Here's the scenario： I have two processes on my computer, named A and B. Both processes are monitored by the ESF, and both processes monitor the same ESF events, such as ES_EVENT_TYPE_AUTH_EXEC and ES_EVENT_TYPE_AUTH_OPEN. If processes A and B run at the same time, will event conflict occur? In ESF event processing, is there any way to achieve full event listening and keep cpu usage low

I have an iPhone with iOS 16.7.2, Microsoft Windows 11 23H2 and iCloud app for windows 14.2 and when I select option to turn on Advance Data Protection, it requested me to download iCloud for Windows latest version but there's not higher version that 14.2. I needed to delete profiles from my iPhone and then, I could activate data protection on but now, I can't access to iCloud app from Windows PC. Is there another way?

I have a question about the privacy manifest file (PrivacyInfo.xcprivacy). If the third party SDK used in our app is not updated (or the repository is read-only and not permanently updated), can we include the description for the third party SDK in the privacy manifest file of our app?

Hey, I am experiencing this bug where I ask the device activity report for data within a date range, in daily segments. the device report receives the truncated date range: some date 23:00 -> some other date 23:00. however the async data list returns date ranges of the sort: 22:00 -> 22:00 (of the next day). and sometimes it returns 22:00 -> 23:00 (of the same day), but then the data contained in that range is still relative to tne entire day since the total screen time is greater than an hour. I think that the way date intervals are treated by the device activity report extension contains bugs and is not consistent. Is anyone experiencing similar bugs?

The Endpoint Security provides the ES_EVENT_TYPE_AUTH_OPEN event, I can specify that the process intercepts the open specified file es_respond_flags_result(client, msg, 0x0, true);. However, WeChat (the chat app) intercepts the specified file the first time it is sent, and the second time it can be sent successfully, and the peer end can receive the file. I can confirm that es_respond_flags_result(client, msg, 0x0, true); is called. So, which auth event should I use? Thx!

We recently shipped option to sign up/in using passkeys. Everything was working as expected and we didn't have any issues with passing app store review process. Recently, when submitting new build with not passkey related updates, we got rejected due to the error, which apple reviewer faced during passkey creation. From our logs we can see that issue is about Associated Domains and webcredentials configuration: The operation couldn’t be completed. Application with identifier X is not associated with domain Y. The thing is that it is configured properly. AASA file is returned properly both from our server and from apple's CDN. Feature is 100% working on all our testing devices and we never got this error reported from any user. The only issue about that is received from reviewer device, which is iPad Air 5th generation on iOS 17.1.1 I was trying to reproduce the error in many ways, but I wasn't able to. Is it possible that the error is faced only by apple reviewers due to some specific environment setup they use? Or maybe TestFlight installs manage AASA files checking in some different way? I found something about that in one thread on apple developer forum: https://developer.apple.com/forums/thread/108339 but not sure if it can be related. Any help/guidance will be very appreciated, thanks!

It appears that for a successful registration of a passkey to a relying party using passkey autofill provider, the BE BS bits/flags in the attestation response need to be set to true. Please refer FLAGS byte of authData field part of attestationObject mentioned here - https://www.w3.org/TR/webauthn-2/#sctn-attestation. If those flags are set to false, the RP rejects saying - "The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client." What are the implications of having those flags set to true? Does it make the generated passkey syncable across devices using same apple id? If yes, is there at all anyway possible by which a generated passkey can be made device bound, basically can be generated and used only on a single iPhone/iOS device? Also, is there a plan to ever make those flags to be set to false in a future iOS release? Also, what does it mean in the credential provider popup where it says - "Available where is installed." in the below screenshot?

How do i get rid of the screen recording or mic usage privacy icon from the menubar its very annoying and its there alot even though its not even being used by anything it is an empty dropdown Image

Hi everyone, I'm looking into adding unique biometric authentication (fingerprints only) to a mobile app I'm developing. Is it possible to assign and recognize individual biometric data for a unique scan for the app? I'm interested in the technical feasibility, any notable security concerns, and would appreciate any insights or experiences you might have on this topic. Imagine logging into your phone or laptop using your thumbprint, and then, with the same device, accessing a specific app solely with your pinky finger's biometric data. This dual-layer security approach leverages different fingerprints for device and app access, enhancing user-specific authentication Thanks in advance for your help!

Hello everyone! I'm currently working on implementing a Secure Enclave to encrypt data from the Login Screen with my application. I've followed the guidelines outlined in the developer documentation, which you can find here: Secure Enclave Documentation. Despite following the documentation, I'm encountering issues with creating a key pair to encrypt data. I would appreciate any suggestions for necessary changes or additional permissions that might be required to address these challenges. Thanks!

