Hi All,Just a quick question regarding the upgraded Touch ID and local authentication capabilities.I want to use the built-in fingerprint scanner on a iPad to allow multiple people to log into a custom application, what i want to do is to try and use the fingerprint scanner to save/recall user info that i want to store within my application.as example, an employee picks up an iPad, and by using the fingerprint scanner, while in the an application, the application should read the fingerprint of the employee and match that to a local database, if successful match, it will log the user into the application and display that user's specific information.Would something like this be possible? any other suggestions would really be appreciated as i have everything else working as needed , except for the biometric side.Thank you.

Have an app I'm working on that stores an item in the keychain. Everything was was working fine. I have a button in the UI that allows the user to clear out the keychain item:NSDictionary *query = @{(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword, (__bridge id)kSecAttrService: service, (__bridge id)kSecAttrAccount: accountKey}; OSStatus status = SecItemDelete((__bridge CFDictionaryRef)(query));Status is -25244 which is errSecInvalidOwnerEdit. This app created the keychain item to begin with. What would be the appropriate way to handle this type of error?

I made a javascript cloud app that runs on a webpage in a webview on my iPad app that communicates via WebSocket connection but it only works when im on my http site and not https or else I get an CFNetwork SSLHandshake failed (-9806) error in Xcode and on the website it says time out during handshake.Is this because the webserver on the iPad is running on HTTP instead of HTTPS?JAVASCRIPT CLOUD APPThis part in the cloud is working for HTTP when connecting to the web server on the iPad.var protocol = "ws"; if (this.useSecureConnection) protocol = "wss"; var url = protocol+'://localhost:'+this.port+'/service'; this.connection = new WebSocket(url);Xcode iOS iPad App (Objective-C)I thought that was the issue so I tried to enable HTTPS but I am not sure what to create for the "sslIdentityAndCertificates" method.- (BOOL)isSecureServer { HTTPLogTrace(); // Override me to create an https server... return YES; } /* * This method is expected to returns an array appropriate for use in kCFStreamSSLCertificates SSL Settings. * It should be an array of SecCertificateRefs except for the first element in the array, which is a SecIdentityRef. **/ - (NSArray *)sslIdentityAndCertificates{ HTTPLogTrace(); return nil; }Some of the other posts I have seen use APIs that are only available on Mac and not iOS.I tried several combinations of ATS permissions as well. All resulted in HTTPS not allowing for WebSocket connection.Any help is greatly appreciated! 🙂More Info:The cloud hosted webapp was built to be used on different devices as a webpage but we needed to add support for bluetooth to connect to a 3rd party hardware. To do that we needed to create a native "wrapper" for the webapp that would get bluetooth messages and process/send messages to the webapp in the webview via webSocket. This allows for the web app to use the bluetooth tool.

