When I reboot my iPhone 14 pro with Live Activity started, KeyChain information disappears.
So there is a problem that I have to sign-in again when I enter the app.
There is no problem rebooting the iPhone without Live Activity.
iOS17 didn't have this problem.
General
RSS for tagPrioritize user privacy and data security in your app. Discuss best practices for data handling, user consent, and security measures to protect user information.
Post
Replies
Boosts
Views
Activity
When I reboot my iPhone 14 pro with Live Activity started, Keychase information disappears.
So there is a problem that I have to sign-in again when I enter the app.
There is no problem rebooting the iPhone without Live Activity.
iOS17 didn't have this problem.
Hi, team.
So, I'm working on reading certificates from the keychain that have been stored or saved by other apps into it.
I understand that kSecAttrAccessGroupToken allows us to achieve that.
It is a requirement to use com.apple.token group in the entitlements file.
Having done that, I cannot store SecSertificates into the keychain, and into the security group. I can do it without the security group, but after adding in the dictionary the kSecAttrAccessGroup: kSecAttrAccessGroupToken, I can no longer add certificates.
I get the famous -34018. No entitlement found.
However, when I try to read certificates in the same access group, I do not get a -34018 error back. I instead get a -25300, which I understand means no keychain item was found in this access group.
How can this be happening?
Reading, the entitlement works, writing does not.
Here are my queries:
For adding:
let addQuery = [
kSecClass: kSecClassCertificate,
kSecValueRef: secCertificate as Any,
kSecAttrLabel: certificateName,
kSecAttrAccessGroup: kSecAttrAccessGroupToken
] as [CFString: Any]
let status = SecItemAdd(addQuery as CFDictionary, nil)
For reading:
var item: CFTypeRef?
let query = [
kSecClass: kSecClassCertificate,
kSecMatchLimit: kSecMatchLimitAll,
kSecReturnRef: kCFBooleanTrue as Any,
kSecAttrAccessGroup: kSecAttrAccessGroupToken
] as [CFString: Any]
let status = SecItemCopyMatching(query as CFDictionary, &item)
Dear Apple Team,
I hope this message finds you well.
Recently, while exploring Apple’s open-source resources, I came across some files that appear to contain sensitive information, including private keys. I wanted to reach out to clarify whether these files are intentionally made publicly available or if they might be exposed due to a potential misconfiguration.
Understanding the nature of these files is important, and I would appreciate any guidance you can provide regarding their accessibility and any necessary steps that should be taken to address this matter.
Thank you for your attention to this issue. I look forward to your response.
Hello there, we have implemented the Apple sign in our site, everything is working good except from two edge cases when the JWT returned by Apple sign in does not contain the user email, these cases are:
When users choose Hide My Email when creating their account and later manually change their settings and turning off the email forwarding (Tested).
For Apple at Work & School users. i.e. younger students may not have an email address. According to Apple docs, email could be empty for Sign in with Apple at Work & School users (Not tested).
The problem is that we use the email to confirm the user authentication, but when the email is not present in the JWT, our system won't be able to find the registered user.
We're currently working on a workaround for this, but we would like to confirm that these edge cases are known by apple and also ask some questions:
Is it correct to say that: Turning off the email forwarding will cause that Apple's identity token (JWT) does not include the user's email address?
Apple at Work & School users: is there a way to identify that someone is using this type of account?
Is there any other known edge case when the email could be empty in the JWT?
Thanks in advance!
Under iOS 18.0.1, I can't do any development that uses HTTPS, because I can't authorize my generated certificates on my phone. This was not a problem in the past.
Normally you AirDrop a root certificate authority to your phone, install the "profile" for it, and then trust it in Settings / General / About / Certificate Trust Authority. Then you can connect to another server on your network that's using the accompanying certificates.
But after sucessfully installing two profiles on my phone, neither shows up in Certificate Trust Authority. Anybody else seeing this?
This problem, in combo with this one (which prevents running on my Mac as an iPad app) has completely halted my project.
I've found reports of this problem that blamed an empty "common name" field in the certs, but that field is populated in both of these.
Good day. As part of a business unit separation, we are required to have our product with a different name, bundle IDs and certificates than our current configuration.
The product contains network extensions and requires Full Disk Access. We distribute this product to our customers who either support MDM or not.
I know from previous experience that a product can be transferred to a different account, which is something we could do only for some parts of our product (only a couple of Bundle IDs).
My question is what's the best way to do this. I can imagine that having a scripted scenario where the other business unit's product is removed from customers and ours is installed, in a different folder.
The main issue I can foresee is that because our architecture uses several network extensions that are installed as plugins (bad design I know), we would be asking the users for authorisation, again, to use those extensions, plus full disk access.
What options do I have?
Hi I am currently developping the "Sign in with apple" feature.
