General: Forums topic: Privacy & Security Apple Platform Security support document Developer > Security Security Audit Thoughts forums post Cryptography: Forums tags: Security, Apple CryptoKit Security framework documentation Apple CryptoKit framework documentation Common Crypto man pages — For the full list of pages, run: % man -k 3cc For more information about man pages, see Reading UNIX Manual Pages. On Cryptographic Key Formats forums post SecItem attributes for keys forums post CryptoCompatibility sample code Keychain: Forums tags: Security Security > Keychain Items documentation TN3137 On Mac keychain APIs and implementations SecItem Fundamentals forums post SecItem Pitfalls and Best Practices forums post Investigating hard-to-reproduce keychain problems forums post App ID Prefix Change and Keychain Access forums post Smart cards and other secure tokens: Forums tag: CryptoTokenKit CryptoTokenKit framework documentation Mac-specific resources: Forums tags: Security Foundation, Security Interface Security Foundation framework documentation Security Interface framework documentation BSD Privilege Escalation on macOS Related: Networking Resources — This covers high-level network security, including HTTPS and TLS. Network Extension Resources — This covers low-level network security, including VPN and content filters. Code Signing Resources Notarisation Resources Trusted Execution Resources — This includes Gatekeeper. App Sandbox Resources Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

General: Forums topic: Privacy & Security Privacy Resources Security Resources Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi, For some reason all implemented (and working before) App Attest code has stopped working. iOS is unable to get attestation returning "Operations could not be completed. (com.apple.devicecheck.error error 4.) (serverUnavailable)" On https://developer.apple.com/system-status/ I can see green dot but I suspect that infrastructure is not OK. This is happening with multiple of our apps in multiple geographical regions. Can anyone confirm these problems or know whether it is strictly connected to App Attest service availability?

I have an app (currently not released on App Store) which runs on both iOS and macOS. The app has widgets for both iOS and macOS which uses user preference (set in app) into account while showing data. Before upgrading to macOS 15 (until Sonoma) widgets were working fine and app was launching correctly, but after upgrading to macOS 15 Sequoia, every time I launch the app it give popup saying '“Kontest” would like to access data from other apps. Keeping app data separate makes it easier to manage your privacy and security.' and also widgets do not get user preferences and throw the same type of error on Console application when using logging. My App group for both iOS and macOS is 'group.com.xxxxxx.yyyyy'. I am calling it as 'UserDefaults(suiteName: Constants.userDefaultsGroupID)!.bool(forKey: "shouldFetchAllEventsFromCalendar")'. Can anyone tell, what am I doing wrong here?

Hello, These questions are in regard to transferring Sign in With Apple users as part of an app transfer to another developer team. We’ve already read and absorbed the following documents from Apple, but we still have questions that aren’t covered in these documents, due to the unique nature of our use case. Transferring Your Apps and Users to Another Team Bringing New Apps and Users Into Your Team Resolving Sign in with Apple Response Errors Background: We have a suite of three apps that we are tranferring to another developer team. Each app supports Sign In With Apple. Our accounts/users are shared among all three apps. We have all three apps currently grouped together for SIWA. We’re aware that we will need to un-group them before doing the SIWA user transfer. Questions: The API for generating and exchanging transferIDs for users (endpoint /auth/usermigrationinfo) requires a parameter client_id which is described in the docs as "The identifier (App ID or Services ID) for the transferring app." Since we are transferring a set of three apps which share users, we aren’t sure which AppID to use, or whether it matters? We’re assuming we only need to transfer the users once in total (not once-per-app), is this correct? Does it matter which of the three apps’ AppID we use for this? To give more specific context to this question, here’s a more detailed example: For simplicity’s sake, let’s say we have 10 user accounts total, and any of them could sign into any of our three apps. Users 1-7 have signed into all three apps previously User8 has only signed into AppA User9 has only signed into AppB User10 has only signed into AppC Ideally we want to transfer all 10 users all at once. Does it matter which AppID we use for client_id? For example, if we use AppA as the client_id, will we still be able to transfer all 10 users (including User9 and User10)? We’ve tested this on the sender team side, and we’re able to successfully create transferIDs for all 10 users using AppA as client_id. But we’re not sure if this will still work on the recipient side, that we’ll be able to exchange the transferID for all 10 users. . To add another wrinkle, there is a possibility that we won’t be able to transfer one of our three apps (due to one of Apple’s limitations for app transfer). In that case we’ll have to create a new app on the recipient team and shut down the old one on the sender team. But the other two apps in the suite would still be transferred normally. We’d still want all 10 users to be transferred, as the intention is still that all our users can sign into any of their existing accounts in any of the three apps. Would this scenario change the answer to question 1? For example, say we aren’t able to transfer AppC over to the new development team, but instead had to create a new app, AppCNew on the new development team. But we still are able to transfer AppA and AppB. Would we still be able to transfer all 10 users using AppA as the client_id? Including User10 who only ever signed in to AppC (which isn’t being transferred)? We'd really appreciate any answers or guidance that anyone can provide. Thank you, Adam

