Hey everyone,
I'm working on a password manager app for iOS and I'm trying to implement the new iOS 18 feature that lets users enable autofill directly from within the app. I know this exists because I've seen it in action in another app. They've clearly figured it out, but I'm struggling to find any documentation or info about the specific API.
Has anyone else had any luck finding this? Any help would be greatly appreciated!
Thanks in advance!
Prioritize user privacy and data security in your app. Discuss best practices for data handling, user consent, and security measures to protect user information.
Post
Replies
Boosts
Views
Activity
Hello. I want to do the following and need your help.
I want to import a certificate (pkcs#12) into my macOS keychain with a setting that prohibits exporting the certificate.
I want to import the certificate (pkcs#12) into my login keychain or system keychain.
I was able to achieve [1] with the help of the following threads, but have the following problems.
https://developer.apple.com/forums/thread/677314?answerId=824644022#824644022
how to import into login keychain or system keychain
How to achieve this without using the deprecated API
To import into the login keychain, I could use the “SecKeychainCopyDefault” function instead of the “SecKeychainCopySearchList” function,
However, both of these functions were deprecated APIs.
https://developer.apple.com/documentation/security/seckeychaincopysearchlist(_:)
https://developer.apple.com/documentation/security/seckeychaincopydefault(_:)
I checked the following URL and it seems that using the SecItem API is correct, but I could not figure out how to use it.
https://developer.apple.com/documentation/technotes/tn3137-on-mac-keychains
Is there any way to import them into the login keychain or system keychain without using these deprecated APIs?
My app has been rejected by App Store review because the sign in with Apple functionality is not working properly. I'm able to reproduce the issue on my end but I don't understand why it's happening.
I have two other apps that implement the same OAuth flow in an identical manner, and those apps have no issues signing in with Apple.
I've copied my OAuth flow to a fresh project to see if that would make a difference, and it gives me the exact same error. In the simulator I get "invalid_request, invalid web redirect URL", and on-device the FaceID authentication fails with a very non-specific "Sign Up Not Completed" error.
I'm completely out of ideas here, so any guidance would be appreciated. Thanks!
Hello everyone,
In my application, i have implemented authentication using ASWebauthenticationSession. However, when redirecting the user to a WKWebView, no cookies are shared, causing the session to be lost and requiring the user to log in again.
Is there a way to share cookies between the two? If not, what would be the best approach to set up authentication that ensures SSO when switching to a WebView ?
Thank you very much for your help !
I am currently unable to enable passkey in my app so I am having to tell my users to skip the prompts for using passkey. We have noticed that after a few times of this the OS will stop asking the user to register their passkey. The question is, how long does this last before the OS asks you to use passkey again? Is it permanent until you re-install the app? Just looking for a time frame if anyone knows.
I am using Auth0 as a login manager for our app. The way Auth0 handles login is that their SDK will create a web view where the login is actually handled. Once the login is finished the session will end and the app will gain control. We are not set up for passkeys in their system and can't set up quickly to do that. Unfortunately with the new iOS "passkey is the primary login" way iOS is set up now, users are asked to use passkey when it's not supported on the backend. I don't have direct control of the login screens. Is there any way, at the app level, to tell the app to not use passkeys so that it quits showing up as an option for the users? I can't find any documentation on doing this. How can I stop passkey in my app entirely?
I am writing a MacOS app that uses the Apple crypto libraries to create, save, and use an RSA key pair. I am not using a Secure Enclave so that the private key can later the retrieved through the keychain. The problem I am running into is that on my and multiple other systems the creation and retrieval works fine. On a different system -- running MacOS 15.3 just like the working systems -- the SecKeyCreateRandomKey function appears to work fine and I get a key reference back, but on subsequent runs SecItemCopyMatching results in errSecItemNotFound. Why would it appear to save properly on some systems and not others?
var error: Unmanaged<CFError>?
let access = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
.biometryAny,
&error)!
let tag = TAG.data(using: .utf8)! // com.example.myapp.rsakey
let attributes: [String: Any] = [
kSecAttrKeyType as String: KEY_TYPE, // set to kSecAttrKeyTypeRSA
kSecAttrKeySizeInBits as String: 3072,
kSecPrivateKeyAttrs as String: [
kSecAttrIsPermanent as String: true,
kSecAttrApplicationTag as String: tag,
kSecAttrAccessControl as String: access,
],
]
guard let newKey = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
throw error!.takeRetainedValue() as Error
}
return newKey
This runs fine on both systems, getting a valid key reference that I can use. But then if I immediately try to pull the key, it works on my system but not the other.
let query = [ kSecClass as String: kSecClassKey,
kSecAttrApplicationTag as String: tag,
kSecReturnRef as String: true, ]
var item: CFTypeRef?
let status = SecItemCopyMatching(query as CFDictionary, &item)
let msg = SecCopyErrorMessageString(status, nil)
if status == errSecItemNotFound {
print("key not found")
}
guard status == errSecSuccess else { print("other retrieval error") }
return item as! SecKey
I've also tried a separate query using the secCall function from here (https://developer.apple.com/forums/thread/710961) that gets ALL kSecClassKey items before and after the "create the key" function and it'll report the same amount of keys before and after on the bugged system. On the other machines where it works, it'll show one more key as expected.
