Does macos app support passkey? Can I also use passkey's functionality if it's an internal release, not an Apple App Store release?

When we develop 'Sign in with Apple' function on our app, we visited https://appleid.apple.com to verify the account. However, appleid.apple.com is mapped to an American IP, and it is not suitable for our app which is operated in China. I wonder whether there is a China Mainland IP available for the verification? Thanks very much.

We received a rejection today based on an invalid PrivacyInfo.xcprivacy file. It contained one extra space character was somehow added to a value field. Is there a tool that can check the validity of our PrivacyInfo.xcprivacy files?

I have implemented Sign in with Apple on website one weeks ago, and it work perfectly. However, recently we start to receive invalid_grant with no error description while token validation, however the same client secret works on IOS app without issue.... in ios app site , we used bundle id for client_id. in web site , we used service id for client_id; I try to create a new privateKey for web site and add redirect_uri params to /auth/token, but still error.... I tested it like this, i got authorization code using Service ID i tried authorization code with Service ID using browser : successfully got the code and requested access_token immately 2 and then, i tried validate the authorization grant code to obtain tokens curl like this curl -X POST https://appleid.apple.com/auth/token \ -H "Content-Type: application/x-www-form-urlencoded" \ -d "client_id=my_service_id" \ -d "client_secret=my_client_secret" \ -d "code=sent_from_frontend" \ -d "grant_type=authorization_code" \ -d "redirect_uri=my_redirect_uri" then get fail and no error_description error_code is 400 invalid_grant is not invalid_client error, and client secret is not expired too My decoded token looks like the following : { "alg": "ES256", "typ": "JWT", "kid": "my_kid" } { "aud": "https://appleid.apple.com", "sub": "my_service_id", "iss": "team_id", "exp": 1744012650, "iat": 1728460650 }

Hello, I have a public key of type Curve25519.KeyAgreement.PublicKey that I create from the raw representation using: Curve25519.KeyAgreement.PublicKey(rawRepresentation: Data(base64Encoded: "08sYq4gExgX+UApEwLaASkE+TZjAxG1FPYaT+mj2irk=")!) I'm trying to convert that key to a curve, but I don't see an equivalent function in CryptoKit for the Javascript function pk_to_curve25519. Can someone please help? For completeness, I'm trying to implement the handshake protocol that's a part of secure scuttlebutt. https://ssbc.github.io/scuttlebutt-protocol-guide/

We run simple iOS Swift code triggered by a remote notification: UserDefaults.standard.set("key", forKey: "value") It runs fine when the app is active or inactive, but when the device is closed/locked and the code is triggered, we see a warning in Xcode: Couldn't write values for keys ( key ) in CFPrefsPlistSource<0x3018802d0> (Domain: com.example, User: kCFPreferencesCurrentUser, ByHost: No, Container: (null), Contents Need Refresh: No): Path not accessible Not updating lastKnownShmemState in CFPrefsPlistSource<0x3018802d0> (Domain: com.example, User: kCFPreferencesCurrentUser, ByHost: No, Container: (null), Contents Need Refresh: No): 767 -> 767 The issue is that there seems to be no way to catch that warning. The value is set, when it's re-read the value is correct. But the value is never written to disk, so after an app restart/update the value is gone, potentially has an old wrong value. This code runs without any interruption, it's just showing the warning on iOS 17.7.1 on iPad: UserDefaults.standard.set("key", forKey: "value") UserDefaults.standard.synchronize() print("value: \(UserDefaults.standard.string(forKey: "key"))") Should there not be a way to catch this, so the code can act accordingly to the circumstances? It would be good to know inside the code that the value is not persisted. I would expect that an exception is generated somewhere which can be caught. It seems .completeFileProtectionUntilFirstUserAuthentication enables files to be written to disk while the device is closed/locked, can something similar be used for UserDefaults.standard?

I'm trying to set up Apple OAuth on my website. Whenever I go to Certificates, Identifiers & Profiles, It gives me the error 'Unable to find team with the given Team ID'

Hello, I started looking to implement SSO with Apple on my website using this tutorial : https://developers.appcharge.com/docs/apple-sso-login However, when going to https://developer.apple.com/account/resources/identifiers/list to generate a new Key, i'm getting the error : "Unable to find a team with the given Team ID 'XXXXXXXX' to which you belong. Please contact Apple Developer Program Support". It was a breeze to implement Google SSO, but not for Apple. I can't find much help online, could you guide me ? Regards

