We send out a transactional emails and have made all the important configurations (mail tester score 9.5 to 10 out of 10 points; DKIM, DMARC, SPF, etc.). However, Icloud.com marks our emails as SPAM and gives an X-ICL SCORE of 4.333034030041. Apparently a value >4 is classified as SPAM for iCloud. How do I find out what exactly is driving the value up to 4 so I can improve that?

I'm trying to access Subject Alternative Name of SSL Certificate to check it matches with expected domain or not. SecCertificateCopyValues is only available for macOS systems but I need this information on iOS. How can i observe SANs of Certificate?

Hello, is Apple CryptoKit support planned for the first release of VisionOS? Thank you

On Sonoma beta 7, if system.login.screensaver is updated to use “authenticate-session-owner-or-admin”, and then Lock Screen is not hiding the macOS Desktop. Step1. Update system.login.screensaver authorizationdb rule to use “authenticate-session-owner-or-admin”( to get old SFAutorizationPluginView at Lock Screen ). Step 2. Once the rule is in place after logout and login, now click on Apple icon and select “Lock Screen”. Even after selecting Lock Screen, complete macOS Desktop is visible with no control for the user to unlock the screen. To gain access we have to restart the MAC.

Looks like a security flow in ASCredentialProviderViewController Register a new Passkey on foo.example.com Now iOS 17 (RC) will suggest and permit to select the Passkey to login in bar.example.com, which is agains specs From specs: For example, given a Relying Party whose origin is https://login.example.com:1337, then the following RP IDs are valid: login.example.com (default) and example.com, but not m.login.example.com and not com. Also looks like a bug, in this method: func prepareInterfaceToProvideCredential(for credentialRequest: ASCredentialRequest) If I've registered my Passkey for RP foo.example.com and trying to login to bar.example.com (the bug). In ASCredentialRequest.credentialIdentity.serviceIdentifier.identifier is foo.example.com but I am trying to login to bar.example.com, from this we can't understand on what RP is this Passkey used and can't restrict the use of Passkey in case it is used on a wrong RP. P.S: iCloud Passkeys works as expected.

I have an app that uses Apple's Endpoint Security system extension to collect a number of events including authentication events. I've noticed AKD (Apple Keychain Daemon?) generates fail authentication events when I unlock my Mac with either Touch ID or password. I don't think I've ever seen it succeed. Does anyone know what AKD is trying to authenticate and why it is failing? Should I mask these out from being shown, or are there cases where AKD authentication will matter? Hardware: MacBook Pro with M1 OS: macOS 13.5.2 Device is configured stand-alone (not a managed device)

Hi Apple Team, As for considering allowed reasons for accessing required reasoning API, fraud detection is not listed as allowed reason or any exception for scenarios involving fraud detection described in the document. I believe it is necessary to add, fraud detection as allowed reason or grant exception for scenarios involving fraud detection as valid usage, as these API's play crucial role in detection and prevention of frauds. API's playing crucial role in fraud detection and prevention. System boot time APIs User defaults APIs Disk space APIs Thank you.

Does the passkey created using third party provider model get synced to iCloud Keychain? If yes, can we avoid that using the attestation object somehow to have it ties to the device where it was created? Being new to this domain, I am not sure if I am asking a right question.

Hello there, Today, after five months I have received an email from Developer Relations that "The entitlement for Endpoint Security has been assigned to your account". As you can see on the attached images, this supposed to be the Production Entitlement (I got the dev entitlement a while ago). As far as I understand, I should be able to assign the entitlement in the "Identifiers>App IDs>App>Additional Capabilities". As you can see on my second screenshot, the UI only mentions "Development Developer ID" Distribution support. Furthermore, when creating a "Developer ID" (or event Mac App Store) provision profile, I should eventually see an "Additional Entitlements" section to be able to choose the production Entitlement. I can't find the "Additional Entitlements" UI in any Cert / identifier / Profile combinations. I tried Xcode 15's Automatic code signing as well, but it doesn't seem to do the trick. It totally seem as If I have never received the production entitlement. I saw Quinn's advice in an old thread, that presumably the entitlement was misaligned to the wrong profiles(?), and in this case: "To correct this, you’ll need to get back in touch with the folks who granted you the entitlement." I am devastated as I can be, I waited for this day like it was christmas. I was pinging the "endpoint-review . at . apple.com" email address for months with no success. Then why would they answer to my n+1th email? Anybody has any advice what to do? Which other email addresses should I try to ping? I still have 2 TSIs, but read earlier that they have no use in this regard. Thank you in advance for everyone

