Hi Apple Developer Community,
I'm encountering a persistent issue with Passkey registration on certain iOS devices running iOS 17.5.1. Specifically, the registration process consistently fails with either ASAuthorizationError 1001 (ASAuthorizationErrorCanceled) or ASAuthorizationError 1004 (ASAuthorizationErrorNotHandled).
Details:
Devices: iPhone SE (2nd generation), iPhone 13 Pro
OS: iOS 17.5.1
Errors: ASAuthorizationError 1001, ASAuthorizationError 1004
I've followed Apple's guidelines for implementing Passkeys and verified that the devices meet the necessary requirements.
PS:
During Apple's App Review process, the reviewer has encountered a consistent issue with Passkey registration failing with ASAuthorizationError 1001 or 1004. However, in our extensive internal testing with 75 users, we have not been able to replicate this issue.
We are seeking assistance from the Apple Review team to investigate the cause of this issue, as it is currently blocking our app's approval.
Prioritize user privacy and data security in your app. Discuss best practices for data handling, user consent, and security measures to protect user information.
I'm using Apple Sign In in the JS app and I got a requirement to display some notes with links to privacy policy and terms of service inside the Apple modal, so users don't have to accept them after finishing authentication in the modal.
Is there a way to add something like that?
I have implemented Apple Sign In using this doc: https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/configuring_your_webpage_for_sign_in_with_apple
FMDB framework already contains the privacy file, which is part of SQLCipher.bundle file.
But still Apple rejects it, not sure why.
Can anyone help me with this?
We are trying to support Passkey Management in our app with the latest iOS 17 Passkey Autofill.
During this process, we have a few doubts and queries:
First, we have configured the AutoFill extension for external passkey management
Next we used the 'prepareInterface(forPasskeyRegistration:' delegate for passkey generation
We are facing an issue on creating the attestationObject for ‘ASPasskeyRegistrationCredential’. Here, we’re not sure if we need to create the attestationObject [if so any documentation or help regarding this] or is there any API to get the attestationObject which we are missing.
override func prepareInterface(forPasskeyRegistration registrationRequest: ASCredentialRequest) {
    let request = registrationRequest as! ASPasskeyCredentialRequest
    let passkeyRegistration = ASPasskeyRegistrationCredential(
        relyingParty: request.credentialIdentity.serviceIdentifier.identifier,
        clientDataHash: request.clientDataHash,
        credentialID: Data(UUID().uuidString.utf8),
        attestationObject: "????")
    extensionContext.completeRegistrationRequest(using: passkeyRegistration)
}
We have even tried passing a hardcoded attestationObject [we used the existing attestationObject received using iCloud Keychain], but we still got an empty ‘ClientDataJSON’ in the ‘authorizationController(controller:’ delegate.
Hello,
I have a local WebSocket server running inside an iOS app on iOS 13+. I'm using Swift NIO Transport Services for the server.
I'm using NWProtocolTLS.Options from Network framework to specify TLS options for my server.
I am providing my server as an XCFramework and want to let users specify different parameters when launching the server.
For specifying the TLS supported version, everything is working fine by using:
public func sec_protocol_options_set_max_tls_protocol_version(_ options: sec_protocol_options_t, _ version: tls_protocol_version_t)
public func sec_protocol_options_set_min_tls_protocol_version(_ options: sec_protocol_options_t, _ version: tls_protocol_version_t)
But I also want to be able to specify some cipher suites. I saw that I can use:
public func sec_protocol_options_append_tls_ciphersuite(_ options: sec_protocol_options_t, _ ciphersuite: tls_ciphersuite_t)
But it seems that some cipher suites are enabled by default and I can't restrict the cipher suites just to the ones I want, I can just append others.
NWProtocolTLS.Options class has an init() function which states "Initializes a default set of TLS connection options" on Apple documentation.
So my question is, is there a way to know what TLS parameters this initialization sets? Especially the list of cipher suites enabled by default? Because I can't find any information about it from my research. I used a tool to test handshake with my server to discover the cipher suites supported and enabled by default but I don't think it is a good way to be sure about this information.
And is there a way to specify only cipher suites I want to be supported by my server by using NWProtocolTLS.Options?
