We are interested in using a hardware-bound key in a launch daemon. In a previous post, Quinn explicitly told me this is not possible to use an SE keypair outside of the system context and my reading of the Apple documentation also supports that. That said, we have gotten the following key-creation and persistence flow to work, so we have some questions as to how this fits in with the above. (1) In a launch daemon (running thus as root), we do: let key = SecureEnclave.P256.Signing.PrivateKey() (2) We then use key.dataRepresentation to store a reference to the key in the system keychain as a kSecClassGenericPassword. (3) When we want to use the key, we fetch the data representation from system keychain and we "rehydrate" the key using: SecureEnclave.P256.Signing.PrivateKey(dataRepresentation: data) (4) We then use the output of the above to sign whatever we want. My questions: in the above flow, are we actually getting a hardware-bound key from the Secure Enclave or is this working because it's actually defaulting to a non-hardware-backed key? if it is an SE key, is it that the Apple documentation stating that you can only use the SE with the Data Protection Keychain in the user context is outdated (or wrong)? does the above work, but is not an approach sanctioned by Apple? Any feedback on this would be greatly appreciated.

I’m implementing a custom Authorization right with the following rule: <key>authenticate-user</key> <true/> <key>allow-root</key> <true/> <key>class</key> <string>user</string> <key>group</key> <string>admin</string> The currently logged-in user is a standard user, and I’ve created a hidden admin account, e.g. _hiddenadmin, which has UID≠0 but belongs to the admin group. From my Authorization Plug-in, I would like to programmatically satisfy this right using _hiddenadmin’s credentials, even though _hiddenadmin is not the logged-in user. My question: Is there a way to programmatically satisfy an authenticate-user right from an Authorization Plug-in using credentials of another (non-session) user?

Hello Apple Developer: I encountered some issues during development. I encrypted the secret key and stored it in the Keychain, but it failed when I tried to read it. I would like to ask if there is any problem with the code I wrote. Below is my code, including the storage and retrieval NSMutableDictionary *query = [[NSMutableDictionary alloc] initWithObjectsAndKeys:(id)kSecClassGenericPassword,(id)kSecClass, serviceID,(id)kSecAttrService, @YES,(id)kSecReturnData,nil]; CFTypeRef dataTypeRef = NULL; NSLog(@"SecItemCopyMatching"); OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)(query), &dataTypeRef); NSLog(@"SecItemCopyMatching end status = %d",status); if (status == errSecSuccess) { *privateData = CFBridgingRelease(dataTypeRef); return 0; }else{ return status; } NSMutableDictionary *attributespri = [[NSMutableDictionary alloc] initWithObjectsAndKeys: (id)kSecClassGenericPassword, (id)kSecClass, serviceID, (id)kSecAttrService, outData, (id)kSecValueData, nil]; CFTypeRef dataRef = NULL; OSStatus priStatus = SecItemAdd((__bridge CFDictionaryRef)attributespri, &dataRef); if (dataRef) CFRelease(dataRef); return priStatus == noErr;

Xcode 26.x + iOS 26.x MTE Compatibility Feedback Reporter：Third-party App Developer Date：2026 Environments：Xcode 26.2 / 26.4, iOS 26.2 / 26.4 SDK, iPhone 17 Pro, Third-party App (Swift/C++/Python/Boost) Core Issue MTE (Memory Tagging Extension) under Memory Integrity Enforcement generates extensive false positives for valid high-performance memory operations in third-party apps, causing crashes. No official configuration exists to bypass these false positives, severely impacting stability and development costs. Key Problems 1. Widespread False Positives (Valid Code Crashes) After enabling MTE (Soft/Hard Mode), legitimate industrial-standard operations crash: Swift/ C++ containers: Array.append, resize, std::vector reallocation Custom memory pools / Boost lockfree queues:no UAF/corruption Memory reallocation:Legitimate free-reuse patterns are judged as tag mismatches. 2. MTE Hard Mode Incompatibility iOS 26.4 opens MTE Hard Mode for third-party apps, but it immediately crashes apps using standard high-performance memory management. No whitelist/exception mechanism for third-party developers. 3. MTE Soft Mode Limitations Detects far fewer issues than actual memory corruption reports. Only generates 1 simulated report per process, hiding multiple potential issues. Impact Stability: Apps crash in production when MTE is enabled. Cost: Massive code changes required to abandon memory pools/lockfree structures for system malloc. Ecosystem: Popular libraries (Python, Boost) are incompatible. Recommendations Optimize MTE rules: Add system-level exceptions for valid container resizing and memory pool operations. Provide exemptions: Allow per-region/module MTE exceptions for high-performance modules. Support runtimes: Officially support common third-party runtimes (Python/Boost) or provide system-level exemptions. Improve debugging: Increase MTE Soft Mode coverage and allow multiple reports per process.

