Hi
I've been chasing a problem in my iOS app. I'm creating hundreds of key pairs with SecKeyCreateRandomKey for several different usernames, in this case different kSecAttrApplicationTag identifiers.
After I create the key pairs I extract the public keys using SecItemCopyMatching, again hundreds of them.
The problem is that, without any logical explanation, some of those keys cannot be extracted. After chasing the issue for hours, I noticed that EVERY time I try to extract a public key and the identifier has exactly 87 chars, the public key cannot be found. It doesn't matter what content or names are used in the identifier; every time the length hits 87, SecItemCopyMatching returns -25300.
Is this some kind of limitation that is not explained in the documentation?
Thanks
Digging deeper, I noticed that several identifier sizes fail to extract the key:
[982:69528] key with 7 chars is invalid
[982:69528] key with 23 chars is invalid
[982:69528] key with 39 chars is invalid
[982:69528] key with 55 chars is invalid
[982:69528] key with 71 chars is invalid
[982:69528] key with 87 chars is invalid
[982:69528] key with 103 chars is invalid
[982:69528] key with 119 chars is invalid
[982:69528] key with 135 chars is invalid
[982:69528] key with 151 chars is invalid
[982:69528] key with 167 chars is invalid
[982:69528] key with 183 chars is invalid
[982:69528] key with 199 chars is invalid
[982:69528] key with 215 chars is invalid
[982:69528] key with 231 chars is invalid
[982:69528] key with 247 chars is invalid
[982:69528] key with 263 chars is invalid
[982:69528] key with 279 chars is invalid
[982:69528] key with 295 chars is invalid
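A way to reproduce this systematically, as an added example rather than the poster's code: the probe below creates one P-256 key pair per tag length from 1 to 300 bytes, looks the private key up by its tag, derives the public key with SecKeyCopyPublicKey instead of storing and searching for a separate public key item, and reports every length whose lookup fails. The tag prefix is hypothetical, the tag is passed as Data on both the create and the query side, and EC keys are assumed (the post does not say which key type was used). It does not explain the 16n+7 pattern in the lengths listed above; it only isolates it from the rest of the app.

```swift
import Foundation
import Security

// Hypothetical tag prefix; only the total byte length is varied by the probe.
let probeTagPrefix = "com.example.tagprobe."

/// Builds a tag of exactly `n` bytes (ASCII, so chars == bytes).
func probeTag(ofLength n: Int) -> Data {
    let head = String(probeTagPrefix.prefix(n))
    let pad = String(repeating: "x", count: max(0, n - head.count))
    return Data((head + pad).utf8)
}

/// Creates a permanent P-256 key pair whose private key carries `tag`.
/// Only the private key is persisted; the public key is derived on demand below.
func createKeyPair(tag: Data) -> OSStatus {
    let attributes: [CFString: Any] = [
        kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits: 256,
        kSecPrivateKeyAttrs: [
            kSecAttrIsPermanent: true,
            kSecAttrApplicationTag: tag,    // always Data, never String
        ] as [CFString: Any],
    ]
    var error: Unmanaged<CFError>?
    guard SecKeyCreateRandomKey(attributes as CFDictionary, &error) != nil else {
        // Security framework CFErrors carry the OSStatus as their code.
        return error.map { OSStatus(CFErrorGetCode($0.takeRetainedValue())) } ?? errSecInternalError
    }
    return errSecSuccess
}

/// Looks the private key up by tag and derives its public key, so there is only
/// one keychain item per tag to find.
func copyPublicKey(tag: Data) -> (status: OSStatus, publicKey: SecKey?) {
    let query: [CFString: Any] = [
        kSecClass: kSecClassKey,
        kSecAttrKeyClass: kSecAttrKeyClassPrivate,
        kSecAttrApplicationTag: tag,
        kSecReturnRef: true,
        kSecMatchLimit: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let item else { return (status, nil) }
    return (errSecSuccess, SecKeyCopyPublicKey(item as! SecKey))
}

/// Removes every key item with this tag so repeated runs start clean.
func deleteKeys(tag: Data) {
    let query: [CFString: Any] = [kSecClass: kSecClassKey, kSecAttrApplicationTag: tag]
    SecItemDelete(query as CFDictionary)
}

/// Returns the tag lengths for which create-then-lookup failed, with the failing
/// status (-25300 is errSecItemNotFound).
func probeTagLengths(_ lengths: ClosedRange<Int>) -> [Int: OSStatus] {
    var failures: [Int: OSStatus] = [:]
    for n in lengths {
        let tag = probeTag(ofLength: n)
        deleteKeys(tag: tag)
        let created = createKeyPair(tag: tag)
        if created != errSecSuccess {
            failures[n] = created
            continue
        }
        let result = copyPublicKey(tag: tag)
        if result.status != errSecSuccess || result.publicKey == nil {
            failures[n] = result.status
        }
        deleteKeys(tag: tag)
    }
    return failures
}

for (length, status) in probeTagLengths(1...300).sorted(by: { $0.key < $1.key }) {
    print("tag length \(length): lookup failed with status \(status)")
}
```

Run it on a device (the simulator keychain behaves differently enough that a negative result there proves little). If the failures stay at 7, 23, 39, ... with the tag always passed as Data, the problem is independent of the app's own code and the report to Apple can be reduced to this loop.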
When trying to open an app that uses Local Authentication (Face ID), the auth process does not start right away; 3-4 attempts are needed in order to get authenticated with the method the user has selected (Face ID). This is happening with many apps and there seems to be no workaround.
[Edited by Moderator]
ES_EVENT_TYPE_NOTIFY_CREATE doesn't get triggered if I copy a file to an iPhone connected to a Mac.
Also, ES_EVENT_TYPE_NOTIFY_MOUNT doesn't get triggered when an iPhone is connected to a macOS device.
Is there a way to find out when the set of keychains changes, i.e., when a keychain is added or removed? I searched here and grepped through the headers in Security.framework but nothing leaped out at me, which could just mean I missed something, as happens frequently. (This is on macOS.)
Hey Apple team (and eskimo 🙏),
Our FinTech app uses iCloud Keychain shared web credentials to store a secure encryption password in iCloud Keychain.
Some of our new users seem to run into an issue where the app fails to successfully create a shared web credential.
All users are required to have the following two settings enabled:
Settings --> Passwords --> Password Options --> Autofill from iCloud Passwords & Keychain
Settings --> Apple ID --> iCloud --> Passwords and Keychain --> 'Sync this iPhone'
The issue appears to resolve itself when the user restarts their iPhone. We've had this bug 3 times now and would like to understand the root cause.
We have a couple hypotheses:
iOS is failing to verify that the domain for the shared web credential is valid via <domain>/.well-known/apple-app-site-association (and then restarting triggers reverification)
Users were on a version of iOS where it was bugged (and then restarting finally completed an update to a new version). We've verified that the bug happened on 17.0.2 with one user (until they updated and it fixed itself)
Having tried to gain access to the total daily screen time API using the text/code from the below thread, we were unable to get any data access. Has anyone else had the same issue and any resolutions? Not looking for application limits, just statistics to inform user through our 3rd party application.
Thanks for any guidance around areas we can attempt
https://developer.apple.com/documentation/deviceactivity/deviceactivitydata/activitysegment
According to https://developer.apple.com/documentation/security/app_sandbox/discovering_and_diagnosing_app_sandbox_violations it is possible to view detailed violation reports for non-system services. Is it possible to do something similar for system services?
I have encountered an issue where several (all?) of my MacBooks get into a sandbox violation situation (I assume). Below is an excerpt from the logs focusing just on the sandbox violation. The errors are surrounded by XPC failures and errors.
error 23:23:21.382263+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence
error 23:23:24.385962+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence
error 23:23:27.389910+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence
error 23:23:36.408940+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence
error 23:23:45.419593+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence
error 23:23:54.432109+0100 kernel Sandbox: Family(1316) deny(1) mach-lookup com.apple.contactsd.persistence
The above is just an excerpt, and it seems that Family, imagent and searchpartyuseragent are trying to access com.apple.contactsd.persistence once per second or so and failing (there are also some attempts to reach com.apple.timed.xpc, but an insignificant amount in comparison to com.apple.contactsd.persistence). This in turn causes Diagnostics Reporter to start, and then end hastily, almost every ten seconds.
fault 23:23:05.903908+0100 Diagnostics Reporter Invalid launch.
fault 23:23:16.038017+0100 Diagnostics Reporter Invalid launch.
fault 23:23:26.136348+0100 Diagnostics Reporter Invalid launch.
fault 23:23:36.274543+0100 Diagnostics Reporter Invalid launch.
fault 23:23:46.414546+0100 Diagnostics Reporter Invalid launch.
I have no idea how I did this, but I seemed to have messed up sandbox access rights to contacts for some system services?
The "documentation" is poorly worded.
Hi, there are some questions about the privacy manifest.
1. Why do we only see information about the app's manifest in the Privacy Report after the app has been archived? It does not contain our SDK's manifest info, but the frameworks the app contains do have manifests.
2. Does every SDK need to add a manifest if the SDK collects user data or uses APIs?
3. There is a list of third-party SDKs at https://developer.apple.com/support/third-party-SDK-requirements/. If we use an SDK that is not listed, and the SDK collects user data or uses APIs that need a declared reason, should we add a manifest file?
I'm trying to log Endpoint Security events to os_log. I'd be grateful if someone could confirm that using the --oslog option with eslogger actually writes event data to the system log.
If I monitor with sudo eslogger exec fork exit I see events at the command line, yet if I add the --oslog option, I don't see those events when monitoring the log with sudo log stream --predicate 'subsystem == "com.apple.eslogger"'. Nor do I see them if I filter in the Console app on just the subsystem "com.apple.eslogger".
Have I missed out something with my work? Any help appreciated. Thanks.
Migrate existing Sign in with Apple user identifiers and private email relay addresses by exchanging transfer identifiers from one developer team to another with the user migration info endpoint.
View Technote TN3519 >
On recent macOS versions (Sonoma or earlier), if system.login.screensaver is updated to use “authenticate-session-owner-or-admin”, the fancy screensaver does not come up; instead we see only a black screensaver (black screen).
Note: Observed we are getting fancy screensavers with this setting on macOS BigSur.
Can you please let us know if this is an intentional change from macOS or we have any settings to enable to get fancy screensavers with recent macOS versions?
Thanks & Regards,
Tata Chaitanya
We have implemented a Notification Service Extension in our app to handle remote notifications and access the keychain to get the certificate and identity to refresh the network relay configuration. Using SecItemCopyMatching to get the SecIdentityRef works when the device is unlocked. Whenever a push notification arrives while the device is locked, our notification service extension fails to access the keychain to get the identity reference, with error code -25308 errSecInteractionNotAllowed.
It looks like the keychain is locked when the device is locked. Is there a way to keep the keychain unlocked?
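The attribute that decides whether an item is readable while the device is locked is kSecAttrAccessible, set when the item is added. As an added example (not the poster's code), the block below stores the identity with kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly in a keychain access group shared with the extension, and reads it back the way the extension would. The label, the access group and the assumption that the containing app is the one storing the identity are mine. The default protection class, kSecAttrAccessibleWhenUnlocked, is what produces -25308 for an extension that runs while the phone is locked; an item added with that default keeps it, so an existing item has to be removed and re-added rather than just queried differently.

```swift
import Foundation
import Security

// Hypothetical values: the label we give the identity and the keychain access
// group shared between the app and its Notification Service Extension.
let relayIdentityLabel = "com.example.relay-client"
let sharedAccessGroup = "TEAMID.com.example.shared"

enum KeychainError: Error {
    case status(OSStatus)
}

/// Stores the identity with a protection class the extension can read while the
/// device is locked. kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly keeps the
/// item readable from the first unlock after boot until the next reboot, and
/// ThisDeviceOnly keeps the client credential out of backups and iCloud Keychain.
func storeRelayIdentity(_ identity: SecIdentity) throws {
    let attributes: [CFString: Any] = [
        kSecValueRef: identity,        // class is implied by the SecIdentity ref
        kSecAttrLabel: relayIdentityLabel,
        kSecAttrAccessGroup: sharedAccessGroup,
        kSecAttrAccessible: kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,
    ]
    var status = SecItemAdd(attributes as CFDictionary, nil)
    if status == errSecDuplicateItem {
        // An item stored earlier (with the default WhenUnlocked class) is still
        // there; remove it and add the identity again with the new attribute.
        let existing: [CFString: Any] = [
            kSecClass: kSecClassIdentity,
            kSecAttrLabel: relayIdentityLabel,
            kSecAttrAccessGroup: sharedAccessGroup,
        ]
        SecItemDelete(existing as CFDictionary)
        status = SecItemAdd(attributes as CFDictionary, nil)
    }
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

/// Fetches the identity from the extension (or the app). The same query works
/// locked or unlocked once the item carries the AfterFirstUnlock class.
func loadRelayIdentity() throws -> SecIdentity {
    let query: [CFString: Any] = [
        kSecClass: kSecClassIdentity,
        kSecAttrLabel: relayIdentityLabel,
        kSecAttrAccessGroup: sharedAccessGroup,
        kSecReturnRef: true,
        kSecMatchLimit: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let item else {
        // -25308 here means the stored item still requires an unlocked device.
        throw KeychainError.status(status)
    }
    return item as! SecIdentity
}
```

Both targets need the shared access group in their Keychain Sharing entitlement for the extension to see the item. Identities imported with SecPKCS12Import take the same kSecAttrAccessible attribute on the SecItemAdd call that stores them.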
Hello,
I am creating CryptotokenKit persistent token extension for macOS using Xcode on Sonoma. The goal is to support external crypto provider over network (with API calls).
I created a bare minimum app and a new target “Persistent Token Extension”. Before I go into specific implementation, I wanted to check if my extension/token initialises correctly. My understanding is that once the host app is started and the extension is registered by the OS, future queries for digital identities should check with it as well.
I tried accessing mTLS websites that require client certificates with Safari and Firefox, as well as running a custom application that uses SecItemCopyMatching to query the keychain for identities.
However, Token / TokenDriver seem to not initialize (logging never executes). Am I missing something here?
pluginkit sees the extension:
$ pluginkit -vvvvmi demo.TokenApp.TokenExt
demo.TokenApp.TokenExt(1.0)
Path = /Users/alexander/Library/Developer/Xcode/DerivedData/TokenApp-dzulesgoanwnacguirprimnipibk/Build/Intermediates.noindex/Previews/TokenApp/Products/Debug/TokenApp.app/Contents/PlugIns/TokenExt.appex
UUID = 617526E8-987A-493F-A9E3-6295FF5AB00D
Timestamp = 2024-01-19 13:13:35 +0000
SDK = com.apple.ctk-tokens
Parent Bundle = /Users/alexander/Library/Developer/Xcode/DerivedData/TokenApp-dzulesgoanwnacguirprimnipibk/Build/Intermediates.noindex/Previews/TokenApp/Products/Debug/TokenApp.app
Display Name = TokenExt
Short Name = TokenExt
Parent Name = TokenApp
Platform = macOS
Token.swift:

```swift
import CryptoTokenKit
import OSLog

class Token: TKToken, TKTokenDelegate {
    private let log = Logger(subsystem: "demo.tokenapp", category: "Token")

    func createSession(_ token: TKToken) throws -> TKTokenSession {
        log.log(level: .info, "Token.createSession")
        return TokenSession(token: self)
    }
}
```

TokenDriver.swift:

```swift
import CryptoTokenKit
import OSLog

class TokenDriver: TKTokenDriver, TKTokenDriverDelegate {
    private let log = Logger(subsystem: "demo.tokenapp", category: "TokenDriver")

    func tokenDriver(_ driver: TKTokenDriver, tokenFor configuration: TKToken.Configuration) throws -> TKToken {
        log.log(level: .info, "TokenDriver.tokenDriver")
        return Token(tokenDriver: self, instanceID: configuration.instanceID)
    }
}
```
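The Token and TokenDriver code above has the shape of the Xcode template, but a persistent token is only instantiated once the host app has registered a token configuration for the driver; without one there is nothing for CryptoTokenKit to instantiate, so tokenDriver(_:tokenFor:) is never called and no identity is offered to Safari or to SecItemCopyMatching. The following is an added example of that host-side registration, not the poster's code. It assumes the extension's com.apple.ctk.class-id is demo.TokenApp.TokenExt, that the remote provider exposes one certificate whose private key it holds, and that objectID is whatever handle the extension's TKTokenSession will later use to address that key; the URL placed in configurationData is hypothetical.

```swift
import CryptoTokenKit
import Security

enum TokenSetupError: Error {
    case driverNotFound(TKTokenDriver.ClassID)
    case keychainItemRejected
}

/// Registers one persistent token instance with the extension's driver and
/// tells the system which certificate and key the token backs. Run from the
/// host app (the .app that contains the .appex), e.g. after enrolling a user
/// with the remote crypto provider.
/// - classID: value of com.apple.ctk.class-id in the extension's Info.plist
/// - instanceID: the host app's own identifier for this token instance
/// - certificate: the certificate whose private key the remote provider holds
/// - objectID: the handle the extension uses to find that key on the provider
func registerPersistentToken(classID: TKTokenDriver.ClassID,
                             instanceID: TKToken.InstanceID,
                             certificate: SecCertificate,
                             objectID: String) throws -> TKToken.Configuration {
    // Only drivers hosted by this app appear here; a missing entry usually means
    // the class ID does not match the extension's Info.plist.
    guard let driver = TKTokenDriver.Configuration.driverConfigurations[classID] else {
        throw TokenSetupError.driverNotFound(classID)
    }
    let token = driver.tokenConfigurations[instanceID]
        ?? driver.addTokenConfiguration(for: instanceID)

    // Opaque bytes the extension reads back from TKToken.Configuration.configurationData,
    // here a hypothetical provider endpoint for this key.
    token.configurationData = Data("https://crypto.example.invalid/keys/\(objectID)".utf8)

    // The certificate item makes the identity visible to keychain queries; the key
    // item describes what the remote key may do. objectID ties both to the provider.
    guard let certItem = TKTokenKeychainCertificate(certificate: certificate, objectID: objectID),
          let keyItem = TKTokenKeychainKey(certificate: certificate, objectID: objectID) else {
        throw TokenSetupError.keychainItemRejected
    }
    keyItem.canSign = true                // mTLS client auth needs only signing
    keyItem.canDecrypt = false
    keyItem.canPerformKeyExchange = false
    token.keychainItems = [certItem, keyItem]
    return token
}

/// Removes the token instance again, e.g. when the user's remote key is revoked.
func unregisterPersistentToken(classID: TKTokenDriver.ClassID,
                               instanceID: TKToken.InstanceID) throws {
    guard let driver = TKTokenDriver.Configuration.driverConfigurations[classID] else {
        throw TokenSetupError.driverNotFound(classID)
    }
    driver.removeTokenConfiguration(for: instanceID)
}

// Example call site (hypothetical DER certificate bytes obtained from the provider):
// let cert = SecCertificateCreateWithData(nil, derBytes as CFData)!
// try registerPersistentToken(classID: "demo.TokenApp.TokenExt",
//                             instanceID: "user-42",
//                             certificate: cert,
//                             objectID: "remote-key-42")
```

After registration, `security list-smartcards` and an identity query should show the token, and the driver's log line should appear when Safari or SecItemCopyMatching touches it. With the Debug/Previews build path shown in the pluginkit output, also make sure the copy of the app that is actually running is the one whose extension pluginkit registered.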
My goal is:
Generate a public and private key pair
Add the private key to the keychain and protect it with the secure enclave
Create a self-signed certificate with the public key and send it to a server
Add the certificate to the keychain
When I communicate with the server I want to create a SecIdentity during the client challenge which is basically a SecCertificate + SecKey combo.
For the certificate generation I would like to use the swift-certificates library to not have to compose manually the certificate fields and signature.
My problem is that the swift-certificates during the Certificate initialisation needs a SecureEnclave.P256.Signing.PrivateKey private key and to add a key to the keychain we need a SecKey object. And unfortunately there is no clean way to create from one of them the other one. I read several threads here about this, but I haven't found a clean solution for it.
I tried to approach the problem from two directions:
First:
Create the key with the SecKeyCreateRandomKey, mark in the attributes that I want to protect the key with secure enclave and also mark that I want the private key to be kSecAttrIsPermanent so it is automatically saved in the keychain
The SecKeyCreateRandomKey returns a SecKey which is a reference to the private key from the keychain
(!) Unfortunately I haven't found a clean way to convert a SecKey to a -> SecureEnclave.P256.Signing.PrivateKey
There is a workaround to SecKeyCopyAttributes of the private key and to extract the bytes from the attributes["toid"], but I guess it's not safe to use an undocumented key ("toid") if there is no constant defined to it (the name could be changed in future releases)
Second approach:
Create a SecureEnclave.P256.Signing.PrivateKey
Create the Certificate using the swift-certificates
The created private key is protected by the Secure Enclave, but it is not added automatically to the keychain, so we have to add it ourselves to be able to query the SecIdentity afterwards.
(!) Unfortunately I haven't found a way to convert the SecureEnclave.P256.Signing.PrivateKey to -> SecKey.
There are threads which say that the SecKeyCreateWithData(...) helps us, but unfortunately if we set the kSecAttrTokenIDSecureEnclave in the attribute dictionary, the method creates a brand new key for us, regardless the passed data. So the initial key will never be the same as the newly created SecKey. This we can see in the method's implementation.
So I got stuck with both approaches because seemingly there is no clean way to switch between SecureEnclave.P256.Signing.PrivateKey and SecKey.
One solution would be to compose manually the certificate, without swift-certificates because like that we would not need a SecureEnclave.P256.Signing.PrivateKey object. But I would like to avoid the manual composition and signature calculation...
Anybody has any idea?
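Added example for approach 1 in the post, written against the Security framework only; it is not the poster's code and it does not bridge to CryptoKit's SecureEnclave.P256.Signing.PrivateKey. It generates the permanent Secure Enclave key as a SecKey, signs arbitrary bytes with it (which is what a certificate's TBSCertificate would be signed with if the certificate is composed without swift-certificates), checks that a DER certificate returned by the server actually belongs to that key, and adds it to the keychain so a kSecClassIdentity query can return the certificate/key pair. The tag and label are hypothetical. The pairing check relies on kSecAttrApplicationLabel being the hash of the public key, which is how the keychain associates a certificate with its private key to form a SecIdentity; a certificate issued for the wrong public key is stored fine but never yields an identity, and this check catches that before the round trip to the server is wasted.

```swift
import Foundation
import Security

enum EnclaveKeyError: Error {
    case cfError(CFError?)
    case status(OSStatus)
    case badCertificate
    case noPublicKeyHash
}

// Hypothetical tag and label; the DER certificate is whatever the server issued
// for this key's public half.
let clientKeyTag = Data("com.example.client-key".utf8)
let clientCertLabel = "com.example.client-cert"

/// Approach 1 from the post: a permanent P-256 key in the Secure Enclave,
/// reachable later as a SecKey through its tag.
func makeEnclavePrivateKey(tag: Data) throws -> SecKey {
    var acError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        .privateKeyUsage,
        &acError
    ) else { throw EnclaveKeyError.cfError(acError?.takeRetainedValue()) }

    let attributes: [CFString: Any] = [
        kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits: 256,
        kSecAttrTokenID: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs: [
            kSecAttrIsPermanent: true,
            kSecAttrApplicationTag: tag,
            kSecAttrAccessControl: access,
        ] as [CFString: Any],
    ]
    var error: Unmanaged<CFError>?
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        throw EnclaveKeyError.cfError(error?.takeRetainedValue())
    }
    return key
}

/// Signs `message` (e.g. a DER TBSCertificate) with the enclave key: ECDSA over
/// SHA-256 of the message, X9.62 DER-encoded signature.
func enclaveSign(_ message: Data, with key: SecKey) throws -> Data {
    var error: Unmanaged<CFError>?
    guard let sig = SecKeyCreateSignature(key, .ecdsaSignatureMessageX962SHA256,
                                          message as CFData, &error) else {
        throw EnclaveKeyError.cfError(error?.takeRetainedValue())
    }
    return sig as Data
}

/// kSecAttrApplicationLabel is the public key hash. A SecIdentity exists only when a
/// certificate's public key hash equals some private key's application label.
func publicKeyHash(of key: SecKey) throws -> Data {
    guard let attrs = SecKeyCopyAttributes(key) as? [CFString: Any],
          let hash = attrs[kSecAttrApplicationLabel] as? Data else {
        throw EnclaveKeyError.noPublicKeyHash
    }
    return hash
}

/// True when the server-issued certificate carries this enclave key's public key,
/// i.e. when storing it will produce a usable identity.
func certificateMatches(der: Data, privateKey: SecKey) throws -> Bool {
    guard let cert = SecCertificateCreateWithData(nil, der as CFData),
          let certKey = SecCertificateCopyKey(cert) else {
        throw EnclaveKeyError.badCertificate
    }
    return try publicKeyHash(of: certKey) == publicKeyHash(of: privateKey)
}

/// Stores the certificate; from then on a kSecClassIdentity query by this label
/// returns the SecCertificate + SecKey pair the post is after.
func addClientCertificate(der: Data, label: String) throws {
    guard let cert = SecCertificateCreateWithData(nil, der as CFData) else {
        throw EnclaveKeyError.badCertificate
    }
    let attributes: [CFString: Any] = [
        kSecClass: kSecClassCertificate,
        kSecValueRef: cert,
        kSecAttrLabel: label,
    ]
    let status = SecItemAdd(attributes as CFDictionary, nil)
    guard status == errSecSuccess || status == errSecDuplicateItem else {
        throw EnclaveKeyError.status(status)
    }
}
```

Usage follows the post's order: makeEnclavePrivateKey, send SecKeyCopyExternalRepresentation of SecKeyCopyPublicKey(key) to the server (or sign a self-composed TBSCertificate with enclaveSign), then guard on certificateMatches before addClientCertificate. The Secure Enclave only accepts P-256 ECDSA/ECDH here, so a server that expects RSA client certificates cannot be served this way.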
Hi, I want to support client certificate authentication for a URL loaded in WKWebView. The certificate is on a smart card that is connected to the iOS device through a Lightning-port smart card reader. For USB-C readers, iOS supports this out of the box. But for the Lightning-port reader, I thought of writing a CTK extension to access the smart card and read the certificate. I have a smart card SDK to access the smart card. Could you please let me know which extension should be used for this purpose? There are 2 types of extensions available in Xcode: the Smart Card extension and the Persistent Token extension. Which one should be used for this case? When I tried the Persistent Token extension, it seems to hit the sign function inside the TokenSession class, but with the Smart Card extension it is not getting called when I try to access the URL in WKWebView after certificate selection. Also, the smart card SDK has an EAAccessory framework dependency. Is EAAccessory allowed to be used in a CTK extension? https://developer.apple.com/forums/thread/111691?answerId=342707022 says EAAccessory is not working inside an app extension. Thanks in advance.
Example configuration: com.apple.configuration.security.passkey.attestation

```json
{
  "Type": "com.apple.configuration.security.passkey.attestation",
  "Identifier": "B1DC0125-D380-433C-913A-89D98D68BA9C",
  "ServerToken": "8EAB1785-6FC4-4B4D-BD63-1D1D2A085106",
  "Payload": {
    "AttestationIdentityAssetReference": "88999A94-B8D6-481A-8323-BF2F029F4EF9",
    "RelyingParties": [
      "www.example.com"
    ]
  }
}
```
I have an app that is getting rejected from TestFlight because of this error:
ITMS-90683: Missing purpose string in Info.plist - Your app’s code references one or more APIs that access sensitive user data, or the app has one or more entitlements that permit such access. The Info.plist file for the “TurtleTuner.app” bundle should contain a NSCameraUsageDescription key with a user-facing purpose string explaining clearly and completely why your app needs the data. If you’re using external libraries or SDKs, they may reference APIs that require a purpose string. While your app might not use these APIs, a purpose string is still required. For details, visit: https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/requesting_access_to_protected_resources.
The app does not use the camera, only the microphone. I cannot find references to the camera in any of the third party libraries I'm using.
What are some ways to troubleshoot this beyond looking for "camera" in the few dependencies?
For context, this commit allows the app to get through successfully to TestFlight: https://github.com/tsargent/turtle-tuner/commit/67d4a52e62839ad6c2a49848bea9c408d983f17a
While this following commit, which reverts the commit, fails on TestFlight with the mentioned camera permission error: https://github.com/tsargent/turtle-tuner/commit/c95b0b16c4e85d77e625d36b816ed53faa826cf5
Hello Everyone,
Is there any method or callback event to obtain the current time and date mode (Automatic or Manual) in Swift?
In Android, Settings.Global.AUTO_TIME is used for the same.
Could anyone advise on the equivalent functionality or approach for iOS development?
Thanks in advance!
Hello, according to this doc Apple will begin blocking app store submissions in Spring 2024 when an application or one of its 3rd-party SDKs calls certain iOS/iPadOS system APIs without declaring a reason for doing so via a privacy manifest.
It seems that for framework and app targets, adding a privacy manifest is relatively straightforward: add the xcprivacy file to the project and make it a member of the appropriate build target. For apps and frameworks, this will cause the privacy manifest to be copied into the root directory of the .app or .framework bundle at build time.
I work on a SDK which ships to application developers as a static library (.a) bundled within a xcframework. It seems that Xcode will not allow a privacy manifest file to be added as a member of a static library target. Which I assume is because when compiled, a static library build target does not produce a bundle like a ".app" or ".framework" which you'd get when compiling an app or framework target. Just a standalone (.a) file. What is the recommended way for developers of static libraries to provide application developers with a privacy manifest for their SDK? Is there a mechanism for including the privacy manifest somewhere within the xcframework bundle at the time it is created for the static lib, so that it automatically gets copied into an application which may link to it? If not, can the privacy manifest be included in a resource bundle which we already provide to our partners along with the static lib? Or does the manifest need to exist within the root directory of the application bundle since the contents of the static lib will ultimately get embedded into the app binary? If that is the case, do we need to provide our app partners with a separate standalone xcprivacy file, which they would need to incorporate into their project?