Our product uses the “Sign in with Apple” feature, and now we need to transfer it to Apple. After reading the documentation, I still have questions and would like to get answers.
Q1:Transfer App: After the receiving team receives the App, is the unique identifier obtained by the client App program login the original one? Or is it newly generated? If it is newly generated, from what point in time will it be newly generated?
Q2:Transfer App: Is there any validity period for the transfer identifier? About how long? What will happen after the transfer identifier is expired?
Q3:When does the transfer identifier (transfer identifier) start to be generated, when the transfer request is initiated or when the transfer is completed, and when I get the transfer identifier, can I directly exchange it for the receiving team's unique identifier?
Looking forward to a reply, thanks!
General
RSS for tagPrioritize user privacy and data security in your app. Discuss best practices for data handling, user consent, and security measures to protect user information.
Post
Replies
Boosts
Views
Activity
Hello,
It seems that an App Store version App uses a default sandbox configuration. However, my app contains multiple binaries, and I would like to apply additional sandbox restrictions to a specific binary.
Is it possible to set different sandbox rules for different binaries within the same app?
Thank you for your help!
Hello everyone,
I’m encountering an issue with Sign in with Apple in my watchOS app and would appreciate any guidance.
Background:
Initially, I did not have the Sign in with Apple capability enabled on my watchOS app.
I have since enabled the capability and grouped it with my iOS app.
For new user accounts created after this change, everything works perfectly:
The credentialState check returns .authorized on both iOS and watchOS.
However, for existing user accounts (created before enabling the capability on watchOS):
The credentialState check returns not authorized on watchOS.
The check still returns .authorized on iOS for these accounts.
Error Details:
When calling ASAuthorizationAppleIDProvider.credentialState(forUserID:) on watchOS for existing accounts, I receive the following error:
Error Domain=AKAuthenticationError Code=-7074 "(null)"
My Suspicions:
I believe the issue arises because the existing Sign in with Apple tokens are only associated with the iOS app’s bundle identifier and not with the watchOS app’s bundle identifier. Since the capability wasn’t enabled on the watchOS app when these accounts were created, their tokens aren’t valid for the watchOS app.
Questions:
Is this the correct explanation for why the credentialState check fails on watchOS for existing accounts, resulting in the AKAuthenticationError Code=-7074 error?
Can I update or migrate the existing accounts so that their Sign in with Apple tokens are valid for the watchOS app as well? If so, how can this be achieved?
Are there any best practices for handling this situation without requiring users to re-authenticate or removing the credentialState check from the watchOS app?
Goal:
I want to maintain the credentialState check on the watchOS app because it works correctly for new accounts and is important for security. I’m looking for a solution that allows existing users to continue using the app on their Apple Watch without interruption or additional sign-in steps.
Any help or suggestions would be greatly appreciated!
Thank you!
When we develop 'Sign in with Apple' function on our app, we visited https://appleid.apple.com to verify the account. However, appleid.apple.com is mapped to an American IP, and it is not suitable for our app which is operated in China. I wonder whether there is a China Mainland IP available for the verification? Thanks very much.
I have a sdk which reads and writes data to keychain everything works fine on local machine. But on testflight it can not read the data it previously wrote. every time app starts it tries to read but fails.
I have other apps they works fine with the same sdk and same code on testflight and local. There is keychain access groups in entitlement file. the reason is not entitlement file. Any ideas?
We noticed a change in the page Adding a privacy manifest to your app or third-party SDK that adds a deadline of November 12 past which invalid manifests will not be allowed in store submissions.
Does this mean we can no longer use old versions of third-party SDKs which lack a manifest? (The ones that were allowed because we had already shipped with them.)
I've encountered an issue with the keychain on macOS 15.0.1.
When an admin account changes the password for a non-admin local account, the system should prompt to unlock the login keychain at the next login, giving the user an opportunity to update the keychain password. However, when I attempted to change a local account password using an admin account through system configuration on macOS 15.0.1, the system did not show such a prompt. Instead, it directly created a new login keychain. In the keychain directory, I could see that the old keychain had been renamed to login_rename_X.keychain-db. Additionally, this operation caused the Touch ID and passwords saved in the keychain to be cleared.
Does anyone know how to handle this issue so that the local account is prompted to update the keychain password during login?
I generate a keys using :
let attributes: NSDictionary = [
kSecAttrLabel: label,
kSecUseKeychain: getSystemKeychain()!,
kSecAttrKeyType: kSecAttrKeyTypeEC,
kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom,
kSecAttrKeySizeInBits: 256,
kSecPrivateKeyAttrs: [
kSecAttrIsPermanent: true,
kSecAttrApplicationTag: tag,
] as [CFString : Any]
]
var error: Unmanaged<CFError>?