Hi, We use the iOS Keychain in our mobile app to securely store and retrieve data, which is tightly coupled with the initialization of some app features within the application. This issue is encountered during app launch We retrieve during Splash Screen UI controller at viewDidApper() The logic we use to access the Keychain is as follows: NSDate *NSDate_CD; NSString *account = [NSString stringWithUTF8String:@"SOME_KEY_ACCOUNT"]; NSString *attrgen = [NSString stringWithUTF8String:@"SOME_KEY"]; NSMutableDictionary *query = [[NSMutableDictionary alloc] init]; [query setObject:(__bridge id)(kSecClassGenericPassword) forKey:(__bridge id<NSCopying>)(kSecClass)]; [query setObject:attrgen forKey:(__bridge id<NSCopying>)(kSecAttrGeneric)]; [query setObject:(__bridge id)(kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly) forKey:(__bridge id<NSCopying>)(kSecAttrAccessible)]; [query setObject: [NSBundle mainBundle].bundleIdentifier forKey:(__bridge id<NSCopying>)(kSecAttrService)]; [query setObject:account forKey:(__bridge id<NSCopying>)(kSecAttrAccount)]; [query setObject:@YES forKey:(__bridge id<NSCopying>)(kSecReturnAttributes)]; [query setObject:@YES forKey:(__bridge id<NSCopying>)(kSecReturnData)]; CFDictionaryRef valueAttributes = NULL; OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef *)&valueAttributes); NSDictionary *attributes = (__bridge_transfer NSDictionary *)valueAttributes; if(status==errSecSuccess) { NSDate_CD = [attributes objectForKey:(__bridge id)kSecAttrCreationDate]; } else { NSLog(@"Key chain query failed"); } However, some users have reported intermittent failures during app launch. Upon investigation, we discovered that these failures are caused by exceptions thrown by the iOS Keychain, which the app is currently not handling. Unfortunately, we do not log the exception or the Keychain error code in the app logs at the moment, but we plan to implement this logging feature in the near future. For now, we are trying to better understand the nature of these errors. Could you help clarify the following Keychain errors, which might be encountered from the code above? errSecServiceNotAvailable (-25307) errSecAllocate (-108) errSecNotAvailable (-25291) If these errors are encountered, are they typically persistent or are they temporary states that could resolve on their own? Your insights would be greatly appreciated. Thank you.

Hi everyone, I'm having a recurring issue with the "Sign in with Apple" integration in my web app, and I’m hoping someone here can help or share insights. Here’s the situation: I implemented "Sign in with Apple" following the official documentation, and it worked perfectly at first. After about two weeks, I started getting the "invalid_client" error when redirecting to the authentication page. I reviewed everything and discovered I hadn’t set up the email configuration properly in the Apple Developer Console. Once I fixed that, it worked fine again. Now, the same error ("invalid_client") has returned, and I’ve triple-checked every part of my configuration: The service ID, redirect URIs, and domain settings match exactly. The client_secret is generated correctly with all required fields (iss, iat, exp, aud, and sub) and signed with ES256. My server time is synchronized. Nothing has changed in my code or configuration since it last worked. This seems to be an issue on Apple’s end because everything was functioning perfectly before, and I’ve already resolved this once by updating settings in the Developer Console. Has anyone else faced this issue? Is there something I might be missing, or could this be a problem with Apple’s service? Any advice or guidance would be greatly appreciated!

Hey when I search for app that is hide. it shows the information in the app like a phone number I try everything I talk to two agents I’m not the only one who has this problem can you guy please fix up Siri suggested thank you

Hi, ASCredentialProvider had been almost identically implemented on both iOS and macOS so far, but the ProvidesTextToInsert feature was only added to iOS. It would have been a crucial point to make Credential Providers available in all textfields, without users having to rely on developers correctly setting roles for their Text Fields. It's right now impossible to paste credentials into Notes, or some other non-password text box both in web and desktop apps for example, in a seamless, OS-supported way without abusing Accessibility APIs which are understandably disallowed in Mac App Store apps. Or just pasting an SSH key, or anything. On macOS this has so many possibilities. It could even have a terminal command. It's even more interesting that "Passwords..." is an option in macOS's AutoFill context menu, just like on iOS, however Credential Providers did not gain this feature on macOS, only on iOS. Is this an upcoming feature, or should we find alternatives? Or should I file a feature request? If it's already in the works, it's pointless to file it.

In the FAQ about Local Network, a lot of topics are covered but, unless I missed something, I didn't see the topic of MDMs being covered. [Q] Could the FAQ be updated to cover whether it is possible to grant this Local Network permission through a configuration profile? The answer, based on google searches and different forums, seems to be a negative. It seems a bit strange considering that this feature has been available on iOS for at least 3 years. Anyway, even if it is not possible, it would be useful to add in the FAQ that this is not possible.

Is there a way to know the event of user unlocking on iOS Device in Application?

I am researching to apply Apple Sign In to my app. I see response data from Apple just include user name and email (phone number is not required also), but currently my app has only one login method that is by phone number. So I would like to ask:
 Can I request an phone number (by an customize popup) from the user after Signin Apple successfully? If not then which approach that can I apply? Many thanks!

