Hey,
I am experiencing this bug where I ask the device activity report for data within a date range, in daily segments. the device report receives the truncated date range: some date 23:00 -> some other date 23:00. however the async data list returns date ranges of the sort: 22:00 -> 22:00 (of the next day). and sometimes it returns 22:00 -> 23:00 (of the same day), but then the data contained in that range is still relative to tne entire day since the total screen time is greater than an hour.
I think that the way date intervals are treated by the device activity report extension contains bugs and is not consistent.
Is anyone experiencing similar bugs?
Prioritize user privacy and data security in your app. Discuss best practices for data handling, user consent, and security measures to protect user information.
Post
Replies
Boosts
Views
Activity
The Endpoint Security provides the ES_EVENT_TYPE_AUTH_OPEN event, I can specify that the process intercepts the open specified file es_respond_flags_result(client, msg, 0x0, true);.
However, WeChat (the chat app) intercepts the specified file the first time it is sent, and the second time it can be sent successfully, and the peer end can receive the file.
I can confirm that es_respond_flags_result(client, msg, 0x0, true); is called. So, which auth event should I use? Thx!
We recently shipped option to sign up/in using passkeys. Everything was working as expected and we didn't have any issues with passing app store review process.
Recently, when submitting new build with not passkey related updates, we got rejected due to the error, which apple reviewer faced during passkey creation. From our logs we can see that issue is about Associated Domains and webcredentials configuration:
The operation couldn’t be completed. Application with identifier X is not associated with domain Y.
The thing is that it is configured properly. AASA file is returned properly both from our server and from apple's CDN. Feature is 100% working on all our testing devices and we never got this error reported from any user. The only issue about that is received from reviewer device, which is iPad Air 5th generation on iOS 17.1.1 I was trying to reproduce the error in many ways, but I wasn't able to.
Is it possible that the error is faced only by apple reviewers due to some specific environment setup they use? Or maybe TestFlight installs manage AASA files checking in some different way? I found something about that in one thread on apple developer forum: https://developer.apple.com/forums/thread/108339 but not sure if it can be related.
Any help/guidance will be very appreciated, thanks!
It appears that for a successful registration of a passkey to a relying party using passkey autofill provider, the BE BS bits/flags in the attestation response need to be set to true. Please refer FLAGS byte of authData field part of attestationObject mentioned here - https://www.w3.org/TR/webauthn-2/#sctn-attestation.
If those flags are set to false, the RP rejects saying - "The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client."
What are the implications of having those flags set to true? Does it make the generated passkey syncable across devices using same apple id? If yes, is there at all anyway possible by which a generated passkey can be made device bound, basically can be generated and used only on a single iPhone/iOS device?
Also, is there a plan to ever make those flags to be set to false in a future iOS release?
Also, what does it mean in the credential provider popup where it says - "Available where is installed." in the below screenshot?
How do i get rid of the screen recording or mic usage privacy icon from the menubar its very annoying and its there alot even though its not even being used by anything it is an empty dropdown
Image
Hi everyone,
I'm looking into adding unique biometric authentication (fingerprints only) to a mobile app I'm developing. Is it possible to assign and recognize individual biometric data for a unique scan for the app? I'm interested in the technical feasibility, any notable security concerns, and would appreciate any insights or experiences you might have on this topic.
Imagine logging into your phone or laptop using your thumbprint, and then, with the same device, accessing a specific app solely with your pinky finger's biometric data. This dual-layer security approach leverages different fingerprints for device and app access, enhancing user-specific authentication
Thanks in advance for your help!
I just raised the iOS version to 17, but the login with face id doesn't appear in the react native webview. The login with face id doesn't appear, and the website loads.
If the user is on iOS 16 in the same app, the login with face id appears. Is there something I'm missing?
Hello everyone! I'm currently working on implementing a Secure Enclave to encrypt data from the Login Screen with my application. I've followed the guidelines outlined in the developer documentation, which you can find here: Secure Enclave Documentation.
Despite following the documentation, I'm encountering issues with creating a key pair to encrypt data. I would appreciate any suggestions for necessary changes or additional permissions that might be required to address these challenges.
Thanks!
Hello Apple Developer Community,
I am reaching out to seek some assistance with an issue I've encountered related to user privacy settings in my app. Despite configuring the PrivacyInfo.xcprivacy file to disallow tracking and including specific domains within the Privacy Tracking Domains, I am observing that URLs containing these restricted domains are still being displayed within a webView in my app.
Here are some specifics of the issue:
The behavior occurs in both the iOS 17.1.1 simulator and on physical devices.
I've double-checked the setup to ensure it aligns with the official documentation and expected privacy restrictions.
I'm hopeful that someone in the community or from the Apple team can shed light on the matter. Why might the specified domains not be blocked as per the privacy settings? Any insights or guidance on resolving this would be greatly appreciated as it's crucial for maintaining the privacy standards of our app.
Thank you for your time and help.
Best regards,
Hello!