// Generate a new private key
guard let privateKey = SecKeyCreateRandomKey(attributes, &error) else {
logger.error("failed to create a keypair \(String(describing: error))")
return (nil, nil)
}
I keep getting this error :
failed to create a keypair Optional(Swift.Unmanaged<__C.CFErrorRef>(_value: Error Domain=NSOSStatusErrorDomain Code=-2070 "internal error" (internalComponentErr) UserInfo={numberOfErrorsDeep=0, NSDescription=internal error}))
The above code works absolutely fine on macOS Sonoma and older OS. This looks like a regression in the Apple API SecKeyCreateRandomKey(). What is a good workaround for this ?
Hello,
I have been testing my app with iOS 18 beta and noticing an issue with the triggering of Local Network privacy prompt.
My app uses this permission to make a request to a local network address. Prior to iOS upgrade to 18 beta, the privacy prompt used to get triggered upon making the request and only after tapping on 'Allow', the subsequent requests used to succeed. If the user turned off the toggle for 'Local Network' in the app settings, then this functionality used to break as expected.
Issues observed with 18 beta:
The privacy prompt is not getting triggered upon making the request to local network and the request is succeeding. The app already seems to have this access granted but I do not see the permission toggle in the app settings.
Upon device restart, the prompt got triggered but even on disallowing the access (tapping Don't Allow), the app is able to make requests to the local network. The permission toggle appears in the app settings, but its state does not impact the app's functionality.
Has something changes in this flow? Can someone please help with what might be causing this behaviour?
Hey,
There are two apps, App A and App B.
Both apps do not have Sign in with Apple configured currently, so there are no Sign in with Apple users to transfer. I want to configure this for both apps.
App A is on developer team A.
App B is on developer team B.
They are not on the same developer accounts.
It is my understanding that both accounts need to be on the same developer team/account to get the same unique identifiers (e.g. sub id and private relay email address) for privacy reasons.
Desired Behavior:
When a single user logs into either app A or app B with the newly exposed Sign in with Apple functionality, I need apple to return me the same unique identifiers (e.g. sub and email), so that I can uniquely identify the same user across app A and app B.
How can I do this without ANY customer impact.
I have existing macOS application(pkg distribution) and now I need to release App Store version
I need to move all files from "Documents/My App" to app container
however container migration doesn't work in some cases
I've tested TestFlight build:
migration works fine if Mac uses Local Documents folder
migration doesn't work if Mac uses iCloud Documents and Desktop folders
Is there some way to fix this?
container-migration.plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Move</key>
<array>
<string>${Documents}/My App</string>
</array>
</dict>
</plist>
After upgrading to 15.1, SSIDs can no longer be scanned. In my main application, there is a wifiAccess.app in the LaunchService folder that is killed by embbed. This app is the root process that is placed under launchDaemon and loaded by launchd
CLLocationManager *locationManager = [[CLLocationManager alloc] init];
if (@available(macOS 10.15, *)) {
[locationManager requestAlwaysAuthorization];
} else {
// erlier version do not need localtion permission
}
NSError *error;
NSData *ssidStrData = [ssid dataUsingEncoding:NSUTF8StringEncoding];
CWInterface *interface = [[CWWiFiClient sharedWiFiClient] interface];
NSSet<CWNetwork *> *networks = [interface scanForNetworksWithSSID:ssidStrData error:nil];
However, the obtained networks do not have ssid.
{(<CWNetwork: 0x600000368680> [ssid=(null), bssid=(null), security=WPA2 Enterprise, rssi=-49, channel=<CWChannel: 0x600000370bd0> [channelNumber=44(5GHz), channelWidth={20MHz}], ibss=0],
<CWNetwork: 0x600000370b30> [ssid=(null), bssid=(null), security=WPA2 Enterprise, rssi=-73, channel=<CWChannel: 0x600000370b00> [channelNumber=6(2GHz), channelWidth={20MHz}], ibss=0],
<CWNetwork: 0x600000370be0> [ssid=(null), bssid=(null), security=WPA2 Enterprise, rssi=-44, channel=<CWChannel: 0x600000370c60> [channelNumber=165(5GHz), channelWidth={20MHz}], ibss=0]
},
the main program has granted the location permission, but the location authorization has not responded in this wifiaccess process. And
(lldb) po [locationManager authorizationStatus]
kCLAuthorizationStatusNotDetermined.
The output authorization is always unauthorized, but only the authorization option of the main application can be seen in the system Settings location permissions setting, wifiaccess.app is not present on the list
We recently transferred our app from one developer account to a new one, internally. We're trying to transfer our sign in with apple users, but have hit a snag on the first step.
I'm following the instructions here to "Obtain the user access token": https://developer.apple.com/documentation/sign_in_with_apple/transferring_your_apps_and_users_to_another_team
This is my request as created in postman:
curl --location 'https://appleid.apple.com/auth/token/'
--form 'grant_type="client_credentials"'
--form 'scope="user.migration"'
--form 'client_id="com.XXXXX"'
--form 'client_secret="XXXXX"'
No matter what I try, I always receive invalid_client.