I'm createing RSA public and private key pairs like below.var statusCode: OSStatus var publicKey: SecKey? var privateKey: SecKey? let publicKeyAttribute: [NSObject : NSObject] = [kSecAttrIsPermanent: true as NSObject, kSecAttrApplicationTag: "com.anu.keys.apppublic".data(using: String.Encoding.utf8)! as NSObject] let privateKeyAtrribute: [NSObject: NSObject] = [kSecAttrIsPermanent: true as NSObject, kSecAttrApplicationTag: "com.anu.keys.appprivate".data(using: String.Encoding.utf8)! as NSObject] var keyPairAttr = [NSObject: Any]() keyPairAttr[kSecAttrType] = kSecAttrKeyTypeRSA keyPairAttr[kSecAttrKeySizeInBits] = 2048 keyPairAttr[kSecReturnData] = true keyPairAttr[kSecPublicKeyAttrs] = publicKeyAttribute keyPairAttr[kSecPrivateKeyAttrs] = privateKeyAtrribute statusCode = SecKeyGeneratePair(keyPairAttr as CFDictionary, &publicKey, &privateKey)This generates two keys properly and keys are like below,public key<SecKeyRef algorithm id: 1, key type: RSAPublicKey, version: 4, block size: 2048 bits, exponent: {hex: 10001, decimal: 65537}, modulus: B4854E2DA6BA5EBC96C38BD44078D314E4504D130A03018ACD17D0F6679C3B6C9937B5D932A635AEAC32B9245EC400208C1F79932174EF804468D0DCE40DAF5B544CF9E4BCD7C49BA5D0BF3F8246B89B57A3A910CBB5200DCA6145E3EE216CE9C4A3283F1027AA15F7543BD3BEFF35BE24EE709CF8EB12545970AFFDA38CA11410ECA20A8F428D228ED07BF5399A2F55D93D7C143BAFA59A08E4FF932C3A689FA7F3F166B79A43837028319CB383F716B594F317ED6E20D7A8003190A13BC132D5B13708EDAEA3E2012B16CF37437BB617070D9A6DDFE55884A79BD530E4E654B823A8BBBF0AA777C8E46E94BD83E1C59EC6E1D34E69405640C309515243AA8D, addr: 0x608000420e80>private key<SecKeyRef algorithm id: 1, key type: RSAPrivateKey, version: 4, block size: 2048 bits, addr: 0x60000003b960>But I cannot use those keys with any other platforms such as .net or android. it says invalid key format. in android the key can see like below,***** key-----BEGIN RSA PUBLIC KEY----- MIIBCgKCAQEA0bipoOhkkvPxcsyOzcqsIUeVe0+iwe8W7N4EbHZMgujRERu1TPpy UcCO0uuKmm1TU09Kl40rRvDbtgB1YcGV3FPnNp3sOyFVsdyZ5bzxZtyyLrSWtj/n bLnGwaG9xJSwd2R/pTQLzOLV5KldwD2eUb3Z4Z4e9Z8II7eWgGaCLLqbrtEAa05N EqARckxrzJ1S3j+59h4AQovF72KI90/kRPryT2OGDiVlJ6CTjn2ZnTYcx65X6Rwf AeJKHZAGhw96j9tXyS+dJcXy4IBUTi3PXw0aEfhHQr/JsSHuMp/8mrhVJEokXb1C gKDZgJXujpGhCBdztHBAJxLBQMlODg7srwIDAQAB -----END RSA PUBLIC KEY-----Private key-----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAsfxMagVKY5++61Kot0esyhEOesqyQlZNvWbqMBcOoaOAb3pk LvwaGJ2YtD12u4yDEKcY5rpX7B/2t8GBHf+74NG47zAutf4Gf6qgQRUmIx2b7i4k WBt3KIifb/Zfs9KVJLhD4007bg1OtXA4kIhhXiuvhajDjDLOEthogF45CkJe+N67 JnH5hVW5CqBxPyRCrWCFbEHcXs5H515JV/Kz1+JVrB2/M03fW751wptO2GdGwsde ofqQzY+WUzqUihXigIjAVLFRemky3HpwuhzXUJn6A0ZD4tkk1JLstpSSJdBpH+L2 b9QlOitehxFgRsYmto+idpD1XrS9UyUtmpbTuwIDAQABAoIBAQCYvrAJcJ7lnmtn Ytm96LoF89tcT+Xpfk1bFR43xSHeYAXSJdQiamIu69joHbNuwuib+vsoz5Sy5L+D 9YHMb/MZvoIaa1w6/VUwbQr4r6C6FCgEoP65ymBZnd5OZL6/ASLTj3tbb6VoDe2V UkiI6TG+cnlAmJOxFsy5aZVNTQ9gmCMS0+AdpTbDsxTPg3y0EKFXeVRyKjq0lO9m p3G5yHkFjzWWY6s5XHx27gDTt8eXg/un72Qsz1rh5iUnAoxrga0Oco3Yk9DMvMwz a1I1Lo5fpB6FbTGX3k24heSnLDFEnlBvsBBg0g/n/qgwoZJ81MgG8Q4kAfeScuCI sYVnHEBpAoGBAOpnrKEkyhk1rXG4Md+z1/odhqx89mV7mF1ttW4IhFcwpJSMohsG r27Ic87whkpRxz2Mwj3B5WPGne4UkbvniH46n3jEW7ZIUF+ASVWkjMaGJWtOqSLC I19Snie9WvpREwaCVuvT2l4IeM1WL5gKotBwa3csZgGYH6gcyW5Ipbo/AoGBAMJh /+WXbohF4+A989q0jYjRRhKwUJAYeK8/AePrx8MnAXnRd09TiqeGn0Xig/RNZ0RE 96/TC1dTIBIHk5aDMy3vQhhYF0KbwcQWmCOnGo1qNTTaWTa3UitFMWf0hO0HuZtp RyD1YwhHP0W2tiK2GVjCreqIYASCpYKLq5Qq1K+FAoGARk2h8RLfqn/27UyZaMa/ 2DxS0BkKrZVMNXlaGQ5k4uGr+wHS/NgcddWZJk/tdwzf/Q3ilDM7YZmIdIemzfy7 a2CZw9bgyuMVeA85733S2xgQ0QZepBYmFcjptnGMf9chJaqh90krDVjtImjfDXLj MjEFilC+p2vA0uMPZwxS6HECgYAc5dLUQBoHmlRRTwSEvBjagToopxujAHBYpUZT qwbMpWzbvl89ZM8VLrdY/V7en+89P/+OnRJvjgUTiRrQ4npmVs59rgLvPRamXzGJ A1u4MFTuoZNnxgMqOaQprzlfv6lBSHpxlOl/HpByfcJAENBd2LtgRZv4r6+JY9hD M8bgvQKBgCDTSCLj5c1CYyuJMdrz9L5+xLFmrmL48djhK460ZcmcZ/gP808CyXx/ sDneow+JWt7Jb3p5zyUvvq1aDGNSsn4plB2rg7AqtoHcZYyFFZGI/K/b6JZna1yu FUYOfcanunabxY1wPQxuvR+AEuufBjB0aKg+qkLCCN1HYQtLs+N8 -----END RSA PRIVATE KEY-----why is this. why ios(Apple) cannot provide standard public/private keys that can use with rest APIs and with other platforms. I don't want to use any third party libraries. hope your help with this.