Thanks all for reading my post. A bit of context: We just finished an app transfer to our developer account. We successfully signed and generated the new release. We are already able to roll it out in testflight were we found an issue. We store valuable data in the Keychain like Authentication tokens, once the new app is installed over the old one we are experiencing a loss of all data as the keychain become "untrusted". This is worst case scenario for us because all users will immediately lose the access to the app and hence the whole system. Questions: Is there a way to solve this issue, something like migration of the Keychain data? We came to know the standard migration path: Release a version that copies items from the old access groups to a new group based on com.apple.security.application-groups (App Groups). Wait for most users to update and run the migration. Then perform the App ID prefix change. Is this still the best method? Any improvements or new tools available since the 2022 DTS post? The problem with this is that the app is already on our account and that might need to rollback the transfer. Right? How long should we realistically wait for user migration before making the prefix change? Is there a way to measure migration completion? Thank you in advance!

Hi, I am developing an app that checks if biometric authentication capabilities (Face ID and Touch ID) are available on a device. I have a few questions: Do I need to include a privacy string in my app to use the LAContext's canEvaluatePolicy function? This function checks if biometric authentication is available on the device, but does not actually trigger the authentication. From my testing, it seems like a privacy declaration is only required when using LAContext's evaluatePolicy function, which would trigger the biometric authentication. Can you confirm if this is the expected behavior across all iOS versions and iPhone models? When exactly does the biometric authentication permission pop-up appear for users - is it when calling canEvaluatePolicy or evaluatePolicy? I want to ensure my users have a seamless experience. Please let me know if you have any insights on these questions. I want to make sure I'm handling the biometric authentication functionality correctly in my app. Thank you!

I am working on implementing mTLS authentication in my iOS app (Apple Inhouse & intune MAM managed app). The SCEP client certificate is deployed on the device via Intune MDM. When I try accessing the protected endpoint via SFSafariViewController/ASWebAuthenticationSession, the certificate picker appears and the request succeeds. However, from within my app (using URLSessionDelegate), the certificate is not found (errSecItemNotFound). The didReceive challenge method is called, but my SCEP certificate is not found in the app. The certificate is visible under Settings > Device Management > SCEP Certificate. How can I make my iOS app access and use the SCEP certificate (installed via Intune MDM) for mTLS requests? Do I need a special entitlement, keychain access group, or configuration in Intune or Developer account to allow my app to use the certificate? Here is the sample code I am using: final class KeychainCertificateDelegate: NSObject, URLSessionDelegate { func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) { guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodClientCertificate else { completionHandler(.performDefaultHandling, nil) return } // Get the DNs the server will accept guard let expectedDNs = challenge.protectionSpace.distinguishedNames else { completionHandler(.cancelAuthenticationChallenge, nil) return } var identityRefs: CFTypeRef? = nil let err = SecItemCopyMatching([ kSecClass: kSecClassIdentity, kSecMatchLimit: kSecMatchLimitAll, kSecMatchIssuers: expectedDNs, kSecReturnRef: true, ] as NSDictionary, &identityRefs) if err != errSecSuccess { completionHandler(.cancelAuthenticationChallenge, nil) return } guard let identities = identityRefs as? [SecIdentity], let identity = identities.first else { print("Identity list is empty") completionHandler(.cancelAuthenticationChallenge, nil) return } let credential = URLCredential(identity: identity, certificates: nil, persistence: .forSession) completionHandler(.useCredential, credential) } } func perform_mTLSRequest() { guard let url = URL(string: "https://sample.com/api/endpoint") else { return } var request = URLRequest(url: url) request.httpMethod = "POST" request.setValue("application/json", forHTTPHeaderField: "Accept") request.setValue("Bearer \(bearerToken)", forHTTPHeaderField: "Authorization") let delegate = KeychainCertificateDelegate() let session = URLSession(configuration: .ephemeral, delegate: delegate, delegateQueue: nil) let task = session.dataTask(with: request) { data, response, error in guard let httpResponse = response as? HTTPURLResponse, (200...299).contains(httpResponse.statusCode) else { print("Bad response") return } if let data = data { print(String(data: data, encoding: .utf8)!) } } task.resume() }