In the Signing & Capabilities section of the project config, I have Keychain Sharing set up with a group like com.example.myapp where my key uses a tag like com.example.myapp.rsakey. The entitlements file has an associated entry for Keychain Access Groups with value $(AppIdentifierPrefix)com.example.myapp.
Current Setup:
Using Secure Enclave with userPresence access control
Foreground keychain accessibility: whenPasscodeSetThisDeviceOnly
Security Requirement:
Our security group wants us to invalidate biometrics and require a username/password if a biometric item is added (potentially by a hostile 3rd party)
Need to upgrade from userPresence to biometricCurrentSet to ensure re-authentication when biometric credentials change.
Issue:
After implementing biometricCurrentSet, authentication cancels after two failed biometric attempts instead of falling back to passcode.
Current Detection Method:
User completes initial biometric authentication
Biometric changes occur (undetectable by app)
App attempts Secure Enclave access
Access denial triggers re-authentication requirement
Cannot revoke refresh token after access is denied
Security Concern:
Current implementation allows new biometric enrollments to access existing authenticated sessions without re-verification.
Question:
What's the recommended approach to:
Implement biometricCurrentSet while maintaining passcode fallback
Properly handle refresh token invalidation when biometric credentials change
Looking for guidance on best practices for implementing these security requirements while maintaining good UX.
Hi,
We are trying to open an application "xyz.app"
It worked fine until 15.1.1 versions. But facing issues with 15.2 and 15.3
The application is working fine when we navigate to xyz.app/Contents/MacOS/ and run applet in this directory.
But the error ""Not authorized to send Apple events to Finder"" occurs when we are trying to open the app directly.
Could someone please help me understand what might be causing this issue and how to resolve it?
Our application uses Screen capture KIT API for screen recording.
But from Sequoia OS, we are getting additional permission dialog which states " is requesting to bypass the system private window picker and directly access your screen and audio".
It seems we need to add our app under "System settings -> Privacy & Security -> Remote Desktop" setting to avoid getting above additional dialogue in every few days.
Some places mention use of .plist file that if mention in this file, the app will request for this permission. But did not seem to work or we do not understand that properly yet.
Hi,
I am working on Authorisation Plugin for Mac OS X and able to get going for most of the parts and taking inspiration from Jamf Authorisation Plugin repo https://github.com/jamf/NoMADLogin-AD.
I have seen in project they are implementing logic for following.
Connecting to Wifi
Power management (Sleep, Restart, Power Off)
Question: I was wondering these things need to be implemented or is there a way some components from Mac OS X could be integrated calling some API and I don't have to implement them and I see say a top bar where these items are viable as we see in default login screen.
I have developed my own login screen and I do see it is all blank everything I have to implement from scratch.
Trying luck here if any API is out there to reduce work, else no option but to implement all logic.
I'll really appreciate if someone just could help me know such API's are present or not. In case there are will save lot of effort.
Thanks,
Hi,
We are using the following API from sys/random.h to generate entropy in our module.
int getentropy(void* buffer, size_t size);
Could you confirm if this API internally uses a non-physical entropy source and adhere to SP800-90B as the following document says:
https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/entropy/E181_PublicUse.pdf
I must be missing something. How can an iphone that is in lockdown mode, using ONLY data, no Bluetooth connected and only one singular iPhone have seven UNLISTED items on the local network in privacy and settings?
转让app成功了之后,由于开发者账号更改,团队ID改变,导致获取不到原有的keychain中缓存的用户数据,所以在用户进行登录时,无法登录到原有的老账号,而是被识别成了一个新的用户。这种情况怎么解决。
I have been able to save and remove ASPasskeyCredentialIdentities in the ASCredentialIdentityStore. But after saving a ASPasskeyCredentialIdentity, when I retrieve the current identities stored, it always returns an empty list. I check to make sure the store is enabled. I am using this method which is available starting with iOS 17.4:
extension ASCredentialIdentityStore {
public func credentialIdentities(forService serviceIdentifier: ASCredentialServiceIdentifier? = nil, credentialIdentityTypes: ASCredentialIdentityStore.IdentityTypes = []) async -> [any ASCredentialIdentity]
}
I have called it like this:
store.credentialIdentities(forService: nil, credentialIdentityTypes: .passkey)
And this:
store.credentialIdentities()
Has anyone got this to work?
I have a macOS package (.pkg) that checks for installed Java versions on the machine during the preinstall phase using a preinstall script. If the required Java version is not found, the script displays a message using osascript as shown below.