I am a new developer and am attempting to use Apple's Device Activity API. However, I am struggling with the View of the Device Activity Report. For one, the view stretches to fill all available space instead of simply being the size of its content. Secondly, the background color seems fixed and I can't figure out how to remove it. The Screen Time API demo video shows this Device Activity API used with a clear background, so I know it is possible, I just can't figure out how to do it as it seems to be built into the Device Activity Report itself. Does anyone have any ideas? I'll attach a photo to show you what I mean. The black box is the Device Activity Report that I am trying to edit. Thank you for your help!
Hi!
Is there any way to automate passkey testcases for safari?
Does safari provide any emulated authenticator? The way we have virtual authenticator in chrome in developer tools.
If no, can you please suggest a way to automate passkey testing using safari?
Thank you!
Hi everyone, I'm working on the verification of the PassKey signature for the integration of PassKey into our product.
I've implemented the verification of P256 signature and it's correctly verifying the passkey signature.
However, I want to know if Apple's Passkey signature is doing a malleability check
(if the signature's S value is <= N / 2).
If this is the case for Apple's passkey, I'm planning to also include this in the service for the signature verification to ensure a higher security level from the Passkey.
Can anyone please help to answer this question? I checked documentation and many articles but this wasn't stated in the documents.
Thank you for your answer in advance.
I would like to develop a macOS application in Swift. This application will consist of 2 programs: a main program to be run by the user (standard account) and another one that will run with root privileges. The second program will only be invoked to perform privileged tasks. Running the main program under root permanently would be too risky.
XPC will be used to trigger calls from the main program to the privileged program.
How can I secure the privileged program to ensure that the calling program is indeed my main program and not another unauthorized program?
I have implemented an app to monitor computer events according to ESF framework, but a crash will appear, and the crash content is
Time Awake Since Boot: 800000 seconds
Time Since Wake: 2594 seconds
System Integrity Protection: enabled
Crashed Thread: 0
Exception Type: EXC_CRASH (SIGKILL)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: Namespace ENDPOINTSECURITY, Code 2
I can't find it. Why is this happening.
Can you tell me under what circumstances such a crash would occur.
Hi, I am preparing privacy info manifest for my application.
I am using stat to read not timestamp data from file. I wonder how in this case should I specify this info in the API usage?
Should it be specified at all(since stat() is listed only in File Timestamp API)?
Or maybe you can add stat to Disk space APIs and add one more reason there?
Here is similar thread about this and nothing emerged so creating this to increase visibility of the problem:
https://developer.apple.com/forums/thread/734750
Best regards,
Konrad
Buongiorno, che tipo di accesso sicuro e che testimonia l'autenticità di un utente,
è possibile usare ?
E' possibile far inviare dall'utente che si vuol registrare, una foto di un suo documento di identità ed anche con la face authentication ?
E' possibile usare lo SPID ?
Grazie molto.
Firenze Web Division.
Hello,
I've come across information regarding macOS endpoint protection software: It seems Apple no longer allows them to create kernel extensions.
It seems that endpoint software should now function with MACF by implementing hooks from userland.
Does this mean the Endpoint Security Framework will soon become deprecated?
I'm currently searching for a sample source code for MACF hooks, but I haven't found anything in the Apple developer documentation.
Thanks
Hello,
I have created a Swift app which has Apple Sign In integrated with it. We now want to add Apple Sign In to a web app but can't seem to find enough documentation on how to do this. We have followed the instructions at https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/configuring_your_webpage_for_sign_in_with_apple and have ended up with a script like so:
<head>
<meta name="appleid-signin-client-id" content="colourworker.SPAD">
<meta name="appleid-signin-scope" content="name email">
<meta name="appleid-signin-redirect-uri" content="https://colourworker.com/apps/photofolia/applesignedin.html">
<meta name="appleid-signin-state" content="init">
<meta name="appleid-signin-nonce" content="NONCE">
<meta name="appleid-signin-use-popup" content="true">
</head>
<body>
<h1>Sign in with Apple</h1>
<div id="appleid-signin" data-color="black" data-border="true" data-type="sign in"></div>
<script type="text/javascript" src="https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js"></script>
</head>
</html>
But have we populated the client-id, state, and NONCE correctly? When clicking on the Sign In with Apple button we get the error in this screenshot:
I look forward to hearing from someone.
Kind regards,
Miguel
As the new requirement for Privacy manifests is coming this Spring 2024 (https://developer.apple.com/news/?id=r1henawx), Apple released a list of SDK's that need to comply with this requirement and provide a privacy manifest file: https://developer.apple.com/support/third-party-SDK-requirements/
I have some questions:
Do i need to declare a privacy manifest file for the SDKs if i'm updating an old app that already includes one of these SDKs? Apple states "when you submit an app update that adds one of the listed SDKs as part of the update" which in my understanding applies only when an app adds an SDK for the first time in an app update.
What happens with SDK's that are not in this list? Should every single SDK an app uses to include the privacy manifest file?
I am creating a Privacy manifest file and have a question about adding to NSPrivacyTrackingDomains. For example, if I am using Firebase for two purposes, analytics and crashes, if I specify the Firebase domain as NSPrivacyTrackingDomains and the user rejects the tracking, will the crash information etc. also stop being sent?