According to https://developer.apple.com/documentation/security/app_sandbox/discovering_and_diagnosing_app_sandbox_violations it is possible to view detailed violation reports for non-system services. Is it possible to do something similar for system services? I have encountered an issue where several (all?) of my Macbooks get into a sandbox violation situation (I assume). Below is in excerpt from logs focusing just on the sandbox violation. The errors are surrounded by XPC failures and errors. error 23:23:21.382263+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence error 23:23:24.385962+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence error 23:23:27.389910+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence error 23:23:36.408940+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence error 23:23:45.419593+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence error 23:23:54.432109+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence The above is just an except, and it seems that Family, imagent and searchpartyuseragent are trying to access com.apple.contactsd.persistance once per second or so and failing (there are also some attempts to reach com.apple.timed.xpc, but an insignificant amount in comparison to com.apple.contactsd.persistance). This in turn causes Diagnostics Reporter to start, and then end hastily almost every ten seconds. fault 23:23:05.903908+0100 Diagnostics Reporter Invalid launch. fault 23:23:16.038017+0100 Diagnostics Reporter Invalid launch. fault 23:23:26.136348+0100 Diagnostics Reporter Invalid launch. fault 23:23:36.274543+0100 Diagnostics Reporter Invalid launch. fault 23:23:46.414546+0100 Diagnostics Reporter Invalid launch. I have no idea how I did this, but I seemed to have messed up sandbox access rights to contacts for some system services?

