We have a Web server for Apple Pass and we received a complaint from a user because the Pass is being deleted every few days from the Apple Wallet App and the user had to reinstall the pass every time. Upon checking our server logs we found DELETE (unregister) requests that were not initiated by the user. Here are some (there are more) of those logs (I replaced some details with * for privacy): From July [29/Jul/2024:23:06:30 +0000] "DELETE /apple_wallet/v1/devices/****/registrations/pass.com..*/** HTTP/1.1" 200 31 "-" "passd/1.0 CFNetwork/1496.0.7 Darwin/23.5.0" From August [17/Aug/2024:22:51:33 +0000] "DELETE /apple_wallet/v1/devices/****/registrations/pass.com..*/** HTTP/1.1" 200 31 "-" "passd/1.0 CFNetwork/1498.700.2 Darwin/23.6.0" From September [08/Sep/2024:23:32:11 +0000] "DELETE /apple_wallet/v1/devices/****/registrations/pass.com...*/** HTTP/1.1" 200 31 "-" "passd/1.0 CFNetwork/1498.700.2 Darwin/23.6.0" Other information for this specific user/device: Phone 14 Pro Max - iOS 17.6 User has few other passes installed but none has disappeared only our issued pass. We are hoping to get some help from Apple to figure out why the DELETE request is being sent out to our server without being initiated by the user. I have already filed a ticket to Apple with Case-ID: 9315232 But I haven't gotten any feedback after a few weeks and some follow ups.

I want to install a driver package without internet access and the installation fail. This I think it is due to it need internet to check for signature with Apple Server. The workaround is to disable System Integrity Protection, but I do not have the administrator password to disable it. How to install a driver and allow a driver to run without internet access and administrator account? This driver is develop by ourself but how to by pass the code signing and security check for others to use this driver on their Mac PC? Currently I am following https://developer.apple.com/documentation/systemextensions/ossystemextensionrequest/activationrequest(forextensionwithidentifier:queue:) to activate the system extension If the extension is inactive, the system may need to prompt the user for approval. Which others API can I use which do not need prompt user for approval? Beside in order to validate the code signing, it need to communicate with Apple server which required internet access. Any method to by pass this validation?

I wrote a Keychain controller that add, delete and fetch keychain items using SecItemAdd(_:_:)and related APIs with data protection keychain enabled (kSecUseDataProtectionKeychain). I am using it in a macOS Cocoa app. I am using Swift Testing to write my tests to ensure that the controller works as expected. As I understand, I should create my own keychain for testing rather than use the actual keychain in macOS. Currently, I created a separate keychain group (e.g. com.testcompany.testapp.shared) and added it to myapp.entitlements file so that the tests pass without failing because of the missing entitlement file. SecKeychainCreate(_:_:_:_:_:_:) and SecKeychainDelete(_:) API are deprecated with no alternative provided in the documentation. I noticed SecKeychain class but documentation doesn't explain much about it. How should I test my keychain controller properly so that it does not use the actual macOS keychain, which is the "production" keychain?

With the update to iOS version 18.0, there was a significant improvement in information security and user privacy, allowing apps to be locked using FaceID (or TouchID), with no possibility of using the phone's unlock passcode to access the locked app (see reference: https://www.reddit.com/r/Wealthsimple/comments/1fr1nnj/psa_ios_18_require_face_id_feature_mitigates/). As a result, even if someone else knew your iPhone unlock passcode, they wouldn't be able to open the locked apps, as FaceID (or TouchID) would be required. However, after updating to iOS 18.1.1, someone who knows your iPhone unlock passcode and is using your iPhone (or has stolen your iPhone and requested the unlock passcode) can inadvertently open the locked apps, because after a few failed attempts to open the locked app without FaceID (or TouchID), the iPhone will prompt for the unlock passcode to open the locked app. Even if the user has moved the app to the hidden folder, the content of that folder and the hidden apps within it can be opened with the iPhone unlock passcode after several failed attempts to open the hidden app without FaceID (or TouchID). It would be very important for users if this security and privacy weakness were eliminated, returning to what iOS 18.0 did: the only way to open a locked app is through FaceID (or TouchID), and it would not be possible to open it with the iPhone unlock passcode.

In my app, I use SecItem to store some data in the Keychain. I’d like to know — when a user sets up a new iPhone and transfers data from the old device, will those Keychain items be migrated or synced to the new device?

