When an app is trying to access identities put in the keychain by cryptotokenkit extension, the user gets asked a permission pop-up which reads 'Token Access Request" would like access a token provided by: " with 2 options 'Don't allow' and 'OK' I accidently clicked "Don't allow" and now can't access identities put in crypto token kit. How can I reset the preference?

iOS18.1.1 macOS15.1.1 xcode16.1 Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "Unable to verify webcredentials association of ********** with domain ******************. Please try again in a few seconds." Our domain must query with VPN, so I set webcredentials:qa.ejeokvv.com?mode=developer following: "If you use a private web server, which is unreachable from the public internet, while developing your app, enable the alternate mode feature to bypass the CDN and connect directly to your server. To do this, add a query string to your associated domains entitlement, as shown in the following example: :?mode= " but it still not working, even after I set mode=developer. Please help!!!!

Hi everyone, I am trying to use ASWebAuthenticationSession to authorize user using OAuth2. Service Webcredentials is set. /.well-known/apple-app-site-association file is set. When using API for iOS > 17.4 using new init with callback: .https(...) everything works as expected, however i cannot make .init(url: ,callbackURLScheme: ....) to work. How can i intercept callback using iOS <17.4? Do I really need to use universal links? callbackURL = https://mydomain.com/auth/callback

Hi all, I received the following email from Apple: ITMS-91061: Missing privacy manifest - Your app includes “Frameworks/share_plus.framework/share_plus”, which includes share_plus, an SDK that was identified in the documentation as a privacy-impacting third-party SDK. Starting February 12, 2025, if a new app includes a privacy-impacting SDK, or an app update adds a new privacy-impacting SDK, the SDK must include a privacy manifest file. Please contact the provider of the SDK that includes this file to get an updated SDK version with a privacy manifest. For more details about this policy, including a list of SDKs that are required to include signatures and manifests I use Share Plus version 7.2.2 which does not have privacy manifest file yet but I am currently unable to upgrade it to a newer version since it would then bring a restriction that I should start using Dart version 3 where I am not there yet considering my other dependencies! So I am wondering what options I have... Will Apple accept my app's new submission if I add this manifest file to my project itself rather than it is being presented in the third-party SDK? Or what else can I do, please?

Hi everyone, I’m working on building a passwordless login system on macOS using the NameAndPassword module. As part of the implementation, I’m verifying if the password provided by the user is correct before passing it to the macOS login window. Here’s the code snippet I’m using for authentication: // Create Authorization reference AuthorizationRef authorization = NULL; // Define Authorization items AuthorizationItem items[2]; items[0].name = kAuthorizationEnvironmentPassword; items[0].value = (void *)password; items[0].valueLength = (password != NULL) ? strlen(password) : 0; items[0].flags = 0; items[1].name = kAuthorizationEnvironmentUsername; items[1].value = (void *)userName; items[1].valueLength = (userName != NULL) ? strlen(userName) : 0; items[1].flags = 0; // Prepare AuthorizationRights and AuthorizationEnvironment AuthorizationRights rights = {2, items}; AuthorizationEnvironment environment = {2, items}; // Create the authorization reference [Logger debug:@"Authorization creation start"]; OSStatus createStatus = AuthorizationCreate(NULL, &amp;environment, kAuthorizationFlagDefaults, &amp;authorization); if (createStatus != errAuthorizationSuccess) { [Logger debug:@"Authorization creation failed"]; return false; } // Set authorization flags (disable interaction) AuthorizationFlags flags = kAuthorizationFlagDefaults | kAuthorizationFlagExtendRights; // Attempt to copy rights OSStatus status = AuthorizationCopyRights(authorization, &amp;rights, &amp;environment, flags, NULL); // Free the authorization reference if (authorization) { AuthorizationFree(authorization, kAuthorizationFlagDefaults); } // Log the result and return if (status == errAuthorizationSuccess) { [Logger debug:@"Authentication passed"]; return true; } else { [Logger debug:@"Authentication failed"]; return false; } } This implementation works perfectly when the password is correct. However, if the password is incorrect, it tries to re-call the macOS login window, which is already open. even i though i did not used the kAuthorizationFlagInteractionAllowed flag. This causes the process to get stuck and makes it impossible to proceed. I’ve tried logging the flow to debug where things go wrong, but I haven’t been able to figure out how to stop the system from re-calling the login window. Does anyone know how to prevent this looping behavior or gracefully handle an incorrect password in this scenario? I’d appreciate any advice or suggestions to resolve this issue. Thanks in advance for your help!

