Hello everyone, We have an iOS XCFramework that we distribute to our clients, and we're exploring ways to enhance its security. Specifically, we’d like to isolate the most sensitive code by running it in a separate process, making it harder to tamper with. During our research, we considered using XPC for iOS but found its functionality to be quite limited. We also explored App Extensions, but unfortunately, they cannot be integrated into an XCFramework. This leads us to the question: Is it possible to spawn a new process to run in parallel with the main one in iOS? If so, could you provide guidance or suggest alternative approaches to achieve this within the constraints of iOS development? Thank you in advance for your insights and advice! Best regards, Stoyan

Hi, I'm leveraging ASAuthorizationSecurityKeyPublicKeyCredentialProvider to authenticate users to an internal service using security keys or passkeys. I'm not using Sign in with Apple - registration is done in another internal service. We're using associated domains. This is on MacOS only. I'm wondering whether I can programatically determine whether the user has a passkey enrolled with our super-secret-internal-service.com domain already? The reason I'm asking is simply better UX - if the user doesn't have a passkey enrolled, I'd like to avoid offering them an option to use a platform authenticator and only offer them to tap their security key. We can assume that all users already have their security keys enrolled already. So something like the following: let securityKeyProvider = ASAuthorizationSecurityKeyPublicKeyCredentialProvider(relyingPartyIdentifier: options.rpId) let securityKeyRequest = securityKeyProvider.createCredentialAssertionRequest(challenge: options.challenge.data(using: .utf8) ?? Data()) let platformProvider = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: options.rpId) let platformKeyRequest = platformProvider.createCredentialAssertionRequest(challenge: options.challenge.data(using: .utf8) ?? Data()) var authRequests: [ASAuthorizationRequest] = [securityKeyRequest] if (userHasPasskeyForDomain("super-secret-internal-service.com")) { // TODO how do I check this?? authRequests.append(platformKeyRequest) } let authController = ASAuthorizationController(authorizationRequests: [platformKeyRequest, securityKeyRequest]) Many thanks!

I'm developing an authorization plugin for macOS and encountering a problem while trying to store a password in the system keychain (file-based keychain). The error message I'm receiving is: Failed to add password: Write permissions error. Operation status: -61 Here’s the code snippet I’m using: import Foundation import Security @objc class KeychainHelper: NSObject { @objc static func systemKeychain() -> SecKeychain? { var searchListQ: CFArray? = nil let err = SecKeychainCopyDomainSearchList(.system, &searchListQ) guard err == errSecSuccess else { return nil } let searchList = searchListQ! as! [SecKeychain] return searchList.first } @objc static func storePasswordInSpecificKeychain(service: String, account: String, password: String) -> OSStatus { guard let systemKeychainRef = systemKeychain() else { print("Error: Could not get a reference to the system keychain.") return errSecNoSuchKeychain } guard let passwordData = password.data(using: .utf8) else { print("Failed to convert password to data.") return errSecParam } let query: [String: Any] = [ kSecClass as String: kSecClassGenericPassword, kSecAttrService as String: service, kSecAttrAccount as String: account, kSecValueData as String: passwordData, kSecUseKeychain as String: systemKeychainRef // Specify the System Keychain ] let status = SecItemAdd(query as CFDictionary, nil) if status == errSecSuccess { print("Password successfully added to the System Keychain.") } else if status == errSecDuplicateItem { print("Item already exists. Consider updating it instead.") } else { print("Failed to add password: \(SecCopyErrorMessageString(status, nil) ?? "Unknown error" as CFString)") } return status } } I am callling storePasswordInSpecificKeychain through the objective-c code. I also used privileged in the authorizationDb (system.login.console). Are there specific permissions that need to be granted for an authorization plugin to modify the system keychain?

I am using the Secure Enclave to generate private keys with kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly and SecAccessControlCreateFlags.biometryCurrentSet. The public key is derived from the Secure Enclave private key at creation and stored in the Keychain for later retrieval. During testing, I observed the following: When the device's passcode is removed, the public key stored in the Keychain is deleted as expected. However, the private key in the Secure Enclave can still be fetched using SecItemCopyMatching, despite being tied to the passcode for protection. My questions are: Is this behavior expected? How does the Secure Enclave manage private keys in scenarios where the passcode is removed? Is there a way to ensure that the Secure Enclave private key is deleted entirely (not just rendered inaccessible) when the passcode is removed? Any clarification or relevant documentation references would be very helpful. Thank you!

