My team is currently working on implementing passkeys and wanted to better understand the various errors that can be thrown both when creating and logging in with a passkey. To my understanding, after invoking the passkey request via the authorization controller, if an error occurs, the authorizationController(controller:didCompleteWithError:) delegate method will be called. The error will be a ASAuthorizationError, and there are a few codes listed here. The docs are a bit vague about when each of these errors can occur and what the difference is between them, so I am posting this in the hopes of gaining more clarity. The errors for which we'd like some clarification are: failed This is pretty generic, how might this code be different than the other failure reasons, and what could cause it to be thrown either for creation or for authorization? invalidResponse Does this mean that the system received an invalid response from the Relying Party? notHandled What might cause the authorization request not to be handled? notInteractive What does it mean for the authorization request to not be interactive? Does this mean that none of the specified credentialIDs are available? Finally, is it possible for both creation and authorization to throw all of these errors, or are there some that are exclusive? Any help would be appreciated, thank you.

Hello, I have a fully functional webauthn relying party that uses passkeys and I am trying to implement an iOS sdk for it. On the server, the AASA file is valid and well served at /.well-known/assetlinks.json. I verified its validity with branch.io and that it is indeed cached by Apple's CDN (https://app-site-association.cdn-apple.com/a/v1/service.domain.com), but even will all these I still get the following error when installing the app on a device and starting the passkey ceremony: Passkey authorization failed. Error: The operation couldn’t be completed. Application with identifier TEAM.com.APP is not associated with domain service.domain.com So I then checked the system log when installing the app on my iPhone, and under the swcd process (which is apparently responsible of fetching the AASA file) I found the following error: swcd: Domain is invalid. Will not attempt a download. The issue that I have is that my domain is actually an IDN, it has a special character in it. But everywhere I have used it, I converted it to ASCII (punycode). With this conversion, Apple's CDN is able to fetch the AASA file, and the passkey ceremony works fine on a browser. So I don't understand how the device (both iPhone or Mac) finds this domain to be invalid? In the app's entitlements, I added the capability for an associated domain, with webcredentials:service.domain.com with the domain name converted to ASCII (punycode) and developer mode doesn't address this issue as it appears when the app is installed (and is not related to Apple's CDN). The last thing I tried was to add the domain with special characters in the app's entitlements (for webcredentials:) but then Xcode was unable to install the app on the device, and gave the following error: Failed to verify code signature (A valid provisioning profile for this executable was not found.) which happened only with a special character in the domain in the app's entitlements. All this leaves me kind of in a dead end, I understand Xcode or iOS/macOS has a hard time with IDNs and special characters (so do I), but I have no idea on how to solve this (without changing the domain name), so I would really appreciate any help. Thanks in advance. PS: I tested all this previously with another domain without special characters and it was working. It also had dashes ('-') in it and the new domain converted to ASCII is basically a regular domain with '-' in it so I suppose there is some kind of conversion made from ASCII back to special characters and that then, the domain is considered as invalid, but this doesn't really help me a lot... PS2: My devices are running on iOS 17.4.1 and macOS 14.4.1 with Xcode 15.2

Apple revealed the ContactsAccessButton in the WWDC24 session 10121: Meet the Contact Access Button. After watching the video, reading through the documentation as well as the sample code , I can only find a SwiftUI ContactsAccessButton. However, our code base is written largely in UIKit, and our team prefers to do complex work and customization with lists via UITableView as opposed to SwiftUI List. So we would greatly prefer to use a UIKit ContactAccessButton. Is there not a UIKit equivalent to ContactsAccessButton? If there is, where can we find it?

We are currently using "Sign in with Apple for the web": https://developer.apple.com/help/account/configure-app-capabilities/configure-sign-in-with-apple-for-the-web/ but we do not publish apps on the App Store. Because of corporate re-structuring, we need to migrate to a new Apple Developer / App Store Connect account. So we are looking to migrate "Sign in with Apple" users to the new account. Apple does provide guides on how to do it: https://developer.apple.com/documentation/technotes/tn3159-migrating-sign-in-with-apple-users-for-an-app-transfer but unfortunately, it only works if "Sign in with Apple" is used with an app published on the App Store (it requires app transfer). Who should we handle this case? Please help.

Anyone found a fix?

In the 'notes' app, users are allowed to set custom passwords to restrict other people who may know your device password from accessing it. However, in the 'lock and hide app', there is no support for custom passwords to prevent people who may know your device password from accessing your privacy. For example, your wife. Why is it necessary to allow certain places in the settings, such as permission settings and privacy reports, to still be able to view hidden apps after hiding them, instead of completely hiding them?