I store certificate (as SecIdentity ) in keychain because my application needs clientCertficate.I know when a User uninstall application, keychian content still exist.But in My application, I manage userInformation client certificate and CoreData.So, I want to delete keychain content when user uninstall application for not occering mismatch between Keychain and CoreData.Is it possible to do above ?Or should I delete keychain content when the app re-installed ?

I have been working on integrating Touch ID in my iOS application. If the multiple fingerprints are registered at the OS level.Is there anyway to know which fingerprint was scanned. (not the fingerprint infodata just like a unique key)For example :- There are three fingerprint in the iOS DeviceIf fingerprint one is scanned then perform Task A.If fingerprint two is scanned then perform Task C.If fingerprint Three is scanned then perform Task B.

On MacOSX 10.14 (Mojave) the behavior changed, the following code runs on 10.13 but fail on 10.14.The creation of "CGEventTapCreate" is failing (returning null) on Mojave but works before.Any thoughts? Thanks in advance!// alterkeys.c // http://osxbook.com // // Complile using the following command line: // clang -Wall -o alterkeys alterkeys.c -framework ApplicationServices // #include <ApplicationServices/ApplicationServices.h> // This callback will be invoked every time there is a keystroke. // CGEventRef myCGEventCallback(CGEventTapProxy proxy, CGEventType type, CGEventRef event, void *refcon) { // Paranoid sanity check. if ((type != kCGEventKeyDown) && (type != kCGEventKeyUp)) return event; // The incoming keycode. CGKeyCode keycode = (CGKeyCode)CGEventGetIntegerValueField( event, kCGKeyboardEventKeycode); // Swap 'a' (keycode=0) and 'z' (keycode=6). if (keycode == (CGKeyCode)0) keycode = (CGKeyCode)6; else if (keycode == (CGKeyCode)6) keycode = (CGKeyCode)0; // Set the modified keycode field in the event. CGEventSetIntegerValueField( event, kCGKeyboardEventKeycode, (int64_t)keycode); // We must return the event for it to be useful. return event; } int main(void) { CGEventMask eventMask = CGEventMaskBit(kCGEventLeftMouseDown) | CGEventMaskBit(kCGEventLeftMouseUp); CFMachPortRef eventTap = CGEventTapCreate(kCGSessionEventTap, kCGHeadInsertEventTap, 0, eventMask, myCGEventCallback, NULL); if (!eventTap) { fprintf(stderr, "failed to create event tap\n"); exit(1); } // Create a run loop source. CFRunLoopSourceRef runLoopSource = CFMachPortCreateRunLoopSource( kCFAllocatorDefault, eventTap, 0); // Add to the current run loop. CFRunLoopAddSource(CFRunLoopGetCurrent(), runLoopSource, kCFRunLoopCommonModes); // Enable the event tap. CGEventTapEnable(eventTap, true); // Set it all running. CFRunLoopRun(); // In a real program, one would have arranged for cleaning up. exit(0); }