I am currently using the ability to log in with my Instagram account using ASWebAuthenticationSession and it is not working! I filled in the URL directly and there was no problem on the web, but when I run it in SwiftUI in Xcode, it doesn't work and Error: The operation couldn’t be completed. (com.apple.AuthenticationServices.WebAuthenticationSession error 2.) I get this error. I was told that I need a custom scheme to return to mobile, but the Instagram redirect URL says no custom scheme. What should I do? IDs and URLs are placed under assumption. I have no idea since this is my first implementation. Should I send the scheme URL from the website to mobile once using Django or something else? import SwiftUI import AuthenticationServices struct InstagramLoginView: View { @State private var authSession: ASWebAuthenticationSession? @State private var token: String = "" @State private var showAlert: Bool = false @State private var alertMessage: String = "" var body: some View { VStack { Text("Instagram Login") .font(.largeTitle) .padding() Button(action: { startInstagramLogin() }) { Text("Login with Instagram") .padding() .background(Color.blue) .foregroundColor(.white) .cornerRadius(10) } if !token.isEmpty { Text("Token: \(token)") .padding() } } .alert(isPresented: $showAlert) { Alert(title: Text("Error"), message: Text(alertMessage), dismissButton: .default(Text("OK"))) } } func startInstagramLogin() { let clientID = "XXXXXXXXXX" // Instagram client ID let redirectURI = "https://example.com" // Instagram Redirect URI guard let authURL = URL(string: "https://api.instagram.com/oauth/authorize?client_id=\(clientID)&redirect_uri=\(redirectURI)&scope=user_profile,user_media&response_type=code") else { print("Invalid URL") return } authSession = ASWebAuthenticationSession(url: authURL, callbackURLScheme: "customscheme") { callbackURL, error in if let error = error { print("Error: \(error.localizedDescription)") return } guard let callbackURL = callbackURL else { print("Invalid callback URL") return } if let code = URLComponents(string: callbackURL.absoluteString)?.queryItems?.first(where: { $0.name == "code" })?.value { print("Authorization code: \(code)") getInstagramAccessToken(authCode: code) } } authSession?.start() } func getInstagramAccessToken(authCode: String) { let tokenURL = "https://api.instagram.com/oauth/access_token" var request = URLRequest(url: URL(string: tokenURL)!) request.httpMethod = "POST" let clientID = "XXXXXXXXXXXX" let clientSecret = "XXXXXXXXXXXXXX" // Instagram clientSecret let redirectURI = "https://example.com/" let params = "client_id=\(clientID)&client_secret=\(clientSecret)&grant_type=authorization_code&redirect_uri=\(redirectURI)&code=\(authCode)" request.httpBody = params.data(using: .utf8) request.setValue("application/x-www-form-urlencoded", forHTTPHeaderField: "Content-Type") URLSession.shared.dataTask(with: request) { data, response, error in if let error = error { print("Error: \(error.localizedDescription)") return } guard let data = data else { print("No data") return } if let jsonResponse = try? JSONSerialization.jsonObject(with: data, options: []) as? [String: Any], let accessToken = jsonResponse["access_token"] as? String { print("Access Token: \(accessToken)") // ここでアクセストークンを使用してInstagram APIにアクセスする } else { print("Failed to get access token") } }.resume() } } #Preview { InstagramLoginView() }

Hello developers, I'm currently working on an authorization plugin for macOS. I have a custom UI implemented using SFAuthorizationPluginView, which prompts the user to input their password. The plugin is running in non-privileged mode, and I want to store the password securely in the system keychain. However, I came across an article that states the system keychain can only be accessed in privileged mode. At the same time, I read that custom UIs, like mine, cannot be displayed in privileged mode. This presents a dilemma: In non-privileged mode: I can show my custom UI but can't access the system keychain. In privileged mode: I can access the system keychain but can't display my custom UI. Is there any workaround to achieve both? Can I securely store the password in the system keychain while still using my custom UI, or am I missing something here? Any advice or suggestions are highly appreciated! Thanks in advance! 😊

Hello, I'm currently working on an authorization plugin for macOS. I have a custom UI implemented using SFAuthorizationPluginView (NameAndPassword), which prompts the user to input their password. The plugin is running in non-privileged mode, and I want to store the password securely in the system keychain. However, I came across this article that states the system keychain can only be accessed in privileged mode. At the same time, I read that custom UIs, like mine, cannot be displayed in privileged mode. This presents a dilemma: In non-privileged mode: I can show my custom UI but can't access the system keychain. In privileged mode: I can access the system keychain but can't display my custom UI. Is there any workaround to achieve both? Can I securely store the password in the system keychain while still using my custom UI, or am I missing something here? Any advice or suggestions are highly appreciated! Thanks in advance!

