I have a unique need here and hope there is someone out there that might be of help. There is a backend server that will send an x509 certificate and private key (as strings) after the mobile apps on-boarding process. Additionally, the app includes an AWS SDK that is used to talk to their IoT system. This SDK requires PKCS12 certificate format to pass authentication. (I believe the common method is to have bundled the cert into the app which is not an option for me here sadly) I suspect it may be possible to use some openSSL iOS framework to do this conversion at runtime but have not personally tried it yet as my go-to is usually trying things first with Apples APIs. So my question becomes is there a way to meet this requirement using any of the security APIs or other APIs that apple has like swift-nio-ssl? Thank you very much for your time. Best, Michael

Apple revealed the ContactsAccessButton in the WWDC24 session 10121: Meet the Contact Access Button. After watching the video, reading through the documentation as well as the sample code , I can only find a SwiftUI ContactsAccessButton. However, our code base is written largely in UIKit, and our team prefers to do complex work and customization with lists via UITableView as opposed to SwiftUI List. So we would greatly prefer to use a UIKit ContactAccessButton. Is there not a UIKit equivalent to ContactsAccessButton? If there is, where can we find it?

It seems there was a new security feature added to macOS 15 - and now it asks every time after reboot if user wishes to continue and allow access the app to record screen and audio, while capture is blocked. Which renders remote access apps useless, a specially for headless computers like my Mac mini.

We are currently using "Sign in with Apple for the web": https://developer.apple.com/help/account/configure-app-capabilities/configure-sign-in-with-apple-for-the-web/ but we do not publish apps on the App Store. Because of corporate re-structuring, we need to migrate to a new Apple Developer / App Store Connect account. So we are looking to migrate "Sign in with Apple" users to the new account. Apple does provide guides on how to do it: https://developer.apple.com/documentation/technotes/tn3159-migrating-sign-in-with-apple-users-for-an-app-transfer but unfortunately, it only works if "Sign in with Apple" is used with an app published on the App Store (it requires app transfer). Who should we handle this case? Please help.

Anyone found a fix?

Great post https://security.apple.com/blog/private-cloud-compute/ and I'd love to get on the action to help as a security researcher. There is a call to action, but it seems to be postponed until "after PCC becomes available in beta". Who at Apple should I keep in touch with and what is the best way to communite with that team. Thanks, François Proulx Software Supply Chain Security Research Lead at BoostSecurity.io

How do I add a privacy policy URL to an app?

In the 'notes' app, users are allowed to set custom passwords to restrict other people who may know your device password from accessing it. However, in the 'lock and hide app', there is no support for custom passwords to prevent people who may know your device password from accessing your privacy. For example, your wife. Why is it necessary to allow certain places in the settings, such as permission settings and privacy reports, to still be able to view hidden apps after hiding them, instead of completely hiding them?

I have a bunch of certificate related things, along with a bunch of secure notes stored in the keychain. These, like previously in System Preferences, don’t show up in the new Passwords app (as tested in iOS). So before I risk losing all that information by installing Sequoia, I wonder if the KeychainAccess.app is still around, allowing me to access these items. In case Apple is listening: do NOT remove that app, until all the critical functionality is also in Passwords, or some other app….

The release notes state the following: To protect users’ privacy, app group containers (in ~/Library/Group Containers) are now protected by System Integrity Protection. This is similar to the protection added to app data containers in macOS Sonoma. An app that’s properly entitled for an app group continues to have access to the app group container. Specifically, the app must use FileManager to get the app group container path and meet one of the following requirements: the app is deployed through Mac App Store; the app group identifier is prefixed with the app’s Team ID; or the app group identifier is authorised by a provisioning profile embedded within the app. If the app doesn’t meet these requirements, the system might present the user a prompt to authorize the app’s use of the app group container. If granted, that consent applies only for the duration of that app instance. This restriction also applies to app extensions, although in that case the system won’t prompt the user for consent but will instead just deny the access. (114586798) We have a helper app which is not sandboxed (due to it requiring Accessibility access/permissions) that accesses our group container. I've tested our helper app with the current beta of macOS Sequoia 15 (24A5264n) and it still works correctly, however I'm not clear if these restrictions are actually enforced in the current beta. I've tried testing for this by accessing the group container via Terminal (with Full Disk Access disabled for Terminal), but did not get any alert mentioned in the notes (or been otherwise restricted). Are these restrictions currently enforced?

While I am super happy to finally see an app outside Settings to manage passwords, it seems that some entries do not allow editing/adding of a website, eg. But some do: Anyone know why?

On Xcode 15.4, LAContext.biometryType had an @available attribute of visionOS 1.0. However, in Xcode 16, the @available attribute for biometryType was changed to a visionOS 2.0 minimum requirement, preventing the app from building if the minimum deployment target is earlier than visionOS 2.0. This was the attribute on Xcode 15.4: This is the attribute on Xcode 16: Feedback ID: FB13824190