What Starting from macOS Sequoia 15.1, a terminal app (KiTTY) installed via Nix fails to launch apparently due to new hardening mechanism in CoreServices introduced in 24B83 Seems this is triggered not every time. If I create new volume and copy the same path with KiTTY on it, it worked on the first occasion but I failed to make it work reproducibly. @Eskimo I would kindly appreciate if you could highlight more about Secure Launch and related spawn constraints. Anyway, this is blocker issue for me so I'm rolling back to 15.0.1 ❯ open /nix/var/nix/profiles/default/Applications/kitty.app _LSOpenURLsWithCompletionHandler() failed with error -54. Logs ❯ log stream | grep kitty ... 2024-10-30 09:38:56.005739+0100 0x9383 Error 0x45fac 584 0 CoreServicesUIAgent: (LaunchServices) [com.apple.launchservices:open] LAUNCH: Launch requires secure launch with spawn constraints, but none are present or valid, so returning permErr for <FSNode 0x600001e656c0> { isDir = ?, path = '/nix/store/wiindrplkcj1mn22x6nbl8clpnz7adpm-kitty-0.36.4/Applications/kitty.app' } 2024-10-30 09:38:56.005837+0100 0x9383 Error 0x45fac 584 0 CoreServicesUIAgent: (LaunchServices) [com.apple.launchservices:open] LAUNCH: Launch failure with -54/permErr <FSNode 0x600001e778e0> { isDir = y, path = '/nix/store/wiindrplkcj1mn22x6nbl8clpnz7adpm-kitty-0.36.4/Applications/kitty.app' } 2024-10-30 09:38:56.006106+0100 0x9383 Default 0x45fac 584 0 CoreServicesUIAgent: (libxpc.dylib) [com.apple.xpc:connection] [0x600002148d20] activating connection: mach=true listener=false peer=false name=com.apple.coreservices.quarantine-resolver 2024-10-30 09:38:56.006440+0100 0x9383 Error 0x45fac 584 0 CoreServicesUIAgent: (LaunchServices) [com.apple.launchservices:default] LAUNCH: Launch failed in CSUI with error Error Domain=NSOSStatusErrorDomain Code=-54 "permErr: permissions error (on file open)" UserInfo={_LSLine=4224, _LSFunction=_LSOpenStuffCallLocal} 2024-10-30 09:38:56.007039+0100 0x9381 Default 0x45fac 584 0 CoreServicesUIAgent: (libxpc.dylib) [com.apple.xpc:connection] [0x14f00fca0] activating connection: mach=false listener=false peer=true name=com.apple.coreservices.quarantine-resolver.peer[584].0x14f00fca0 2024-10-30 09:38:56.007602+0100 0x9381 Error 0x45fac 584 0 CoreServicesUIAgent: [com.apple.launchservices:uiagent] handle LS launch error: status=-54 {\n Action = odoc;\n AppPath = "/nix/store/wiindrplkcj1mn22x6nbl8clpnz7adpm-kitty-0.36.4/Applications/kitty.app";\n Documents = (\n "kitty.app"\n );\n ErrorCode = "-54";\n FullPaths = (\n "/nix/store/h33cy9y53p6dnyzx41a1dfxsr0df8i4c-system/Applications/kitty.app"\n );\n} Environment ❯ uname -a Darwin airstation.local 24.1.0 Darwin Kernel Version 24.1.0: Thu Oct 10 21:05:14 PDT 2024; root:xnu-11215.41.3~2/RELEASE_ARM64_T8103 arm64 ~ ❯ sw_vers ProductName: macOS ProductVersion: 15.1 BuildVersion: 24B83 ❯ arch arm64

Please help me clarify the current situation regarding the necessity of a privacy manifest file in 3rd party SDKs. It would be nice to have a reply from someone working at Apple, to have a reliable answer. A quick summery of the events from last year https://developer.apple.com/support/third-party-SDK-requirements/ : "Starting in spring 2024, you must include the privacy manifest for any SDK listed below when you submit new apps in App Store Connect that include those SDKs, or when you submit an app update that adds one of the listed SDKs as part of the update." Last autumn, we started receiving warning emails from Apple after initiating app reviews, even when our apps did not have a newly added SDK: ITMS-91061: Missing privacy manifest - Starting November 12, 2024, if a new app includes a privacy-impacting SDK, or an app update adds a new privacy-impacting SDK, the SDK must include a privacy manifest file. Please contact the provider of the SDK that includes this file to get an updated SDK version with a privacy manifest. According to this warning message, app updates which do not contain any new SDKs are still not affected. Since then, at one point in time the deadline changed, as now we have February 12, 2025 in the privacy manifest documentation: https://developer.apple.com/documentation/bundleresources/adding-a-privacy-manifest-to-your-app-or-third-party-sdk However, this page does not contain any mention of the circumstances, it only states in general that apps you submit for review in App Store Connect must contain a valid privacy manifest file for a certain number of commonly used third-party SDKs. My questions Does the February deadline apply to every app update, even if they do not contain any newly added SDKs? Or does it still affect only the app updates "that adds one of the listed SDKs as part of the update." ? If the former, the 3rd party requirements page should be updated in my opinion. And if the latter, why does the documentation not contain this important piece of information? We have a basic product which then gets customised for the clients so we upload several different apps based on the same code with the same dependencies. How is it possible that during autumn, Apple sent ITMS-91061: Missing privacy manifest warnings for some of our apps, but did not send it for others? Does Apple not validate all the apps but only some of them randomly? Also, the warning still states that it should be relevant if "an app update adds a new privacy-impacting SDK", but that was not the case for us, we did not add anything newly to our apps - why did we even get these warnings then? Just in general: when the deadlines change, is there any channel where Apple communicates these, besides the warning emails? I did not see any posts on the Apple Developer site's News page about this February date, I just found it by accident. I don't even remember seeing a notice about the original November deadline, we just started receiving the email warnings without expecting them. Thank you in advance for anyone sharing an answer.