I am new. I inherited a half finished app. I successfully finished it in flipabit and got the app into Google Play with no problem. I am having a horrible time with Apple. The app had been rejected so many times by Apple, I decided that I would create a total new bundle.I have the Cert for signing, the mobile provision key, the Apple Distribution.cer , and an authorization key. I can't import any of them into keychain. I am thinking that that all these were created by someone else for the original app and I can't import any of mine, though that really doesn't make sense. Any and all ideas would be truly appreciated. I have been looking into upworkk to have someone do this for me but I am wondering how in the world they could do that.

Our authorization plugin implements a custom window using SFAuthorizationPluginView and needs to make web connections to do validations. We have not been able to get it to work using the native MacOS system APIs, such as NSURLSession or NSURLConnection when loaded from the lock screen. The same connection code works both in an independent executable, in a login plugin, and in the authentication plugin itself when it loads us from the elevate system privileges window. If we use libcurl it works correctly in all points, but we need to use the system APIs because we use third-party components that use them. The error it provides is "NSURLErrorDomain Code=-1202" MoreErrorInfo.log Analyzing the traces of the process that is responsible for loading our "SecurityAgentHelper" plugin, we have seen that the handshake of the certificates is not completed (logs attached). SecurityAgentHelper.logs We have verified that the problem extends from Catalina to Monterey. How can we solve the problem? Is it necessary to do something special?

Hello Here is a problem with creating SecKey for ios 10 after key derivation (HMAC + sha512) After derivation we get 32 bytes of private key and chainCode There is no problem to use this bytes to create P256 private key with function from iOS13 try? P256.Signing.PrivateKey(rawRepresentation: bytes) and then to get x963Representation to create a SecKey But on iOS10 - 12 we don't have an ability to use this function... So I have to convert 32 bites key to 97 somehow to represent it in ANSI x9.63 format Example of key bytes [110, 181, 159, 0, 54, 16, 25, 129, 87, 128, 85, 36, 192, 64, 195, 4, 20, 47, 243, 134, 160, 57, 30, 210, 89, 225, 223, 114, 11, 121, 57, 156] x963Representation [4, 37, 167, 241, 121, 238, 41, 22, 35, 158, 89, 144, 215, 243, 4, 91, 217, 243, 23, 42, 171, 228, 247, 89, 136, 123, 22, 71, 11, 205, 134, 29, 110, 83, 241, 239, 135, 37, 226, 40, 179, 11, 191, 193, 232, 124, 41, 160, 136, 53, 95, 33, 233, 207, 151, 83, 136, 234, 97, 4, 79, 115, 227, 69, 42, 252, 66, 68, 64, 32, 176, 11, 75, 206, 158, 228, 246, 9, 179, 36, 94, 186, 209, 125, 152, 192, 192, 141, 242, 200, 108, 181, 75, 103, 86, 171, 231] I see that x963Representation contains: header(04) + ? + ? + 32_Key_Bytes So the question is - how to count x and y to get the key form (04 || X || Y || K) to be able to create SecKey?

