Prioritize user privacy and data security in your app. Discuss best practices for data handling, user consent, and security measures to protect user information.

Post

Replies

Boosts

Views

Activity

About privacy manifest
Hello, I have a problem. Our app is based on a set of JavaScript cross-platform development frameworks, which includes bridging and packaging of the Foundation Framework. This bridging and packaging itself does not make any API calls, but it contains almost all security APIs. In this case, does this Framework, which is only used as a bridge, need to add a privacy manifest statement? But since it does not make any API calls, how should I fill in the content?
1
0
337
Apr ’24
How to communicate with smart card readers connected to USB-C port in iOS?
Hello All, I am new to iOS development and would like to detect the smart card readers connected to USB-C port on iOS (16+) devices. The smart card reader is a custom hardware and not MFi certified. So as per my understanding, I cannot use ExternalAccessory.framework without MFi certification. Correct? How else can I achieve this? Does TKSmartCardSlotManager work for this purpose (or is it only for NFC devices?)? Is there any example for how to use this interface? I couldn't find any example for this as a starting point... Thanks in advance.
4
0
729
Apr ’24
How to find missing PrivacyManifest declaration warning reasons
Hi, I just received a new email from AppStore Review while submitting our app for review. This time I got informed, that I need to declare two NSPrivacyAccessedAPITypes: NSPrivacyAccessedAPICategorySystemBootTime and NSPrivacyAccessedAPICategoryFileTimestamp. I tried to find where we make use of APIs falling under these categories, but I couldn't find any in our app code. I searched within our SwiftPM checkout folder too, seeing if there is an SDK missing the PrivacyInfo.xcprivacy file itself or the required declaration, again no luck. In another thread is described how a link map could help to find the source of my problem, but this file doesn't help me at all. I can find occurrences of the API names as string, but not all of them are API calls (e.g. creationDate which is a custom property). So my question is now, how can I find the source of these warnings? I dislike the idea of blindly adding both declarations with all options on. Best, Thomas
3
0
967
Apr ’24
SecItemCopyMatching returns a secure enclave a ref after migrating to a new iPhone 15?
I have an app that creates a private key in the secure enclave with a unique alias. It is created with the kSecAttrTokenIDSecureEnclave flag. According to the docs, such private keys should never leave the enclave under any circumstances and definitely not restored on new devices. After migrating to a new iPhone 15 the app does not offer to create a new private key in the enclave, but rather it is able to find the unique alias of the private key in the new phone, i.e. as if it found the private key on the new phone's secure enclave. I believe (/hope) that in practice the object I get in the new iPhone from SecItemCopyMatching is not usable. I assume this is a bug that should be fixed by Apple? How can I detect that this SecItemCopyMatching result is stale so I can ignore it and prompt the user to create a new keypair on the secure enclave? Thanks
2
0
440
Apr ’24
Clarification on NSPrivacyAccessedAPIs Declarations Post-Pod Update
I recently received a notification after my app submission, highlighting missing API declarations in accordance with the new privacy requirements. Following the guidelines, I already updated my pods, which now include their own privacy manifest files. However, I'm still facing issues as detailed in the attached communication from App Store Connect. Does anyone know how to do this?
0
0
183
Apr ’24
Guidance on Authorization Plugins
From what I've gathered from the (rather old) documentation and sample projects on Authorization Plugins, I understand that those can be used to extend the macOS authorization services with custom (and possibly quite complex) requirements for privilege management. During my testing, I found it to be technically possible to allow a normal (non-admin) user to perform some actions that they normally couldn't by leveraging plugin mechanisms. For instance, if I alter the class of system.preferences.network from user to evaluate-mechanisms I can make it so my custom plugin decides which user is actually able to make modifications to the system through the Network settings pane. However, I've noticed that if I leave the actual authentication to the built-in authentication mechanism and perform my validations after that, the user will face a rather odd message: Clearly, even though this seems to work like I'd expected it to, there's something strange going on here. So my question is, what can I actually achieve with authorization plugins in terms of managing system privileges, and what should I use it for? Are there any alternatives I could consider? And if so, could they offer me the flexibility that implementing my own custom logic as a plugin does? I'm not sure what the best practices and recommendations are in terms of both security and usability regarding these plugins, and would very much appreciate some pointers in the right direction.
3
0
374
Apr ’24
Device Activity Report for multiple children
How can I differentiate between multiple children in order to display screentime data to the user separately for a parent with multiple children? As far as I can see, the options are .children, and .all? I understand I can retrieve some info from within the extension so I can group data separately, but is there any way to reliably filter between different children from within my app, say using a DeviceActivityFilter? Many thanks!
