When presenting a cookie banner for GDPR purposes, should ATT precede the cookie banner? It seems that showing a Cookie Banner and then showing the ATT permission prompt afterwards (if a user elects to allow cookies/tracking) would be more appropriate. Related question: Should the “Allow Tracking” toggle for an app in system settings serve as a master switch for any granular tracking that might be managed by a 3rd party Consent Management Platform? If ATT is intended to serve as a master switch for tracking consent, if the ATT prompt is presented before a cookie banner, should the banner even appear if a user declines tracking consent? I’m not finding any good resources that describe this flow in detail and I’m seeing implementations all over the place on this. Help! Thanks!!!

News link: https://developer.apple.com/news/?id=12m75xbj If your app offers Sign in with Apple, you’ll need to use the Sign in with Apple REST API to revoke user tokens when deleting an account. I'm not good English. I'm confused about the above sentence Do I have to use REST API unconditionally or can I just delete to the account data?

Hi. We are trying to get the access token before calling any API. The app can go in bad network areas but the token acquisition keeps happening for the network call. The devices are managed devices which means it has some policies installed. We are using MSAL lib for the authentication and we are investigating from that angle too but the below error seems to be coming from apple authentication which needs our attention. ========================================== LaunchServices: store (null) or url (null) was nil: Error Domain=NSOSStatusErrorDomain Code=-54 "process may not map database" UserInfo={NSDebugDescription=process may not map database, _LSLine=68, _LSFunction=_LSServer_GetServerStoreForConnectionWithCompletionHandler} Attempt to map database failed: permission was denied. This attempt will not be retried. Failed to initialize client context with error Error Domain=NSOSStatusErrorDomain Code=-54 "process may not map database" UserInfo={NSDebugDescription=process may not map database, _LSLine=68, _LSFunction=_LSServer_GetServerStoreForConnectionWithCompletionHandler} Failed to get application extension record: Error Domain=NSOSStatusErrorDomain Code=-54 "(null)" ASAuthorizationController credential request failed with error: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1003 "(null)" ========================================== This happens mostly when we switches the network or keep the device in no or low network area. This comes sometimes when app goes in background too. Just trying to give as much as information I could. Any lead would be highly appreciated. Thank you

We have 2 developers: Developer A created a Bundle ID and configured Sign in with Apple, but didn't create a corresponding App. This Bundle ID is only used for login on our official website. Developer B created a Bundle ID, configured Sign in with Apple, and has a corresponding App. The issue we're encountering is that because these two Bundle IDs are under different teams, when using the same Apple ID to log into these two applications, different accounts are generated. (We've tested that when creating Service IDs under the same team, logging in with Bundle IDs under the same team generates the same account.) Since Developer A's Bundle ID doesn't have a created app, it cannot be transferred to Developer B. Therefore, we'd like to know if there's any way to make the accounts generated from logging in with the same Apple ID be identical across these two teams?

We currently have an app that uses Sign in with Apple (SIWA), and we are planning to discontinue the SIWA feature. Specifically, we intend to disable SIWA from the app's Capabilities in the Apple Developer Center. My question is, if we disable SIWA, can we continue to use the private email addresses of users who registered using SIWA? Or will disabling SIWA also invalidate the users' private email addresses? We are considering asking users to change to a different, valid email address in our app. However, if the private email addresses are invalidated, we will not be able to disable SIWA until all users have completed the email address change. If anyone has knowledge about these behaviors, please let us know.

Hello! Few month ago i did get hacked on my pc and then my android and iphone. Did get at notice that payments couldent draw. lucky I only had 240kr on lunar card that it did draw 200kr to a gift card. Did get mail from skrill that a account whas created with one of my Gmail’s. Tryed to log them out but window did keep close. Gmail did flag like crazy and wanted me to change pw. how the fuck when I lost control of my phone?!?!??! Just lock it god Damn. let’s make it short! I shared network to pc from my phone With usb. I don’t just think it whas a attacker program as Gmail did flag. I think I did get mirror linked on my android and maybe my iphone. Had a real struggle to reset my pc and phones before it worked. My iPhone drains battery like crazy and feels laggy sometimes. A non registered number whas added to two Gmail’s that they did try to change pw multiple times. did notice I Linux pc activity on my fb and some other stuff. My iphone do reboot still sometimes and every second reboot wifi/bluet can’t be activated and mobile share change pw as the original one did look. Next reboot all work and are the same again. Iam scared that iam still hacked or havent removed him from everything. How can I make sure that Iam still not mirror linked and that he or she can’t access anything? Sorry for the long text but iam scared as fuck.

Hi, Just follow the related post to implement this method in the app, but it gave me error, like: "An SSL error has occurred and a secure connection to the server cannot be made" the info plist configuration like below, NSPinnedDomains mysite.com NSIncludesSubdomains NSPinnedCAIdentities SPKI-SHA256-BASE64 r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E= The pub key is right for me, since it works when I use different pub key pinning through URLSession interface. So here, I dont know where to start the troubleshooting, any advice would be appreciated.