I've uploaded example JWTs in FB15648650.
I have implemented Sign in with Apple on website one weeks ago, and it work perfectly.
However, recently we start to receive invalid_grant with no error description while token validation, however the same client secret works on IOS app without issue....
in ios app site , we used bundle id for client_id.
in web site , we used service id for client_id;
I try to create a new privateKey for web site and add redirect_uri params to /auth/token, but still error....
I tested it like this,
i got authorization code using Service ID
i tried authorization code with Service ID using browser :
successfully got the code
and requested access_token immately
2 and then, i tried validate the authorization grant code to obtain tokens
curl like this
curl -X POST https://appleid.apple.com/auth/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "client_id=my_service_id" \
-d "client_secret=my_client_secret" \
-d "code=sent_from_frontend" \
-d "grant_type=authorization_code" \
-d "redirect_uri=my_redirect_uri"
then get fail and no error_description error_code is 400
invalid_grant
is not invalid_client error, and client secret is not expired too
My decoded token looks like the following :
{
"alg": "ES256",
"typ": "JWT",
"kid": "my_kid"
}
{
"aud": "https://appleid.apple.com",
"sub": "my_service_id",
"iss": "team_id",
"exp": 1744012650,
"iat": 1728460650
}
We noticed that the APNs Profile we downloaded on https://developer.apple.com/bug-reporting/profiles-and-logs/ is mentioning "Facetime and Call Activity Logging".
Is it expected ?
Hi, I have implemented Sign in with Apple on Android four months ago, and it work perfectly.
We are using React Native with expo, using expo-auth-session and firebase function to get code back to start the token validation process.
However, recently we start to receive invalid_grant with no error description while token validation, however the same client secret works on firestore without issue, which confuses us.
According to https://developer.apple.com/documentation/technotes/tn3107-resolving-sign-in-with-apple-response-errors, the common reasons that I receive invalid_grant are:
The client_id does not match the client for which the code was issued.
The code has expired or has been previously consumed by the validation server.
Is there any way I could differentiate whether is client_secret wrong or the code was used or any other reasons?
Hello,
Following a company split we are planning to transfer one of our apps, which has Sign in With Apple enabled, to another team. We want to provide a smooth migration experience for the users by minimizing downtime and avoiding the duplication of accounts in our database.
In our backend we generate a client secret using the transferring team’s ID. We then use this client secret with the “https://appleid.apple.com/auth/token” endpoint which returns the identity token.
With the above in mind, I have the following questions:
If we don’t update the team ID immediately after the transfer in our backend, will the identity token returned by the endpoint above contain the transferring team user ID in the sub field or, will it contain the recipient team user ID?
Is there any possibility that we will ever receive an identity token containing a transferring team user ID in the sub field after we accept the transfer?
Thanks,
Bruno
So I’m (extremely) new to developing for iOS, and I’m looking to implement the “Sign in With Apple“ feature for an application that interacts with a server I’ve built. Following the guide I’m able to get a user’s email and name. When I send that information to my server to create a user account, do I need to do anything else (like validating that the email is actually associated with an Apple account or that the user actually owns it, etc)? I looked at the Sign in With Apple from the web article and it doesn’t seem like it’s relevant to my use case. Is it standard practice to just trust the client in the iOS world?
Hello there, we have implemented the Apple sign in our site, everything is working good except from two edge cases when the JWT returned by Apple sign in does not contain the user email, these cases are:
When users choose Hide My Email when creating their account and later manually change their settings and turning off the email forwarding (Tested).
For Apple at Work & School users. i.e. younger students may not have an email address. According to Apple docs, email could be empty for Sign in with Apple at Work & School users (Not tested).
The problem is that we use the email to confirm the user authentication, but when the email is not present in the JWT, our system won't be able to find the registered user.
We're currently working on a workaround for this, but we would like to confirm that these edge cases are known by apple and also ask some questions:
Is it correct to say that: Turning off the email forwarding will cause that Apple's identity token (JWT) does not include the user's email address?
Apple at Work & School users: is there a way to identify that someone is using this type of account?
Is there any other known edge case when the email could be empty in the JWT?
Thanks in advance!
Trying to flesh out an idea for an application which would rely on Endpoint Security Framework and Network Extension Framework, where intend the application to:
Forward certain ESF events to a backend (on a separate server)
Forward certain Unified logs to a backend (on a separate server)
Forwarding various DNS queries and responses (on a separate server)
Retrieve configuration from the backend to set Network Extension Filters
Are there any limitations and/or reasons not to bundle all this functionality into a single system extension?
I know of other applications where system extension is very thin and main application (daemon) communicates over xpc with the system extension, would this be considered best practice?