Hello,I have a local WebSocket server running inside an iOS app on iOS 13+. I'm using Swift NIO Transport Services for the server.I'm using NWProtocolTLS.Options from Network framework to specify TLS options for my server.I am providing my server as an XCFramework and want to let users to be able to specify different parameters when launching the server.For specifiying the TLS supported version, everything is working fine by using :public func sec_protocol_options_set_max_tls_protocol_version(_ options: sec_protocol_options_t, _ version: tls_protocol_version_t) public func sec_protocol_options_set_min_tls_protocol_version(_ options: sec_protocol_options_t, _ version: tls_protocol_version_t)But I also want to be able to specify some cipher suites. I saw that I can use :public func sec_protocol_options_append_tls_ciphersuite(_ options: sec_protocol_options_t, _ ciphersuite: tls_ciphersuite_t)But it seems that some cipher suites are enabled by default and I can't restrict the cipher suites just to the ones I want, I can just append others.NWProtocolTLS.Options class has an init() function which states "Initializes a default set of TLS connection options" on Apple documentation.So my question is, is there a way to know what TLS parameters this initialization does ? Especially the list of cipher suites enabled by default ? Because I can't find any information about it from my research. I used a tool to test handshake with my server to discover the cipher suites supported and enabled by default but I don't think it is a good way to be sure about this information.And is there a way to specify only cipher suites I want to be supported by my server by using NWProtocolTLS.Options ?Thank you in advance,Christophe

Hi, https://opensource.apple.com/source/HTTPServer/HTTPServer-11/CocoaHTTPServer/Vendor/CocoaAsyncSocket/GCDAsyncSocket.m.auto.html I am getting security threat in GCDAsyncSocket.m class file  There are 13 occurrences of memcpy() function which is an insecure function acc to security tool. Below is the issue description and reference links from security team. Issue description : Use of insecure functions/potential dangerous functions Reference link: CWE-676: Use of Potentially Dangerous Function This would explain why SECURITY TEAM is recommending the change of these functions. Please provide solution for this as soon as possible as it is very urgent. Thanks and Regards, Priya Mehndiratta

At my app I have a SecKey which I want to sign some Data with it, and at my sever I need to do the verification process, but this time with openSSL. I didn't find any common key or any steps to achieve this between Apple Security framework and OpenSSL. For example, I've tried the following: Signing (Apple Security): let signedStrCFData = SecKeyCreateSignature(key, .rsaSignatureRaw, plaintextData, &error) Verifying (OpenSSL): ret = RSAverify(NIDrsaSignature, (const unsigned char *)challenge, (unsigned int)strlen(challenge), challengeenc, challengeenc_size, rsa); Which key to choose is not really important to me (as long as it's a reasonable signing key), so I tried multiple types of keys, but I wasn't able to do it. Any idea what I'm missing here?

Hello, we trying to develop passwordless flow in the browser, but when we invoke navigator.credentials.create, it resolves an empty object {}. We acquired options from StrongKey server and parsed them in navigator options as was shown on wwdc20-10670 demo. An excerpt of source code is below: { 		publicKey: { 				rp: {name: queryParams.rpName}, 				user: { 						name: queryParams.userName, 						id: toUint8Array(queryParams.userId), 						displayName: queryParams.displayName 				}, 				pubKeyCredParams: [{type: "public-key", alg: -7}], 				challenge: toUint8Array(queryParams.challenge), 				authenticatorSelection: {authenticatorAttachment: "platform",}, 				attestation: "direct" 		} } The user is requested to proceed with TouchID/FaceID/etc. and everything looks as expected, but the returned value is empty. We have tested the flow in the latest Chrome, Safari and Safari for iOS. Has anyone encountered this behavior as well?

