For Sign in With Apple I receive the expected flow, including a prompt to share or hide my email along with a message like this:
'Create an account for Apple {some_company} using your Apple ID “{email}”.'
However, when I sign into an existing account I get the same flow, whereas on other apps I see a message like this: "Do you want to continue using {some_company} with your Apple ID “{email}”?"
How can I configure this for my own app?
Note: it always logs me into the correct existing account; I'm just trying to make sure users go through the correct flow in the Apple popup when their account already exists.
Feedback on Documentation Page for Message Filter App Extension
Documentation: Creating a Message Filter App Extension
Hello,
I am writing to provide feedback on the documentation for creating a message filter app extension. We followed the instructions on the page, particularly the section regarding setting up shared credentials. The instructions state:
"Then, you must set up shared credentials as described in Shared Web Credentials, substituting messagefilter for webcredentials throughout the steps. Lastly, you must specify the domains in your Info.plist file, which should look similar to the dictionary shown below."
However, when we tried to implement this, we encountered the following error while attempting to save credentials via the SecAddSharedWebCredential function from the message filter extension:
Error Domain=com.apple.security.xpc Code=3 "<connection: 0x12e0d4500> { name = com.apple.securityd, listener = false, pid = 0, euid = 4294967295, egid = 4294967295, asid = 4294967295 }: Connection invalid - failed at lookup with error 159 - Sandbox restriction" UserInfo={numberOfErrorsDeep=0, NSDescription=<connection: 0x12e0d4500> { name = com.apple.securityd, listener = false, pid = 0, euid = 4294967295, egid = 0, asid = 4294967295}: Connection invalid - failed at lookup with error 159 - Sandbox restriction}
The specific call we did:
func SecAddSharedWebCredential(
    _ fqdn: CFString,
    _ account: CFString,
    _ password: CFString?,
    _ completionHandler: @escaping (CFError?) -> Void
)
This error seems related to sandbox restrictions. The documentation does not provide enough information on how to properly set up the environment or what additional configurations might be needed to avoid such sandbox restrictions. More detailed guidance on configuring sandbox permissions and any additional steps required for setting up shared credentials in a message filter extension context would be highly beneficial.
Thank you for your attention to this matter. We look forward to any updates or clarifications you can provide to improve the implementation.
The "ASCredentialProviderViewController" class was implemented in my password manager to autofill passwords for client apps.
I've added passkey support recently, but biometric/code authentication is not requested by the system when the user tries to sign in with a passkey via "provideCredentialWithoutUserInteraction(for credentialRequest: ASCredentialRequest)".
For passwords:
extensionContext.completeRequest(withSelectedCredential: ASPasswordCredential(), completionHandler: nil)
-> Does trigger biometric/code authentication
For passkeys:
extensionContext.completeAssertionRequest(using: ASPasskeyAssertionCredential())
-> Does NOT trigger biometric/code authentication
=> Why is authentication managed by the system for passwords but not for passkeys? And how can I fix that?
Hello - I am trying to add a more descriptive Location Purpose String for submitting my app to the store. I previously had a placeholder, generic string for testing.
I have updated my info.plist file, but the old string is still appearing.
I have 1) deleted the app from the simulator device and rebuilt, 2) tried pushing the version to TestFlight, 3) deleted and replaced the values in the info.plist, none of which has resolved this issue. What am I missing here?
I'm having trouble opening files residing on a custom filesystem implemented as a kext via sandboxed apps.
Preview.app is one such example.
The app launches, but it won't display file contents.
In system log files I'm seeing entries related to com.apple.foundation.filecoordination:claims with no error messages to indicate a possible reason why file contents aren't being displayed.
Non-sandboxed apps, such as GoogleChrome.app do not exhibit such behaviour.
The kext is unsigned and running in an environment with SIP disabled and Security Mode reduced to Permissive.
What is required for a 3rd party filesystem kext to integrate with sandboxed apps?
Any pointers and/or assistance would be greatly appreciated.
I recently implemented the "ASCredentialProviderViewController" class for my password manager in order to support passkeys. Passkey registration and assertion work correctly, but remote fulfilling is not working as expected.
Use case:
The user wants to sign in with passkey on some computer
A QR code is displayed and the user scans the QR code
The Apple authentication bottom sheet opens and the client can pick my app as a provider
ISSUE HERE: my app doesn't receive the passkey request parameters and is not able to generate the assertion answer
I was hoping the following functions would be called, but that is not the case:
prepareCredentialList(for serviceIdentifiers: [ASCredentialServiceIdentifier], requestParameters: ASPasskeyCredentialRequestParameters)
prepareInterfaceToProvideCredential(for credentialRequest: ASCredentialRequest)
provideCredentialWithoutUserInteraction(for credentialRequest: ASCredentialRequest)
=> Please, how can my app receive the passkey request parameters in order to generate the assertion answer in this situation?
Below is the GitHub link for the FMDB.framework, which contains the privacyinfo.xcprivacy file provided as per the Apple documentation, as used in our app:
https://github.com/ccgus/fmdb
I have reviewed the feedback, but I need additional clarification to fully understand the issue. Could you please provide more specific details or examples regarding the following points:
We are using FMDB framework version 2.7.11 in our app available at https://github.com/ccgus/fmdb/
The version 4.0.0 we submitted had the privacy file packaged as part of SQLCipher.bundle, which resides under the FMDB framework. This was rejected with the same reason mentioned above.
As a result, as part of version 5.0.0 we copied the privacy file from the said bundle and placed it directly under the FMDB framework folder. This was rejected as well, with the same reason again.
Is there a concern because of empty values for the privacy keys? The GitHub source at https://github.com/ccgus/fmdb/ with the said version 2.7.11 does not use any APIs of concern listed at https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api. As a result, the provider may not have provided the values for the keys.
I'm a new app developer and I've read through most relevant posts on this topic here and elsewhere. Many of the forum posts here are specific to Objective-C, or old enough to be considered outdated in the fast-moving world of computing. Many of the posts elsewhere are about protecting authentication secrets, which doesn't apply in my case, and a lot are by someone with a product to sell, which I've ignored.
My app is 99.9% Swift and I'm not going to store any authentication secrets in the IPA. What I'd like to protect is the core mechanism of my product, which has to be included in the binary and is small (< 10k lines). I want to make it so it's harder to steal the source code than it is to recreate my functionality from scratch, which is difficult even with the app in front of them.
From what I gathered, Swift code compiled by Xcode is protected from reverse engineering / decompilation by the following:
Symbolization of the app
Native builds from Xcode destroy the names of variables, functions, etc.
Swift code is compiled in such a way that makes stealing harder than Objective-C
This should make me feel better, but the threat-level is increasing with the availability of free, commercial-grade decompilers (e.g. Ghidra) and machine learning. The fact that iOS 18 supports a checkm8 (i.e. jailbreakable) device means that decrypting the IPA from memory is still trivial.
Questions
People talk about stealing authentication secrets via reverse-engineering, but is the same true for mechanisms (i.e. code)?
How common is the issue of source-code stealing in iOS apps?
Can machine learning be leveraged to make decompilation/reverse engineering easier?
Will I get rejected by App Review for obfuscating a small portion of my code?
Hello,
Is it correct that right now, when any passkey provider prepares the passkey registration ceremony response with attestation, iOS strips off the attestation before handing the response assertion over to the client?
Does this stripping of the attestation have anything to do with the BS and BE flags populated by the passkey provider? Meaning, is it a correct statement that iOS removes the attestation blob from the response if the BE and BS flags are set to zero?
Hi Apple Developer Community,
I'm encountering a persistent issue with Passkey registration on certain iOS devices running iOS 17.5.1. Specifically, the registration process consistently fails with either ASAuthorizationError 1001 (ASAuthorizationErrorCanceled) or ASAuthorizationError 1004 (ASAuthorizationErrorNotHandled).
Details:
Devices: iPhone SE (2nd generation), iPhone 13 Pro
OS: iOS 17.5.1
Errors: ASAuthorizationError 1001, ASAuthorizationError 1004
I've followed Apple's guidelines for implementing Passkeys and verified that the devices meet the necessary requirements.
PS:
During Apple's App Review process, the reviewer has encountered a consistent issue with Passkey registration failing with ASAuthorizationError 1001 or 1004. However, in our extensive internal testing with 75 users, we have not been able to replicate this issue.
We are seeking assistance from the Apple Review team to investigate the cause of this issue, as it is currently blocking our app's approval.
I'm using Apple Sign In in the JS app and I got a requirement to display some notes with links to privacy policy and terms of service inside the Apple modal, so users don't have to accept them after finishing authentication in the modal.
Is there a way to add something like that?
I have implemented Apple Sign In using this doc: https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/configuring_your_webpage_for_sign_in_with_apple
FMDB framework already contains the privacy file, which is part of SQLCipher.bundle file.
But Apple still rejects it, and I'm not sure why.
Can anyone help me with this?
We are trying to support Passkey Management in our app with the latest iOS 17 Passkey Autofill.
During this process, we have a few doubts and queries:
First, we have configured the AutoFill extension for external passkey management
Next we used the 'prepareInterface(forPasskeyRegistration:' delegate for passkey generation
We are facing an issue creating the attestationObject for ‘ASPasskeyRegistrationCredential’. Here, we’re not sure whether we need to create the attestationObject ourselves [if so, any documentation or help regarding this would be welcome] or whether there is an API to get the attestationObject that we are missing.
override func prepareInterface(forPasskeyRegistration registrationRequest: ASCredentialRequest) {
    let request = registrationRequest as! ASPasskeyCredentialRequest
    let passkeyRegistration = ASPasskeyRegistrationCredential(
        relyingParty: request.credentialIdentity.serviceIdentifier.identifier,
        clientDataHash: request.clientDataHash,
        credentialID: Data(UUID().uuidString.utf8),
        attestationObject: "????")
    extensionContext.completeRegistrationRequest(using: passkeyRegistration)
}
We have even tried passing a hardcoded attestationObject [we used an existing attestationObject received via iCloud Keychain], but we still got an empty ‘ClientDataJSON’ in the ‘authorizationController(controller:’ delegate.
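As an added example (not code from the original post), one way a provider can assemble the attestationObject itself: a WebAuthn "none"-format attestation object, i.e. a CBOR map of fmt, attStmt and authData wrapping a freshly generated P-256 key. The helper names and the all-zero AAGUID are assumptions; a real provider substitutes its own AAGUID and the credential ID it stores.

```swift
import Foundation
import CryptoKit

// Added example, not code from the original post. Builds a WebAuthn
// attestation object in the "none" format for a new P-256 passkey.
// `makeAttestationObject` and the zero AAGUID are assumptions.
func cborBytes(_ data: Data) -> Data {
    // CBOR major type 2 (byte string) with a 1- or 2-byte length.
    precondition(data.count < 65_536)
    if data.count < 24 { return Data([0x40 | UInt8(data.count)]) + data }
    if data.count < 256 { return Data([0x58, UInt8(data.count)]) + data }
    return Data([0x59, UInt8(data.count >> 8), UInt8(data.count & 0xff)]) + data
}

func cborText(_ s: String) -> Data {
    // CBOR major type 3 (text string); every key used here is under 24 bytes.
    let utf8 = Array(s.utf8)
    precondition(utf8.count < 24)
    return Data([0x60 | UInt8(utf8.count)]) + Data(utf8)
}

func makeAttestationObject(relyingParty: String, credentialID: Data,
                           privateKey: P256.Signing.PrivateKey) -> Data {
    let raw = privateKey.publicKey.rawRepresentation   // 64 bytes: x || y
    // COSE_Key map: kty=EC2 (1:2), alg=ES256 (3:-7), crv=P-256 (-1:1),
    // x (-2), y (-3). Negative CBOR ints: -1 -> 0x20, -2 -> 0x21, -7 -> 0x26.
    var cose = Data([0xa5, 0x01, 0x02, 0x03, 0x26, 0x20, 0x01])
    cose += Data([0x21]) + cborBytes(raw.prefix(32))
    cose += Data([0x22]) + cborBytes(raw.suffix(32))

    // authenticatorData: rpIdHash || flags || signCount || attestedCredentialData
    var authData = Data(SHA256.hash(data: Data(relyingParty.utf8)))
    authData += Data([0x45])                          // flags: UP | UV | AT
    authData += Data([0, 0, 0, 0])                    // signature counter
    authData += Data(repeating: 0, count: 16)         // AAGUID placeholder
    authData += Data([UInt8(credentialID.count >> 8), UInt8(credentialID.count & 0xff)])
    authData += credentialID
    authData += cose

    var obj = Data([0xa3])                            // map with 3 entries
    obj += cborText("fmt") + cborText("none")
    obj += cborText("attStmt") + Data([0xa0])         // empty attestation statement
    obj += cborText("authData") + cborBytes(authData)
    return obj
}
```

The returned Data is what the attestationObject parameter of ASPasskeyRegistrationCredential carries; the relying party will later verify assertions against the public key embedded in authData, so the same private key must be stored under the credential ID.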
Hello, I have a local WebSocket server running inside an iOS app on iOS 13+. I'm using Swift NIO Transport Services for the server. I'm using NWProtocolTLS.Options from the Network framework to specify TLS options for my server. I am providing my server as an XCFramework and want to let users specify different parameters when launching the server.
For specifying the supported TLS version, everything works fine by using:
public func sec_protocol_options_set_max_tls_protocol_version(_ options: sec_protocol_options_t, _ version: tls_protocol_version_t)
public func sec_protocol_options_set_min_tls_protocol_version(_ options: sec_protocol_options_t, _ version: tls_protocol_version_t)
But I also want to be able to specify some cipher suites. I saw that I can use:
public func sec_protocol_options_append_tls_ciphersuite(_ options: sec_protocol_options_t, _ ciphersuite: tls_ciphersuite_t)
But it seems that some cipher suites are enabled by default and I can't restrict the cipher suites to just the ones I want; I can only append others. The NWProtocolTLS.Options class has an init() function which the Apple documentation describes as "Initializes a default set of TLS connection options".
So my question is, is there a way to know what TLS parameters this initialization sets? Especially the list of cipher suites enabled by default? I can't find any information about it from my research. I used a tool to test the handshake with my server to discover the cipher suites supported and enabled by default, but I don't think that is a good way to be sure about this information. And is there a way to specify only the cipher suites I want to be supported by my server using NWProtocolTLS.Options?
Thank you in advance,
Christophe
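As an added example (not the original poster's code), the following Swift shows one way to constrain what NWProtocolTLS.Options will negotiate and to read back what an accepted connection actually agreed on, which is the dependable way to learn what the default init() allowed. The helper names, the identity parameter and the port are assumptions.

```swift
import Foundation
import Network
import Security

// Added example, not code from the original post. Builds NWProtocolTLS.Options
// pinned to TLS 1.3 and reports what an accepted connection really negotiated.
// `tlsOptionsForServer`, `logNegotiatedTLS` and `makeListener` are assumed names.
func tlsOptionsForServer(identity: sec_identity_t) -> NWProtocolTLS.Options {
    let tls = NWProtocolTLS.Options()
    let opts = tls.securityProtocolOptions
    sec_protocol_options_set_local_identity(opts, identity)
    // Pinning both bounds to TLS 1.3 is the simplest way to shrink the
    // negotiable suite set: TLS 1.2 suites enabled by the default init()
    // cannot be offered once TLS 1.2 itself is refused.
    sec_protocol_options_set_min_tls_protocol_version(opts, .TLSv13)
    sec_protocol_options_set_max_tls_protocol_version(opts, .TLSv13)
    // append_tls_ciphersuite adds to the default list rather than replacing
    // it, which is why appending alone never removes a suite.
    sec_protocol_options_append_tls_ciphersuite(opts, .AES_256_GCM_SHA384)
    sec_protocol_options_append_tls_ciphersuite(opts, .CHACHA20_POLY1305_SHA256)
    return tls
}

// Reads the negotiated version and suite off a live connection.
func logNegotiatedTLS(_ connection: NWConnection) {
    guard let meta = connection.metadata(definition: NWProtocolTLS.definition)
            as? NWProtocolTLS.Metadata else { return }
    let sec = meta.securityProtocolMetadata
    let version = sec_protocol_metadata_get_negotiated_tls_protocol_version(sec)
    let suite = sec_protocol_metadata_get_negotiated_tls_ciphersuite(sec)
    print("TLS version 0x\(String(version.rawValue, radix: 16)), "
          + "suite 0x\(String(suite.rawValue, radix: 16))")
}

// Network-framework listener using the options; the same options object can be
// handed to NIO Transport Services instead.
func makeListener(identity: sec_identity_t, port: NWEndpoint.Port) throws -> NWListener {
    let params = NWParameters(tls: tlsOptionsForServer(identity: identity))
    let listener = try NWListener(using: params, on: port)
    listener.newConnectionHandler = { conn in
        conn.stateUpdateHandler = { state in
            if case .ready = state { logNegotiatedTLS(conn) }
        }
        conn.start(queue: .main)
    }
    return listener
}
```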
Our company was re-formed under a new name. Rather than rename the organization on the App Store, we were advised by support to create a new organization and then transfer the app to that organization, which we have done.
Our app implements Apple Authentication. We did not migrate the users of the app (as instructed here: https://developer.apple.com/documentation/sign_in_with_apple/transferring_your_apps_and_users_to_another_team)
Is it possible to now migrate the users, after the app has been transferred? Our attempt to get an authorization token with scope "user.migration" results in HTTP error 400 with body: "invalid_client".
Whenever we call the API endpoint https://api.development.devicecheck.apple.com/v1/validate_device_token we receive a 403. The issue started yesterday around 2:00 PM (Brasil - Brasília time).
I am trying to enable developer mode on my iPhone 12 mini, yet I cannot find the option in settings. I cannot use Xcode to enable it as I do not have a Mac device, so I was wondering if there is a way to enable it using windows.
I want to reset the permission state of location services to "notDetermined" (CLAuthorizationStatus) while developing.
But using the command below gives me this error:
$ tccutil reset CoreLocation
tccutil: Failed to reset CoreLocation
The same goes for
$ tccutil reset [my bundleId]
tccutil: Failed to reset CoreLocation approval status for [my bundleId]
Anyone know the reason for this?
A call to the SecKeyGeneratePair API with the Secure Enclave on iOS 18 returns an OSStatus of 0, but the SecKeyRef is not present.
I understand that this API is currently deprecated and there are plans to move to the new APIs, but I believe this API should still work on iOS 18 as expected for now.
The API works as expected on iPadOS 18.
// Create SE key
let sacRef = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
                                             kSecAttrAccessibleAfterFirstUnlock,
                                             .privateKeyUsage, nil)!
let privKeyAttr = [
    kSecAttrAccessControl: sacRef,
    kSecAttrIsPermanent: true,
] as NSDictionary
os_log("Priv key params: %{public}@", log: osLogger, privKeyAttr)
let keygenAttr = [
    kSecAttrApplicationLabel: attrApplicationLabelSeKey,
    kSecAttrTokenID: kSecAttrTokenIDSecureEnclave,
    kSecPrivateKeyAttrs: privKeyAttr,
    kSecAttrKeyType: kSecAttrKeyTypeEC,
    kSecAttrKeySizeInBits: 256
] as NSDictionary
var error: Unmanaged<CFError>?
os_log("keygen params: %{public}@", log: osLogger, keygenAttr)
var keyRef: SecKey?
// SecKeyGeneratePair(parameters, publicKey, privateKey) -> OSStatus
let status = SecKeyGeneratePair(keygenAttr,
                                &keyRef,
                                nil)
os_log("SecKeyGeneratePair osStatus: %{public}d, keyRef: %{public}@", log: osLogger, status, keyRef == nil ? "null" : "ref present")
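As an added example (not the poster's code), the same Secure Enclave key generated through the non-deprecated SecKeyCreateRandomKey, which returns the key directly and reports failure through a CFError, so a "status 0 but no key" outcome cannot be silently missed. The helper names, the error enum and the application tag are assumptions.

```swift
import Foundation
import Security

// Added example, not the original poster's code. Generates a P-256 key inside
// the Secure Enclave via SecKeyCreateRandomKey and exports its public half.
// `makeSecureEnclaveKey`, `publicKeyBytes` and `KeyError` are assumed names.
enum KeyError: Error { case noPublicKey }

func makeSecureEnclaveKey(tag: String) throws -> SecKey {
    var acError: Unmanaged<CFError>?
    // ThisDeviceOnly accessibility: the key never leaves this Secure Enclave.
    guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            .privateKeyUsage,
            &acError) else {
        throw acError!.takeRetainedValue()
    }
    let privateAttrs: [CFString: Any] = [
        kSecAttrIsPermanent: true,
        kSecAttrApplicationTag: Data(tag.utf8),
        kSecAttrAccessControl: access,
    ]
    let attrs: [CFString: Any] = [
        kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits: 256,
        kSecAttrTokenID: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs: privateAttrs,
    ]
    var error: Unmanaged<CFError>?
    // Returns nil only together with a populated error, never a bare nil.
    guard let privateKey = SecKeyCreateRandomKey(attrs as CFDictionary, &error) else {
        throw error!.takeRetainedValue()
    }
    return privateKey
}

// The public half is derived from the private reference; export it for the server.
func publicKeyBytes(of privateKey: SecKey) throws -> Data {
    guard let publicKey = SecKeyCopyPublicKey(privateKey) else {
        throw KeyError.noPublicKey
    }
    var error: Unmanaged<CFError>?
    guard let data = SecKeyCopyExternalRepresentation(publicKey, &error) as Data? else {
        throw error!.takeRetainedValue()
    }
    return data   // ANSI X9.63 encoding: 0x04 || x || y
}
```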
We are implementing just-in-time account creation using Platform Single Sign-on. After creating the account, we are registering the user with PSSO and we want to ensure that the IDP account used for account creation matches the IDP account used in the user registration flow.
An easy way to do this appears to be using loginUsername on the ASAuthorizationProviderExtensionLoginManager object. loginUsername gets set during account creation and then we can check what the user is entering during registration.
The documentation, however, marks this attribute as deprecated. There is no indication of what could be used instead. Is there some other value we could look at? Does Apple have a plan to introduce a preferred API option?
Thanks!