I am trying to generate public and private keys for an ECDH handshake. Back end is using p256 for public key. I am getting a failed request with status 0 public func makeHandShake(completion: @escaping (Bool, String?) -> ()) { guard let config = self.config else { completion(false,APP_CONFIG_ERROR) return } var rData = HandshakeRequestTwo() let sessionValue = AppUtils().generateSessionID() rData.session = sessionValue //generating my ECDH Key Pair let sPrivateKey = P256.KeyAgreement.PrivateKey() let sPublicKey = sPrivateKey.publicKey let privateKeyBase64 = sPrivateKey.rawRepresentation.base64EncodedString() print("My Private Key (Base64): \(privateKeyBase64)") let publicKeyBase64 = sPublicKey.rawRepresentation.base64EncodedString() print("My Public Key (Base64): \(publicKeyBase64)") rData.value = sPublicKey.rawRepresentation.base64EncodedString() let encoder = JSONEncoder() do { let jsonData = try encoder.encode(rData) if let jsonString = String(data: jsonData, encoding: .utf8) { print("Request Payload: \(jsonString)") } } catch { print("Error encoding request model to JSON: \(error)") completion(false, "Error encoding request model") return } self.rsaReqResponseHandler(config: config, endpoint: config.services.handShake.endpoint, model: rData) { resToDecode, error in print("Response received before guard : \(resToDecode ?? "No response")") guard let responseString = resToDecode else { print("response string is nil") completion(false,error) return } print("response received: \(responseString)") let decoder = JSONDecoder() do { let request = try decoder.decode(DefaultResponseTwo.self, from: Data(responseString.utf8)) let msg = request.message let status = request.status == 1 ? true : false completion(status,msg) guard let serverPublicKeyBase64 = request.data?.value else { print("Server response is missing the value") completion(false, config.messages.serviceError) return } print("Server Public Key (Base64): \(serverPublicKeyBase64)") if serverPublicKeyBase64.isEmpty { print("Server public key is an empty string.") completion(false, config.messages.serviceError) return } guard let serverPublicKeyData = Data(base64Encoded: serverPublicKeyBase64) else { print("Failed to decode server public key from Base64. Data is invalid.") completion(false, config.messages.serviceError) return } print("Decoded server public key data: \(serverPublicKeyData)") guard let serverPublicKey = try? P256.KeyAgreement.PublicKey(rawRepresentation: serverPublicKeyData) else { print("Decoded server public key data is invalid for P-256 format.") completion(false, config.messages.serviceError) return } // Derive Shared Secret and AES Key let sSharedSecret = try sPrivateKey.sharedSecretFromKeyAgreement(with: serverPublicKey) // Derive AES Key from Shared Secret let symmetricKey = sSharedSecret.hkdfDerivedSymmetricKey( using: SHA256.self, salt: "AES".data(using: .utf8) ?? Data(), sharedInfo: Data(), outputByteCount: 32 ) // Storing AES Key in Config let symmetricKeyBase64 = symmetricKey.withUnsafeBytes { Data($0) }.base64EncodedString() print("Derived Key: \(symmetricKeyBase64)") self.config?.cryptoConfig.key = symmetricKeyBase64 AppUtils.Log(from: self, with: "Handshake Successful, AES Key Established") } catch { AppUtils.Log(from: self, with: "Handshake Failed :: \(error)") completion(false, self.config?.messages.serviceError) } } } this is request struct model public struct HandshakeRequestTwo: Codable { public var session: String? public var value: String? public enum CodingKeys: CodingKey { case session case value } public init(session: String? = nil, value: String? = nil) { self.session = session self.value = value } } This is backend's response {"message":"Success","status":1,"data":{"senderId":"POSTBANK","value":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErLxbfQzX+xnYVT1LLP5VOKtkMRVPRCoqYHcCRTM64EMEOaRU16yzsN+2PZMJc0HpdKNegJQZMmswZtg6U9JGVw=="}} This is my response struct model public struct DefaultResponseTwo: Codable { public var message: String? public var status: Int? public var data: HandshakeData? public init(message: String? = nil, status: Int? = nil, data: HandshakeData? = nil) { self.message = message self.status = status self.data = data } } public struct HandshakeData: Codable { public var senderId: String? public var value: String? public init(senderId: String? = nil, value: String? = nil) { self.senderId = senderId self.value = value } }

I have something with a new individual on my team I've never seen before. They checked out our code repository from git and now anytime they try to open a .json file that is legitimately just a text file, GateKeeper tells them it cannot verify the integrity of this file and offers to have them throw this file away. I've seen this with binaries, and that makes sense. I removed the com.apple.quarantine extended attribute from all executable files in our source tree, but I've never seen GateKeeper prompt on text files. I could remove the extended attribute from all files in our source tree, but I fear the next time he pulls from git he'll get new ones flagged. Is there someway around this? I've never personally seen GateKeeper blocking text files.

