Prioritize user privacy and data security in your app. Discuss best practices for data handling, user consent, and security measures to protect user information.

All subtopics

Post

Replies

Boosts

Views

Activity

Не приходят проверочный код с Alibaba.com
Добрый день! Я создал аккаунт на Alibaba.com с помощью AppleID, при регистрации был выдан подменный адрес почты @privaterelay.appleid.com, при попытке подтвердить почту, письма не пересылаются на мою основную почту.
1
0
670
Feb ’24
Using kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly
After a pen test it has been suggested we use kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly for keychain accessibility. It is currently using kSecAttrAccessibleAfterFirstUnlockValue We only store name, email, sms etc in our keychain but I've been asked to explore how much effort this would be My initial concern is what happens to users without a passcode? Is there a way to enforce this for users with a passcode but fallback to something else for other users? Thanks
1
0
457
Mar ’24
Understanding the List of 3rd Party SDKs that need Updates
Hey everyone, Was having a look into this article posted by Apple. I noticed that one of the SDKs I use - FirebaseMessaging - is included on that list. Having a look into the SDK's repository, I noticed that the Firebase team is already addressing the issue, as this PR shows. But, if you look at that SDK's PrivacyInfo.xcprivacy file, the NSPrivacyAccessedAPITypes property has no value associated with it. Apple clearly states that APIs that use required reason APIs are the ones that need to be updated until Sprint 2024. FirebaseMessaging looks like it doesn't, so why is it included on that list? Looking forward to your feedback.
0
0
501
Mar ’24
Is the GLKit library Apple's?
Hi. My team is still using GLKit. I have no choice but to keep using it to support non-iOS products as well. (We don't have many developers.) While researching 'Privacy Manifest', I found out that the third party library needs to add 'PrivacyInfo'. I confirmed on Xcode that GLKit is Apple SDKs. Does this mean it's not a third party library? Is using GLKit not related to 'Privacy Manifest'?
1
0
708
Mar ’24
Sharing Files and Photos into an App
I had a couple of questions someone could help me with, as I’m trying to do a little research for my team before they do a bunch of coding. We’re building an anywhere-to-anywhere encrypted file transfer app and wrestling currently with our share functionality. Currently, our users log into their app on their phone, and: within the application use a file picker to select files/photos and then select a destination that they pick from a permission-ed list. However, we really would like to also add the workflow where the user opens the photos or files app, finds a picture/file and then uses the share functionality to pass the object into the application, then The application launches, allowing the user to log into the app, then they pick from a list of permission-ed drop targets within the app and send the object In doing some research this morning regarding sharing files/pictures within our application, I found this thread Eskimo had more or less advised against what we intended to do: https://developer.apple.com/forums/thread/114485 We don’t want to save session tokens because of security concerns; we’re concerned primarily with third-party actors (governments primarily) having access to encryption keys. Is there a best-practice way for my team to open the app we're building and then passing the files/photos into our application? Does anyone have any advice on how to securely launch the application and pass the file/pic into the app given the constraints? Thanks!
1
0
443
Mar ’24
How to Create SecKeys from Data and Decrypt?
I am trying to communicate with a Java server over TCP, but I'm having issues trying to make the data secure in transit using RSA and AES. The server creates an AES key, encodes it in utf8, and sends it to the IOS Client, where it should be decoded back into a byte array as a Data object. Then, Using the Cryptokit framework, I try to create a SecKey object from it. I am stumped when trying to do so, though: func createSecKeyFromAESKeyData(aesKeyData: Data) -> SecKey? { // Define the key attributes let keyAttributes: [CFString: Any] = [ kSecAttrKeyClass: kSecAttrKeyClassSymmetric, kSecAttrKeySizeInBits: 128, kSecAttrIsPermanent: false ] // Convert the AES key data into a SecKey object var error: Unmanaged<CFError>? guard let key = SecKeyCreateWithData(aesKeyData as CFData, keyAttributes as CFDictionary, &error) else { if let error = error { print("Error creating SecKey: \(error.takeRetainedValue() as Error)") } else { print("Unknown error creating SecKey") } return nil } return key } Despite setting up my key attribute dictionary with the correct information (AES_128_GCM_SHA256, 128 bits, impermanent) based on how I generate it in the Java code, I keep getting a runtime error at the SecKeyCreateWithData call stating "Unsupported symmetric key type: 4865". I am unsure what this means and how to fix it as there doesn't seem to be any information on it online. If it helps, the Java code is using AES GCM with no padding, and we have confirmed that the data being sent is indeed 128 bits. How can I take this byte array and create a SecKey from it properly so we can pass secure data? Similarly, I have also tried using RSA encryption for some data, but with this method, I generate the key pair on the iOS client and send the parts of the public key to the Java server where it (seemingly correctly) created the cipher from the passed data. However, trying to send anything encrypted back resulted in "RSAdecrypt wrong input (err -27)" when decrypting: func decryptAESKey(encryptedKeyData: Data, privateKey: SecKey) -> Data? { // Decrypt the received AES key using the private key var error: Unmanaged<CFError>? guard let decryptedKeyData = SecKeyCreateDecryptedData(privateKey, .rsaEncryptionOAEPSHA256, encryptedKeyData as CFData, &error) as Data? else { print("Error decrypting AES key:", error!.takeRetainedValue() as Error) return nil } return decryptedKeyData } Any assistance in figuring out how to properly use SecKeys in these ways would be greatly appreciated. Additionally, the relevant Java code can be provided if necessary.
