I am currently working on Fraud System Detection that will be used by one of the financial institutions. Those tools are related to ensuring user security. Our goal is to identify features that can trigger an early warning system for attempted fraud. We have identified three uncertain variables: Whether the user is having a conversation while using our app, Whether the user has specific screen sharing apps on their phone, Whether the user has enabled VPN connection. Here my doubts appear: Can we check the presence of a telephone conversation if we are not a VOIP application? Can we check the presence of installed programs using Universal Link and canOpenUrl(_:) method? Can we read "SCOPED" key from CFNetworkCopySystemProxySettings() dictionary? I will be glad for any advice and help.

Current Setup: Using Secure Enclave with userPresence access control Foreground keychain accessibility: whenPasscodeSetThisDeviceOnly Security Requirement: Our security group wants us to invalidate biometrics and require a username/password if a biometric item is added (potentially by a hostile 3rd party) Need to upgrade from userPresence to biometricCurrentSet to ensure re-authentication when biometric credentials change. Issue: After implementing biometricCurrentSet, authentication cancels after two failed biometric attempts instead of falling back to passcode. Current Detection Method: User completes initial biometric authentication Biometric changes occur (undetectable by app) App attempts Secure Enclave access Access denial triggers re-authentication requirement Cannot revoke refresh token after access is denied Security Concern: Current implementation allows new biometric enrollments to access existing authenticated sessions without re-verification. Question: What's the recommended approach to: Implement biometricCurrentSet while maintaining passcode fallback Properly handle refresh token invalidation when biometric credentials change Looking for guidance on best practices for implementing these security requirements while maintaining good UX.

I am currently unable to enable passkey in my app so I am having to tell my users to skip the prompts for using passkey. We have noticed that after a few times of this the OS will stop asking the user to register their passkey. The question is, how long does this last before the OS asks you to use passkey again? Is it permanent until you re-install the app? Just looking for a time frame if anyone knows.

Hello, I'm having a problem with taxes calculation for US, the thing is, for some very specific addresses the taxes are coming wrong because we don't have the full address before the authorization with Adyen (our payment provider), for example, when I put the address "1 Infinite Loop, CA, US, 95014" in my wallet, I'm not receiving the value "1 Infinite Loop" (addressLines[0]) in backend until we authorize in Adyen, but I need this field to calculate the taxes and show to the customer before the authorization. My question is, is there any way to have this field before the authorization? If not, you have any idea how other ecommerces that use ApplePay and Adyen handle with this problem? Thanks in advance!

completeRequestWithTextToInsert is used to return text into an arbitrary textfield via the context menu AutoFill/Passwords from a 3rd party password manager (or presumably the Passwords App) in iOS 18. While testing this feature in the debugger, it would often fail on the first invocation. It also appears to happen intermittently in the released app extension. Subsequent testing using the Passwords App shows it too may fail to return a value. I have confirmed this behaviour is repeatable with the Passwords App on an iPhone running iOS 18.3.1 Reboot the iPhone. Show the App Library, and right click Autofill. Select Passwords Select Passwords (App) Select a password. Nothing will be inserted (intermittently). Feedback assistant report: FB16788563

I'm trying to make an app that is able to quietly run in the background. It needs to detect other apps' or the system's incoming video and/or audio, using only on-device resources to determine if it might be a scam caller. It will tap into an escalating cascade of resources to do so. For video/image scam detection, it uses OpenCV to detect faces, then refers to a known database of reported scam imagery. For audio scam calls, we defer to known techniques of voice modulation in frequency and/or amplitude. Each video and/or audio result will be relayed via notification banner as well as recorded in-app. Crucially, if the results are uncertain, users have the option to submit it to a global collaborative cloud database for investigative teams; 60 second audio snippets or series of images where faces were detected (60 second equivalent). In the end, we expect to deploy this app across most parts of Asia and Africa, thereby protecting generations of iPhone and iPad users. However, we have not been able to find a method that does this, and there is no known correspondance able to provide such technical guidance. Please assist.