Thank you in advance,
Christophe
Our company was re-formed under a new name. Rather than rename the organization on the App Store, we were advised by support to create a new organization and then transfer the app to that organization, which we have done.
Our app implements Apple Authentication. We did not migrate the users of the app (as instructed here: https://developer.apple.com/documentation/sign_in_with_apple/transferring_your_apps_and_users_to_another_team).
Is it possible to now migrate the users, after the app has been transferred? Our attempt to get an authorization token with scope "user.migration" results in HTTP error 400 with body: "invalid_client".
Whenever we call this API endpoint https://api.development.devicecheck.apple.com/v1/validate_device_token we receive a 403. The issue started yesterday around 2:00 PM (Brasil - Brasília time).
I am trying to enable developer mode on my iPhone 12 mini, yet I cannot find the option in settings. I cannot use Xcode to enable it as I do not have a Mac device, so I was wondering if there is a way to enable it using Windows.
I want to reset the permission state of location services to "notDetermined" (CLAuthorizationStatus) while developing.
But using the command below gives me this error:
$ tccutil reset CoreLocation
tccutil: Failed to reset CoreLocation
Same goes for
$ tccutil reset [my bundleId]
tccutil: Failed to reset CoreLocation approval status for [my bundleId]
Does anyone know the reason for this?
A call to the API SecKeyGeneratePair in SecureEnclave for iOS18 returns an OSStatus 0 but the SecKeyRef is not present.
Understand that this API is currently deprecated and there are plans to move to the new APIs, but I believe this API should still work in iOS18 as expected for now.
The API works as expected on iPadOS 18.
// Create SE key
let sacRef = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
                                             kSecAttrAccessibleAfterFirstUnlock,
                                             .privateKeyUsage, nil)!
let privKeyAttr = [
    kSecAttrAccessControl: sacRef,
    kSecAttrIsPermanent: true,
] as NSDictionary
os_log("Priv key params: %{public}@", log: osLogger, privKeyAttr)
let keygenAttr = [
    kSecAttrApplicationLabel: attrApplicationLabelSeKey,
    kSecAttrTokenID: kSecAttrTokenIDSecureEnclave,
    kSecPrivateKeyAttrs: privKeyAttr,
    kSecAttrKeyType: kSecAttrKeyTypeEC,
    kSecAttrKeySizeInBits: 256
] as NSDictionary
var error: Unmanaged<CFError>?
os_log("keygen params: %{public}@", log: osLogger, keygenAttr)
var keyRef: SecKey?
let status = SecKeyGeneratePair(keygenAttr,
                                &keyRef,
                                nil)
os_log("SecKeyGeneratePair osStatus: %{public}d, keyRef: %{public}@", log: osLogger, status, keyRef == nil ? "null" : "ref present")
We are implementing just-in-time account creation using Platform Single Sign-on. After creating the account, we are registering the user with PSSO and we want to ensure that the IDP account used for account creation matches the IDP account used in the user registration flow.
An easy way to do this appears to be using loginUsername on the ASAuthorizationProviderExtensionLoginManager object. loginUsername gets set during account creation and then we can check what the user is entering during registration.
The documentation, however, marks this attribute as deprecated. There is no indication of what could be used instead. Is there some other value we could look at? Does Apple have a plan to introduce a preferred API option?
Thanks!
Why is it that after hiding an app, it can still be seen in many places in the settings, such as:
Settings -> General -> iPhone Storage
Settings -> Privacy and Security -> Permissions
Settings -> Search
Settings -> Siri -> Siri App Access -> Apps
Additionally, in the App Store, the hidden app still shows as downloaded.
Moreover, global searching for the full name of the app in global search also reveals the app and allows it to be opened.
Why isn't the hiding more thorough? Is this a bug or intentionally designed this way?
It is clearly stated here that automatically created passwords are 20 characters long, contain 2 hyphens and exactly one uppercase letter and one digit.
I have only ever seen generated passwords where the arrangement is in 3 groups of 6 (separated by the hyphens).
From the description in the page referred to above, it could be that the generated password might look like:
nzomZhf-qnbqd-k8ibtt
i.e., a 7-5-6 pattern
This would comply with the definition (if that's what it is) on the aforementioned Support page.
Is it guaranteed that auto generated passwords will conform to the 3 groups of 6 pattern?
