We are implementing just-in-time account creation using Platform Single Sign-on. After creating the account, we are registering the user with PSSO and we want to ensure that the IDP account used for account creation matches the IDP account used in the user registration flow.
An easy way to do this appears to be using loginUsername on the ASAuthorizationProviderExtensionLoginManager object. loginUsername gets set during account creation and then we can check what the user is entering during registration.
The documentation, however, marks this attribute as deprecated. There is no indication of what could be used instead. Is there some other value we could look at? Does Apple have a plan to introduce a preferred API option?
Thanks!
Prioritize user privacy and data security in your app. Discuss best practices for data handling, user consent, and security measures to protect user information.
Post
Replies
Boosts
Views
Activity
$ tccutil reset All
This command resets the other permissions (i.e. camera, microphone) but doesn't reset the Local Network permission.
OS: macOS 15.0
After updating my phone to the ios 18 beta, i can’t access my snapchat or instagram camera or use apps that requires bluetooth anymore. it says i need to allow access for camera/bluetooth but when i checked settings, there’s no options for that. is there anyway i can solve this issue?
We develop an SDK that requires sharing a device-specific identifier with our web API, in order to guarantee that certain artifacts are only used on the correct device. For the device-specific identifier, we use UIDevice.currentDevice.identifierForVendor which should not be restricted under ATT.
In production, many developers are getting back to us with complaints of web requests being blocked:
nw_endpoint_handler_path_change [C1 [our url]:443 waiting parent-flow (satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi)] blocked tracker
Connection 1: received failure notification
Connection 1: failed to connect 1:50, reason -1
Connection 1: encountered error(1:50)
Task <FA03088C-DDFC-437E-A06F-E05CC930E3E0>.<1> HTTP load failed, 0/0 bytes (error code: -1009 [1:50])
Task <FA03088C-DDFC-437E-A06F-E05CC930E3E0>.<1> finished with error [-1009] Error Domain=NSURLErrorDomain Code=-1009 "The Internet connection appears to be offline." UserInfo={_kCFStreamErrorCodeKey=50, NSUnderlyingError=0x3031118f0 {Error Domain=kCFErrorDomainCFNetwork Code=-1009 "(null)" UserInfo={_NSURLErrorBlockedTrackerFailureKey=true, _kCFStreamErrorDomainKey=1, _kCFStreamErrorCodeKey=50, _NSURLErrorNWPathKey=satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi}}, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <FA03088C-DDFC-437E-A06F-E05CC930E3E0>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=(
"LocalDataTask <FA03088C-DDFC-437E-A06F-E05CC930E3E0>.<1>"
), NSLocalizedDescription=The Internet connection appears to be offline., NSErrorFailingURLStringKey=..., NSErrorFailingURLKey=..., _kCFStreamErrorDomainKey=1}
Interestingly, I've made a few observations:
The blacklist seems to be persistent, across devices.
The blacklist stays in place regardless of whether we send no identifiable data in the web request (in fact, an empty ping request to our URL still gets blocked)
The only way to get past the block is to use ATT, and request from the user that we track them across websites. This is false, because we don't track any user data whatsoever; and iOS disables ATT by default (in the settings app, users have to opt-in).
Our iOS SDK already has an xcprivacy manifest mentioning the fact that we use a device-specific identifier, and that we send it to our web API URL. Still, we get blocked.
How can we fix this? We can standup a proxy URL but I'd imagine it's only a matter of time before that also gets blocked. Apple has not provided any guidance on the specifics of how domains get blocked, and how they can be unblocked.
We want to use AccessorySetupKit to pair our BLE accessories. However, currently all our products announce the same BLE service UUID. The manufacturer data is different for every product.
I try to pair our products with ASK and create the ASDiscoveryDescriptor with the expected manufacturer data:
let descriptorA = ASDiscoveryDescriptor()
descriptorA.bluetoothServiceUUID = CBUUID("CE1EB45C-1BD2-45BE-8163-ACC88BE94CB2") // same
descriptorA.bluetoothManufacturerDataBlob = Data([0xd2, 0x0a, 0x00, /* A */ 0x2a, 0x00, 0x00, 0x00]) // different
descriptorA.bluetoothManufacturerDataMask = Data([0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff])
let descriptorB = ASDiscoveryDescriptor()
descriptorB.bluetoothServiceUUID = CBUUID("CE1EB45C-1BD2-45BE-8163-ACC88BE94CB2") // same
descriptorB.bluetoothManufacturerDataBlob = Data([0xd2, 0x0a, 0x00, /* B */ 0x2b, 0x00, 0x00, 0x00]) // different
descriptorB.bluetoothManufacturerDataMask = Data([0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff])
However, it seems random which device is found, as if the service UUID is the primary key to handle things in ASK.
