Prioritize user privacy and data security in your app. Discuss best practices for data handling, user consent, and security measures to protect user information.

Post | Replies | Boosts | Views | Activity


Bypass ASLR for debugging purposes
Hello, look at this basic C program: #include <stdio.h> int main(void) { printf("%p\n", (void *)main); return 0; } The displayed address changes on each run. This is due to ASLR. Is there a way to launch a program while forcing the main module's base address? I would like to do something like this in my terminal: $ BASE_ADDRESS=0x10000 ./a.out How can I do that on macOS? Is it possible to force base address loading for shared libraries too? Thanks
Replies: 3 | Boosts: 0 | Views: 685 | Activity: Oct ’23
The ASCredentialProviderViewController method is not executing.
Hello, when I attempted to use the passkey, the method - (void)prepareCredentialListForServiceIdentifiers:(NSArray<ASCredentialServiceIdentifier *> *)serviceIdentifiers requestParameters:(ASPasskeyCredentialRequestParameters *)requestParameters API_AVAILABLE(ios(17.0), macos(14.0)) API_UNAVAILABLE(watchos, tvos); didn't execute. Are there any specific prerequisites for this method to run? I would appreciate your assistance. Thank you.
Replies: 3 | Boosts: 0 | Views: 394 | Activity: Oct ’23
Developer account required for key generation
I've been reading information and signing data using keys in the file keychain without too many problems, but the other day I tried to generate a private key in the file and Secure Enclave keychains and I faced the -30418 error. I made sure that the entitlements were correct based on previous posts, but still no luck. Code kind of based off this: https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/protecting_keys_with_the_secure_enclave Do you actually need to pay for the $99-per-year developer account to generate private keys inside the keychains?
Replies: 1 | Boosts: 0 | Views: 617 | Activity: Oct ’23
SecKeyCreateSignature with LAContext.invalidate
I have some code where I'm using SecKeyCreateSignature with a SecKey that I retrieved using SecItemCopyMatching with an LAContext provided to the query via the kSecUseAuthenticationContext parameter. This is a biometrically backed key, so a Touch ID prompt is displayed for the user. Calling LAContext.invalidate() while that system prompt is present doesn't dismiss the prompt or cancel the SecKeyCreateSignature call. I was hoping that would behave similarly to calling LAContext.invalidate during LAContext.evaluatePolicy, which dismisses the system prompt and cancels the evaluatePolicy call. Is this a bug/oversight, expected behaviour, or am I missing some required setup to accomplish what I'm trying to do?
Replies: 1 | Boosts: 0 | Views: 605 | Activity: Oct ’23
How to prolong showing custom UI in Lockscreen of MacOS.
Hello, I made a mechanism that shows my custom user interface in the lock screen of macOS by using the example in https://developer.apple.com/library/archive/samplecode/NameAndPassword/ The UI is displayed as required and works perfectly. But it automatically gets removed from the display when there is no input from the user for 30 seconds. I need to prolong that time as I need to support multiple-factor verifications such as push notification (where the user needs to accept a push notification on a mobile device rather than on the Mac) and security key (where the user needs to insert and tap a security device without giving any input on the keyboard or trackpad). Please suggest any solution regarding ways to achieve this. Any information is appreciated. Thank you.
Replies: 1 | Boosts: 0 | Views: 422 | Activity: Oct ’23
App does not show camera usage description
My app was rejected because the camera usage description was too vague. When I went back to update it with clearer language, the description now does not show up at all. I've edited the Privacy - Camera Usage Description in Info.plist targeting the iOS app, but it still does not show up. I looked at this old thread, but I've already followed the steps suggested therein to no avail.
