During SmartCard pairing the PIN prompt enables the OK button only on user provides a PIN of 6 digits. Is there a way to submit the empty PIN in this flow, where the custom CTK is used here (the custom CTK would take care of the PIN from the custom ctk code). I was able to do an empty PIN submit once the I've paired the user successfully at login, unlock and other cli tools. Is there a way to do the same during the pairing? Once the user has successfully paired with the SmartCard authentication with PIN, I was able to see most of the authentication flows was prompting for the PIN authentication like login, unlock, CLI tools like ssh, su etc., perhaps at few apps where it is still prompted with the Password instead of PIN examples, when I tried to launch Keychain Access app or Add a user from users&groups system setting. Is this expected behaviour?

General: Forums subtopic: Privacy & Security > General Forums tag: App Sandbox App Sandbox documentation App Sandbox Design Guide documentation — This is no longer available from Apple. There’s still some info in there that isn’t covered by the current docs but, with the latest updates, it’s pretty minimal (r. 110052019). Still, if you’re curious, you can consult an old copy [1]. App Sandbox Temporary Exception Entitlements archived documentation — To better understand the role of temporary exception entitlements, see this post. Embedding a command-line tool in a sandboxed app documentation Discovering and diagnosing App Sandbox violations (replaces the Viewing Sandbox Violation Reports forums post) Resolving App Sandbox Inheritance Problems forums post The Case for Sandboxing a Directly Distributed App forums post Implementing Script Attachment in a Sandboxed App forums post Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" [1] For example, this one archived by the Wayback Machine.

Hi, Just follow the related post to implement this method in the app, but it gave me error, like: "An SSL error has occurred and a secure connection to the server cannot be made" the info plist configuration like below, NSPinnedDomains mysite.com NSIncludesSubdomains NSPinnedCAIdentities SPKI-SHA256-BASE64 r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E= The pub key is right for me, since it works when I use different pub key pinning through URLSession interface. So here, I dont know where to start the troubleshooting, any advice would be appreciated.

Hi I am currently developping the "Sign in with apple" feature. We set up everything according to the documentation : https://developer.apple.com/help/account/configure-app-capabilities/configure-private-email-relay-service When trying to send an email from one of the registered communication emails (that is SPF and DKIM Authentication compliant) the emails are still ending up in the spam box. If it can help the received email address (that is hidden) is a gmail. I can not catch what is missing/wrong on our side.

General: Forums topic: Privacy & Security Forums tag: Privacy Developer > Security — This also covers privacy topics. App privacy details on the App Store UIKit > Protecting the User’s Privacy documentation Bundle Resources > Privacy manifest files documentation TN3181 Debugging an invalid privacy manifest technote TN3182 Adding privacy tracking keys to your privacy manifest technote TN3183 Adding required reason API entries to your privacy manifest technote TN3184 Adding data collection details to your privacy manifest technote TN3179 Understanding local network privacy technote Handling ITMS-91061: Missing privacy manifest forums post Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

When presenting a cookie banner for GDPR purposes, should ATT precede the cookie banner? It seems that showing a Cookie Banner and then showing the ATT permission prompt afterwards (if a user elects to allow cookies/tracking) would be more appropriate. Related question: Should the “Allow Tracking” toggle for an app in system settings serve as a master switch for any granular tracking that might be managed by a 3rd party Consent Management Platform? If ATT is intended to serve as a master switch for tracking consent, if the ATT prompt is presented before a cookie banner, should the banner even appear if a user declines tracking consent? I’m not finding any good resources that describe this flow in detail and I’m seeing implementations all over the place on this. Help! Thanks!!!