I have an application developed in QT in C++ and using Objective-C++ (.mm) as the native language for compiling IOs. In this application I need to access the configuration profiles installed on the iPhone (e.g. -> .pfx digital certificate) as I do successfully on MacOS using the keychain certificate. I am using the following code to try to search for the certificate in my .mm file: NSDictionary *query = @{ (id)kSecClass: (id)kSecClassCertificate, (id)kSecMatchLimit: (id)kSecMatchLimitAll, (id)kSecReturnRef: @YES, }; CFTypeRef result = NULL; OSStatus status = SecItemCopyMatching((CFDictionaryRef)query, &result); if (status == errSecSuccess) { NSArray *response = (__bridge_transfer NSArray *)result; for (id r in response) { qDebug() << "ok"; } } else { qDebug() << "error certificate: " << status; } Running this code always returns: error certificate: -25300 (errSecItemNotFound). Even with configuration profiles installed on the iPhone, they are listed in the tab VPN Management and Device -> Configuration Profiles. I would like to clarify some points such as: Is it possible to access the certificates installed on the IOs, list them and use them in digital signatures as I have already done successfully on MacOS (using the <Security/Security.h> lib in C++)? If it is possible, what would the code be like to list the installed configuration profiles and use their private key to sign the hash of a document? Is there any further configuration needed in the project architecture? For example: In XCode, I went to target -> Capability -> I added the Keychain sharing capability.

Hello, I have some questions. I need to use Signin in with apple with private email relay service When last week. Suddenly Apple Login didn't work on Web and I check my Service IDS on apple developer page, i got this message Depending on your product, you may need to configure multiple components for Sign in with Apple – From registering domains for Web Authentication to providing email sources to communicate with your users through the Private Email Relay service. I register my domain and email on Configure Sign in with Apple for Email Communication I use AWS Route53 and AWS SES(Simple Email Service) This is my DNS record of DKIM, SPF, MX ● DKIM record : sig1._domainkey.metapocket.io value : sig1.dkim.example.com.at.icloudmailadmin.com. ● SPF value : "v=spf1 include:icloud.com ~all" ● MX value &gt; 10 mx02.mail.icloud.com 10 mx01.mail.icloud.com Some wrong on my configuration of DNS ? I register on 5days ago, but status if failed now And how long does take of verification? My web service is error now

With the ScreenTime API Apple talks a lot about their focus on privacy and the data not leaving the device. Does that mean there would be a problem with an app where the users ScreenTime data is shared to a custom backend? Could this potentially cause an app to be rejected from the AppStore?

Is there a Description key for an app to explain why it's requesting Accessibility permissions?

Hello all, I'm looking for clarification on the functionality of Full Disk Access (FDA) in macOS. To illustrate my case, consider the following simple example program: #include <stdio.h> #include <string.h> #include <errno.h> int main(void) { const char *filePath = "/Library/Preferences/com.apple.TimeMachine.plist"; // Try to open the file FILE *file = fopen(filePath, "r"); if (file == NULL) { // If there is an error opening the file, print the error and exit printf("Error opening file %s: %s\n", filePath, strerror(errno)); return 1; } fclose(file); // If we reached here, the file was successfully opened printf("File %s opened successfully\n", filePath); return 0; } When this program is built and executed in Terminal.app with Terminal having FDA, the file opens successfully. Conversely, when FDA is revoked from Terminal and granted to the program, an error occurs due to insufficient privileges. Interestingly, building and executing the program within Xcode, without Xcode having FDA, but granting FDA to the resulting binary (either debug or release), allows the file to open successfully. Which is what I would expect for the above case as well. Running the same binary (with FDA enabled), which runs successfully within Xcode, in Terminal yields an error message. So, I have the following questions based on these observations: Why does the program access the file successfully when run from within Xcode, despite Xcode lacking FDA? Why does the program fail to access the file when run from Terminal without FDA, even though the program itself has FDA? What is the precise relationship between a parent process and its child process concerning FDA? These tests were conducted on macOS 14.5 with Xcode 15.4. Thanks in advance!

I am trying to auth with a non-apple auth provider for a multi-platform service. I'm expecting to be able to use this to fetch the OAuth code after the user logs in to their auth provider. myRedirectHost = 'https' OR 'https://my.domain.com' where I also know the redirect path and query params and will extract them. ASWebAuthenticationSession(url: url, callbackURLScheme: myRedirectHost, completionHandler: handleAuthSessionResult) This works for iOS 17.4+ with that nice enum, but what about the rest of the users?

I'm experiencing an issue with microphone recording in my app when launched from a Shortcut. The app works correctly when launched directly, but launching it through the Shortcut results in the "Session activation failed" error (code 561015905). Here's what I've done so far: My app has microphone permission granted. The startRecording function sets the audio session category to .playAndRecord. I've implemented error handling within startRecording to catch the error code. The Shortcut workflow includes an action to launch the app (no explicit microphone permission request within the Shortcut). xcode version - 15.2 iphone ios version - 17.4.1

I am trying to access the CMAltimeter class, and I keep getting the error Domain=CMErrorDomain Code=105. I know that indicates my app does not have permissions for motion and fitness. All the documentation I can find mentions the need to add NSMotionUsageDescription to Info.plist. However, I have done that, and it does not help. I am using Xcode 15. It seems that whenever I go to look up how to get permissions to something, the information on the web seems to be outdated, and Apple seems to move stuff around. I have found I can add the entry to Info.plist by using the Info.plist editor and selecting "Privacy - Motion Usage Description", but that does not help. I also notice that when I info tab on my build target, there is a "Privacy - Motion Usage Description" there also. If I add the entry there, it takes out out of my Info.plist, and makes an entry in the project's project.pbxproj file named INFOPLIST_KEY_NSMotionUsageDescription. Regardless of which of those I use, I still do not the 105 error. I'm sure I'm missing something more, but I can't find it anywhere. There was mention of a "Health and Fitness" in the signing capabilities, but I could not find anything listed there in Xcode 15