I have an Endpoint system extension that, in theory, receives XProtect alerts. I regularly see XProtectPluginService starting programs like XProtecteRemediatorSheepSwap on my Mac. I would love to be able to put one or more files/bundles on my Mac that triggers the detectors, so I can see the alerts go from the Endpoint system extension through to the UI. Does Apple have or recommend a way (short of being infected) for triggering the XProtect detectors for testing?

Great post https://security.apple.com/blog/private-cloud-compute/ and I'd love to get on the action to help as a security researcher. There is a call to action, but it seems to be postponed until "after PCC becomes available in beta". Who at Apple should I keep in touch with and what is the best way to communite with that team. Thanks, François Proulx Software Supply Chain Security Research Lead at BoostSecurity.io

How do I add a privacy policy URL to an app?

While I am super happy to finally see an app outside Settings to manage passwords, it seems that some entries do not allow editing/adding of a website, eg. But some do: Anyone know why?

I have an application developed in QT in C++ and using Objective-C++ (.mm) as the native language for compiling IOs. In this application I need to access the configuration profiles installed on the iPhone (e.g. -> .pfx digital certificate) as I do successfully on MacOS using the keychain certificate. I am using the following code to try to search for the certificate in my .mm file: NSDictionary *query = @{ (id)kSecClass: (id)kSecClassCertificate, (id)kSecMatchLimit: (id)kSecMatchLimitAll, (id)kSecReturnRef: @YES, }; CFTypeRef result = NULL; OSStatus status = SecItemCopyMatching((CFDictionaryRef)query, &result); if (status == errSecSuccess) { NSArray *response = (__bridge_transfer NSArray *)result; for (id r in response) { qDebug() << "ok"; } } else { qDebug() << "error certificate: " << status; } Running this code always returns: error certificate: -25300 (errSecItemNotFound). Even with configuration profiles installed on the iPhone, they are listed in the tab VPN Management and Device -> Configuration Profiles. I would like to clarify some points such as: Is it possible to access the certificates installed on the IOs, list them and use them in digital signatures as I have already done successfully on MacOS (using the <Security/Security.h> lib in C++)? If it is possible, what would the code be like to list the installed configuration profiles and use their private key to sign the hash of a document? Is there any further configuration needed in the project architecture? For example: In XCode, I went to target -> Capability -> I added the Keychain sharing capability.

Hello, I am developing a smartcard CTK extension for macOS. I have trouble to smartcard logon the first time after a reboot or a logout (e.g. when there is the text "Your password is required to enable touch id"). Trouble = I'm not asked for the PIN. But time to time after a logout (from whatever account), I can login with the smartcard. After a lockscreen I can always login with the smartcard. Is there an easy way to debug the logon process ? Regards, ++dom

The release notes state the following: To protect users’ privacy, app group containers (in ~/Library/Group Containers) are now protected by System Integrity Protection. This is similar to the protection added to app data containers in macOS Sonoma. An app that’s properly entitled for an app group continues to have access to the app group container. Specifically, the app must use FileManager to get the app group container path and meet one of the following requirements: the app is deployed through Mac App Store; the app group identifier is prefixed with the app’s Team ID; or the app group identifier is authorised by a provisioning profile embedded within the app. If the app doesn’t meet these requirements, the system might present the user a prompt to authorize the app’s use of the app group container. If granted, that consent applies only for the duration of that app instance. This restriction also applies to app extensions, although in that case the system won’t prompt the user for consent but will instead just deny the access. (114586798) We have a helper app which is not sandboxed (due to it requiring Accessibility access/permissions) that accesses our group container. I've tested our helper app with the current beta of macOS Sequoia 15 (24A5264n) and it still works correctly, however I'm not clear if these restrictions are actually enforced in the current beta. I've tried testing for this by accessing the group container via Terminal (with Full Disk Access disabled for Terminal), but did not get any alert mentioned in the notes (or been otherwise restricted). Are these restrictions currently enforced?