Hello, These questions are in regard to transferring Sign in With Apple users as part of an app transfer to another developer team. We’ve already read and absorbed the following documents from Apple, but we still have questions that aren’t covered in these documents, due to the unique nature of our use case. Transferring Your Apps and Users to Another Team Bringing New Apps and Users Into Your Team Resolving Sign in with Apple Response Errors Background: We have a suite of three apps that we are tranferring to another developer team. Each app supports Sign In With Apple. Our accounts/users are shared among all three apps. We have all three apps currently grouped together for SIWA. We’re aware that we will need to un-group them before doing the SIWA user transfer. Questions: The API for generating and exchanging transferIDs for users (endpoint /auth/usermigrationinfo) requires a parameter client_id which is described in the docs as "The identifier (App ID or Services ID) for the transferring app." Since we are transferring a set of three apps which share users, we aren’t sure which AppID to use, or whether it matters? We’re assuming we only need to transfer the users once in total (not once-per-app), is this correct? Does it matter which of the three apps’ AppID we use for this? To give more specific context to this question, here’s a more detailed example: For simplicity’s sake, let’s say we have 10 user accounts total, and any of them could sign into any of our three apps. Users 1-7 have signed into all three apps previously User8 has only signed into AppA User9 has only signed into AppB User10 has only signed into AppC Ideally we want to transfer all 10 users all at once. Does it matter which AppID we use for client_id? For example, if we use AppA as the client_id, will we still be able to transfer all 10 users (including User9 and User10)? We’ve tested this on the sender team side, and we’re able to successfully create transferIDs for all 10 users using AppA as client_id. But we’re not sure if this will still work on the recipient side, that we’ll be able to exchange the transferID for all 10 users. . To add another wrinkle, there is a possibility that we won’t be able to transfer one of our three apps (due to one of Apple’s limitations for app transfer). In that case we’ll have to create a new app on the recipient team and shut down the old one on the sender team. But the other two apps in the suite would still be transferred normally. We’d still want all 10 users to be transferred, as the intention is still that all our users can sign into any of their existing accounts in any of the three apps. Would this scenario change the answer to question 1? For example, say we aren’t able to transfer AppC over to the new development team, but instead had to create a new app, AppCNew on the new development team. But we still are able to transfer AppA and AppB. Would we still be able to transfer all 10 users using AppA as the client_id? Including User10 who only ever signed in to AppC (which isn’t being transferred)? We'd really appreciate any answers or guidance that anyone can provide. Thank you, Adam

Hi, I am working on a banking app and as per compliance, we have to detect whether the sim is present in the device when using the App or not, also it has to be the same sim which is used when registering with the App/Bank. Currently I dont find any way to detect this. The CTCarrier is depricated and all methods I check returns dummy value and not useful

Hi We use login using apple id feature in our website. However when it comes to apple id, it is possible for user to hide the original email and show a relay email. We have found that this relay email doesn't work Hence looking for a possible solution to acquire the real email from the user. Is there a possibility in doing that? any help would be greatly appreciated. Best Regards Hasintha

I am a new developer working to publish an app that includes a location tracker but does not collect user location data. I lam developing my app using Thunkable. My initial submission was rejected because opening the app triggered the error message: "This app is missing "NUserTrackingDescription so tracking transparency will fail. Ensure that this key exists in app's info.plist" However when I add in the NUserTrackingDescription it triggers a process by which I have to notify users that their location data is being collected, which is not the case. I am looking for advice on how to re-submit my app with the correct privacy settings that do not trigger the error message received previously.

Hello, first time poster here. I'm struggling to find any info/documentation on why bluetooth game controllers DON'T require bluetooth entitlement when app sandboxing is enabled but do require USB. any pointers would be much appriciated Chris

When we enable 3rd party authentication plugin using SFAuthorization window, and during unlock the screen, we have observed the widgets are not showing the content. Attaching the screenshot for reference. We are noticing this behavior from macOS 14.7.1 and macOS 15

I'm experiencing the same situation as this post from several months ago, which never received an answer to their follow up question. https://forums.developer.apple.com/forums/thread/759255 The documentation for adding a message filter extension says "you must set up shared credentials as described in Shared Web Credentials" (https://developer.apple.com/documentation/sms_and_call_reporting/sms_and_mms_message_filtering/creating_a_message_filter_app_extension) However credentials are not forwarded to the server and calling SecAddSharedWebCredential from within the extension isn't possible. So I don't understand why the documentation states Shared Web Credentials must be set up. After setting them up, then what is expected to happen with them, or what are you supposed to do with them next. The documentation just says to set them up, it doesn't say how/if they are used or how to use them in the specific context of a message filter extension

Greetings! I want to add my pre-compiled binary of v2ray to my application so I can activate it in background as a proxy and run stuff through it. I've codesigned it via: codesign -s - -i production.myproject.v2ray -o runtime --entitlements v2ray.entitlements -f v2ray Contents of entitlements file: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.files.downloads.read-write</key> <true/> <key>com.apple.security.files.user-selected.read-write</key> <true/> <key>com.apple.security.network.client</key> <true/> <key>com.apple.security.network.server</key> <true/> </dict> </plist> Originally I ran it like this without sandboxing from my main target app: guard let v2rayPath = Bundle.main.path(forResource: "v2ray", ofType: nil) else { throw NSError(domain: "ProxyController", code: 1, userInfo: [NSLocalizedDescriptionKey: "V2Ray binary not found in bundle"]) } let task = Process() task.executableURL = URL(fileURLWithPath: v2rayPath) task.arguments = ["-config", configURL.path] // Redirect output for debugging let pipe = Pipe() task.standardOutput = pipe task.standardError = pipe``` And it ran flawlessly. Now it refuses to start. Any help, pointers or examples of such usage will be greatly appreciated