Developers of our e-shop are preparing to enable Apple Sign In for account login. Apple ID verification is conducted via the domain appleid.apple.com, and the responses should be coming back from the following two Apple IP addresses: IPv4 Address: 17.32.194.6 IPv4 Address: 17.32.194.37 Question is whether these addresses are correct and if they remain unchanged over time. Alternatively, it is existing an official list of IP addresses that may be used for Apple Sign In verification response? This is necessary to ensure precise network communication settings and protection by F5 security solution. Thanks a lot for answers.

Hello everyone. Hope this one finds you well) I have an issue with integrating a FIDO2 server with ASAuthorizationController. I have managed to register a user with passkey successfully, however when authenticating, the request for authentication response fails. The server can't validate signature field. I can see 2 possible causes for the issue: ASAuthorizationPlatformPublicKeyCredentialAssertion.rawAuthenticatorData contains invalid algorithm information (the server tries ES256, which ultimately fails with false response), or I have messed up Base64URL encoding for the signature property (which is unlikely, since all other fields also require Base64URL, and the server consumes them with no issues). So the question is, what encryption algorithm does ASAuthorizationController use? Maybe someone has other ideas regarding where to look into? Please help. Thanks)

hey everyone.!! In one of my macOS projects I am trying to fetch the files and folders available on "Desktop" and "Document" folder and trying to showing it on collection view inside the my project, but when I try to fetch the files and folder of desktop and document, I am not able to fetch it. But if i try it by setting the entitlements False, I am able to fetch it. If any have face the similar issue, or have an alternative it please suggest. NOTE:- I have tried implementing it using NSOpenPanel and it works, but it lowers the user experience.

Hi everyone, We are using the App Attest API to securely transition users to our new system. As part of this, we store the Key ID of the attestation key for each user to verify their identity later. However, we’ve noticed that some users are encountering the error “DCErrorInvalidKey 3” when calling generateAssertion. Importantly, the key was previously successfully attested, and generateAssertion has worked before for these users. Our questions: Could this error be caused by an app or iOS update? Is it problematic to link an attestation key's Key ID directly to a user, or are there scenarios where the key might change or become invalid? If there’s a way to mitigate this issue or recover affected users, what best practices would you recommend? Any help or shared experiences would be greatly appreciated! Thanks in advance.

I am a new developer working to publish an app that includes a location tracker but does not collect user location data. I lam developing my app using Thunkable. My initial submission was rejected because opening the app triggered the error message: "This app is missing "NUserTrackingDescription so tracking transparency will fail. Ensure that this key exists in app's info.plist" However when I add in the NUserTrackingDescription it triggers a process by which I have to notify users that their location data is being collected, which is not the case. I am looking for advice on how to re-submit my app with the correct privacy settings that do not trigger the error message received previously.

General: Forums topic: Privacy & Security Apple Platform Security support document Developer > Security Enabling enhanced security for your app documentation article Creating enhanced security helper extensions documentation article Security Audit Thoughts forums post Cryptography: Forums tags: Security, Apple CryptoKit Security framework documentation Apple CryptoKit framework documentation Common Crypto man pages — For the full list of pages, run: % man -k 3cc For more information about man pages, see Reading UNIX Manual Pages. On Cryptographic Key Formats forums post SecItem attributes for keys forums post CryptoCompatibility sample code Keychain: Forums tags: Security Security > Keychain Items documentation TN3137 On Mac keychain APIs and implementations SecItem Fundamentals forums post SecItem Pitfalls and Best Practices forums post Investigating hard-to-reproduce keychain problems forums post App ID Prefix Change and Keychain Access forums post Smart cards and other secure tokens: Forums tag: CryptoTokenKit CryptoTokenKit framework documentation Mac-specific resources: Forums tags: Security Foundation, Security Interface Security Foundation framework documentation Security Interface framework documentation BSD Privilege Escalation on macOS Related: Networking Resources — This covers high-level network security, including HTTPS and TLS. Network Extension Resources — This covers low-level network security, including VPN and content filters. Code Signing Resources Notarisation Resources Trusted Execution Resources — This includes Gatekeeper. App Sandbox Resources Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

Can someone please guide me on the entire process of integrating ads in an IOS application using google's admob sdk? Not related to code but things related to Apple's privacy policy. Which options do need to select or specify in my app profile's privacy policy (identifier) section?

Hey there, I used our team's account to configure sign in with Apple, the mode is pop up, my clientId scope redirectUrl state are both correct. I got Failed to verify your identity. Try again., actually my account is valid because I can login to my mac and every apple website. I have tried many apple accounts and still got this error. That was so weird, I didn't find a solution online. Pls help me thanks.