Replies: 2 | Boosts: 0 | Views: 480 | Activity: Oct ’23
App Name missing from Touch ID Request on macOS
Hi there, bit of an odd one. We have no idea how this happened, but now we can't seem to figure out how to fix it. Our app requests Touch ID on macOS to authenticate a user. This is done in the ever so standard way [LAContext evaluatePolicy:...]... Functionally everything is fine, but for some reason there is no App Name on the system dialog... We don't even know when this started happening... Our App Icon is there but not the name; it's blank, so the dialog looks strange (see attached pic). The text doesn't really make sense without the App Name. I wouldn't have even thought this was possible; the standard Info.plist keys like CFBundleName and CFBundleDisplayName are all set correctly. Everything else seems totally fine. We're seeing this across every target/build/version/SKU, so it seems unrelated to a particular plist. There are no localizations for the App Name either, no InfoPlist.strings involved here. What could cause this, does anyone know? @eskimo, I'm afraid turning things up to 11 didn't help, so hoping you've got an idea?
Replies: 6 | Boosts: 0 | Views: 732 | Activity: Oct ’23
Algorithm kSecKeyAlgorithmRSASignatureRaw not supported on the Mac platform when using the method SecKeyCreateSignature
On my Mac platform I try to use the method SecKeyCreateSignature to sign data with the algorithm kSecKeyAlgorithmRSASignatureRaw, but it always fails. I double-checked the support status, but it failed with this sample code: if (!SecKeyIsAlgorithmSupported(privKeyRef, kSecKeyOperationTypeSign, kSecKeyAlgorithmRSASignatureRaw)) { return 0; } But on my iOS client, kSecKeyAlgorithmRSASignatureRaw works well. If I cannot use the algorithm kSecKeyAlgorithmRSASignatureRaw, which algorithm can I use to get the same signed result by signing the given to-be-signed raw data?
Replies: 1 | Boosts: 0 | Views: 333 | Activity: Nov ’23
Performance degradation using Endpoint Security library on Sonoma
Hello community, we have been using an Endpoint Security client within a system extension for quite a while now. After some users updated macOS to Sonoma, we got complaints about slower performance when using MS Office on Mac. The product features work as expected, and our system extension is loaded and delivers events. Upon inspection of the log files, we found the following (but not on all machines): [com.apple.TCC:access] Failed to create LSApplicationRecord for file:///Library/SystemExtensions/0062566E-9869-4CC4-A666-F641F5C011CD/com.sophos.endpoint.scanextension.systemextension/: 'The operation couldn’t be completed. (OSStatus error -10811.)' and [com.apple.TCC:access] -[TCCDAccessIdentity staticCode]: static code for: identifier com.sophos.endpoint.scanextension, type: 0: 0x7fb63da318c0 at /Library/SystemExtensions/0062566E-9869-4CC4-A666-F641F5C011CD/com.sophos.endpoint.scanextension.systemextension for almost each event delivered. We are using XPC from the system extension to a non-privileged daemon process to process file content. A feedback has already been filed: FB13174804 An additional code-level support request was returned without any explanation. Signing checks of the system extension and the containing app (daemon) on Sonoma turn up without any errors. Any idea what's going on here? Frank Fenn Sophos Inc.
Replies: 5 | Boosts: 0 | Views: 1k | Activity: Nov ’23
Guideline 5.1.2 - Legal - Privacy - Data Collection and Storage
We noticed that your app collects information about the user’s friends, contacts, or other third-party persons without the knowledge or consent of those parties. Specifically, the app allows users to enter an IMEI from an iOS device and obtain information. The App Store is designed to be a safe and trusted place for users to discover apps and apps on the App Store are held to a high standard for privacy, security, and content. Next Steps To resolve this issue, please remove any features that collect personal third-party user data from your app. I have a problem with that, but in my app I ask the user to accept the Terms of Use & Privacy Policy for using the owner's serial or IMEI for the main content! But App Review always rejects my project. Please help me, thanks a lot, everyone have a nice day!
Replies: 1 | Boosts: 0 | Views: 412 | Activity: Nov ’23
How can I create a raw signature using SecKeyCreateSignature?
Hi there, I'm trying to do a raw signature, but SecKeyRawSign is deprecated, so I am wondering if there is any way to do it using SecKeyCreateSignature, an EC key and the kSecKeyAlgorithmECDSASignatureMessageX962SHA256 algorithm. I've noticed that this method applies a hash before signing the data, and I want to avoid that. Is that possible? If not, what other options do I have? Thanks in advance.