I'm currently implementing a function in SwiftUI to log in with my Instagram account. It's not working, I'm creating a Firebase Auth function and it comes back to the redirect URL. This may happen if browser sessionStorage is inaccessible or accidentally cleared. This may happen if browser sessionStorage is inaccessible or accidentally cleared. I get this error. I can't implement it. I have tried various methods, but all have failed. If anyone knows how to do this, please help. import SwiftUI import AuthenticationServices import FirebaseAuth struct InstagramLoginView: View { var body: some View { VStack { Text("Login with Instagram") // タイトル Button(action: { // ボタンが押された時にInstagramのログイン処理を開始 InstagramLoginHelper().startInstagramLogin() }) { Text("Login with Instagram") .padding() .background(Color.blue) .foregroundColor(.white) .cornerRadius(8) } } } } class InstagramLoginHelper: NSObject, ASWebAuthenticationPresentationContextProviding { func startInstagramLogin() { let clientID = "XXXXXXXXXXXX" let redirectURI = "https://XXXXXXXXXXX.firebaseapp.com/__/auth/handler" let authURL = "https://api.instagram.com/oauth/authorize?client_id=\(clientID)&redirect_uri=\(redirectURI)&scope=user_profile,user_media&response_type=code" let schem = "XXXXXXXXXXXX" if let url = URL(string: authURL) { let session = ASWebAuthenticationSession(url: url, callbackURLScheme: schem) { callbackURL, error in if let error = error { print("Error during authentication: \(error.localizedDescription)") return } if let callbackURL = callbackURL, let code = URLComponents(string: callbackURL.absoluteString)?.queryItems?.first(where: { $0.name == "code" })?.value { // 認証コードを使ってFirebaseでログインする self.loginWithInstagram(authCode: code) } } session.presentationContextProvider = self session.start() } } func loginWithInstagram(authCode: String) { // Firebaseのauthインスタンスを取得 let auth = Auth.auth() // InstagramのOAuthプロバイダを使用する let provider = OAuthProvider(providerID: "instagram.com") // Instagramの認証コードを使って、プロバイダの認証資格情報を生成 provider.getCredentialWith(nil) { credential, error in if let error = error { print("Error during authentication: \(error.localizedDescription)") return } if let credential = credential { // Firebaseにログイン auth.signIn(with: credential) { authResult, error in if let error = error { print("Error during Firebase authentication: \(error.localizedDescription)") } else { print("Successfully authenticated with Firebase.") } } } } } // ASWebAuthenticationPresentationContextProvidingの実装 func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor { return UIApplication.shared.windows.first { $0.isKeyWindow } ?? ASPresentationAnchor() } } #Preview { InstagramLoginView() }

I am currently implementing an authentication function using ASWebAuthenticationSession to log in with my Instagram account. I set a custom scheme for the callbackURLScheme, but In the Instagram redirect URL I was told I can't use a custom scheme. What should I do with the callbackURLScheme of the ASWebAuthenticationSession in this case?

We have special use case, We have two apps, App A (Electron) and App B (Swift). App B when run independently works completely fine but when bundles with App A and shipped as dmg, App B doesn't prompt for microphone permission anymore. What can be issue? What's right way to ship both app together such that App B is hidden and launched through App A only? How can I figure out what changes after App B is bundled and comes with App A. Even if I produce dmg of App A and install it on same system, App B doesn't ask for microphone permission anymore.