We are working with an iOS app where we have enabled the “Generate Debug Symbols” setting to true in Xcode. As a result, the .dSYM files are generated and utilized in Firebase Crashlytics for crash reporting. However, we received a note in our Vulnerability Assessment report indicating a potential security concern. The report mentions that the .ipa file could be reverse-engineered due to the presence of debug symbols, and that such symbols should not be included in a released app. We could not find any security-related information about this flag, “Generate Debug Symbols,” in Apple’s documentation. Could you please clarify if enabling the “Generate Debug Symbols” flag in Xcode for a production app creates any security vulnerabilities, such as the one described in the report? The report mentions the following vulnerability: TEST-0219: Testing for Debugging Symbols The concern raised is that debugging symbols, while useful for crash symbolication, may be leveraged to reverse-engineer the app and should not be present in a production release. Your prompt confirmation on this matter would be greatly appreciated. Thank you in advance for your assistance.

I am currently working on ways my application which would monitor the dlopen() and dlsym() calls made on macOS. In the current list of events endpoint security framework provides, I don't see a relevant event which would give me this information. Are there any alternate ways we can get these events on macOS?

Hello, I am currently working on implementing credential registration for biometric authentication using WebAuthn in an iOS app. I am using ASAuthorizationPlatformPublicKeyCredentialProvider to create a credential registration request based on the data retrieved from the WebAuthn options endpoint. At the moment, I am only using user.id, user.name, and challenge from the options response, and I am unsure how to utilize the other fields effectively. I would greatly appreciate advice on how to use the following fields: **Fields I would like to use: ** rp (Relying Party) I am retrieving id and name, but I am not sure how best to pass and utilize these fields. Is there an explicit way to use them? authenticatorSelection How can I set requireResidentKey and userVerification in ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest? Also, what are the specific benefits of using these fields? timeout Is there a way to reflect the timeout value in the credential registration request, and what would be the best way to handle this information in iOS? attestation The attestation field can contain values such as none or direct. How should I reflect this in the credential registration request for iOS? I would appreciate a sample implementation or guidance on the benefits of setting this field. extensions If I want to customize the authentication flow using the extensions field, how can I appropriately reflect this in iOS? For instance, how can I utilize extensions like credProps? pubKeyCredParams Regarding pubKeyCredParams, which is a list of supported public key algorithms, I am unsure how to use it to select an appropriate algorithm in iOS. How should I incorporate this information into the request? excludeCredentials I understand that setting excludeCredentials can prevent duplicate registration, but I am not sure how to use past credential information to set it effectively. Any advice on this would be appreciated. **Current Code ** Currently, I have implemented the following code, but I am struggling to understand how to add and configure the fields mentioned above. let publicKeyCredentialProvider = ASAuthorizationPlatformPublicKeyCredentialProvider( relyingPartyIdentifier: "www.example.com" ) let registrationRequest = publicKeyCredentialProvider.createCredentialRegistrationRequest( challenge: challenge, name: userId, userID: userIdData ) let authController = ASAuthorizationController(authorizationRequests: [registrationRequest]) authController.delegate = self authController.presentationContextProvider = self authController.performRequests() In addition to the above code, I would be grateful if anyone could advise on how to configure fields like rp, authenticatorSelection, attestation, extensions, and pubKeyCredParams as well. Furthermore, I would appreciate any insights into the benefits of setting each of these fields in iOS, and any security considerations to be aware of. If anyone has experience with this, your guidance would be extremely helpful. Thank you very much in advance!

Hello there, we have implemented the Apple sign in our site, everything is working good except from two edge cases when the JWT returned by Apple sign in does not contain the user email, these cases are: When users choose Hide My Email when creating their account and later manually change their settings and turning off the email forwarding (Tested). For Apple at Work & School users. i.e. younger students may not have an email address. According to Apple docs, email could be empty for Sign in with Apple at Work & School users (Not tested). The problem is that we use the email to confirm the user authentication, but when the email is not present in the JWT, our system won't be able to find the registered user. We're currently working on a workaround for this, but we would like to confirm that these edge cases are known by apple and also ask some questions: Is it correct to say that: Turning off the email forwarding will cause that Apple's identity token (JWT) does not include the user's email address? Apple at Work & School users: is there a way to identify that someone is using this type of account? Is there any other known edge case when the email could be empty in the JWT? Thanks in advance!

Hi everyone, I'm looking for a way to configure Passkey on iOS so that authentication is only possible using FaceID or TouchID. Specifically, I want to disable the use of passcodes and QR codes for authentication. Additionally, is there a method to detect if the authentication was done using a passcode or QR code? Thanks for your help!