Is the method used to unlock an iOS device available to an app? We would like to require a step-up to MFA (in our app) if passcode was used and allow for single factor if Face ID was used.
$ tccutil reset All
This command resets the other permissions (i.e. camera, microphone) but doesn't reset the Local Network permission.
OS: macOS 15.0
We develop an SDK that requires sharing a device-specific identifier with our web API, in order to guarantee that certain artifacts are only used on the correct device. For the device-specific identifier, we use UIDevice.currentDevice.identifierForVendor which should not be restricted under ATT.
In production, many developers are getting back to us with complaints of web requests being blocked:
nw_endpoint_handler_path_change [C1 [our url]:443 waiting parent-flow (satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi)] blocked tracker
Connection 1: received failure notification
Connection 1: failed to connect 1:50, reason -1
Connection 1: encountered error(1:50)
Task <FA03088C-DDFC-437E-A06F-E05CC930E3E0>.<1> HTTP load failed, 0/0 bytes (error code: -1009 [1:50])
Task <FA03088C-DDFC-437E-A06F-E05CC930E3E0>.<1> finished with error [-1009] Error Domain=NSURLErrorDomain Code=-1009 "The Internet connection appears to be offline." UserInfo={_kCFStreamErrorCodeKey=50, NSUnderlyingError=0x3031118f0 {Error Domain=kCFErrorDomainCFNetwork Code=-1009 "(null)" UserInfo={_NSURLErrorBlockedTrackerFailureKey=true, _kCFStreamErrorDomainKey=1, _kCFStreamErrorCodeKey=50, _NSURLErrorNWPathKey=satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi}}, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <FA03088C-DDFC-437E-A06F-E05CC930E3E0>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=(
"LocalDataTask <FA03088C-DDFC-437E-A06F-E05CC930E3E0>.<1>"
), NSLocalizedDescription=The Internet connection appears to be offline., NSErrorFailingURLStringKey=..., NSErrorFailingURLKey=..., _kCFStreamErrorDomainKey=1}
Interestingly, I've made a few observations:
The blacklist seems to be persistent, across devices.
The blacklist stays in place regardless of whether we send no identifiable data in the web request (in fact, an empty ping request to our URL still gets blocked)
The only way to get past the block is to use ATT, and request from the user that we track them across websites. This is false, because we don't track any user data whatsoever; and iOS disables ATT by default (in the settings app, users have to opt-in).
Our iOS SDK already has an xcprivacy manifest mentioning the fact that we use a device-specific identifier, and that we send it to our web API URL. Still, we get blocked.
How can we fix this? We can stand up a proxy URL but I'd imagine it's only a matter of time before that also gets blocked. Apple has not provided any guidance on the specifics of how domains get blocked, and how they can be unblocked.
I saw this sentence in the documentation at https://developer.apple.com/documentation/bundleresources/information_property_list/nsrequirescertificatetransparency: 'Don’t use this key. The current system enforces this behavior, and new certificates can’t meet the requirement on older systems.'
I understand that new systems will enable CT (Certificate Transparency) verification by default. However, I created a new demo to verify this on an iOS 13 device, and CT verification was not actually enabled.
I’ve been trying to solve this for some time and am wondering if anyone else has come across this.
Using the ATT framework and receiving user consent to use IDFA, is it possible to know when a user has entered another app on the same device?
Flow:
User consents to ATT framework in App 1 on iPhone
User opens App 2 on iPhone
Will App 1 know that the user has opened App 2?
Hi,
My app features its own lock screen secured by Face ID or Touch ID. With the introduction of the locked app feature in iOS 18, I want to ensure that users do not experience duplicate lock screens. Could you please advise on how to detect if the locked app feature is enabled in iOS 18, so I can disable my app's internal lock screen when necessary?
Thank you!
Hi,
Are there any samples that IdP vendors can use to add support for Platform SSO in their solutions?
I found this link: https://developer.apple.com/documentation/authenticationservices/platform_single_sign-on_sso/creating_extensions_that_support_platform_sso, which explains how to implement the extension on a device. However, I am having trouble understanding what needs to be implemented on the IdP itself from this documentation.
Does anyone have any links or resources that can help?
Thank you,
Bala