Hi all, I’m trying to find a documentation about the supported encryption algorithms for p12 files to be imported in iOS. I can see in iOS 18 changelog that AES-256-CBC is now supported, but cannot find a detailed view on which list of algorithms are supported. Would appreciate it if you could point me in the right direction! Thanks in advance

I use activeInputModes in my app. I require the users to use English keyboard on one view controller in my app. At that page, I access the activeInputModes and return the English system keyboard. I don't customize the keyboard. Which one should I choose? In your NSPrivacyAccessedAPITypeReasons array, supply the relevant values from the list below. 3EC4.1 Declare this reason if your app is a custom keyboard app, and you access this API category to determine the keyboards that are active on the device. Providing a systemwide custom keyboard to the user must be the primary functionality of the app. Information accessed for this reason, or any derived information, may not be sent off-device. 54BD.1 Declare this reason to access active keyboard information to present the correct customized user interface to the person using the device. The app must have text fields for entering or editing text and must behave differently based on active keyboards in a way that is observable to users.

For starters, I save this IPS in my Files app and the next day permissions were no longer available for me to copy or duplicate. This is a brand new iPhone from Apple. It is a 14 Pro Max any help would be appreciated. { SharingViewService-2024-10-15.txt The sharingview ips

I wrote a Keychain controller that add, delete and fetch keychain items using SecItemAdd(_:_:)and related APIs with data protection keychain enabled (kSecUseDataProtectionKeychain). I am using it in a macOS Cocoa app. I am using Swift Testing to write my tests to ensure that the controller works as expected. As I understand, I should create my own keychain for testing rather than use the actual keychain in macOS. Currently, I created a separate keychain group (e.g. com.testcompany.testapp.shared) and added it to myapp.entitlements file so that the tests pass without failing because of the missing entitlement file. SecKeychainCreate(_:_:_:_:_:_:) and SecKeychainDelete(_:) API are deprecated with no alternative provided in the documentation. I noticed SecKeychain class but documentation doesn't explain much about it. How should I test my keychain controller properly so that it does not use the actual macOS keychain, which is the "production" keychain?

With the update to iOS version 18.0, there was a significant improvement in information security and user privacy, allowing apps to be locked using FaceID (or TouchID), with no possibility of using the phone's unlock passcode to access the locked app (see reference: https://www.reddit.com/r/Wealthsimple/comments/1fr1nnj/psa_ios_18_require_face_id_feature_mitigates/). As a result, even if someone else knew your iPhone unlock passcode, they wouldn't be able to open the locked apps, as FaceID (or TouchID) would be required. However, after updating to iOS 18.1.1, someone who knows your iPhone unlock passcode and is using your iPhone (or has stolen your iPhone and requested the unlock passcode) can inadvertently open the locked apps, because after a few failed attempts to open the locked app without FaceID (or TouchID), the iPhone will prompt for the unlock passcode to open the locked app. Even if the user has moved the app to the hidden folder, the content of that folder and the hidden apps within it can be opened with the iPhone unlock passcode after several failed attempts to open the hidden app without FaceID (or TouchID). It would be very important for users if this security and privacy weakness were eliminated, returning to what iOS 18.0 did: the only way to open a locked app is through FaceID (or TouchID), and it would not be possible to open it with the iPhone unlock passcode.

I've written a little utility targeting Mac, for personal use. In it, I need to be able to select a file from an arbitrary location on my drive. I have the "user selected file" entitlement added, and I have added my application to "Full Disk Access." But I still get a permissions error when I select a file with the file-open dialog (via .fileImporter). I dragged the application from the Xcode build directory to Applications before adding it to Full Disk Access. Any ideas?

I have been working with custom keys in Crashlytics. After triggering a manual crash, I encountered a missing dSYM file error. Even after uploading the required dSYM file, the crash report is not appearing under the Issues section. How can I resolve this and retrieve the crash report?