We are using the CryptoTokenKit framework, specifically the classes TKSmartCardSlotManager, TKSmartCardSlot, and TKSmartCard, to communicate with smart cards through external USB readers on iOS and iPadOS. In most cases, we are able to detect readers via TKSmartCardSlotManager, and send APDU commands using transmitRequest method, with the following code (where self->_slot and self->_card are previously created TkSmartCardSlot and TkSmartCard, respectively): #import <CryptoTokenKit/CryptoTokenKit.h> - (NSData *)sendCardCommand:(NSData *)command { if (!self->_card || !self->_card.valid || self->_slot.state != TKSmartCardSlotStateValidCard) return nil; NSMutableData *res = [[NSMutableData alloc] init]; NSError *sessionError = nil; [self->_card inSessionWithError:&sessionError executeBlock:^BOOL(NSError **error) { dispatch_semaphore_t semaphore = dispatch_semaphore_create(0); try { [self->_card transmitRequest:command reply:^(NSData * _Nullable response, NSError* _Nullable apduError) { if (apduError != nil) self->_error = apduError; else [res appendData: response]; dispatch_semaphore_signal(semaphore); }]; } catch (NSException *exception) { dispatch_semaphore_signal(semaphore); } dispatch_semaphore_wait(semaphore, DISPATCH_TIME_FOREVER); if (res.length == 0) return NO; return YES; }]; return res; } However, with certain other USB smart card readers, we occasionally encounter APDU communication failures when calling transmitRequest (for instance, with a HID Global OMNIKEY 5422), which returns the following error: "Domain: CryptoTokenKit Code: -2". Once a failure occurs and transmitRequest starts returning this error, all subsequent calls to transmitRequest fail with the same error. This persists even when: A different smart card is inserted The same card is reinserted A different USB reader (previously working correctly) is connected The TKSmartCard object is recreated via makeSmartCard The slot state changes (observed via KVO) All internal objects (TKSmartCard, TKSmartCardSlot) are reset in the application At this point, the system appears to be stuck in a non-recoverable state which affects all readers and cards, including those that were previously functioning correctly. The only way to recover from this state is terminating and restarting the application which is running the code. After restarting the app, everything works normally again. We have created a bug report: FB22339746. The issue has been reproduced on iOS 26.4 and 18.5. Also on iPadOS 18.1. Anyone has already faced a similar issue? Could it be related to some internal state of TKSmartCardSlotManager?

I am developing a Flutter iOS application and encountering a crash when using biometric authentication (Face ID) via the local_auth plugin. ■ Environment Flutter: 3.x local_auth: 2.2.0 (also tested with 2.1.6) iOS: real device (Face ID is working normally for device unlock) Firebase Authentication (email/password) Xcode build ■ Issue When calling biometric authentication, the app crashes immediately. Code: final didAuthenticate = await auth.authenticate( localizedReason: 'Authenticate to login', options: const AuthenticationOptions( biometricOnly: false, useErrorDialogs: false, ), ); ■ Error Thread 1: signal SIGABRT Crash occurs in libsystem_kernel.dylib (__pthread_kill) Happens immediately when authenticate() is called No exception is caught in Dart (native crash) ■ Verified NSFaceIDUsageDescription is correctly included in Info.plist Confirmed it exists in the built Runner.app Info.plist localizedReason is non-empty and in English Flutter clean / pod install executed App reinstalled on device Face ID works normally outside the app ■ Question Under what conditions does LAContext.evaluatePolicy trigger SIGABRT instead of returning an error? Are there known issues with presenting biometric authentication UI in certain UI states (e.g., view controller hierarchy, scene lifecycle)? Could this be related to UIScene / rootViewController issues? What is the correct timing and context to call biometric authentication safely in iOS apps? I suspect this is related to native iOS behavior rather than Flutter logic. Any guidance would be appreciated.

Hi, A user logs in to the file vault, and DisableFDEAutoLogin is false. The file vault login succeeds, but the login to the selected user fails. The user gets the login screen again. If the user puts an invalid password to try and login again, the loginwindow:FDESupport plugin will change the user's password to the invalid one.

