I am building a NEPacketTunnelProvider, and in its configuration I set a SecIdentity persistent reference. That reference is passed to the tunnel provider but when I try to use it there, I get an errSecInteractionNotAllowed error. The private key for that identity is protected by .userPresence. If I remove the protection, the network extension can access the identity and the private key.
Is there any way that a VPN network extension can use a keychain item protected by .userPresence?
Security
Secure the data your app manages and control access to your app using the Security framework.
Posts under Security tag
202 Posts
Hi,
our iOS app will use the OpenSSL library for secure WebSocket communication with network devices.
As far as I have understood, we need to provide "Export compliance documentation" because we are using a "standard encryption algorithm instead of, or in addition to, using or accessing the encryption within Apple's OS".
But the documentation here does not indicate that we need to provide anything.
Independently of that, the app needs to include a Privacy Manifest,
right? What does that look like?
Thanks in advance
Hello,
I have obtained three strings from the server: ca (the root certificate), cert (the client certificate), and privateKey (the private key) for authentication between the iOS client and server. I have successfully used ca for server authentication.
However, I am having trouble generating an NSURLCredential from the cert and privateKey strings for client authentication. Can anyone guide me on how to convert these strings into an NSURLCredential? Any example code would be greatly appreciated!
Thank you for your help!
Hi, team.
So, I'm working on reading certificates from the keychain that have been stored or saved by other apps into it.
I understand that kSecAttrAccessGroupToken allows us to achieve that.
It is a requirement to use com.apple.token group in the entitlements file.
Having done that, I cannot store SecCertificates into the keychain in that access group. I can do it without the access group, but after adding kSecAttrAccessGroup: kSecAttrAccessGroupToken to the dictionary, I can no longer add certificates.
I get the famous -34018. No entitlement found.
However, when I try to read certificates in the same access group, I do not get a -34018 error back. I instead get a -25300, which I understand means no keychain item was found in this access group.
How can this be happening?
Reading with the entitlement works; writing does not.
Here are my queries:
For adding:
    // Add the certificate to the shared token access group
    let addQuery = [
        kSecClass: kSecClassCertificate,
        kSecValueRef: secCertificate as Any,
        kSecAttrLabel: certificateName,
        kSecAttrAccessGroup: kSecAttrAccessGroupToken
    ] as [CFString: Any]
    let status = SecItemAdd(addQuery as CFDictionary, nil)
For reading:
    // Return every certificate visible in the token access group
    var item: CFTypeRef?
    let query = [
        kSecClass: kSecClassCertificate,
        kSecMatchLimit: kSecMatchLimitAll,
        kSecReturnRef: kCFBooleanTrue as Any,
        kSecAttrAccessGroup: kSecAttrAccessGroupToken
    ] as [CFString: Any]
    let status = SecItemCopyMatching(query as CFDictionary, &item)
I have read that iOS data protection ensures that most files are stored encrypted. However, I saw someone insisting (Elcomsoft blog) that very few files are not encrypted. Are an app's cache files or tmp files not stored encrypted? For example, are Safari's History.db file and cache files stored encrypted in flash?
Hello!
My company makes use of SSL interception for its managed laptops (for various information security reasons). We've yet to find a good solution to avoid SSL cert errors in the Xcode Preview app. We've successfully installed/trusted our certs in the Xcode Simulator, but can't find any information on how to do the equivalent for the Xcode Preview. The inability to make use of the Preview App profoundly impacts productivity.
It appears the Xcode Preview doesn't share the same certificate store as the Simulator, nor does it make use of the Mac's system keychain (where the certificates are also installed and trusted). If there’s anyone you can think of who might know a way around this issue it would be greatly appreciated.
Many thanks!
Hi, I'm leveraging ASAuthorizationSecurityKeyPublicKeyCredentialProvider to authenticate users to an internal service using security keys or passkeys. I'm not using Sign in with Apple; registration is done in another internal service. We're using associated domains. This is on macOS only.
I'm wondering whether I can programmatically determine whether the user already has a passkey enrolled with our super-secret-internal-service.com domain.
The reason I'm asking is simply better UX: if the user doesn't have a passkey enrolled, I'd like to avoid offering them the option to use a platform authenticator and only offer them to tap their security key. We can assume that all users already have their security keys enrolled.
So something like the following:
    let securityKeyProvider = ASAuthorizationSecurityKeyPublicKeyCredentialProvider(relyingPartyIdentifier: options.rpId)
    let securityKeyRequest = securityKeyProvider.createCredentialAssertionRequest(challenge: options.challenge.data(using: .utf8) ?? Data())
    let platformProvider = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: options.rpId)
    let platformKeyRequest = platformProvider.createCredentialAssertionRequest(challenge: options.challenge.data(using: .utf8) ?? Data())

    // Always offer the security key; only add the platform (passkey) request if the user has one enrolled
    var authRequests: [ASAuthorizationRequest] = [securityKeyRequest]
    if userHasPasskeyForDomain("super-secret-internal-service.com") { // TODO how do I check this??
        authRequests.append(platformKeyRequest)
    }
    let authController = ASAuthorizationController(authorizationRequests: authRequests)
Many thanks!