General: Forums subtopic: Privacy & Security > General Forums tag: App Sandbox App Sandbox documentation App Sandbox Design Guide documentation — This is no longer available from Apple. There’s still some info in there that isn’t covered by the current docs but, with the latest updates, it’s pretty minimal (r. 110052019). Still, if you’re curious, you can consult an old copy [1]. App Sandbox Temporary Exception Entitlements archived documentation — To better understand the role of temporary exception entitlements, see this post. Embedding a command-line tool in a sandboxed app documentation Discovering and diagnosing App Sandbox violations (replaces the Viewing Sandbox Violation Reports forums post) Resolving App Sandbox Inheritance Problems forums post The Case for Sandboxing a Directly Distributed App forums post Implementing Script Attachment in a Sandboxed App forums post Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" [1] For example, this one archived by the Wayback Machine.

I am experiencing an issue with Apple Sign-In on Vision Pro. When I build and run the app from Xcode, everything works fine—after signing in, the app returns to the foreground as expected. However, when I launch the app directly on Vision Pro (not from Xcode), after completing the sign-in process, the app does not reopen from the background automatically. Instead, it closes, and I have to manually tap the app icon to reopen it. Has anyone else encountered this issue? Is there a way to ensure the app properly resumes after sign-in without requiring manual intervention?

E aí pessoal, tudo certo? Estou desenvolvendo um app com React Native no front-end e Node.js no back-end, usando o Firebase como banco de dados (e possivelmente para autenticação também, dependendo da solução). Preciso implementar o "Sign in with Apple" e estou com algumas dúvidas em como integrar tudo isso. A ideia é: o usuário clica no botão "Entrar com a Apple" no app (React Native), o backend (Node.js) processa a autenticação com a Apple e, em seguida, armazena as informações necessárias (nome, email, etc.) no Firebase. Se alguém já trabalhou com essa combinação (React Native, Node.js, Firebase e Sign in with Apple) e puder compartilhar alguma experiência, dicas, exemplos de código ou até mesmo um boilerplate, seria de grande ajuda!

Feedback report id: FB16605524 I'm trying to send emails to private relay service addresses using AWS SES and emails are not received. My emails are sent from dev@mydomain.fr and I've set a custom FROM domain of mail.mydomain.fr. I've added both domains and the dev@mydomain.fr adress to the "Certificates, Identifies & Profiles" section. I've set up DKIM and SPF for both. Attached a redacted version of email headers. email_headers_redacted.txt

Please help me clarify the current situation regarding the necessity of a privacy manifest file in 3rd party SDKs. It would be nice to have a reply from someone working at Apple, to have a reliable answer. A quick summery of the events from last year https://developer.apple.com/support/third-party-SDK-requirements/ : "Starting in spring 2024, you must include the privacy manifest for any SDK listed below when you submit new apps in App Store Connect that include those SDKs, or when you submit an app update that adds one of the listed SDKs as part of the update." Last autumn, we started receiving warning emails from Apple after initiating app reviews, even when our apps did not have a newly added SDK: ITMS-91061: Missing privacy manifest - Starting November 12, 2024, if a new app includes a privacy-impacting SDK, or an app update adds a new privacy-impacting SDK, the SDK must include a privacy manifest file. Please contact the provider of the SDK that includes this file to get an updated SDK version with a privacy manifest. According to this warning message, app updates which do not contain any new SDKs are still not affected. Since then, at one point in time the deadline changed, as now we have February 12, 2025 in the privacy manifest documentation: https://developer.apple.com/documentation/bundleresources/adding-a-privacy-manifest-to-your-app-or-third-party-sdk However, this page does not contain any mention of the circumstances, it only states in general that apps you submit for review in App Store Connect must contain a valid privacy manifest file for a certain number of commonly used third-party SDKs. My questions Does the February deadline apply to every app update, even if they do not contain any newly added SDKs? Or does it still affect only the app updates "that adds one of the listed SDKs as part of the update." ? If the former, the 3rd party requirements page should be updated in my opinion. And if the latter, why does the documentation not contain this important piece of information? We have a basic product which then gets customised for the clients so we upload several different apps based on the same code with the same dependencies. How is it possible that during autumn, Apple sent ITMS-91061: Missing privacy manifest warnings for some of our apps, but did not send it for others? Does Apple not validate all the apps but only some of them randomly? Also, the warning still states that it should be relevant if "an app update adds a new privacy-impacting SDK", but that was not the case for us, we did not add anything newly to our apps - why did we even get these warnings then? Just in general: when the deadlines change, is there any channel where Apple communicates these, besides the warning emails? I did not see any posts on the Apple Developer site's News page about this February date, I just found it by accident. I don't even remember seeing a notice about the original November deadline, we just started receiving the email warnings without expecting them. Thank you in advance for anyone sharing an answer.