Post

Replies

Boosts

Views

Activity

Reply to Keychain ACLs: Relationship between .userPresence and .devicePasscode
Sorry Quinn, I'll try to be more specific: We want the key to be usable with either biometry or device passcode - hence .userPresence - but we want to be able to decide whether to allow biometry in some cases or not. With .userPresence this does not seem to be possible out of the box since this always seems to prefer biometry if available. We tried passing a LAContext which has been used to access a (different) keychain item protected with .devicePasscode, but to no avail.
Sep ’24
Reply to CBATTErrorRequestNotSupported while transferring data between Bluetooth LE devices
Hi Argun, thank you; indeed the error occurred while trying to read from a characteristic. Here is a snippet of the log: I just assumed that if 6 was CBATTErrorRequestNotSupported then 65535 would be kBluetoothSDPErrorCodeReservedEnd. However I was able to resolve the issue. I reviewed all the changes that happened since I had it working and as it turns out the instances' type I store details about the connection in got changed from a class to a struct. This change in semantics make it very likely that the connection got dropped while the read was in process. After I changed the type back to a class everything worked as it did before.
Aug ’24
Reply to Performing manual server trust authentication
I did just that: Calling SecTrustEvaluateAsyncWithError (on a background queue) myself before calling SecTrustCopyCertificateChain (on the main queue). The latter, however, lead to Xcode printing "This method should not be called on the main thread as it may lead to UI unresponsiveness." which apparently resulted from SecTrustCopyCertificateChain calling SecTrustEvaluateIfNecessary even though I had already done that. So I ended up calling SecTrustCopyCertificateChain on the background queue as well.
Apr ’24
Reply to Performing manual server trust authentication
Sure: I am required to implement HPKP (aka. Public Key Pinning Extension for HTTP) as defined in RFC 7469 which is not supported out of the box (cf. FB5986841). Additionally I have to secure the first-ever connection as well by supporting preloaded pins, but I cannot use Identity Pinning (cf. thread and FB12333846). So I have to build everything from scratch.
Apr ’24
Reply to Performing manual server trust authentication
I see. However, doing this: Leave ATS enabled. Intercept the server trust authentication challenge (NSURLAuthenticationMethodServerTrust). Apply your extra checks. Complete the challenge with .performDefaultHandling. causes the trust evaluation to be performed after the extra checks, correct? What if I wanted to have the system check be done first - then I would to resort to calling SecTrustEvaluate myself?
Apr ’24