We set up everything according to the documentation :
https://developer.apple.com/help/account/configure-app-capabilities/configure-private-email-relay-service
When trying to send an email from one of the registered communication emails (that is SPF and DKIM Authentication compliant) the emails are still ending up in the spam box.
If it can help the received email address (that is hidden) is a gmail.
I can not catch what is missing/wrong on our side.
In the FAQ about Local Network, a lot of topics are covered but, unless I missed something, I didn't see the topic of MDMs being covered.
[Q] Could the FAQ be updated to cover whether it is possible to grant this Local Network permission through a configuration profile?
The answer, based on google searches and different forums, seems to be a negative. It seems a bit strange considering that this feature has been available on iOS for at least 3 years.
Anyway, even if it is not possible, it would be useful to add in the FAQ that this is not possible.
I want to install a driver package without internet access and the installation fail. This I think it is due to it need internet to check for signature with Apple Server.
The workaround is to disable System Integrity Protection, but I do not have the administrator password to disable it.
How to install a driver and allow a driver to run without internet access and administrator account? This driver is develop by ourself but how to by pass the code signing and security check for others to use this driver on their Mac PC?
Currently I am following
https://developer.apple.com/documentation/systemextensions/ossystemextensionrequest/activationrequest(forextensionwithidentifier:queue:)
to activate the system extension
If the extension is inactive, the system may need to prompt the user for approval. Which others API can I use which do not need prompt user for approval?
Beside in order to validate the code signing, it need to communicate with Apple server which required internet access. Any method to by pass this validation?
Hello,
I started looking to implement SSO with Apple on my website using this tutorial : https://developers.appcharge.com/docs/apple-sso-login
However, when going to https://developer.apple.com/account/resources/identifiers/list
to generate a new Key, i'm getting the error :
"Unable to find a team with the given Team ID 'XXXXXXXX' to which you belong. Please contact Apple Developer Program Support".
It was a breeze to implement Google SSO, but not for Apple.
I can't find much help online, could you guide me ?
Regards
I have implemented Sign in with Apple on website one weeks ago, and it work perfectly.
However, recently we start to receive invalid_grant with no error description while token validation, however the same client secret works on IOS app without issue....
in ios app site , we used bundle id for client_id.
in web site , we used service id for client_id;
I try to create a new privateKey for web site and add redirect_uri params to /auth/token, but still error....
I tested it like this,
i got authorization code using Service ID
i tried authorization code with Service ID using browser :
successfully got the code
and requested access_token immately
2 and then, i tried validate the authorization grant code to obtain tokens
curl like this
curl -X POST https://appleid.apple.com/auth/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "client_id=my_service_id" \
-d "client_secret=my_client_secret" \
-d "code=sent_from_frontend" \
-d "grant_type=authorization_code" \
-d "redirect_uri=my_redirect_uri"
then get fail and no error_description error_code is 400
invalid_grant
is not invalid_client error, and client secret is not expired too
My decoded token looks like the following :
{
"alg": "ES256",
"typ": "JWT",
"kid": "my_kid"
}
{
"aud": "https://appleid.apple.com",
"sub": "my_service_id",
"iss": "team_id",
"exp": 1744012650,
"iat": 1728460650
}
When we develop 'Sign in with Apple' function on our app, we visited https://appleid.apple.com to verify the account. However, appleid.apple.com is mapped to an American IP, and it is not suitable for our app which is operated in China. I wonder whether there is a China Mainland IP available for the verification? Thanks very much.
We have a Web server for Apple Pass and we received a complaint from a user because the Pass is being deleted every few days from the Apple Wallet App and the user had to reinstall the pass every time.
Upon checking our server logs we found DELETE (unregister) requests that were not initiated by the user.
Here are some (there are more) of those logs (I replaced some details with * for privacy):
From July
[29/Jul/2024:23:06:30 +0000] "DELETE /apple_wallet/v1/devices/****/registrations/pass.com..*/** HTTP/1.1" 200 31 "-" "passd/1.0 CFNetwork/1496.0.7 Darwin/23.5.0"
From August
[17/Aug/2024:22:51:33 +0000] "DELETE /apple_wallet/v1/devices/****/registrations/pass.com..*/** HTTP/1.1" 200 31 "-" "passd/1.0 CFNetwork/1498.700.2 Darwin/23.6.0"
From September
[08/Sep/2024:23:32:11 +0000] "DELETE /apple_wallet/v1/devices/****/registrations/pass.com...*/** HTTP/1.1" 200 31 "-" "passd/1.0 CFNetwork/1498.700.2 Darwin/23.6.0"
Other information for this specific user/device:
Phone 14 Pro Max - iOS 17.6
User has few other passes installed but none has disappeared only our issued pass.