I'm developing a macOS app that will usually be running in a non-admin user environment. But I have a screen of the app that I would like to secure so as to make it only accessible to admin users (think: parents). I can't figure out what API I'm supposed to use to prompt for specifically an ADMIN user. I've tried googling a ton, but I must be trying the wrong search terms, because I can't find anything. The API for LAContext() is almost what I want, I can get it to prompt for a password, but it seems to ONLY work for the current logged in user. I can't find a policy type that allows me to specify something like .adminUserAuthentication. It seems like LAContext() was not meant for this use case. But then, what is the right API to call to do this? Can someone point me in the right direction? I don't want to limit myself to this only working for supervised users, or users with parental controls turned on, I would like a generic solution. I've seen apps that prompt for admin credentials on regular non-admin users, so it must be possible, right?

I am developing a Java app that integrates with SmartCard reader. One of the features that I try to implement is reading/setting terminal (card reader) configuration without a tag being present on the reader. This can be done by sending so called escape codes. But to enable these escape codes we need to enable them in the driver. In case of macOS this will be SmartCardServices and the file that I should edit is: /usr/libexec/SmartCardServices/drivers/ifd-ccid.bundle/Contents/Info.plist I need to set ifdDriverOptions property to 0x0001. This procedure was described in this helpful GitHub comment https://github.com/pokusew/nfc-pcsc/issues/13 I tried to follow other instructions provided there but I hit the wall with read-only file system error. I wonder if there is an idiomatic way to change these settings. Why this is important? Sending new configuration via escape command is the only way to un-brick terminal that was (by mistake) wrongly configured.

Quinn, you've often suggested that to validate the other side of an XPC connection, we should use the audit token. But that's not available from the XPC object, whereas the PID is. So everyone uses the PID. While looking for something completely unrelated, I found this in the SecCode.h file OSStatus SecCodeCreateWithXPCMessage(xpc_object_t message, SecCSFlags flags, SecCodeRef * __nonnull CF_RETURNS_RETAINED target); Would this be the preferred way to do this now? At least from 11.0 and up. Like I said, I was looking for something completely unrelated and found this and don't have the cycles right now to try it. But it looks promising from the description and I wanted to check in with you about it in case you can say yes or no before I get a chance to test it. Thanks

In Swift, I need to create a CMS to input a web service. In Android we used 'spongycastle' https://www.bouncycastle.org/docs/pkixdocs1.4/org/bouncycastle/cms/CMSSignedData.html But I did not find a sample or solution for Swift or objective C. I also read Apple related documents https://developer.apple.com/documentation/security/cryptographic_message_syntax_services#1677736 , but still nothing special. Does anyone have experience working with a specific solution for Swift or objective C code to do this? thank you.

Hi, When attempting to perform a credential registration, I constantly get the error Application with identifier <...> is not associated with domain <domain> I've verified the following: The file is present on the required URL path https://123.com/.well-known/apple-app-site-association { "webcredentials": { "apps": [ "<PREFIX>.bundleID" ] } } Added the Capabilities to my domain Confirmed that the CA is valid and there are no redirects. Am I missing something? My device is able to properly access the file

I have created a custom username/password lock screen using SFAuthorizationPluginView. When lock the screen the view appears. The cursor start blinking in TextField. However, it always automatically dismiss in 20 second if ideal. I could see the Mechanism dealloc gets called and dismiss the view. Based on my investigation, I think the system kill the view in 20second, and there is no ways to increase that and keep the custom screen for more time. Any help will be appreciate.

I'm developing an authorization plugin to provide 2 Factor Authentication (2FA) for macOS. When FileVault is enabled, macOS Recovery prompts the user for a password to unlock FileVault FDE (Full Disk Encryption) before macOS can startup. The FDE password entered during Recovery is saved somehow so that after macOS starts up it can be used to log the user in without prompting them to re-enter their password. This feature is configurable with setting 'DisableFDEAutoLogin'. We would like our authorization plugin to implement the same behavior. The first place I thought to look for the FDE password (from within our authorization mechanism) is in Context value kAuthorizationEnvironmentPassword but it's not there. Is it possible for an authorization plugin to obtain this password the same as the standard login mechanism and if so how?

We used ecb mode before, but now we need to change to aes-gcm algorithm to encrypt and decrypt messages and verify signatures. I know that there is “/AES/GCM/NoPadding” in java to achieve gcm. Does Apple provide corresponding function libraries?

I got the permission from Apple (yay), and when I generate a profile on the portal, I can select it. But when I download it... it doesn't have it. Looking at the profile on the portal again, it says I have "Enabled Capabilities Endpoint Security, In-App Purchase". (Although how did that get there?)