Hello, I’m working on a security agent plugin for Mac. The plugin provides a mechanism with custom UI via SFAuthorizationPluginView and a privileged mechanism with the business logic. The plugin needs to support unlocking the device, so I changed the authorize right to invoke my agent: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>class</key> <string>evaluate-mechanisms</string> <key>created</key> <real>731355374.33196402</real> <key>mechanisms</key> <array> <string>FooBar:loginUI</string> <string>builtin:reset-password,privileged</string> <string>FooBar:authenticate,privileged</string> <string>builtin:authenticate,privileged</string> </array> <key>modified</key> <real>795624943.31730103</real> <key>shared</key> <true/> <key>tries</key> <integer>10000</integer> <key>version</key> <integer>1</integer> </dict> </plist> I also changed the system.login.screensaver right to use authorize-session-owner: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>class</key> <string>rule</string> <key>comment</key> <string>The owner or any administrator can unlock the screensaver, set rule to "authenticate-session-owner-or-admin" to enable SecurityAgent.</string> <key>created</key> <real>731355374.33196402</real> <key>modified</key> <real>795624943.32567298</real> <key>rule</key> <array> <string>authenticate-session-owner</string> </array> <key>version</key> <integer>1</integer> </dict> </plist> I also set screenUnlockMode to 2, as was suggested in this thread: macOS Sonoma Lock Screen with SFAutorizationPluginView is not hiding the macOS desktop. In the Display Authorization plugin at screensaver unlock thread, Quinn said that authorization plugins are not able to use Touch ID. However, on a MacBook with at touch bar, when I lock the screen, close the lid, and then open it, the touch bar invites me to unlock with Touch ID. If I choose to do so, the screen unlocks and I can interact with the computer, but the plugin UI stays on screen and never goes away, and after about 30 seconds the screen locks back. I can reliably reproduce it on a MacBook Pro with M1 chip running Tahoe 26.1. Is this a known macOS bug? What can I do about it? Ideally, I would like to be able to integrate Touch ID into my plugin, but since that seems to be impossible, the next best thing would be to reliably turn it off completely. Thanks in advance.

Hi Forum, We’re building a security-focused SDK for iOS that includes SIM Binding and SIM Swap detection to help prevent fraud and unauthorised device access, particularly in the context of banking and fintech apps. We understand that iOS limits access to SIM-level data, and that previously available APIs (such as those in CoreTelephony, now deprecated from iOS 16 onwards) provide only limited support for these use cases. We have a few questions and would appreciate any guidance from the community or Apple engineers: Q1. Are there any best practices or Apple-recommended approaches for binding a SIM to a device or user account? Q2. Is there a reliable way to detect a SIM swap when the app is not running (e.g., via system callback, entitlement, or background mechanism)? Q3. Are fields like GID1, GID2, or ICCID accessible through any public APIs or entitlements (such as com.apple.coretelephony.IdentityAccess)? If so, what is the process to request access? Q4. For dual SIM and eSIM scenarios, is there a documented approach to identify which SIM is active or whether a SIM slot has changed? Q5. In a banking or regulated environment, is it possible for an app vendor (e.g., a bank) to acquire certain entitlements from Apple and securely expose that information to a security SDK like ours? What would be the compliant or recommended way to structure such a partnership? Thanks in advance for any insights!

Hi team, is there a native way to detect if a change has been made to biometrics using FaceID or TouchID? Thanks in advance.

For testing purposes we have code that calls SecTrustEvaluateAsyncWithError() with a trust object containing a hardcoded leaf certificate and the corresponding intermediate certificate required to form a valid chain. Because the leaf certificate has since expired we pass a date in the past via SecTrustSetVerifyDate() at wich the certificate was still valid, but trust evaluation fails: Error Domain=NSOSStatusErrorDomain Code=-67825 "“<redacted>” certificate is not standards compliant" UserInfo={NSLocalizedDescription=“<redacted>” certificate is not standards compliant, NSUnderlyingError=0x600000c282a0 {Error Domain=NSOSStatusErrorDomain Code=-67825 "Certificate 0 “<redacted>” has errors: Certificate Transparency validation required for this use;" UserInfo={NSLocalizedDescription=Certificate 0 “<redacted>” has errors: Certificate Transparency validation required for this use;}}} I know that App Transport Security enforces Certificate Transparency by default, but is there a way around that here?