My questions are:
Is it possible to use only manufacturer data to distinguish between different products with the same service UUID?
How do I use bluetoothManufacturerDataMask properly? I assume that internally some filtering like this is done: DataBlob & DataMask == ReceivedManufacturerData & DataMask. Because of that I have set all bits of the mask to 1. Should this e done differently?
I want to reset the permission state of location services to "notDetermined" (CLAuthorizationStatus) while developing.
But using the command below gives me this error:
$ tccutil reset CoreLocation
tccutil: Failed to reset CoreLocation
same goes for
$ tccutil reset [my bundleId]
tccutil: Failed to reset CoreLocation approval status for [my bunldeId
Anyone know the reason for this?
Hi,
My app features its own lock screen secured by Face ID or Touch ID. With the introduction of the locked app feature in iOS 18, I want to ensure that users do not experience duplicate lock screens. Could you please advise on how to detect if the locked app feature is enabled in iOS 18, so I can disable my app's internal lock screen when necessary?
Thank you!
Why is it that after hiding an app, it can still be seen in many places in the settings, such as:
Settings -> General -> iPhone Storage
Settings -> private and security -> Pemissions
Settings -> Search
Settings -> Siri -> Siri APp Access -> Apps
Additionally, in the App Store, the hidden app still shows as downloaded.
Moreover, global searching for the full name of the app in global search also reveals the app and allows it to be opened.
Why isn't the hiding more thorough? Is this a bug or intentionally designed this way?
Hi,
Are there any samples that IdP vendors can use to add support for Platform SSO in their solutions?
I found this link: https://developer.apple.com/documentation/authenticationservices/platform_single_sign-on_sso/creating_extensions_that_support_platform_sso, which explains how to implement the extension on a device. However, I am having trouble understanding what needs to be implemented on the IdP itself from this documentation.
Does anyone have any links or resources that can help?
Thank you,
Bala
I am implementing passkeys for my Project. We hosted apple-app-site-association file in 2 different sites for my project maintenance. One is with ww.sitename.com and another is www3.sitename.com.
In Xcode adding each of them and testing individually. It's working good at first site and throwing error for second one like below
Application with identifier <> is not associated with domain <>
My app mostly rely on time sensitive local notifications (both critical and normal). If my app is hidden, no notifications are shown. Is there a way I can change it in iPhone settings or override it through Swift code even though the app is hidden.
import AppleProvider from 'next-auth/providers/apple';
export const appleProvider = AppleProvider({
name: 'Apple',
clientId: process.env.NEXT_PUBLIC_APPLE_CLIENT_ID as string,
clientSecret: process.env.NEXT_PUBLIC_APPLE_CLIENT_SECRET as string,
idToken: true,
authorization: {
url: 'https://appleid.apple.com/auth/authorize',
params: {
clientId: process.env.NEXT_PUBLIC_APPLE_CLIENT_ID as string,
scope: 'openid email name',
response_type: 'code',
response_mode: 'form_post',
},
},
token: {
url: 'https://appleid.apple.com/auth/token',
async request(context) {
console.log('----context', { context });
const url =
https://appleid.apple.com/auth/token +
?code=${context.params.code} +
&client_id=${context.provider.clientId} +
&client_secret=${context.provider.clientSecret} +
&redirect_uri=${context.provider.callbackUrl} +
&grant_type=authorization_code;
const response = await fetch(url, {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
},
});
console.log('----response', { response });
const tokens = await response.json();
console.log('----tokens', { tokens });
return { tokens };
},
},
});
Hello,
The man page for xpcservices.plist states that:
Services embedded in an application bundle will only be visible to the containing application (...)
What exactly "visible" means? Doest that mean that there is a mechanism to prevent other programs than the embedding application to access the XPCService's mach port or it just means that the XPCService is not listed (e.g. launchctl list) and if attacker can guess the mach port they can access it?
I'm asking to understand if there is a security gain using the -[NSXPCConnection setCodeSigningRequirement:] for embedded XPCServices.
I know how to set up a parental gate to keep a child user away from a web portal for parents or guardians. But is it even OK with Apple (or just in general) to open a browser from inside a kids app?
I can think of two ways to do this:
Launch a browser with UIApplication.shared.open(). This takes the user (presumably an adult) out of the app. Will Apple object to this?
Use an in-app browser with WKWebView. (Wrapped in UIViewRepresentable because I'm using SwiftUI.)
Option 2 has some problems with Google SSO, which is a requirement for me. Some details in stackoverflow 2016 and stackoverflow 2019 and gitHub. I can't figure out how to apply the solutions in those posts to the SwiftUI architecture or even the UIViewRepresentable.