Replies: 1 | Boosts: 0 | Views: 609 | Activity: Nov ’23
Authorization-plugin: Invoke the Core Bluetooth APIs from the plugin
Hello, is it possible to interact with a nearby device through Bluetooth LE from the authorization plugin? Currently, I have: a plugin bundle, registered with the authorization mechanisms; a daemon that I have set up to contain all the business logic; added the com.apple.security.device.bluetooth entitlement to the daemon package, to allow Bluetooth communication; registered the daemon through LaunchDaemons so that it is managed by launchd. And I'm using XPC to communicate between the plugin and the daemon. When I send the request to the daemon to scan for peripherals, I get a TCC error: 0xd5a Error 0x23e5 161 0 tccd: [com.apple.TCC:access] Refusing TCCAccessRequest for service kTCCServiceBluetoothAlways from client Sub:{...} in background session The above error seems to suggest that I can't grant the Bluetooth permission from the daemon itself. Is there a recommended way to grant permissions before running it? And if granted, would I be able to utilize the framework successfully from the logon screen? Other options I have tried: Invoking the framework directly from the plugin, which failed. Probably because the Security Agent process isn't entitled to communicate via Bluetooth and it would require changing the host process entitlements plist, which I don't have access to? 🤔 Attempting to use a launch agent in lieu of a daemon, with the proper entitlement, but that didn't work either. Probably because launch agents are loaded after the user has successfully logged in and I was invoking it before? 🤔 And lastly, I looked into the possibility of utilizing the Privacy Preferences MDM payload to grant access, but it seems like the MDM options do not include Bluetooth support. Is there any other way to accomplish this? Thank you!
Replies: 2 | Boosts: 0 | Views: 501 | Activity: Nov ’23
XCUITest: Reset authorization status for Biometrics?
Hello everybody. I have a pack of UI tests for Biometrics authentication. And at the beginning of each test I need there to be no permissions for Biometrics (granted or denied). I found the resetAuthorizationStatus(for:) method that allows resetting everything except Biometrics :( Is there any way I can reset this permission without deleting the whole app in tearDown()?
Replies: 0 | Boosts: 0 | Views: 685 | Activity: Nov ’23
Apple passkeys
Hello, I want to use the latest addition in security, i.e., passkeys, across the Apple ecosystem. I have 2 iPhones (D1 and D2). I have created a passkey from D1 for some RP (e.g. walmart.com). D1 has a screen lock using my index finger. The passkey is successfully stored in my iCloud Keychain. Now I go to D2. The screen lock on D2 is set up with my middle finger. I configure my iCloud Keychain on D2 using the same Apple ID. If I want to bring the same passkey onto D2 that I stored from D1 in iCloud Keychain, am I required to provide the screen-unlock fingerprint of D1, i.e., the index finger?? Thanks.
Replies: 1 | Boosts: 0 | Views: 332 | Activity: Nov ’23
Guideline 5.1.1 - Legal - Privacy - Data Collection and Storage
We noticed that your app collects information from various public sources to build individual profiles, which is not appropriate for the App Store. Next Steps To resolve this issue, please remove any feature that attempts to build individual profiles based on collected public data. I do not understand what information I collect from various public sources to build individual profiles. My app takes an image from the user and processes it to extract facial features and compare them with other faces in the app database. Also the user can create an account if he wants to post a missing report, and I ask to input the name, gender, date of birth and other information of the missing person, and all of this I explained in App Review. But I still face this reply. What to do?
Replies: 2 | Boosts: 0 | Views: 570 | Activity: Nov ’23
Which application is taken into consideration by TCC
Hello, let's imagine an application (Application A) which launches another application (Application B). These applications are bundled apps. What happens if Application B tries to read a file in the current user's Documents folder? TCC will check if the application is allowed to access the Documents folder. But will it check this right for Application A or Application B (or both)? I have tried to run an application from Terminal. My Terminal is authorized to access the Documents folder. And I am surprised because TCC did not ask me to allow the application itself. It seems TCC is looking at the parent process's rights. Can you confirm? Thanks
Replies: 1 | Boosts: 0 | Views: 385 | Activity: Nov ’23