We are developing an app that uses Authentication Services to authenticate users. According to the documentation, this framework will open the default web browser if it supports auth session handling, and Safari otherwise. This is not entirely true, and users will be frustrated! macOS version: Sequoia 15.5; Safari version: 18.5. When: The default browser is not Safari, and supports auth session handling (Google Chrome and Microsoft Edge as examples); and - The Safari app is already running; The auth flow will: Present the confirmation dialog box with the default browser icon. Good! Open a Safari window, instead of the default browser's one. Bad! Respond with "User Cancelled" error to the app, after making the end user believe the auth was good. Very Bad!! If the app retries the auth session, the default browser window will open as expected, and it will work as expected. However, requiring users to authenticate twice is a very bad users experience... This issue does not reproduce, when either: Safari is not running at the moment of auth session start; The default browser does not support auth session handling; or - Safari is the default browser. Fellow developers, be warned! Apple engineers, feedback #18426939 is waiting for you. Cheers!

Hello, I am working on a script to update an application which bundle ID changed. Only the bundle ID was modified; all other aspects remain unchanged. This application requires access to "Screen & System Audio Recording" permissions, which are currently granted to the old bundle ID. The script performs the following steps: launchctl bootout gui/$(id -u) /Library/LaunchAgents/com.my_agent_1.plist pkgutil --forget com.my_agent_1 tccutil reset All com.my_agent_1 rm /Library/LaunchAgents/com.my_agent_1.plist rm -rf </path/to/com_my_agent_1> installer -dumplog -allowUntrusted -pkg </path/to/com_my_agent_2.pkg> -target / ... When running steps #1-6 without a restart between steps #5 and #6, the old bundle ID (com.my_agent_1) remains visible in TCC.db (verified via SQL queries). Looks like this is the reason why "com.my_agent_2" is not automatically added to the permission list (requiring manual add). Moreover, "tccutil reset All com.my_agent_1" does not work anymore, the error: tccutil: No such bundle identifier "com.my_agent_1": The operation couldn’t be completed. (OSStatus error -10814.) Is there any way to completely clear the "Privacy & Security" permissions without requiring a system restart? Thank you a lot for your help in advance!

My app has been rejected by App Store review because the sign in with Apple functionality is not working properly. I'm able to reproduce the issue on my end but I don't understand why it's happening. I have two other apps that implement the same OAuth flow in an identical manner, and those apps have no issues signing in with Apple. I've copied my OAuth flow to a fresh project to see if that would make a difference, and it gives me the exact same error. In the simulator I get "invalid_request, invalid web redirect URL", and on-device the FaceID authentication fails with a very non-specific "Sign Up Not Completed" error. I'm completely out of ideas here, so any guidance would be appreciated. Thanks!

We have a crash on DCDevice.current.isSupported We want to try to make a serial queue to generate tokens but the side effect would be the same token would be used on multiple server API requests that are made within a few ms of each other? Is this safe or will the Apple server immediately reject the same token being reused? Can you share how long tokens are safe to use for? Here is the code we want to try final actor DeviceTokenController: NSObject { static var shared: DeviceTokenController = .init() private var tokenGenerationTask: Task<Data?, Never>? var ephemeralDeviceToken: Data? { get async { // Re-using the token for short periods of time if let existingTask = tokenGenerationTask { return await existingTask.value } let task = Task<Data?, Never> { guard DCDevice.current.isSupported else { return nil } do { return try await DCDevice.current.generateToken() } catch { Log("Failed to generate ephemeral device token", error) return nil } } tokenGenerationTask = task let result = await task.value tokenGenerationTask = nil return result } } }

Has anyone launched a game for kids using Unity Analytics? I am not understanding if Unity Analytics is considered a "third party". And has anyone successfully shipped a game for kids with Unity Analytics? And if not, has anyone solved the issue Apple rejecting submission?

