the binary and is small (&lt; 10k lines). I want to make it so it's harder to steal the source code than it is to recreate my functionality from scratch, which is difficult even with the app in front of them. From what I gathered, Swift code compiled by Xcode is protected from reverse engineering / decompilation by the following: Symbolization of the app Native builds from Xcode destroys names of variable, functions, etc. Swift code is compiled in such a way that makes stealing harder than Objective-C This should make me feel better, but the threat-level is increasing with the availability of free, commercial-grade decompilers (e.g. Ghidra) and machine learning. The fact that iOS 18 supports a checkm8 (i.e. jailbreakable) device means that decrypting the IPA from memory is still trivial. Questions People talk about stealing authentication secrets via reverse-engineering, but is the same true for mechanisms (i.e. code)? How common is the issue of source-code stealing in iOS apps? Can machine learning be leveraged to make decompilation/reverse engineering easier? Will I get rejected by App Review for obfuscating a small portion of my code?

Hello, Is it correct that right now when any passkey-provider prepares the passkey registration ceremony response with attestation, iOS strips off the attestation before handing over response-assertion to the client. Does this stripping off of attestation have to do anything with the BS and BE flags that are populated by passkey-provider ? Meaning, is it correct statement that iOS removes the attestation blob from the response if the BE and BS flags are set to zero ??

Hi Apple Developer Community, I'm encountering a persistent issue with Passkey registration on certain iOS devices running iOS 17.5.1. Specifically, the registration process consistently fails with either ASAuthorizationError 1001 (ASAuthorizationErrorCanceled) or ASAuthorizationError 1004 (ASAuthorizationErrorNotHandled). Details: Devices: iPhone SE (2nd generation), iPhone 13 Pro OS: iOS 17.5.1 Errors: ASAuthorizationError 1001, ASAuthorizationError 1004 I've followed Apple's guidelines for implementing Passkeys and verified that the devices meet the necessary requirements PS: During Apple's App Review process, the reviewer has encountered a consistent issue with Passkey registration failing with ASAuthorizationError 1001 or 1004. However, in our extensive internal testing with 75 users, we have not been able to replicate this issue We are seeking assistance from the Apple Review team to investigate the cause of this issue, as it is currently blocking our app's approval

I'm using Apple Sign In in the JS app and I got a requirement to display some notes with links to privacy policy and terms of service inside the Apple modal, so users don't have to accept them after finishing authentication in the modal. Is there a way to add something like that? I have implemented Apple Sign In using this doc: https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/configuring_your_webpage_for_sign_in_with_apple