Hello. I’m running the 18.3 beta on a 15 Pro and have noticed the green camera indicator light turns on when I switch apps. I also am unable to use my flashlight until it turns off (usually a second or two). I’ve checked my privacy and access settings and nothing looks out of the norm. I’ve also closed all running apps, but the issue continues.
I'm trying to set up a configuration profile on a supervised device for a kid's phone. I want to force a VPN 100% of the time except for local network activity and some specific domains. Or at the very least, have a few apps go outside the tunnel.
Apple makes this IMPOSSIBLE even though according to the documentation it should be possible. The IKEv2 VPN type has a key "OnDemandUserOverrideDisabled" which is supposed to prevent a user from toggling off the VPN, which obviously defeats the purpose of having it. However, as other users have posted, this DOES NOT WORK. So anyone can just turn off the VPN and be connected to the internet unprotected.
On the "AlwaysOn" VPN type, the element "ApplicationExceptions", which would allow you to list a few applications that can go outside the tunnel, DOES NOT WORK. This is critical because so many domains automatically block VPN servers and it's a huge pain. Local network activity also gets blocked, which makes it impossible to connect to local devices. And there's no split tunneling possible with this VPN type.
So basically, it's impossible. I WOULDN'T BE SURPRISED IF APPLE DID THIS INTENTIONALLY TO KEEP KIDS ADDICTED AND IN DANGER SO THEY USE THE PHONE MORE.
I have code where we're evaluating SSL certificates in sec_protocol_options_set_verify_block. We have the following code:
    // Obtain the SecTrust for the connection and evaluate it against the default policy
    let secTrust = sec_trust_copy_ref(trust).takeRetainedValue()
    isValidCertificate = SecTrustEvaluateWithError(secTrust, &error)
I'm getting the error that the maximum temporal validity period has been exceeded:
Error Domain=NSOSStatusErrorDomain Code=-67901 "“server.com” certificate is not standards compliant" UserInfo={NSLocalizedDescription=“server.com” certificate is not standards compliant, NSUnderlyingError=0x300ddd350 {Error Domain=NSOSStatusErrorDomain Code=-67901 "Certificate 0 “server.com” has errors: Certificate exceeds maximum temporal validity period;" UserInfo={NSLocalizedDescription=Certificate 0 “server.com” has errors: Certificate exceeds maximum temporal validity period;}}}
When I inspect the certificate, it's valid for 394 days (4/16/2024 through 5/15/2025) and other than being a wildcard certificate, should be fully trusted. I can't find any information about this specific error. Is Apple requiring SSL certs to be less than 398 days now?
Which brings me to the second part: we're OK using this to work around it:
    // Record the current failures as exceptions and apply them to the trust object
    var trustFailureExceptions: CFData? = SecTrustCopyExceptions(secTrust)
    SecTrustSetExceptions(secTrust, trustFailureExceptions)
But I haven't found any way to inspect trustFailureExceptions to ensure it covers only this specific error. I'm concerned that otherwise this is going to open up validity exceptions for any certificate problem, which is definitely not what I want to do.
I am developing an iOS app, which uses a ZipFoundation wrapper around Compression. In Xcode, I have exported a document type with extension '.MU' in the Info.plist.
On iPhone, when attempting to open an archive called 'Snapshot-test.mu', it
can OPEN as a mobile email attachment
but FAILED via the Files app referring to "iCloud Drive/Desktop".
Here are the respective URLs:
"file:///private/var/mobile/Containers/Data/Application/<UniqueID>/Documents/Inbox/Snapshot-test.mu"
"file:///private/var/mobile/Library/Mobile%20Documents/com~apple~CloudDocs/Desktop/Snapshot-test1.mu"
Two questions:
Is it possible to grant access to files residing remotely in iCloud?
Is "iCloud Drive/Desktop" unique, whereas other iCloud locations would be OK?
I'm working on replacing an AppKit-based Mac app with one built on Catalyst, and the Catalyst app doesn't seem to be able to read the keychain item that was saved by the old app.
Both apps are using the same bundle ID. The old app uses the old SecKeychain APIs (SecKeychainFindGenericPassword and friends) and the Catalyst app uses the newer SecItemCopyMatching and such. When I try using the new API in the old app to search for the entry, it works, but the exact same code in Catalyst fails.