There’s a critical, actively exploited vulnerability in Apple’s iOS activation servers allowing unauthenticated XML payload injection: https://cyberpress.org/apple-ios-activation-vulnerability/ This flaw targets the core activation process, bypassing normal security checks. Despite the severity, it’s barely discussed in public security channels. Why is this not being addressed or publicly acknowledged? Apple developers and security researchers should urgently review and audit activation flows—this is a direct attack vector on device trust integrity. Any insights or official response appreciated.

Hello, first time poster here. I'm struggling to find any info/documentation on why bluetooth game controllers DON'T require bluetooth entitlement when app sandboxing is enabled but do require USB. any pointers would be much appriciated Chris

I was curious as to the procedure for having an encryption key leaked and was hoping to have your opinions on how these two questions will be answered [if you were in the position]. Q1: Let's say, for instance, that you're making a social media network that stores private messages in a database network (such as Firebase) and uses basic encryption to store that data into an encrypted format (e.g., text message: "Hello Mous772!"; Firebase data: "deaErG5gao7J5qw/QI3EOA=="). But oh no! Someone got access to the encryption key used to encrypt hundreds of thousands of messages. You cannot simply delete thousands of messages because of this hacker, so how should you deal with this? This is where my question comes in. Is it possible to change the encryption key for all of the data if I am using the code system at the bottom of this question and using that code system to store encrypted data in Firebase? If so, how would you go about doing that? (Please use simple language; I'm not good with this stuff). Q2: What, in your opinion, is the best way to prevent this in the first place? I was told that a good solution was to store two sets of the same data; when one kegs it, we shut down the original and use the backup; however, this does not sound sustainable at all. I want to know what steps can be taken to ensure this never happens. [Please don't give me "Well... you can never *really hide these keys!" I'm well aware it's not possible to never have them leaked ever; I'm just looking for best practices only.] This is the encryption system we are using for this hypothetical app. // MARK: Value // MARK: Private private let key: Data private let iv: Data // MARK: - Initialzier init?(key: String, iv: String) { guard key.count == kCCKeySizeAES128 || key.count == kCCKeySizeAES256, let keyData = key.data(using: .utf8) else { debugPrint("Error: Failed to set a key.") return nil } guard iv.count == kCCBlockSizeAES128, let ivData = iv.data(using: .utf8) else { debugPrint("Error: Failed to set an initial vector.") return nil } self.key = keyData self.iv = ivData } // MARK: - Function // MARK: Public func encrypt(string: String) -> Data? { return crypt(data: string.data(using: .utf8), option: CCOperation(kCCEncrypt)) } func decrypt(data: Data?) -> String? { guard let decryptedData = crypt(data: data, option: CCOperation(kCCDecrypt)) else { return nil } return String(bytes: decryptedData, encoding: .utf8) } func crypt(data: Data?, option: CCOperation) -> Data? { guard let data = data else { return nil } let cryptLength = data.count + key.count var cryptData = Data(count: cryptLength) var bytesLength = Int(0) let status = cryptData.withUnsafeMutableBytes { cryptBytes in data.withUnsafeBytes { dataBytes in iv.withUnsafeBytes { ivBytes in key.withUnsafeBytes { keyBytes in CCCrypt(option, CCAlgorithm(kCCAlgorithmAES), CCOptions(kCCOptionPKCS7Padding), keyBytes.baseAddress, key.count, ivBytes.baseAddress, dataBytes.baseAddress, data.count, cryptBytes.baseAddress, cryptLength, &bytesLength) } } } } guard Int32(status) == Int32(kCCSuccess) else { debugPrint("Error: Failed to crypt data. Status \(status)") return nil } cryptData.removeSubrange(bytesLength..<cryptData.count) return cryptData } } //let password = "UserPassword1!" //let key128 = "1234567890123456" // 16 bytes for AES128 //let key256 = "12345678901234561234567890123456" // 32 bytes for AES256 //let iv = "abcdefghijklmnop" // 16 bytes for AES128 //let aes128 = AES(key: key128, iv: iv) //let aes256 = AES(key: key256, iv: iv) //let encryptedPassword128 = aes128?.encrypt(string: password) //aes128?.decrypt(data: encryptedPassword128) //let encryptedPassword256 = aes256?.encrypt(string: password) //aes256?.decrypt(data: encryptedPassword256)