On Xcode 15.4, LAContext.biometryType had an @available attribute of visionOS 1.0. However, in Xcode 16, the @available attribute for biometryType was changed to a visionOS 2.0 minimum requirement, preventing the app from building if the minimum deployment target is earlier than visionOS 2.0. This was the attribute on Xcode 15.4: This is the attribute on Xcode 16: Feedback ID: FB13824190

Our service is using Apple device check api to prevent fraud happening. https://developer.apple.com/documentation/devicecheck/accessing-and-modifying-per-device-data But there is SSL connection timeout happen from June 1st. /app $ curl --connect-timeout 5 -v https://api.devicecheck.apple.com Trying 17.33.193.105:443... Connected to api.devicecheck.apple.com (17.33.193.105) port 443 (#0) ALPN, offering h2 ALPN, offering http/1.1 successfully set certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none TLSv1.3 (OUT), TLS handshake, Client hello (1): SSL connection timeout Closing connection 0 curl: (28) SSL connection timeout Does apply add access limitation for specific ips?

Hello all, I'm looking for clarification on the functionality of Full Disk Access (FDA) in macOS. To illustrate my case, consider the following simple example program: #include <stdio.h> #include <string.h> #include <errno.h> int main(void) { const char *filePath = "/Library/Preferences/com.apple.TimeMachine.plist"; // Try to open the file FILE *file = fopen(filePath, "r"); if (file == NULL) { // If there is an error opening the file, print the error and exit printf("Error opening file %s: %s\n", filePath, strerror(errno)); return 1; } fclose(file); // If we reached here, the file was successfully opened printf("File %s opened successfully\n", filePath); return 0; } When this program is built and executed in Terminal.app with Terminal having FDA, the file opens successfully. Conversely, when FDA is revoked from Terminal and granted to the program, an error occurs due to insufficient privileges. Interestingly, building and executing the program within Xcode, without Xcode having FDA, but granting FDA to the resulting binary (either debug or release), allows the file to open successfully. Which is what I would expect for the above case as well. Running the same binary (with FDA enabled), which runs successfully within Xcode, in Terminal yields an error message. So, I have the following questions based on these observations: Why does the program access the file successfully when run from within Xcode, despite Xcode lacking FDA? Why does the program fail to access the file when run from Terminal without FDA, even though the program itself has FDA? What is the precise relationship between a parent process and its child process concerning FDA? These tests were conducted on macOS 14.5 with Xcode 15.4. Thanks in advance!

Hello, I have some questions. I need to use Signin in with apple with private email relay service When last week. Suddenly Apple Login didn't work on Web and I check my Service IDS on apple developer page, i got this message Depending on your product, you may need to configure multiple components for Sign in with Apple – From registering domains for Web Authentication to providing email sources to communicate with your users through the Private Email Relay service. I register my domain and email on Configure Sign in with Apple for Email Communication I use AWS Route53 and AWS SES(Simple Email Service) This is my DNS record of DKIM, SPF, MX ● DKIM record : sig1._domainkey.metapocket.io value : sig1.dkim.example.com.at.icloudmailadmin.com. ● SPF value : "v=spf1 include:icloud.com ~all" ● MX value &gt; 10 mx02.mail.icloud.com 10 mx01.mail.icloud.com Some wrong on my configuration of DNS ? I register on 5days ago, but status if failed now And how long does take of verification? My web service is error now

With the ScreenTime API Apple talks a lot about their focus on privacy and the data not leaving the device. Does that mean there would be a problem with an app where the users ScreenTime data is shared to a custom backend? Could this potentially cause an app to be rejected from the AppStore?

Is there a Description key for an app to explain why it's requesting Accessibility permissions?

[quote='751689021, Vlobe42, /thread/751689, /profile/Vlobe42'] this is an email I have sent to Apple with no luck: Dear Apple Developer Support Team, I am writing to seek urgent assistance with a persistent issue I have been encountering with Xcode. For several months now, every time I connect my iPhone to Xcode for development purposes, it automatically overwrites the user data of my apps with an old, seemingly random container. This issue is severely impacting my ability to continue development, as I cannot test new changes effectively. This occurs since a few months in every iOS and Xcode/macOS Version. I tried it with different Apps and Devices. Sometimes the entire Container (Documents) gets read only access so no new data can be created or changed by the user. I frequently used the replace container feature on Xcode so maybe this has something to do with it. This problem persists despite numerous attempts to resolve it on my end. I am at a critical point in my development timeline, and it is crucial for me to resolve this as soon as possible. Could you please advise on the next steps I should take to address this issue? If there are any logs or further information you require, I am more than willing to provide them. Thank you for your attention to this matter. I look forward to your prompt response and hope for a resolution soon. Best regards, Victor Lobe [/quote]