Hello Apple Developer Community, I am reaching out to seek some assistance with an issue I've encountered related to user privacy settings in my app. Despite configuring the PrivacyInfo.xcprivacy file to disallow tracking and including specific domains within the Privacy Tracking Domains, I am observing that URLs containing these restricted domains are still being displayed within a webView in my app. Here are some specifics of the issue: The behavior occurs in both the iOS 17.1.1 simulator and on physical devices. I've double-checked the setup to ensure it aligns with the official documentation and expected privacy restrictions. I'm hopeful that someone in the community or from the Apple team can shed light on the matter. Why might the specified domains not be blocked as per the privacy settings? Any insights or guidance on resolving this would be greatly appreciated as it's crucial for maintaining the privacy standards of our app. Thank you for your time and help. Best regards,

Hello! I am a new developer and am attempting to use Apple's Device Activity API. However, I am struggling with the View of the Device Activity Report. For one, the view stretches to fill all available space instead of simply being the size of its content. Secondly, the background color seems fixed and I can't figure out how to remove it. The Screen Time API demo video shows this Device Activity API used with a clear background, so I know it is possible, I just can't figure out how to do it as it seems to be built into the Device Activity Report itself. Does anyone have any ideas? I'll attach a photo to show you what I mean. The black box is the Device Activity Report that I am trying to edit. Thank you for your help!

Hi! Is there any way to automate passkey testcases for safari? Does safari provide any emulated authenticator? The way we have virtual authenticator in chrome in developer tools. If no, can you please suggest a way to automate passkey testing using safari? Thank you!

Hi everyone, I'm working on the verification of the PassKey signature for the integration of PassKey into our product. I've implemented the verification of P256 signature and it's correctly verifying the passkey signature. However, I want to know if Apple's Passkey signature is doing a malleability check (if the signature's S value is <= N / 2). If this is the case for Apple's passkey, I'm planning to also include this in the service for the signature verification to ensure a higher security level from the Passkey. Can anyone please help to answer this question? I checked documentation and many articles but this wasn't stated in the documents. Thank you for your answer in advance.

I would like to develop a macOS application in Swift. This application will consist of 2 programs: a main program to be run by the user (standard account) and another one that will run with root privileges. The second program will only be invoked to perform privileged tasks. Running the main program under root permanently would be too risky. XPC will be used to trigger calls from the main program to the privileged program. How can I secure the privileged program to ensure that the calling program is indeed my main program and not another unauthorized program?

I have implemented an app to monitor computer events according to ESF framework, but a crash will appear, and the crash content is Time Awake Since Boot: 800000 seconds Time Since Wake: 2594 seconds System Integrity Protection: enabled Crashed Thread: 0 Exception Type: EXC_CRASH (SIGKILL) Exception Codes: 0x0000000000000000, 0x0000000000000000 Exception Note: EXC_CORPSE_NOTIFY Termination Reason: Namespace ENDPOINTSECURITY, Code 2 I can't find it. Why is this happening. Can you tell me under what circumstances such a crash would occur.

Hi, I am preparing privacy info manifest for my application. I am using stat to read not timestamp data from file. I wonder how in this case should I specify this info in the API usage? Should it be specified at all(since stat() is listed only in File Timestamp API)? Or maybe you can add stat to Disk space APIs and add one more reason there? Here is similar thread about this and nothing emerged so creating this to increase visibility of the problem: https://developer.apple.com/forums/thread/734750 Best regards, Konrad

Buongiorno, che tipo di accesso sicuro e che testimonia l'autenticità di un utente, è possibile usare ? E' possibile far inviare dall'utente che si vuol registrare, una foto di un suo documento di identità ed anche con la face authentication ? E' possibile usare lo SPID ? Grazie molto. Firenze Web Division.

Hello, I've come across information regarding macOS endpoint protection software: It seems Apple no longer allows them to create kernel extensions. It seems that endpoint software should now function with MACF by implementing hooks from userland. Does this mean the Endpoint Security Framework will soon become deprecated? I'm currently searching for a sample source code for MACF hooks, but I haven't found anything in the Apple developer documentation. Thanks

As the new requirement for Privacy manifests is coming this Spring 2024 (https://developer.apple.com/news/?id=r1henawx), Apple released a list of SDK's that need to comply with this requirement and provide a privacy manifest file: https://developer.apple.com/support/third-party-SDK-requirements/ I have some questions: Do i need to declare a privacy manifest file for the SDKs if i'm updating an old app that already includes one of these SDKs? Apple states "when you submit an app update that adds one of the listed SDKs as part of the update" which in my understanding applies only when an app adds an SDK for the first time in an app update. What happens with SDK's that are not in this list? Should every single SDK an app uses to include the privacy manifest file?