I have these two pods: Frameworks/GTMSessionFetcher.framework/GTMSessionFetcher Frameworks/GoogleToolboxForMac.framework/GoogleToolboxForMac they are showing this error: ITMS-91061: Missing privacy manifest I've tried manually making privacy files, I've tried updating the SDK's too. I cant update them because firebase depends on GTM Session at a lower version and if I update, MLKit depends on toolbox (even though its deprecating) If I upgrade then the whole project explodes. What do I do. I need help. this is all I get and it doesn't help: https://developer.apple.com/support/third-party-SDK-requirements

Hi, I have implemented Sign in with Apple on Android four months ago, and it work perfectly. We are using React Native with expo, using expo-auth-session and firebase function to get code back to start the token validation process. However, recently we start to receive invalid_grant with no error description while token validation, however the same client secret works on firestore without issue, which confuses us. According to https://developer.apple.com/documentation/technotes/tn3107-resolving-sign-in-with-apple-response-errors, the common reasons that I receive invalid_grant are: The client_id does not match the client for which the code was issued. The code has expired or has been previously consumed by the validation server. Is there any way I could differentiate whether is client_secret wrong or the code was used or any other reasons?

Hello, I have been testing my app with iOS 18 beta and noticing an issue with the triggering of Local Network privacy prompt. My app uses this permission to make a request to a local network address. Prior to iOS upgrade to 18 beta, the privacy prompt used to get triggered upon making the request and only after tapping on 'Allow', the subsequent requests used to succeed. If the user turned off the toggle for 'Local Network' in the app settings, then this functionality used to break as expected. Issues observed with 18 beta: The privacy prompt is not getting triggered upon making the request to local network and the request is succeeding. The app already seems to have this access granted but I do not see the permission toggle in the app settings. Upon device restart, the prompt got triggered but even on disallowing the access (tapping Don't Allow), the app is able to make requests to the local network. The permission toggle appears in the app settings, but its state does not impact the app's functionality. Has something changes in this flow? Can someone please help with what might be causing this behaviour?

Hello all - we have enabled our app users to create and sign in using their passkey. However - for some users, we get a NSLocalizedFailure reason exception that the app is not associated with the domain. We have ensured that the endpoint /.well-known/apple-app-site-association isnt blocking any requests. Like I said before, 90% of our users are able to successfully create and sign in with their passkey but we receive the above error for the remaining 10%. Any suggestions/guidance on how we can resolve this would be helpful and greatly appreciated. Thank you.

Hello. I am trying to give an update to my app but it again and again gets rejected due to the ATT Prompt. Before this late week I gave the update and it got live without any issue. Now I done some minor changes in the App. Apple Response. The app uses the AppTrackingTransparency framework, but we are unable to locate the App Tracking Transparency permission request when reviewed on iPadOS 18.2. Next Steps Explain where we can find the App Tracking Transparency permission request in the app. The request should appear before any data is collected that could be used to track the user. If App Tracking Transparency is implemented but the permission request is not appearing on devices running the latest operating system, review the available documentation and confirm App Tracking Transparency has been correctly implemented. If your app does not track users, update your app privacy information in App Store Connect to not declare tracking. You must have the Account Holder or Admin role to update app privacy information. My Response: Hello Apple Team Thank you for your feedback. We have tested the app on iPadOS 18.2, also on iPhone 18.1 and the App Tracking Transparency dialogue is appearing as expected on the main home screen when the user enters the app. To help demonstrate this, we’ve attached a video showing the ATT prompt in action. If there is still an issue with the dialogue or if it needs to be placed in a different position, we kindly request your guidance on what needs to be adjusted. Please let us know the details so we can address it promptly. Thank you for your support "I uploaded a video with images showcasing the ATT prompt but now again they rejected the update with the exact same reply. Which I am thinking it may be a bot reply. Now what to do how to solve it?