0
1
311
Apr ’24
Privacy Manifests and Swift Package Manager
We use a few third-party dependencies that declare API Reasons and we integrate those using SPM. Since SPM will statically link those dependencies in the main binary, we get a report from App Store that we need to declare those reasons in our Privacy manifest file. This is somewhat surprising since the third-party privacy manifest is bundled within our app, it is just independent of our app's main Privacy manifest file. Is there a way to aggregate all privacy manifest files, or does Apple plan to scan for all privacy manifest files in the application bundle?
0
6
721
Apr ’24
Secure Enclave security
Hello! The other day I had trouble with running the application to interact with the Secure Enclave. (https://developer.apple.com/forums/thread/748611?page=1#783968022) While my program is running perfectly fine now, I still have questions regarding its security. QUESTIONS: Is there any functionality just with the public key to get evidence of a corresponding private key being protected by the Secure Enclave without showing the source code? Even with the most recent update of iOS 17.4, there is still no way to directly access the functionality of a Secure Element itself, is that right? So far I found a function SecureElementPass, and it seems like it’s the only interaction possible. What is the difference between using Security API and Apple CryptoKit? I heard some were saying it is a matter of habit and device support, but I still would like to hear an opinion of a professional. Any information regarding that will be helpful. Thank you in advance for your time and effort!
1
0
515
Apr ’24
When using a library with SPM, I always receive an email from App Store Connect regarding the PrivacyAccessedAPI issue.
Hello. I'm having an issue using SPM to include a privacy manifest in my project. For example, if I use Alamofire 5.9.0 (with the PrivacyInfo.xcprivacy file) using SPM, I am continuously receiving the email saying ITMS-91053: Missing API declaration - System Boot Time when submitting an app for review. But if I use the same version of Alamofire using CocoaPods (as a dynamic library), the PrivacyAccessedAPI issue does not occur. Is there any resolution for this problem? If I use a library using SPM, do I need to add the library's information in the main app's PrivacyInfo.xcprivacy file? Thank you.
0
0
302
Apr ’24
Can't resolve apple store connect privacy warnings, problems with PrivacyInfo.xcprivacy
Hello. I am having an issue with the privacy warnings. Basically I am using React Native without Expo and I want to fix the warnings that are displayed via App Store Connect. As per the instructions, I created the PrivacyInfo.xcprivacy file, added my project as target and filled the rules out. After doing that, when I try to build I get errors: "Multiple commands produce '/Users//Library/Developer/Xcode/DerivedData/-fvniikaunkvfgngctvgfjncckcat/Build/Products/Debug-iphonesimulator/.app/PrivacyInfo.xcprivacy'" "Target '' (project '') has copy command from '/ios/PrivacyInfo.xcprivacy' to '/Users//Library/Developer/Xcode/DerivedData/-fvniikaunkvfgngctvgfjncckcat/Build/Products/Debug-iphonesimulator/.app/PrivacyInfo.xcprivacy'" "That command depends on command in Target (project ): script phase “[CP] Copy Pods Resources”". Some solutions suggested removing the PrivacyInfo from Copy Bundle Resources. That way the build worked but App Store Connect still gave the warning. To me the issue seems to arise during Copy Pods Resources: it wants to create the PrivacyInfo.xcprivacy file, but it already exists. Or maybe it is something else. Any help or direction is much obliged.
1
1
711
Apr ’24
Nonce handling in CryptoKit’s HPKE Sender & Recipient
G'day all, I'm working through the creation of a cross-platform decryption implementation for CryptoKit's HPKE and wish to use the Sender & Recipient type. I have been able to engineer the derived key, but the missing link is the nonce that is created and utilised by HPKE.Sender.seal(). I understand that I could create the key exchange and sealed box by myself and set my own random nonce, but I want to be able to utilise the HPKE.Sender.seal() functions to assist with this as well as create ciphertext data externally that can be opened with HPKE.Recipient.open(). By looking at Apple's open-source code available here, I can see that it seems to be exporting a key based on a "base_nonce" label on the context, which I think is what HPKE.Sender's exportSecret(context:outputByteCount:) can achieve. However, using the sender's exportSecret(context:outputByteCount:) in the following way: let noncedata = try hpkeSender.exportSecret(context: Data("base_nonce".utf8), outputByteCount: 12) even just for one message (so the sequence number would be 0 and thus this data block unchanged), the AES-GCM implementation still returns a "cipher: message authentication failed" error. This is specifically in Go, but can be replicated in Python easily. I'm confident that the derived key is correct and is being fed to AES-GCM with the ciphertext correctly, and it's just the nonce generation that is not understood.
1
0
387
Apr ’24
Apple rejected app by using user content