We are hoping to get some help from Apple to figure out why the DELETE request is being sent out to our server without being initiated by the user.
I have already filed a ticket to Apple with Case-ID: 9315232
But I haven't gotten any feedback after a few weeks and some follow ups.
I have read that iOS data protection ensures most of the files to be stored encrypted. However, I saw someone insisting (elcomsoft blog) very few files are not encrypted. Are app’s cache files or tmp files not stored encrypted? For example, are safari history.db file and cache files stored in the flash encrypted?
Hi,
I'm currently in the middle of debugging between my macOS and server for implementing Platform SSO.
As part of the debug process, I sometimes want to restart the whole process, which means to get into the beginDeviceRegisteration method again.
I noticed that even if I push the Repair button in the user (under settings) it will go again and again into the beginUserRegistration, but it will not go again to the device registration.
Is there an option to reset the Platform SSO device registration? (already tried Repair, remove MDM profile of the PSSO etc.)
I am currently implementing an authentication function using ASWebAuthenticationSession to log in with my Instagram account.
I set a custom scheme for the callbackURLScheme, but
In the Instagram redirect URL
I was told I can't use a custom scheme.
What should I do with the callbackURLScheme of the ASWebAuthenticationSession in this case?
I heard and read in reddit and GitHub about that UIDevice.current.identifierForVendor.uuidString is restricted according to privacy. Its better use DeviceCheck API or create my own UUID. So is it correct? If its so please can you share apple privacy update about this?
I'm currently implementing a function in SwiftUI to log in with my Instagram account.
It's not working, I'm creating a Firebase Auth function and it comes back to the redirect URL.
This may happen if browser sessionStorage is inaccessible or accidentally cleared. This may happen if browser sessionStorage is inaccessible or accidentally cleared.
I get this error.
I can't implement it. I have tried various methods, but all have failed.
If anyone knows how to do this, please help.
import SwiftUI
import AuthenticationServices
import FirebaseAuth
struct InstagramLoginView: View {
var body: some View {
VStack {
Text("Login with Instagram") // タイトル
Button(action: {
// ボタンが押された時にInstagramのログイン処理を開始
InstagramLoginHelper().startInstagramLogin()
}) {
Text("Login with Instagram")
.padding()
.background(Color.blue)
.foregroundColor(.white)
.cornerRadius(8)
}
}
}
}
class InstagramLoginHelper: NSObject, ASWebAuthenticationPresentationContextProviding {
func startInstagramLogin() {
let clientID = "XXXXXXXXXXXX"
let redirectURI = "https://XXXXXXXXXXX.firebaseapp.com/__/auth/handler"
let authURL = "https://api.instagram.com/oauth/authorize?client_id=\(clientID)&redirect_uri=\(redirectURI)&scope=user_profile,user_media&response_type=code"
let schem = "XXXXXXXXXXXX"
if let url = URL(string: authURL) {
let session = ASWebAuthenticationSession(url: url, callbackURLScheme: schem) { callbackURL, error in
if let error = error {
print("Error during authentication: \(error.localizedDescription)")
return
}
if let callbackURL = callbackURL, let code = URLComponents(string: callbackURL.absoluteString)?.queryItems?.first(where: { $0.name == "code" })?.value {
// 認証コードを使ってFirebaseでログインする
self.loginWithInstagram(authCode: code)
}
}
session.presentationContextProvider = self
session.start()
}
}
func loginWithInstagram(authCode: String) {
// Firebaseのauthインスタンスを取得
let auth = Auth.auth()
// InstagramのOAuthプロバイダを使用する
let provider = OAuthProvider(providerID: "instagram.com")
// Instagramの認証コードを使って、プロバイダの認証資格情報を生成
provider.getCredentialWith(nil) { credential, error in
if let error = error {
print("Error during authentication: \(error.localizedDescription)")
return
}
if let credential = credential {
// Firebaseにログイン
auth.signIn(with: credential) { authResult, error in
if let error = error {
print("Error during Firebase authentication: \(error.localizedDescription)")
} else {
print("Successfully authenticated with Firebase.")
}
}
}
}
}
// ASWebAuthenticationPresentationContextProvidingの実装
func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
return UIApplication.shared.windows.first { $0.isKeyWindow } ?? ASPresentationAnchor()
}
}
#Preview {
InstagramLoginView()
}
Hello,
I would like to secure the exchanges between my application and my webservices to make sure requests are only made by an authentic application.
By searching the internet I discovered that App Attest from Device Check framework exists but it looks like there are some limitation about it :
App Attest doesn't work on most App Extensions (like Share extension)
We are limited by the requests count made to the App Attest webservice (only when generating the Apple certificate, one time by device / application).
The problem is I need this security on my app extension because I have a Share extension sending e-mails.
Do you have advice to secure the exchanges between my app and my webservices ?