Hi everyone, We are using the App Attest API to securely transition users to our new system. As part of this, we store the Key ID of the attestation key for each user to verify their identity later. However, we’ve noticed that some users are encountering the error “DCErrorInvalidKey 3” when calling generateAssertion. Importantly, the key was previously successfully attested, and generateAssertion has worked before for these users. Our questions: Could this error be caused by an app or iOS update? Is it problematic to link an attestation key's Key ID directly to a user, or are there scenarios where the key might change or become invalid? If there’s a way to mitigate this issue or recover affected users, what best practices would you recommend? Any help or shared experiences would be greatly appreciated! Thanks in advance.

Please excuse my lack of understanding of what are probably fundamental concepts in iOS/iPadOS development but I have searched far and wide for documentation and haven't had much luck so far. I am not sure that what I want to do is even possible with an iPad iPadOS app. Goals: Develop a Swift iPadOS app that can digitally sign a file using a PIV SmartCard/Token (Personal Identity Verification Card): Insert a PIV SmartCard/Token (such as a Yubikey 5Ci) into the lightning port of an iPadOS device iPad (NOT MacOS) Interface with the SmartCard/Token to access the user's PIV certificate/signature and "use it" to sign a file Question 1: How to get the PIV Certificate from SmartCard/Token/Yubikey into iPadOS keychain?   * Do we need to get the PIV certificate into the iOS keychain? Is there another way to interact with a SmartCard directly?   * This should prompt the user for their PIN? Question 2: How to get our Swift app to hook into the event that the SmartCard/Token is inserted into the device and then interface with the user's certificate?   * When is the user prompted to enter their PIN for SmartCard/Token/Yubikey?   * Do we need to use CyrptoTokenKit to interface with a smartcard inserted into the lightning port of an iOS device?

Hi all. So, I built the platform SSO extension on a demo server I created and everything ran smoothly. I get the tokens at the end of the process. Now, I want to use the tokens when I trigger my SSO extension in my domain from Safari. I trigger my domain, get into the beginAuthorization method, get the request.loginManager?.ssoTokens and then want to return them to Safari by calling the request.complete method. But, no matter what complete method I call (complete(httpResponse: HTTPURLResponse, httpBody: Data?) or complete(httpAuthorizationHeaders: [String : String]) where I insert the Bearer token into the Authorization header, it will not drill down to Safari or my server. The headers I try to send back are not moving from the extension to Safari. Some knows why its happening? Thank you for any help or suggestion.

Hello everyone, We have an iOS XCFramework that we distribute to our clients, and we're exploring ways to enhance its security. Specifically, we’d like to isolate the most sensitive code by running it in a separate process, making it harder to tamper with. During our research, we considered using XPC for iOS but found its functionality to be quite limited. We also explored App Extensions, but unfortunately, they cannot be integrated into an XCFramework. This leads us to the question: Is it possible to spawn a new process to run in parallel with the main one in iOS? If so, could you provide guidance or suggest alternative approaches to achieve this within the constraints of iOS development? Thank you in advance for your insights and advice! Best regards, Stoyan

Hi Apple Team and Community, We've encountered a sudden and widespread failure with the App Attest service starting today across multiple production apps and regions. The previously working implementation is now consistently returning the following error on iOS: The operation couldn’t be completed. (com.apple.devicecheck.error error 4.) (serverUnavailable) Despite the green status on Apple’s System Status page, this appears to be a backend issue—possibly infrastructure or DNS-related. Notably: The issue affects multiple apps. It is reproducible across different geographies. No code changes were made recently to the attestation logic. We previously reported a similar concern in this thread: App Attest Attestation Failing, but this new occurrence seems unrelated to any client-side cause. Update: An Apple engineer in this thread(https://developer.apple.com/forums/thread/782987) confirmed that the issue was due to a temporary DNS problem and has now been resolved. Can anyone else confirm seeing this today? Any insights from Apple would be appreciated to ensure continued stability. Thanks!