Trying to apply 'always trust' to certificate added to keychain using both SecItemAdd() and SecPKCS12Import() with SecTrustSettingsSetTrustSettings(). I created a launchdaemon for this purpose. AuthorizationDB is modified so that any process running in root can apply trust to certificate. let option = SecTrustSettingsResult.trustRoot.rawValue // SecTrustSettingsResult.trustAsRoot.rawValue for non-root certificates let status = SecTrustSettingsSetTrustSettings(secCertificate, SecTrustSettingsDomain.admin, [kSecTrustSettingsResult: NSNumber(value: option.rawValue)] as CFTypeRef). Above code is used to trust certificates and it was working on os upto 14.7.4. In 14.7.5 SecTrustSettingsSetTrustSettings() returns errAuthorizationInteractionNotAllowed. In 15.5 modifying authorization db with AuthorizationRightSet() itself is returning errAuthorizationDenied.Tried manually editing authorization db via terminal and same error occurred. Did apple update anything on Security framework? Any other way to trust certificates?

Hi, I am using CryptoKit in my app. I am getting an error sometimes with some users. I log the description to Firebase but I am not sure what is it exactly about.  CryptoKit.CryptoKitError error 2  CryptoKit.CryptoKitError error 3 I receive both of these errors. I also save debug prints to a log file and let users share them with me. Logs are line-by-line encrypted but after getting these errors in the app also decryption of log files doesn't work and it throws these errors too. I couldn't reproduce the same error by myself, and I can't reach the user's logs so I am a little blind about what triggers this. It would be helpful to understand what these errors mean. Thanks

My high-level goal is to add support for Game Mode in a Java game, which launches via a macOS "launcher" app that runs the actual java game as a separate process (e.g. using the java command line tool). I asked this over in the Graphics & Games section and was told this, which is why I'm reposting this here. I'm uncertain how to speak to CLI tools and Java games launched from a macOS app. These sound like security and sandboxing questions which we recommend you ask about in those sections of the forums. The system seems to decide whether to enable Game Mode based on values in the Info.plist (e.g. for LSApplicationCategoryType and GCSupportsGameMode). However, the child process can't seem to see these values. Is there a way to change that? (The rest of this post is copied from my other forums post to provide additional context.) Imagine a native macOS app that acts as a "launcher" for a Java game.** For example, the "launcher" app might use the Swift Process API or a similar method to run the java command line tool (lets assume the user has installed Java themselves) to run the game. I have seen How to Enable Game Mode. If the native launcher app's Info.plist has the following keys set: LSApplicationCategoryType set to public.app-category.games LSSupportsGameMode set to true (for macOS 26+) GCSupportsGameMode set to true The launcher itself can cause Game Mode to activate if the launcher is fullscreened. However, if the launcher opens a Java process that opens a window, then the Java window is fullscreened, Game Mode doesn't seem to activate. In this case activating Game Mode for the launcher itself is unnecessary, but you'd expect Game Mode to activate when the actual game in the Java window is fullscreened. Is there a way to get Game Mode to activate in the latter case? ** The concrete case I'm thinking of is a third-party Minecraft Java Edition launcher, but the issue can also be demonstrated in a sample project (FB13786152). It seems like the official Minecraft launcher is able to do this, though it's not clear how. (Is its bundle identifier hardcoded in the OS to allow for this? Changing a sample app's bundle identifier to be the same as the official Minecraft launcher gets the behavior I want, but obviously this is not a practical solution.)