Current Setup: Using Secure Enclave with userPresence access control Foreground keychain accessibility: whenPasscodeSetThisDeviceOnly Security Requirement: Our security group wants us to invalidate biometrics and require a username/password if a biometric item is added (potentially by a hostile 3rd party) Need to upgrade from userPresence to biometricCurrentSet to ensure re-authentication when biometric credentials change. Issue: After implementing biometricCurrentSet, authentication cancels after two failed biometric attempts instead of falling back to passcode. Current Detection Method: User completes initial biometric authentication Biometric changes occur (undetectable by app) App attempts Secure Enclave access Access denial triggers re-authentication requirement Cannot revoke refresh token after access is denied Security Concern: Current implementation allows new biometric enrollments to access existing authenticated sessions without re-verification. Question: What's the recommended approach to: Implement biometricCurrentSet while maintaining passcode fallback Properly handle refresh token invalidation when biometric credentials change Looking for guidance on best practices for implementing these security requirements while maintaining good UX.

Hi all. So, I built the platform SSO extension on a demo server I created and everything ran smoothly. I get the tokens at the end of the process. Now, I want to use the tokens when I trigger my SSO extension in my domain from Safari. I trigger my domain, get into the beginAuthorization method, get the request.loginManager?.ssoTokens and then want to return them to Safari by calling the request.complete method. But, no matter what complete method I call (complete(httpResponse: HTTPURLResponse, httpBody: Data?) or complete(httpAuthorizationHeaders: [String : String]) where I insert the Bearer token into the Authorization header, it will not drill down to Safari or my server. The headers I try to send back are not moving from the extension to Safari. Some knows why its happening? Thank you for any help or suggestion.

Hi, I’m currently implementing App Attest attestation validation on the development server. However, I’m receiving a 403 Forbidden response when I POST a CBOR-encoded payload to the following endpoint: curl -X POST -H "Content-Type: application/cbor" --data-binary @payload.cbor 'https://data-development.appattest.apple.com' Here’s how I’m generating the CBOR payload in Java: Map&lt;String, Object&gt; payload = new HashMap&lt;&gt;(); payload.put("attestation", attestationBytes); // byte[] from DCAppAttestService payload.put("clientDataHash", clientDataHash); // SHA-256 hash of the challenge (byte[]) payload.put("keyId", keyIdBytes); // Base64-decoded keyId (byte[]) payload.put("appId", TEAM_ID + "." + BUNDLE_ID); // e.g., "ABCDE12345.com.example.app" ObjectMapper cborMapper = new ObjectMapper(new CBORFactory()); byte[] cborBody = cborMapper.writeValueAsBytes(payload); I’m unsure whether the endpoint is rejecting the payload format or if the endpoint itself is incorrect for this stage. I’d appreciate clarification on the following: 1. Is https://data-development.appattest.apple.com the correct endpoint for key attestation in a development environment? 2. Should this endpoint accept CBOR-encoded payloads, or is it only for JSON-based assertion validation? 3. Is there a current official Apple documentation that lists: • the correct URLs for key attestation and assertion validation (production and development), • or any server-side example code (e.g., Java, Python) for handling attestation/validation on the backend? So far, I couldn’t find an official document that explicitly describes the expected HTTP endpoints for these operations. If there’s a newer guide or updated API reference, I’d appreciate a link. Thanks in advance for your help.

hey everyone.!! In one of my macOS projects I am trying to fetch the files and folders available on "Desktop" and "Document" folder and trying to showing it on collection view inside the my project, but when I try to fetch the files and folder of desktop and document, I am not able to fetch it. But if i try it by setting the entitlements False, I am able to fetch it. If any have face the similar issue, or have an alternative it please suggest. NOTE:- I have tried implementing it using NSOpenPanel and it works, but it lowers the user experience.