Here's how I save an item in the old app:
    NSString *strItemId = @"my_item_id";
    NSString *username = @"user";
    const char *userPointer = [username UTF8String];
    NSString *password = @"password";
    const char *pwPointer = [password UTF8String];
    SecKeychainItemRef ref = NULL;
    // Look for an existing generic-password item with this service name in the default keychain
    OSStatus status = SecKeychainFindGenericPassword(NULL, (UInt32)strlen(strItemId.UTF8String), strItemId.UTF8String, 0, NULL, NULL, NULL, &ref);
    if (status == errSecSuccess && ref != NULL)
    {
        // Update existing item: replace the account attribute and the password data
        SecKeychainAttribute attr;
        attr.length = (UInt32)strlen(userPointer);
        attr.data = (void *)userPointer;
        attr.tag = kSecAccountItemAttr;
        SecKeychainAttributeList list;
        list.count = 1;
        list.attr = &attr;
        OSStatus writeStatus = SecKeychainItemModifyAttributesAndData(ref, &list, (UInt32)strlen(pwPointer), pwPointer);
        CFRelease(ref);
    }
    else
    {
        // No existing item: create a new generic-password item
        status = SecKeychainAddGenericPassword(NULL, (UInt32)strlen(strItemId.UTF8String), strItemId.UTF8String, (UInt32)strlen(userPointer), userPointer, (UInt32)strlen(pwPointer), pwPointer, NULL);
    }
And here's the query code that works in the old app but returns errSecItemNotFound in Catalyst:
    // Query for the generic-password item by service name, returning its attributes
    NSMutableDictionary *queryDict = [[[NSMutableDictionary alloc] init] autorelease];
    [queryDict setObject:(__bridge id)kSecClassGenericPassword forKey:(__bridge id)kSecClass];
    [queryDict setObject:@"my_item_id" forKey:(__bridge id)kSecAttrService];
    [queryDict setObject:(__bridge id)kSecMatchLimitOne forKey:(__bridge id)kSecMatchLimit];
    [queryDict setObject:(__bridge id)kCFBooleanTrue forKey:(__bridge id)kSecReturnAttributes];
    CFMutableDictionaryRef outDictionary = NULL;
    OSStatus err = SecItemCopyMatching((__bridge CFDictionaryRef)queryDict, (CFTypeRef *)&outDictionary);
I tried creating a new blank AppKit-based Mac app project in Xcode and gave it the old Mac app's bundle ID, and the SecItemCopyMatching query code above works there. Then I created a new iOS target with Catalyst enabled, also with the same bundle ID, and the query code running there under Catalyst returned errSecItemNotFound. So maybe the issue is something specific to Catalyst?
Is there something I need to do with the Catalyst app to give it access to the old app's keychain entry, besides setting its bundle ID to match the old app?
Yes, there is a Keychain Access app available on Sequoia (in System/Library/CoreServices/Applications), but it is not the old one; secure notes can neither be created nor retrieved. All of my old secure notes appear to be lost. Yes, I can make new secure notes in the Notes app, but my old secure notes cannot be transferred because they no longer exist.
I locked a few apps like YouTube and my browser with the new App Lock feature in iOS 18, and all works well if I open the app from the home screen. The problem appears if the app is closed completely and I open a link that gets opened in the locked app. Then the App Lock gets bypassed and the app opens completely without authentication.
I see that all of my passwords moved from both the login and iCloud keychains to the Passwords app.
The API that worked, SecItemCopyMatching, now returns -25300, aka not found.
What's the API to access passwords in Sequoia?
Hi,
I implemented MFA (2FA) with email OTP for the macOS login screen using an authorization plugin, based on this GitHub project. It is working for the login screen. I'm trying to add the same plugin for the lock screen, but it is not working at the lock screen. Below is the reference thread for the issue:
https://developer.apple.com/forums/thread/127614
Please share the code that should present the NSWindow at the screen saver (lock screen) on macOS.
I'm currently exploring Apple's Auth-Plugin extension and have modified the authdb to log in to a Mac device without using the default login password.
Specifically, I am replacing builtin:authenticate,privileged with a custom privileged mechanism that authenticates the user and grants desktop access based on our custom logic.
However, this approach does not unlock the user's Keychain. Since I'm bypassing the login password, the Keychain remains locked. I'm considering whether a certificate-based persistent token could be used to unlock the Keychain.
Is this approach recommended, or is there a more suitable solution, such as using CryptoTokenKit or another available API?
Hi, I need to import a trusted certificate to the system keychain without prompting the user. I’m importing the certificate with this command line: sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" <certificate>, which runs from the post-install script of my PKG.
I'm running the PKG from my daemon service.
The certificate is imported to the keychain but it's not trusted. This is the error that I'm getting: SecTrustSettingsSetTrustSettings: The authorization was denied since no user interaction was possible.
What is the right way of doing it?
Thanks
NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “domain” which could put your confidential information at risk., _kCFStreamErrorDomainKey=3,
Xcode: 15.4 simulator iOS version: 17.5
In Info.plist I have this: NSAppTransportSecurity with NSAllowsArbitraryLoads.
Note: The server certificate is valid.
I'm encountering an issue after upgrading to macOS Sequoia when trying to import a PKCS12 certificate. The following code, which worked fine on previous macOS versions, now returns an error code -25293 (errSecAuthFailed):
    // Import the PKCS#12 blob with an empty passphrase
    NSDictionary *options = @{(__bridge id)kSecImportExportPassphrase: @""};
    CFArrayRef items = NULL;
    OSStatus status = SecPKCS12Import((__bridge CFDataRef)pkcs12Data, (__bridge CFDictionaryRef)options, &items);
The same build, using the same certificate and import process, works perfectly on earlier versions of macOS. Has anyone else experienced this issue or found a workaround for certificate imports on macOS Sequoia?