We noticed that the APNs Profile we downloaded on https://developer.apple.com/bug-reporting/profiles-and-logs/ is mentioning "Facetime and Call Activity Logging". Is it expected ?

If we record the user's Device Model (ie. iPhone 15), what checkbox do we need to select under Data Collection in App Privacy? Device model is not a unique identifier, we do not use it for tracking. We use it to know in aggregate which phone models are using our app the most so we can prioritize our QA to focus on the top devices. Please note: we DO NOT access Device ID, as we DO NOT use it.

During SmartCard pairing the PIN prompt enables the OK button only on user provides a PIN of 6 digits. Is there a way to submit the empty PIN in this flow, where the custom CTK is used here (the custom CTK would take care of the PIN from the custom ctk code). I was able to do an empty PIN submit once the I've paired the user successfully at login, unlock and other cli tools. Is there a way to do the same during the pairing? Once the user has successfully paired with the SmartCard authentication with PIN, I was able to see most of the authentication flows was prompting for the PIN authentication like login, unlock, CLI tools like ssh, su etc., perhaps at few apps where it is still prompted with the Password instead of PIN examples, when I tried to launch Keychain Access app or Add a user from users&groups system setting. Is this expected behaviour?

I have an app where I'm integrating the Branch.io SDK for deeplinks. I plan to use it just for deeplinks and that's it. The SDK provides it's own privacy manifest file with privacy tracking domains defined and some collected data types with "Used for Tracking" set to YES. Does anyone know if I can keep tracking disabled in the App Store Connect - App Privacy section in case if I'll configure the SDK to disable tracking completely without asking users with the ATT permission request?

After upgrading to 15.1, SSIDs can no longer be scanned. In my main application, there is a wifiAccess.app in the LaunchService folder that is killed by embbed. This app is the root process that is placed under launchDaemon and loaded by launchd CLLocationManager *locationManager = [[CLLocationManager alloc] init]; if (@available(macOS 10.15, *)) { [locationManager requestAlwaysAuthorization]; } else { // erlier version do not need localtion permission } NSError *error; NSData *ssidStrData = [ssid dataUsingEncoding:NSUTF8StringEncoding]; CWInterface *interface = [[CWWiFiClient sharedWiFiClient] interface]; NSSet<CWNetwork *> *networks = [interface scanForNetworksWithSSID:ssidStrData error:nil]; However, the obtained networks do not have ssid. {(<CWNetwork: 0x600000368680> [ssid=(null), bssid=(null), security=WPA2 Enterprise, rssi=-49, channel=<CWChannel: 0x600000370bd0> [channelNumber=44(5GHz), channelWidth={20MHz}], ibss=0], <CWNetwork: 0x600000370b30> [ssid=(null), bssid=(null), security=WPA2 Enterprise, rssi=-73, channel=<CWChannel: 0x600000370b00> [channelNumber=6(2GHz), channelWidth={20MHz}], ibss=0], <CWNetwork: 0x600000370be0> [ssid=(null), bssid=(null), security=WPA2 Enterprise, rssi=-44, channel=<CWChannel: 0x600000370c60> [channelNumber=165(5GHz), channelWidth={20MHz}], ibss=0] }, the main program has granted the location permission, but the location authorization has not responded in this wifiaccess process. And (lldb) po [locationManager authorizationStatus] kCLAuthorizationStatusNotDetermined. The output authorization is always unauthorized, but only the authorization option of the main application can be seen in the system Settings location permissions setting, wifiaccess.app is not present on the list

hey everyone.!! In one of my macOS projects I am trying to fetch the files and folders available on "Desktop" and "Document" folder and trying to showing it on collection view inside the my project, but when I try to fetch the files and folder of desktop and document, I am not able to fetch it. But if i try it by setting the entitlements False, I am able to fetch it. If any have face the similar issue, or have an alternative it please suggest. NOTE:- I have tried implementing it using NSOpenPanel and it works, but it lowers the user experience.