I am trying to generate public and private keys for an ECDH handshake. Back end is using p256 for public key. I am getting a failed request with status 0 public func makeHandShake(completion: @escaping (Bool, String?) -> ()) { guard let config = self.config else { completion(false,APP_CONFIG_ERROR) return } var rData = HandshakeRequestTwo() let sessionValue = AppUtils().generateSessionID() rData.session = sessionValue //generating my ECDH Key Pair let sPrivateKey = P256.KeyAgreement.PrivateKey() let sPublicKey = sPrivateKey.publicKey let privateKeyBase64 = sPrivateKey.rawRepresentation.base64EncodedString() print("My Private Key (Base64): \(privateKeyBase64)") let publicKeyBase64 = sPublicKey.rawRepresentation.base64EncodedString() print("My Public Key (Base64): \(publicKeyBase64)") rData.value = sPublicKey.rawRepresentation.base64EncodedString() let encoder = JSONEncoder() do { let jsonData = try encoder.encode(rData) if let jsonString = String(data: jsonData, encoding: .utf8) { print("Request Payload: \(jsonString)") } } catch { print("Error encoding request model to JSON: \(error)") completion(false, "Error encoding request model") return } self.rsaReqResponseHandler(config: config, endpoint: config.services.handShake.endpoint, model: rData) { resToDecode, error in print("Response received before guard : \(resToDecode ?? "No response")") guard let responseString = resToDecode else { print("response string is nil") completion(false,error) return } print("response received: \(responseString)") let decoder = JSONDecoder() do { let request = try decoder.decode(DefaultResponseTwo.self, from: Data(responseString.utf8)) let msg = request.message let status = request.status == 1 ? true : false completion(status,msg) guard let serverPublicKeyBase64 = request.data?.value else { print("Server response is missing the value") completion(false, config.messages.serviceError) return } print("Server Public Key (Base64): \(serverPublicKeyBase64)") if serverPublicKeyBase64.isEmpty { print("Server public key is an empty string.") completion(false, config.messages.serviceError) return } guard let serverPublicKeyData = Data(base64Encoded: serverPublicKeyBase64) else { print("Failed to decode server public key from Base64. Data is invalid.") completion(false, config.messages.serviceError) return } print("Decoded server public key data: \(serverPublicKeyData)") guard let serverPublicKey = try? P256.KeyAgreement.PublicKey(rawRepresentation: serverPublicKeyData) else { print("Decoded server public key data is invalid for P-256 format.") completion(false, config.messages.serviceError) return } // Derive Shared Secret and AES Key let sSharedSecret = try sPrivateKey.sharedSecretFromKeyAgreement(with: serverPublicKey) // Derive AES Key from Shared Secret let symmetricKey = sSharedSecret.hkdfDerivedSymmetricKey( using: SHA256.self, salt: "AES".data(using: .utf8) ?? Data(), sharedInfo: Data(), outputByteCount: 32 ) // Storing AES Key in Config let symmetricKeyBase64 = symmetricKey.withUnsafeBytes { Data($0) }.base64EncodedString() print("Derived Key: \(symmetricKeyBase64)") self.config?.cryptoConfig.key = symmetricKeyBase64 AppUtils.Log(from: self, with: "Handshake Successful, AES Key Established") } catch { AppUtils.Log(from: self, with: "Handshake Failed :: \(error)") completion(false, self.config?.messages.serviceError) } } } this is request struct model public struct HandshakeRequestTwo: Codable { public var session: String? public var value: String? public enum CodingKeys: CodingKey { case session case value } public init(session: String? = nil, value: String? = nil) { self.session = session self.value = value } } This is backend's response {"message":"Success","status":1,"data":{"senderId":"POSTBANK","value":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErLxbfQzX+xnYVT1LLP5VOKtkMRVPRCoqYHcCRTM64EMEOaRU16yzsN+2PZMJc0HpdKNegJQZMmswZtg6U9JGVw=="}} This is my response struct model public struct DefaultResponseTwo: Codable { public var message: String? public var status: Int? public var data: HandshakeData? public init(message: String? = nil, status: Int? = nil, data: HandshakeData? = nil) { self.message = message self.status = status self.data = data } } public struct HandshakeData: Codable { public var senderId: String? public var value: String? public init(senderId: String? = nil, value: String? = nil) { self.senderId = senderId self.value = value } }

In our application, we store user information (Username, Password, accessToken, Refresh token, etc.) in the keychain. However, after performing a hard reboot (unplugging and plugging back in), when we attempt to retrieve the ‘refresh token’ or ‘access token’ from the keychain, we receive the old token instead of the newly saved one.

Hi there, I'm continuing to build up the API on keychain, I'm trying to implement the ability to create an own certificate chain for validation purposes, similar to ssl. To this extent I need to retrieve the certificates from the System's stores but I can't seem to find a way to do this in code? Creating a query with kSecMatchTrustedOnly only returns certificates which are seemingly manually marked as trusted or otherwise just skips over the System roots keychain. As far as I understand using kSecUseKeychain doesn't work either, since (besides SecKeychain being deprecated) it only works with SecItemAdd.