I'd like to know: Let's say there's a backgrounded app which has microphone access, such as Signal or SoundHound or Shazam. It's established that these apps are allowed to record audio in the user's environment even after being backgrounded, seemingly for as long as they want and even upload that sound data. But can they ALSO continue recording even while another app that is in the foreground is using the microphone, such as the Phone app or Signal?

I was referred to here, #102484182418 I'm trying to setup apple login on my community site but I'm having a hard time getting it to work. I keep getting "invalid_request​ Invalid client id or web redirect url." The last tech said she thanks its setup right but we could not get it to work. Here are my steps https://xenforo.com/docs/xf2/connected-account-apple/ I just someone to look at my Certificates, Identifiers &amp; Profiles and make sure I have them setup right.

I am building a MAC app using crypto token. I have previously done this successfully for iPhone. In iPhone we found if something crashed on the token session while performing a sign (meaning the function wasn't able to return a value) the token or the keychain freezes and stopped returning keychain items at the query for keychain items it will return status 0. The only way to solve this was to reboot the iphone. In Mac something similar is happening, a crash at internet connection level made the extension get stuck and now event after restarting the mac it does not allow connection this query let query: [String:Any] = [kSecAttrAccessGroup as String: kSecAttrAccessGroupToken, kSecAttrKeyClass as String : kSecAttrKeyClassPrivate,kSecClass as String : kSecClassIdentity, kSecReturnAttributes as String : kCFBooleanTrue as Any, kSecReturnRef as String: kCFBooleanTrue as Any, kSecMatchLimit as String: kSecMatchLimitAll, kSecReturnPersistentRef as String: kCFBooleanTrue as Any] let status = SecItemCopyMatching(query as CFDictionary, &item) print("Status: (status.description)") This generates: Unable to connect to com.intereidas.dniMac.mac.TKExt:DniMac even after retries. Status: 0 Found items: 0 This does not get fixed after mac restart, how can we make the token extension work again?

We are developing a captive portal for a community Wi-Fi service that will be deployed to thousands of locations around the world. The service is a paid service that sells Wi-Fi connectivity by data volume rather than time. We want to enable our customers to Sign in with Apple without giving them full internet access until they have made a purchase. This requires us to whitelist domains and URLs to make this work. Where can I find a complete list of domains that are required for Sign in with Apple to function correctly? It’s not possible for us to whitelist *.apple.com because that results in significant (free) background network traffic during the sign in process. So far we have whitelisted: account.apple.com appleid.apple.com appleid.apple-cdn.com idmsa.apple.com gsa.apple.com mzstatic.com Our customers are still having issues with Sign in with Apple while interacting with our captive portal in the iOS pseudo browser. How can we debug this because we cannot use the Safari developer tools with the pseudo browser. Are there any logs when doing this on a Mac that we can check in the Console? If we kick the user out to Safari then they are able to complete the Sign in with Apple process, but that is not the user experience we want.

The token is legitimate, however I keep getting bad requests (400). The payload may not be accurate. No document with the appropriate payload structure is visible to me. Receipt.bin was tried, but the file content could not be verified. Referring this URL: https://developer.apple.com/documentation/devicecheck/assessing-fraud-risk Here is my server side Java code: private static String sendAttestationWithPayload(String jwt, String keyId, String attestationData, String clientData) throws Exception { // Create JSON payload JSONObject payload = new JSONObject(); payload.put("keyId", keyId); payload.put("attestationData", attestationData); payload.put("clientData", clientData); HttpClient client = HttpClient.newHttpClient(); HttpRequest request = HttpRequest.newBuilder() .uri(URI.create(APPLE_ATTESTATION_URL)) .header("Authorization", "Bearer " + jwt) .header("Content-Type", "application/json") .POST(HttpRequest.BodyPublishers.ofString(payload.toString())) .build(); HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString()); handleResponse(response); return response.body(); }

Hello! I need to implement requestTrackingAuthorization into my app but I'm not exactly sure how, the engine I use handles all of the Xcode stuff for me so I'm not very experienced in that sector nor do I have an Xcode project for this app, any help?

It’s been established that generally speaking background apps cannot record audio while the foreground app is already reading audio data from the microphone, but are there exceptions? For instance, is there an exception for certain Apple apps? If so, and there’s a special exception that most programmers don’t know about but some Apple’s engineers do and perhaps some hackers do as well, wouldn’t the mechanism that allows that eventually be exploited?