Hi, I hope someone is able to help me with this query: Is there a mandatory requirement to display a view before presenting the App Tracking Transparency modal to explain to the user why the app is asking for tracking? I see there are a few apps which do this, but I don't see any mention of this as a mandatory requirement within the app store review guidelines. The modal can be customised with a description detailing why the app is asking for tracking and I believe this may be sufficient to pass an app store review. The guidelines also mention that the app must provide access to information about how and where the data will be used. We have these details in our privacy policy which is accessible from within the app. Is this sufficient or do we need a pre-modal view which contains a direct link the the privacy policy. Any advice on this would be much appreciated.

0 In WWDC 2022 Apple launched GA of Passkeys which will enable FIDO2 authentication in iOS ecosystem, the next gen open standards based authentication mechanism to replace passwords. On a Relying Party (RP) server supporting FIDO2 when a user registration is initiated, the browser generates a QR code to register a phone as platform authenticator. I am trying to build an app which opens up a QR scanner view and I want to register for the FIDO credential from the app by scanning the QR code generated by the browser. The parsed string is of the format - FIDO:/090409094349049349....... What information does this FIDO:/090409094349049349....... url protocol contain relating to the RP? Also, is there a way to decode this in Swift to get that information in json or string format? Since the camera app on iPhone is able to scan the QR and generate information like RP domain name and user being registered, I believe there should be a way to do this from a QR scanner inside an app as well. Or are these APIs private in nature only for usage of Camera app?

We have an app that has failed during the app review for the Japanese market but has been accepted in several other markets successfully. We need the user's name in native Katakana format as we need it to be displayed in our restaurant Point of Sale systems for workers to be able to read and understand. We use 'Sign up with Apple', but when doing so, if this returns an anglicised given and family name, we have to request the customer supply their Katakana format name so that our in-store systems and staff can process and fulfil their orders. When the App Review process automatically tests the app, it uses "Apple John" as a customer's name. Since this is not a Japanese name, we ask for it again in the correct format, or we cannot allow the user to register. This contravenes Apple's rules, and thus, our app is rejected. If the Apple identity used belonged to a user more typical of the target market, it would work as required. Does anyone else have this issue, and how did you work around it? Tim

I generate a keys using : let attributes: NSDictionary = [ kSecAttrLabel: label, kSecUseKeychain: getSystemKeychain()!, kSecAttrKeyType: kSecAttrKeyTypeEC, kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom, kSecAttrKeySizeInBits: 256, kSecPrivateKeyAttrs: [ kSecAttrIsPermanent: true, kSecAttrApplicationTag: tag, ] as [CFString : Any] ] var error: Unmanaged&lt;CFError&gt;? // Generate a new private key guard let privateKey = SecKeyCreateRandomKey(attributes, &amp;error) else { logger.error("failed to create a keypair \(String(describing: error))") return (nil, nil) } I keep getting this error : failed to create a keypair Optional(Swift.Unmanaged&lt;__C.CFErrorRef&gt;(_value: Error Domain=NSOSStatusErrorDomain Code=-2070 "internal error" (internalComponentErr) UserInfo={numberOfErrorsDeep=0, NSDescription=internal error})) The above code works absolutely fine on macOS Sonoma and older OS. This looks like a regression in the Apple API SecKeyCreateRandomKey(). What is a good workaround for this ?

In a project I was using Local Authentication to authenticate a user. When I got a request to support smartcard/PIV token authentication (which Local Authentication does not support), I had to switch to Authorization Services, which works pretty. There's only one issue I have. Local Authentication's evaluatePolicy:localizedReason:reply: requires a reason in the form "&lt;appname&gt;" is trying to &lt;localized reason&gt;. The app is currently translated into 41 languages and I would like to use the localized strings for the AuthorizationEnvironment of Authorization Services as well. The problem is that Local Authentication prefixes the localized string with something like "&lt;appname&gt;" is trying to and Authorization Services does not do this. Is there a way to get this prefix from somewhere so I can manually add it to the (partially) localized string? Any help would be highly appreciated. Thank you, Marc