1
0
828
Mar ’24
Conditions under which a JWT client token expires
In order to use Sign in with Apple, I issued a JWT client according to the instructions and was able to connect without any problems, but suddenly an INVALID_CLIENT error started to occur. The error was resolved by re-obtaining the JWT client token and resetting it. The validity period of the JWT client token is 6 months and it has not expired yet, but I would like to know why I am getting an INVALID_CLIENT error.
1
0
371
Mar ’24
I'm trying to incorporate Sign-In with Apple for my Swift Application
I am getting an error "Cannot create a iOS App Development provisioning profile for "TheSwiftUIWay.login". Personal development teams, including "Cyril John", do not support the Sign in with Apple capability" I have created a developer account but I didnt enroll in the developer program. Am I able to use Sign-In with Apple with the free version of the Apple Developer Account? If so, can you please give me some directions on how I can fix this error?
1
0
545
Mar ’24
Multiple problems with ES_EVENT_TYPE_NOTIFY_DUP
Hello, 3 questions regarding Endpoint Security Framework: Does ESF support tracing the dup2(2) function? There is the ES_EVENT_TYPE_NOTIFY_DUP event, but it seems that it only reports dup(2), not dup2(2)? Does ESF support tracing the dup(2), and close(2) calls, if the file descriptor passed to these functions refer to a pipe handle instead of a file handle? If not, do you have any plans of extending the support for pipes as well? Could the es_event_dup_t structure support reporting which file handle has been duplicated into which value (source file descriptor value, and target file descriptor value)? Currently this structure only supports the "target" file object, without any information which file descriptor has been cloned into which file descriptor, which is not helpful at all. For example, if we open file A and we get fd1, then open the same file A and we get fd2, then perform dup(fd1), then with ESF it seems that it's impossible to tell if we've duplicated fd1 or fd2. Also this model doesn't support dup2(2) usage at all.
4
0
719
Mar ’24
How secure is the communication between iOS app and its safari mobile extensions
Can someone share how secure is the communication between iOS app and its safari mobile extension. Is it encrypted? Are there any references to best practices to follow? If a user has opened multiple tabs and has multiple extensions can there be security issues during their communication like one extension able to read other extensions memory?
0
0
489
Mar ’24
AppAttest attestKey returns invalid key error
Dear Experts, I have App Attest deployed in an app that is currently in TestFlight. Its works OK most of the time. For one particular user, however, attestKey fails with DCErrorInvalidKey for a new key that it has just created. I have some insight into what the app is doing because I send diagnostics to the server. It seems that for this user, the sequence of events is: Initially the app has no key ID saved. The user initiates an action that requires App Attest-signed communication with my server. The app calls generateKey which seems to succeed. The app fetches a challenge from the server. The app calls attestKey. attestKey returns DCErrorInvalidKey. The app doesn't save the key ID persistently, so next time the same thing happens. attestKey really shouldn't fail with the invalid key error for a key that it has just created, should it? What could be going on here?
6
2
1.4k
Mar ’24
Purposely trigger XProtect detectors?
I have an Endpoint system extension that, in theory, receives XProtect alerts. I regularly see XProtectPluginService starting programs like XProtecteRemediatorSheepSwap on my Mac. I would love to be able to put one or more files/bundles on my Mac that triggers the detectors, so I can see the alerts go from the Endpoint system extension through to the UI. Does Apple have or recommend a way (short of being infected) for triggering the XProtect detectors for testing?
2
0
781
Mar ’24
Support on Apple Privacy Manifest
As per the https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_data_use_in_privacy_manifests Mentions that Third-party SDKs need to provide their own privacy manifest files. What about the SDKs which are in-house? Meaning if the application contains the SDKs which are developer within the same company as the application would be treated as Third-party SDKs?
1
0
594
Mar ’24
Keychain ACLs and evaluatedPolicyDomainState
If on iOS an app protects a keychain item with an access control list that specifies .biometryCurrentSet in its SecAccessControlCreateFlags the app loses access to the item if the set of currently enrolled fingers (for Touch ID) or the currently enrolled user (for Face ID) changes - which corresponds to a change of the evaluatedPolicyDomainState. We have users reporting loss of such items even though - as they assure us - they have not touched (no pun intended) anything under "[Touch|Face] ID & Code" in Preferences.app. Is there another reason why an app may lose access to such items?
0
0
428
Mar ’24