Hello, my dear colleagues. I'm a new iOS developer (actually I'm a sr. Android dev), so this is my first time publishing in the App Store. I have created an app with memes, where users can create memes, share them and judge them. I already have terms of use, a privacy policy, registration and report (because I want to create a stable product), but Apple has its own opinion: Require that users agree to terms (EULA) and these terms must make it clear that there is no tolerance for objectionable content or abusive users - okay, I will add EULA to my links, but it already contains the rules of creating content. A method for filtering objectionable content - blocking happens automatically by user reports. I explained it to the reviewer, but he ignored it and repeated this mark (all marks) again. By user reports the memes with 10 or more marks will be hidden for content delivery. What else does he want? How can the filters resolve it if the content is already hidden? What actually should I do with these "filters"? A mechanism for users to flag objectionable content - The same. What else does he want? A mechanism for users to block abusive users - This is just ridiculous! Users can not write each other and can not communicate with each other. They can only create and judge memes. I'm not sure that the reviewer was really looking at my app. Maybe 30 seconds? So, how can I follow his marks if he doesn't listen and doesn't check? Use a fake feature? That's a shame! The developer must act on objectionable content reports within 24 hours by removing the content and ejecting the user who provided the offending content - The same. The blocking happens automatically. We don't have moderators and can control this process manually (only 2 members in the team). I really don't understand why Apple makes my life harder)) Google and Huawei have already published the app in internal testing without wrong useless marks. As I know, this situation is normal behaviour for Apple.
Anyway I want to resolve these "marks" and finish the publishing process - users are waiting for it. Please guys, help me to do it correctly - I don't have experience with Apple support and it looks to me like a circus! P.S. Links to the terms of use and privacy policy are available on the register screen
2
0
390
Apr ’24
Passkeys authenticatorAttachment and transports in macOS 14.4 and iOS 17.4
In the new macOS and iOS updates (14.4 and 17.4 respectively), something has changed in regards to passkey creation: Any passkey created from Safari doesn't have any transports + the authenticatorAttachment is always set to platform, irrespective of whether a cross-platform authentication method is utilized, such as a hardware security key. All passkeys saved in iCloud Keychain created from any browser have an authenticatorAttachment always set to platform + empty authenticator transports. authenticatorAttachment always set to platform According to the WebAuthn specification (Section 5.4.5), the authenticatorAttachment descriptor plays a crucial role in guiding the client (browser or platform) to create or use an authenticator of a specific type. The options are platform for a built-in authenticator or cross-platform for a roaming authenticator. Some relying parties mandate a cross-platform method for the first passkey or as second authentication factor. This is to ensure users do not find themselves locked out when they try to sign in from a device that doesn't have access to the non-roaming webauthn credential. Unfortunately, the current implementation in Sonoma 14.4 forces the authenticatorAttachment to platform, thus preventing the creation of passkeys that comply with such policies on websites. For comparison, browsers like Chrome correctly return a cross-platform authenticatorAttachment when a hardware security key is used, and the same used to happen on previous macOS and iOS versions from Safari. Authenticator transports missing The absence of transport data (WebAuthn Section 5.8.4) for all passkeys created via Safari and iCloud Keychain passkeys created from all browsers further complicates the scenario. The transport hint is crucial for informing relying parties about the preferred transport method for the authenticator, be it USB, NFC, BLE, HYBRID or internal. 
This omission could lead to inefficiencies and a diminished user experience, as the system cannot optimize the authentication process based on the authenticators available to the user. These issues jeopardize the utility and adoption of passkeys across various platforms and browsers, a primary goal of WebAuthn and FIDO2 for widespread secure authentication practices. What is the rationale behind this choice and is there any workaround to be considered? Thanks for all the help and clarification!
2
2
528
Apr ’24
Privacy Regarding my submission
I received this from Apple on review, what am I supposed to change? Guideline 5.1.2 - Legal - Privacy - Data Use and Sharing The app privacy information you provided in App Store Connect indicates you collect data in order to track the user, including Browsing History, Other Diagnostic Data, Crash Data, Performance Data, Name, Search History, Physical Address, Customer Support, and Other Data Types. However, you do not use App Tracking Transparency to request the user's permission before tracking their activity. Apps need to receive the user’s permission through the AppTrackingTransparency framework before collecting data used to track them. This requirement protects the privacy of users. Next Steps Here are two ways to resolve this issue: If you do not currently track, or decide to stop tracking, update your app privacy information in App Store Connect. You must have the Account Holder or Admin role to update app privacy information. If you track users, you must implement App Tracking Transparency and request permission before collecting data used to track. When you resubmit, indicate in the Review Notes where the permission request is located.
1
0
271
Apr ’24