/usr/bin/osascript -e 'tell application "Finder"' -e 'activate' -e 'display dialog "Java Development Kit (JDK) 11 is required" buttons{"OK"} with title "Myprod Warning"' -e 'end tell'
So far, no issues have been observed with the installation of my package on all versions of macOS. However, on macOS 15.2, the installation is failing with a "Not authorized to send Apple events to Finder" error.
Could someone please help me understand what might be causing this issue and how to resolve it?
During SmartCard pairing the PIN prompt enables the OK button only on user provides a PIN of 6 digits. Is there a way to submit the empty PIN in this flow, where the custom CTK is used here (the custom CTK would take care of the PIN from the custom ctk code). I was able to do an empty PIN submit once the I've paired the user successfully at login, unlock and other cli tools. Is there a way to do the same during the pairing?
Once the user has successfully paired with the SmartCard authentication with PIN, I was able to see most of the authentication flows was prompting for the PIN authentication like login, unlock, CLI tools like ssh, su etc., perhaps at few apps where it is still prompted with the Password instead of PIN examples, when I tried to launch Keychain Access app or Add a user from users&groups system setting.
Is this expected behaviour?
I was basically saving items into the Keychain with the following query dictionary:
let query: [String: Any] = [
kSecClass as String: kSecClassGenericPassword,
kSecAttrAccount as String: key,
kSecValueData as String: value,
kSecAttrAccessible as String: kSecAttrAccessibleAfterFirstUnlock
]
Where key is a String value and value is a Data that used to be a String.
I was getting the following error:
code: -25299
description: The specified item already exists in the keychain
After a lot of digging in I saw that I needed to add kSecAttrService to the dictionary and after that it all started working. The service value is a String value.
let query: [String: Any] = [
kSecClass as String: kSecClassGenericPassword,
kSecAttrService as String: service,
kSecAttrAccount as String: key,
kSecValueData as String: value,
kSecAttrAccessible as String: kSecAttrAccessibleAfterFirstUnlock
]
These were the articles that suggested adding the kSecAttrService parameter:
https://stackoverflow.com/a/11672200
https://stackoverflow.com/a/58233542
But in the same code base I found that other developers were saving using a dictionary similar to the one I first provided and it works:
var query: [String : Any] = [
kSecClass as String : kSecClassGenericPassword as String,
kSecAttrAccount as String : key,
kSecValueData as String : data
]
I don't know how to explain why my first implementation didn't work even though it was similar to what was already in the code base but the second approach worked well.
Regardless of the query dictionary, this is how I'm saving things:
static func save(value: Data, key: String, service: String) -> KeyChainOperationStatus {
logInfo("Save Value - started, key: \(key), service: \(service)")
let query: [String: Any] = [
kSecClass as String: kSecClassGenericPassword,
kSecAttrService as String: service,
kSecAttrAccount as String: key,
kSecValueData as String: value,
kSecAttrAccessible as String: kSecAttrAccessibleAfterFirstUnlock
]
// Remove any existing key
let cleanUpStatus = SecItemDelete(query as CFDictionary)
let cleanUpStatusDescription = SecCopyErrorMessageString(cleanUpStatus, nil)?.asString ?? "__cleanup_status_unavailable"
logInfo("Save Value - cleanup status: \(cleanUpStatus), description: \(cleanUpStatusDescription)")
guard cleanUpStatus == errSecSuccess || cleanUpStatus == errSecItemNotFound else {
logError("Save Value - Failed cleaning up KeyChain")
return .cleanupFailed(code: cleanUpStatus)
}
// Add the new key
let saveStatus = SecItemAdd(query as CFDictionary, nil)
let saveStatusDescription = SecCopyErrorMessageString(saveStatus, nil)?.asString ?? "__save_status_unavailable"
logInfo("Save Value - save status [\(saveStatus)] : \(saveStatusDescription)")
guard saveStatus == errSecSuccess else {
logError("Save Value - Failed saving new value into KeyChain")
return .savingFailed(code: saveStatus)
}
return .successs
}
I have something with a new individual on my team I've never seen before. They checked out our code repository from git and now anytime they try to open a .json file that is legitimately just a text file, GateKeeper tells them it cannot verify the integrity of this file and offers to have them throw this file away. I've seen this with binaries, and that makes sense. I removed the com.apple.quarantine extended attribute from all executable files in our source tree, but I've never seen GateKeeper prompt on text files. I could remove the extended attribute from all files in our source tree, but I fear the next time he pulls from git he'll get new ones flagged. Is there someway around this? I've never personally seen GateKeeper blocking text files.
Hi,
I know it's been discussed before, but I'm testing the Sign in with Apple feature, and I only get the user info on the first try.
Now, I know that you're supposed to go to the account settings, and look for the list of accounts that you used your Apple account to sign in with, and it used to work a few months back. But for the last few weeks I haven't been able to get the user info, even after deleting the entry from my Sign In With Apple app list.
Has there been a recent change to Apple security policy that prevents such a move from working ? Or am I doing something wrong ?
Thank you