Hi. We are trying to get the access token before calling any API. The app can go in bad network areas but the token acquisition keeps happening for the network call. The devices are managed devices which means it has some policies installed. We are using MSAL lib for the authentication and we are investigating from that angle too but the below error seems to be coming from apple authentication which needs our attention. ========================================== LaunchServices: store (null) or url (null) was nil: Error Domain=NSOSStatusErrorDomain Code=-54 "process may not map database" UserInfo={NSDebugDescription=process may not map database, _LSLine=68, _LSFunction=_LSServer_GetServerStoreForConnectionWithCompletionHandler} Attempt to map database failed: permission was denied. This attempt will not be retried. Failed to initialize client context with error Error Domain=NSOSStatusErrorDomain Code=-54 "process may not map database" UserInfo={NSDebugDescription=process may not map database, _LSLine=68, _LSFunction=_LSServer_GetServerStoreForConnectionWithCompletionHandler} Failed to get application extension record: Error Domain=NSOSStatusErrorDomain Code=-54 "(null)" ASAuthorizationController credential request failed with error: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1003 "(null)" ========================================== This happens mostly when we switches the network or keep the device in no or low network area. This comes sometimes when app goes in background too. Just trying to give as much as information I could. Any lead would be highly appreciated. Thank you

My organization routes all device traffic through a network security device that performs TLS intercept (SSL inspection). As might be expected, this breaks passkey Cross-Device Authentication (CDA) functionality, since the thumbprints don't match end-to-end between the authenticator (iPhone) and the client (laptop). As soon as I disable the VPN tunnel through our security device, the passkey login works as expected. The security team is willing to exclude the relay servers from SSL inspection, but we are unable to find a list of the relevant endpoints. Is there a list of Apple relay servers that are used for passkey tunnelling? We can review the network logs to find the traffic, but I'd prefer an authoritative list. For full context: we are using device-bound passkeys via Microsoft Authenticator to login to Entra but, as I understand it, the passkey is still handled via Apple's standard passkey infrastructure and APIs. Thanks!

Hi everyone, We are using the App Attest API to securely transition users to our new system. As part of this, we store the Key ID of the attestation key for each user to verify their identity later. However, we’ve noticed that some users are encountering the error “DCErrorInvalidKey 3” when calling generateAssertion. Importantly, the key was previously successfully attested, and generateAssertion has worked before for these users. Our questions: Could this error be caused by an app or iOS update? Is it problematic to link an attestation key's Key ID directly to a user, or are there scenarios where the key might change or become invalid? If there’s a way to mitigate this issue or recover affected users, what best practices would you recommend? Any help or shared experiences would be greatly appreciated! Thanks in advance.

I am developing apps using NWJS framework, which access devices on the local network. I am doing this on Sequoia on Macos (Desktop). I have developed other apps using NWJS before, but on earlier versions of Macos. My issue is, I am unable to give my app permission to app to access devices on local network on one of the apps. Some background: Other apps which I have used which access devices on the local network, on first-time launching, have given a prompt asking me if I want to allow or deny access to local device for the app. However, on first-time launching (and many others after that), It simply says the device cannot be reached, and I never get a prompt asking me if I want to allow or deny access to local device for my app. In its barebones proof-of-concept stage of my app, I have an iframe who's src attribute is the IP address of a device known on the network with that address. I have tried the protocol https://192.168.1.99 and http://192.168.1.99 in the src attribute. This protocol works in another app I have built where upon first-time launch, I was able to get a prompt and give it the needed permission. If I check in System Settings > Privacy and Security > Network, the app doesn't appear where I can toggle a setting. I also am unable to explicitly add my app to the list. ** This worked for one app, but not another: In researching this issue, it was recommended that I add the following keys in info.plist: com.apple.developer.networking.multicast - boolean true NSLocalNetworkUsageDescription - string description NSNearbyInteractionUsageDescription - string description This worked for one of my apps, but not another, which has a nearly identical structure. In fact, other than CFBundleIdentifier, CFBundleDisplayName and CFBundleName, info.plist is identical. Why did this work one time, and how can I get my app to prompt for permission for local network access?

Hi, I know it's been discussed before, but I'm testing the Sign in with Apple feature, and I only get the user info on the first try. Now, I know that you're supposed to go to the account settings, and look for the list of accounts that you used your Apple account to sign in with, and it used to work a few months back. But for the last few weeks I haven't been able to get the user info, even after deleting the entry from my Sign In With Apple app list. Has there been a recent change to Apple security policy that prevents such a move from working ? Or am I doing something wrong ? Thank you