Hi! We are developing an authentication plugin for macOS that integrates with the system's authentication flow. The plugin is designed to prompt the user for approval via a push notification in our app before allowing access. The plugin is added as the first mechanism in the authenticate rule, followed by the default builtin:authenticate as a fallback. When the system requests authentication (e.g., during screen unlock), our plugin successfully displays the custom UI and sends a push notification to the user's device. However, I've encountered the following issue: If the user does not approve the push notification within ~30 seconds, the system resets the screen lock (expected behavior). If the user approves the push notification within approximately 30 seconds but doesn’t start entering their password before the timeout expires, the system still resets the screen lock before they can enter their password, effectively canceling the session. What I've Tried: Attempted to imitate mouse movement after the push button was clicked to keep the session active. Created a display sleep prevention assertion using IOKit to prevent the screen from turning off. Used the caffeinate command to keep the display and system awake. Tried setting the result as allow for the authorization request and passing an empty password to prevent the display from turning off. I also checked the system logs when this issue occurred and found the following messages: ___loginwindow: -[LWScreenLock (Private) askForPasswordSecAgent] | localUser = >timeout loginwindow: -[LWScreenLock handleUnlockResult:] _block_invoke | ERROR: Unexpected _lockRequestedBy of:7 sleeping screen loginwindow: SleepDisplay | enter powerd: Process (loginwindow) is requesting display idle___ These messages suggest that the loginwindow process encounters a timeout condition, followed by the display entering sleep mode. Despite my attempts to prevent this behavior, the screen lock still resets prematurely. Questions: Is there a documented (or undocumented) system timeout for the entire authentication flow during screen unlock that I cannot override? Are there any strategies for pausing or extending the authentication timeout to allow for complex authentication flows like push notifications? Any guidance or insights would be greatly appreciated. Thank you!

Hi Apple Developer Team, I am encountering an issue with the “Sign in with Apple” feature. While implementing this functionality in my dotnet application, I noticed that the user’s first name and last name are not being returned, even though I have explicitly requested the name scope. However, the email and other requested information are returned successfully. Here are the details of my implementation: 1. Scope Requested: name, email 2. Response Received: Email and other data are present, but fullName is missing or null. 3. Expected Behavior: I expected to receive the user’s first and last name as per the fullName scope. I have verified the implementation and ensured that the correct scopes are being passed in the request. Could you please help clarify the following? 1. Are there specific conditions under which Apple may not return the user’s fullName despite the scope being requested? 2. Is there a recommended approach or fallback mechanism to handle this scenario? 3. Could this behavior be related to a limitation or change in the API, or might it be an issue on my end? I also came to know that for initial sign in the user details will be displayed in the signin-apple payload as Form data but how do I fetch those form-data from the signin-apple request, please suggest I would greatly appreciate any guidance or solutions to resolve this issue. Thank you for your support!

I'm trying to create an "Extensible Enterprise SSO" extension as described in the Introducing Extensible Enterprise SSO tech talk. My SSO extension works fine, but I want to be able to access the camera (via AVFoundation) from within the SSO extension. According to this thread (which I can't seem to be able to reply to) - it should be possible to access the camera from within an SSO extension, however this doesn't work for me. When I try to access the camera, I get the permission dialog, but after accepting, the camera preview is empty and no camera frames are produced. I don't get any errors/warnings in the logs, but it immediately fires AVCaptureSession.wasInterruptedNotification notification with AVCaptureSessionInterruptionReasonKey = 1 which corresponds to videoDeviceNotAvailableInBackground. However, the SSO extension view controller is clearly not in the background, so is this a bug - or are there special rules for requesting camera permission in an SSO extension? The same camera access works fine in the host app, just not inside the extension. Interestingly, accessing the camera in a WKWebView using various webcam test pages, doesn't work either. All of these tests have been on iPadOS 18.

My app has been rejected by App Store review because the sign in with Apple functionality is not working properly. I'm able to reproduce the issue on my end but I don't understand why it's happening. I have two other apps that implement the same OAuth flow in an identical manner, and those apps have no issues signing in with Apple. I've copied my OAuth flow to a fresh project to see if that would make a difference, and it gives me the exact same error. In the simulator I get "invalid_request, invalid web redirect URL", and on-device the FaceID authentication fails with a very non-specific "Sign Up Not Completed" error. I'm completely out of ideas here, so any guidance would be appreciated. Thanks!