I'm having trouble opening files residing on a custom filesystem implemented as a kext via sandboxed apps.
Preview.app is one such example.
The app launches, but it won't display file contents.
In system log files I'm seeing entries related to com.apple.foundation.filecoordination:claims with no error messages to indicate a possible reason why file contents aren't being displayed.
Non-sandboxed apps, such as GoogleChrome.app do not exhibit such behaviour.
The kext is unsigned and running in an environment with SIP disabled and Security Mode reduced to Permissive.
What is required for a 3rd party filesystem kext to integrate with sandboxed apps?
Any pointers and/or assistance would be greatly appreciated.
Does anyone have recent experience of what App Review consider acceptable for location purpose strings these days?
My map apps simply display a blue spot on the map showing your current location when you turn on the app's location button. That data doesn't leave the app; I'm not selling it to anyone, or doing anything nefarious. For years, I've had concise location purpose strings such as "Your location will be shown on the map".
Now, App Review seem to find that inadequate. They say: "One or more purpose strings in the app do not sufficiently explain the use of protected resources. Purpose strings must clearly and completely describe the app's use of data and, in most cases, provide an example of how the data will be used. Next steps: Update the ... location purpose string to explain how the app will use the requested information and provide an example of how the data will be used. "
I've just look at what Apple Maps uses as its purpose string, and it's just "Your location is used to show your position on the map, get directions, estimate travel times, and improve search results." I'm only doing the first of those things, so surely "Your location is used to show your position on the map" would get approved, right? Wrong!
I have similar issues with the photos purpose string.
Hello, I need to verify my domain and email with spf
I need to use Signin with apple with private relay service
Here is my records of DNS Service(AWS Route53)
My domain is metapocket.io
DKIM
record : sig1._domainkey.metapocket.io
value : sig1.dkim.metapocket.io.at.icloudmailadmin.com.
SPF
"v=spf1 include:zoho.com ~all"
"v=spf1 include:icloud.com ~all"
"v=spf1 include:metapocket.io ~all"
"v=spf1 include:amazonses.com ~all"
TXT
"zoho-verification=zb03635298.zmverify.zoho.com"
"apple-domain-verification=RaNdOmLeTtErSaNdNuMbErS"
"apple-domain=4oc6zwBOLpmdRGr9"
Something wrong here??
Why i got failed spf verification.. Please help me
We're using this (on a mac) to do 3rd party authentication. The completion handler is getting
Authentication session got error: [The operation couldn’t be completed. (com.apple.AuthenticationServices.WebAuthenticationSession error 1.)], in domain: [com.apple.AuthenticationServices.WebAuthenticationSession]
That seems to be generated if the auth window is closed. However... it's not being closed, so we end up spawning a second one to do it, and this one seems to work.
I have a bunch of certificate related things, along with a bunch of secure notes stored in the keychain.
These, like previously in System Preferences, don’t show up in the new Passwords app (as tested in iOS).
So before I risk losing all that information by installing Sequoia, I wonder if the KeychainAccess.app is still around, allowing me to access these items.
In case Apple is listening: do NOT remove that app, until all the critical functionality is also in Passwords, or some other app….
I'm a new app developer and I've read through most relevant posts on this topic here and elsewhere. Many of the forum posts here are specific to Objective-C, or old enough to be considered outdated in the fast-moving world of computing. Many of the posts elsewhere are about protecting authentication secrets, which doesn't apply in my case, and a lot are by someone with a product to sell, which I've ignored.
My app is 99.9% Swift and I'm not going to store any authentication secrets in the IPA. What I'd like to protect is the core mechanism of my product, which has to be included in the binary and is small (< 10k lines). I want to make it so it's harder to steal the source code than it is to recreate my functionality from scratch, which is difficult even with the app in front of them.
From what I gathered, Swift code compiled by Xcode is protected from reverse engineering / decompilation by the following:
Symbolization of the app
Native builds from Xcode destroys names of variable, functions, etc.
Swift code is compiled in such a way that makes stealing harder than Objective-C
This should make me feel better, but the threat-level is increasing with the availability of free, commercial-grade decompilers (e.g. Ghidra) and machine learning. The fact that iOS 18 supports a checkm8 (i.e. jailbreakable) device means that decrypting the IPA from memory is still trivial.
Questions
People talk about stealing authentication secrets via reverse-engineering, but is the same true for mechanisms (i.e. code)?
How common is the issue of source-code stealing in iOS apps?
Can machine learning be leveraged to make decompilation/reverse engineering easier?
Will I get rejected by App Review for obfuscating a small portion of my code?