I've encountered an issue with the keychain on macOS 15.0.1. When an admin account changes the password for a non-admin local account, the system should prompt to unlock the login keychain at the next login, giving the user an opportunity to update the keychain password. However, when I attempted to change a local account password using an admin account through system configuration on macOS 15.0.1, the system did not show such a prompt. Instead, it directly created a new login keychain. In the keychain directory, I could see that the old keychain had been renamed to login_rename_X.keychain-db. Additionally, this operation caused the Touch ID and passwords saved in the keychain to be cleared. Does anyone know how to handle this issue so that the local account is prompted to update the keychain password during login?

Hello, I've developed a macOS app with an AutoFill Credential Provider extension that functions as a passkey provider. In the registration flow, I want my app to appear as a passkey provider only when specific conditions are met. Is there a way to inspect the request from the web before the passkey provider selection list is displayed to the user, determine whether my app can handle it, and then use that result to instruct the OS on whether to include my app in the passkey provider selection list? Alternatively, is there a way to predefine conditions that must be met before my app is offered as a passkey provider in the selection list? Thanks!

I'm currently implementing a function in SwiftUI to log in with my Instagram account. It's not working, I'm creating a Firebase Auth function and it comes back to the redirect URL. This may happen if browser sessionStorage is inaccessible or accidentally cleared. This may happen if browser sessionStorage is inaccessible or accidentally cleared. I get this error. I can't implement it. I have tried various methods, but all have failed. If anyone knows how to do this, please help. import SwiftUI import AuthenticationServices import FirebaseAuth struct InstagramLoginView: View { var body: some View { VStack { Text("Login with Instagram") // タイトル Button(action: { // ボタンが押された時にInstagramのログイン処理を開始 InstagramLoginHelper().startInstagramLogin() }) { Text("Login with Instagram") .padding() .background(Color.blue) .foregroundColor(.white) .cornerRadius(8) } } } } class InstagramLoginHelper: NSObject, ASWebAuthenticationPresentationContextProviding { func startInstagramLogin() { let clientID = "XXXXXXXXXXXX" let redirectURI = "https://XXXXXXXXXXX.firebaseapp.com/__/auth/handler" let authURL = "https://api.instagram.com/oauth/authorize?client_id=\(clientID)&amp;amp;redirect_uri=\(redirectURI)&amp;amp;scope=user_profile,user_media&amp;amp;response_type=code" let schem = "XXXXXXXXXXXX" if let url = URL(string: authURL) { let session = ASWebAuthenticationSession(url: url, callbackURLScheme: schem) { callbackURL, error in if let error = error { print("Error during authentication: \(error.localizedDescription)") return } if let callbackURL = callbackURL, let code = URLComponents(string: callbackURL.absoluteString)?.queryItems?.first(where: { $0.name == "code" })?.value { // 認証コードを使ってFirebaseでログインする self.loginWithInstagram(authCode: code) } } session.presentationContextProvider = self session.start() } } func loginWithInstagram(authCode: String) { // Firebaseのauthインスタンスを取得 let auth = Auth.auth() // InstagramのOAuthプロバイダを使用する let provider = OAuthProvider(providerID: "instagram.com") // Instagramの認証コードを使って、プロバイダの認証資格情報を生成 provider.getCredentialWith(nil) { credential, error in if let error = error { print("Error during authentication: \(error.localizedDescription)") return } if let credential = credential { // Firebaseにログイン auth.signIn(with: credential) { authResult, error in if let error = error { print("Error during Firebase authentication: \(error.localizedDescription)") } else { print("Successfully authenticated with Firebase.") } } } } } // ASWebAuthenticationPresentationContextProvidingの実装 func presentationAnchor(for session: ASWebAuthenticationSession) -&amp;gt; ASPresentationAnchor { return UIApplication.shared.windows.first { $0.isKeyWindow } ?? ASPresentationAnchor() } } #Preview { InstagramLoginView() }