I am using the CryptoKit SecureEnclave enum to generate Secure Enclave keys. I've got a couple of questions: What is the lifetime of these keys? When I don't store them somewhere, how does the Secure Enclave know they are gone? Do backups impact these keys? I.e. can I lose access to the key when I restore a backup? Do these keys count to the total storage capacity of the Secure Enclave? If I recall correctly, the Secure Enclave has a limited storage capacity. Do the SecureEnclave key instances count towards this storage capacity? What is the dataRepresentation and how can I use this? I'd like to store the Secure Enclave (preferably not in the Keychain due to its limitations). Is it "okay" to store this elsewhere, for instance in a file or in the UserDefaults? Can the dataRepresentation be used in other apps? If I had the capability of extracting the dataRepresentation as an attacker, could I then rebuild that key in my malicious app, as the key can be rebuilt with the Secure Enclave on the same device, or are there measures in place to prevent this (sandbox, bundle id, etc.)

Hi, I’m currently working on an app that uses a third-party SDK to perform smart card authentication via PKCS#11 APIs. Specifically, the app interacts with the smart card to retrieve certificates, detect the card reader, and perform encryption and decryption operations on provided data. I’m wondering if it's possible to replace the PKCS#11 APIs and the third-party SDK with Apple's CryptoTokenKit framework. Does CryptoTokenKit provide equivalent functionality for smart card authentication, certificate management, and encryption/decryption operations? Additionally, I’ve come across the following CryptoTokenKit documentation: CryptoTokenKit API - TKSmartCardSlotManager Could you provide an example code or any guidance on how to implement this functionality using CryptoTokenKit, particularly for interacting with smart cards, managing certificates, and performing cryptographic operations? Thank you for your assistance.

I was referred to here, #102484182418 I'm trying to setup apple login on my community site but I'm having a hard time getting it to work. I keep getting "invalid_request​ Invalid client id or web redirect url." The last tech said she thanks its setup right but we could not get it to work. Here are my steps https://xenforo.com/docs/xf2/connected-account-apple/ I just someone to look at my Certificates, Identifiers &amp; Profiles and make sure I have them setup right.

Hi We use login using apple id feature in our website. However when it comes to apple id, it is possible for user to hide the original email and show a relay email. We have found that this relay email doesn't work Hence looking for a possible solution to acquire the real email from the user. Is there a possibility in doing that? any help would be greatly appreciated. Best Regards Hasintha

When I tried to launch my application from non-gui process (from launch daemon) NSworkspace openApplicationAtURL failed if I tried to run it when my device on the login screen. Everything is working if someone logged in, but on the login screen I have the error The application “TestApp” could not be launched because a miscellaneous error occurred. with code 256 NSWorkspace* workspace = [NSWorkspace sharedWorkspace]; NSWorkspaceOpenConfiguration* config = [NSWorkspaceOpenConfiguration configuration]; config.createsNewApplicationInstance = YES; config.activates = NO; config.promptsUserIfNeeded = NO; config.addsToRecentItems = NO; [workspace openApplicationAtURL: appURL configuration: config completionHandler:^(NSRunningApplication *app, NSError *error) { }]; Sometimes after the third try it works, sometimes not at all. I try to use "open" command, it works on MacOS Sequoia, but not working for operating systems below, I see this error The application cannot be opened for an unexpected reason, error=Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x600002998120 {Error Domain=OSLaunchdErrorDomain Code=125 "Domain does not support specified action" UserInfo={NSLocalizedFailureReason=Domain does not support specified action}}} All these problems occur only on the login screen. I'm developing screen share utility, so I need somehow to launch my application on the login screen. Could someone please help me understand what is recommended way to launch application on the login screen?

Under iOS 18.0.1, I can't do any development that uses HTTPS, because I can't authorize my generated certificates on my phone. This was not a problem in the past. Normally you AirDrop a root certificate authority to your phone, install the "profile" for it, and then trust it in Settings / General / About / Certificate Trust Authority. Then you can connect to another server on your network that's using the accompanying certificates. But after sucessfully installing two profiles on my phone, neither shows up in Certificate Trust Authority. Anybody else seeing this? This problem, in combo with this one (which prevents running on my Mac as an iPad app) has completely halted my project. I've found reports of this problem that blamed an empty "common name" field in the certs, but that field is populated in both of these.

We recently deployed Attestation on our application, and for a majority of the 40,000 users it works well. We have about six customers who are failing attestation. In digging through debug logs, we're seeing this error "iOS assertion verification failed. Unauthorized access attempted." We're assuming that the UUID is blocked somehow on Apple side but we're stumped as to why. We had a customer come in and we could look at the phone, and best we can tell it's just a generic phone with no jailbroken or any malicious apps. How can we determine if the UUID is blocked?