I am using the CryptoTokenKit API in order to communicate with smart cards through NFC, with TKSmartCardSlotNFCSession. I call the createNFCSlotWithMessage method from TKSmartCardSlotManager, which displays successfuly the NFC dialog. However, when I put any smart card next to the phone, the NFC dialog shuts down instantly. I notice the following log in the system console: -[_NFReaderSession(Entitlement) validateAID:allowsPrefixMatch:]:317 Non-permissible identifier: A000000308000010000100 When I add the A000000308000010000100 AID mentioned in the error message to the Info.plist of my application, the NFC dialog does not shut down anymore and I am able to communicate with the smart card (using TKSmartCard). This behavior has been reproduced on an iPhone 16e, iOS 26.4. This AID does not correspond to anything in the smart card. It seems to be related to PIV, but this behavior also occurs with cards that are not PIV (PKCS#15...). Also, with an implementation using CoreNFC API instead of CryptoTokenKit API, this AID is not needed to be able to communicate with the card, so it seems CryptoTokenKit-specific. I did not find anything related to this in the documentation, have I missed something here ? Is this a special AID that is required all the time to work with NFC through CryptoTokenKit ?

I downloaded a P12 file (containing a private key) from the company server, and retrieved the private key from this P12 file using a password : private func loadPrivateKeyFromPKCS12(path: String, password: String) throws -> SecKey? { let p12Data: Data do { p12Data = try Data(contentsOf: fileURL) } catch let readError { ... } let options: [CFString: Any] = [ kSecImportExportPassphrase: password as CFString ] var items: CFArray? let status = SecPKCS12Import(p12Data as CFData, options as CFDictionary, &items) guard status == errSecSuccess else { throw exception } var privateKey: SecKey? let idd = identity as! SecIdentity let _ = SecIdentityCopyPrivateKey(idd, &privateKey) return privateKey } However, when I use this private key to call SecKeyCreateSignature for data signing, a dialog box always pops up to ask user to input the Mac admin password. What confuses me is that this private key is clearly stored in the local P12 file, and there should be no access to the keychain involved in this process. Why does the system still require the user's login password for signing? Is it possible to perform silent signing (without the system dialog popping up) in this scenario?

I can see the user’s real daily Screen Time perfectly inside a DeviceActivityReport extension on a physical device. It’s right there. But the moment I try to use that exact total inside my main app (for today’s log and a leaderboard), it dosnt work. I’ve tried, App Groups, Shared UserDefaults, Writing to a shared container file, CFPreferences Nothing makes it across. The report displays fine, but the containing app never receives the total. If this is sandboxed by design, I’d love confirmation. Thanks a lot

The header documentation for the (deprecated) LAContext.evaluatedPolicyDomainState property contains the following: @warning Please note that the value returned by this property can change exceptionally between major OS versions even if the state of biometry has not changed. I noticed that the documentation for the new LAContext.domainState property does not contain a similar warning. I also found this related thread from 2016/17. Is the domainState property not susceptible to changes between major OS versions? Or is this generally not an issue anymore?

Hi , I did The MFA(2FA) of Email OTP For MacOS Login Screen using, Authorization Plugin, Using This git hub project. It is working For Login Screen , Im trying to Add The Same plugin for LockScreen but it is not working at lock Screen , Below is the reffrense theard For The issue , https://developer.apple.com/forums/thread/127614, please Share The Code that should Present the NSwindow at Screen Saver (Lock Screen) MacOS .

Hello everyone, We recently transferred our iOS app from one Apple Developer account to another, and after the transfer, we encountered a serious issue where all previously stored Keychain data and the local database became inaccessible. As a result, all users are automatically logged out and lose access to their locally stored data (such as chat history) once they update to the new version signed with the new Team ID. We understand that Keychain items are tied to the App ID prefix (Team ID), which changes during an app transfer. However, we’re looking for possible workarounds or best practices to avoid user data loss. Questions: Is there any reliable method to maintain or migrate access to old Keychain data after an app transfer? Would reverting the app back to the original developer account and releasing an update from there (to persist or migrate data) before transferring it again be a viable solution? Has anyone faced a similar issue and found a practical way to handle data persistence during an app transfer? Any guidance, technical suggestions, or shared experiences would be highly appreciated. This issue is causing major impact for our users, so we’re hoping to find a safe and supported approach. Thank you, Mohammed Hassan