CDVAssetLibraryFilesystem.m, CDVDevice.m and srp.h and many pods Issue : Binary makes use of malloc function CWE: CWE-789: UncontrolledMemory AllocationOWASP Top 10: M7: Client CodeQualityOWASP MASVS: MSTG-CODE-8

I am putting together a demo app that will pick up keychain items shared via Keychain Access Groups (or Shared Items Groups, as described here). Sadly, I'm getting the infamous -34018 A required entitlement isn't present error when trying to load successfully saved items from main app A into my demo app B via SecItemCopyMatching. From everything I can tell -- after looking at Quinn's excellent Troubleshooting -34018 Keychain Errors post -- after dumping out the entitlements plist, I see the main app A and my new demo app B both have different ApplicationIdentifierPrefix'es compared to the team identifier. ApplicationIdentifierPrefix and TeamIdentifierPrefix are supposed be the same thing. I believe (from this ancient StackOverflow answer) it might be due to the fact I'm using my developer certificate (the one associated with my current team) along with Xcode's automatically managed signing may still be accidentally generating random application identifiers. Is it possible to do keychain item sharing with apps that were built/installed with developer provisioning profiles?

I can't import into keychain. I can't drop and drag. I have it turned on in iCloud. I tried creating a second keychain and it still doesn't work.

I started a daemon app with esf function through launchctl. I wanted to get the sample information of the daemon app through sample, but the program would restart, which was not a crash. // shell command sample pid -file ~/Downloads/test.txt

Hi guys, has anyone seen this issue? When installing an application, which requires Full Disk Access (kTCCServiceSystemPolicyAllFiles), user enables this feature, but after reboot, OS automatically turns it off. Filed feedback in case it's a new issue. Any idea how to fix it? Any workaround to keep Full Disk Access enabled? Thanks.

I would like to be able to store a secret in the keychain and make it accessible to a process running as root without any prompting of the user. So far I've only got this working if I opt for "Allow all applications to access this item." But if I do that, any process whether root or not has access to the item. On the other hand, if I choose "confirm before allowing access," the user is prompted for a root password. Unfortunately, "Always allow access by these applications" isn't an option because I need the secret in the context of an Authorization Plugin and so it's not a "normal" application that I can list. I'm wondering if maybe there's a way to set some sort of ACL from the command line. I've looked at the man page for security and not seen any obvious solution. My goal is to have my Authorization Plugin process "authenticate" itself to an XPC Service using a shared secret that both read from the keychain. If I can't get the keychain to work, I may do the same thing by using a shared secret in a file readable only by root. Any suggestions welcome. Thanks, Francis

Apple's Endpoint security framework seems to have ways to prevent deleting of file. If we write an app that has a system extension that uses this framework, will the same app be able to prevent deletion if its own .app file ? If yes, when a user attempts to delete the app from /Applications folder, can we ask the user to enter a 'master password' before user is able to delete the app ? The app is sandbox, signed by develope id, and for MacOS.

Hello, we had working DeviceActivityReport in our app for months now. However when building with Xcode 15 (previously betas, now the GM), the activity reports no longer displays anything on iOS 16 devices. If we run it with Xcode 14, it works. But with Xcode 15 builds, the device activity report only works on iOS 17 devices :( I am able to see some somewhat generic errors in the Console.app when opening screen that contains the report. -[_EXServiceClient launchWithConfiguration:error:]_block_invoke failed with error: Error Domain=com.apple.extensionKit.errorDomain Code=2 UserInfo={NSUnderlyingError=0x280b9b600 {Error Domain=RBSRequestErrorDomain Code=5 UserInfo={NSLocalizedFailureReason=<private>}}} Failed to create extensionProcess for extension '<private>' error: Error Domain=com.apple.extensionKit.errorDomain Code=2 UserInfo={NSUnderlyingError=0x280b9b600 {Error Domain=RBSRequestErrorDomain Code=5 UserInfo={NSLocalizedFailureReason=<private>}}}. Failed to make extensionProcess with error: Error Domain=com.apple.extensionKit.errorDomain Code=2 UserInfo={NSUnderlyingError=0x280b9b600 {Error Domain=RBSRequestErrorDomain Code=5 UserInfo={NSLocalizedFailureReason=<private>}}} Failed to get extension process and XPC endpoints with error: Error Domain=com.apple.extensionKit.errorDomain Code=2 UserInfo={NSUnderlyingError=0x280b9b600 {Error Domain=RBSRequestErrorDomain Code=5 UserInfo={NSLocalizedFailureReason=<private>}}} And I managed to find one error that is specific to our activity extension which says just: Cannot track instance that is already dead!