在我的蜂窝数据中出现了一个名为BusinessExtensionsWrapper的程序组件,是个灰色的点不动,我好奇这是什么程序组件,既然是系统自带的,为什么要隐藏呢?对隐私有威胁吗?
Prioritize user privacy and data security in your app. Discuss best practices for data handling, user consent, and security measures to protect user information.
Post
Replies
Boosts
Views
Activity
Hi everyone,
I’m currently developing an MFA authorization plugin for macOS and am looking to implement a passwordless feature. The goal is to store the user's password securely when they log into the system through the authorization plugin.
However, I’m facing an issue with using the system's login keychain (Data Protection Keychain), as it runs in the user context, which isn’t suitable for my case. Therefore, I need to store the password in a file-based keychain instead.
Does anyone have experience or code snippets for objective-c for securely storing passwords in a file-based keychain (outside of the login keychain) on macOS? Specifically, I'm looking for a solution that would work within the context of a system-level authorization plugin.
Any advice or sample code would be greatly appreciated!
Thanks in advance!
Hello, I am currently implementing a biometric authentication registration flow using WebAuthn. I am using ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest, and I would like to know if there is a way to hide the "Save to another device" option that appears during the registration process.
Specifically, I want to guide users to save the passkey only locally on their device, without prompting them to save it to iCloud Keychain or another device.
If there is a way to hide this option or if there is a recommended approach to achieve this, I would greatly appreciate your guidance.
Also, if this is not possible due to iOS version or API limitations, I would be grateful if you could share any best practices for limiting user options in this scenario.
If anyone has experienced a similar issue, your advice would be very helpful. Thank you in advance.
Hello, I am currently working on implementing credential registration for biometric authentication using WebAuthn in an iOS app. I am using ASAuthorizationPlatformPublicKeyCredentialProvider to create a credential registration request based on the data retrieved from the WebAuthn options endpoint.
At the moment, I am only using user.id, user.name, and challenge from the options response, and I am unsure how to utilize the other fields effectively. I would greatly appreciate advice on how to use the following fields:
**Fields I would like to use:
**
rp (Relying Party)
I am retrieving id and name, but I am not sure how best to pass and utilize these fields. Is there an explicit way to use them?
authenticatorSelection
How can I set requireResidentKey and userVerification in ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest? Also, what are the specific benefits of using these fields?
timeout
Is there a way to reflect the timeout value in the credential registration request, and what would be the best way to handle this information in iOS?
attestation
The attestation field can contain values such as none or direct. How should I reflect this in the credential registration request for iOS? I would appreciate a sample implementation or guidance on the benefits of setting this field.
extensions
If I want to customize the authentication flow using the extensions field, how can I appropriately reflect this in iOS? For instance, how can I utilize extensions like credProps?
pubKeyCredParams
Regarding pubKeyCredParams, which is a list of supported public key algorithms, I am unsure how to use it to select an appropriate algorithm in iOS. How should I incorporate this information into the request?
excludeCredentials
I understand that setting excludeCredentials can prevent duplicate registration, but I am not sure how to use past credential information to set it effectively. Any advice on this would be appreciated.
**Current Code
**
Currently, I have implemented the following code, but I am struggling to understand how to add and configure the fields mentioned above.
let publicKeyCredentialProvider = ASAuthorizationPlatformPublicKeyCredentialProvider(
relyingPartyIdentifier: "www.example.com"
)
let registrationRequest = publicKeyCredentialProvider.createCredentialRegistrationRequest(
challenge: challenge,
name: userId,
userID: userIdData
)
let authController = ASAuthorizationController(authorizationRequests: [registrationRequest])
authController.delegate = self
authController.presentationContextProvider = self
authController.performRequests()
In addition to the above code, I would be grateful if anyone could advise on how to configure fields like rp, authenticatorSelection, attestation, extensions, and pubKeyCredParams as well. Furthermore, I would appreciate any insights into the benefits of setting each of these fields in iOS, and any security considerations to be aware of.
If anyone has experience with this, your guidance would be extremely helpful. Thank you very much in advance!
I am researching to apply Apple Sign In to my app. I see response data from Apple just include user name and email (phone number is not required also), but currently my app has only one login method that is by phone number.
So I would like to ask:
Can I request an phone number (by an customize popup) from the user after Signin Apple successfully? If not then which approach that can I apply?
Many thanks!
Is there a way to know the event of user unlocking on iOS Device in Application?
Hi everyone,
I'm working on a macOS authorization plugin (NameAndPassword) to enable users to log into their system using only MFA, effectively making it passwordless. To achieve this, I'm attempting to store the user's password securely in the Keychain so it can be used when necessary without user input.
However, when I attempt to store the password, I encounter error code -25308. Below is the code I'm using to save the password to the Keychain:
objc code
(void)storePasswordInKeychain:(NSString *)password forAccount:(NSString *)accountName {
NSData *passwordData = [password dataUsingEncoding:NSUTF8StringEncoding];
NSDictionary *query = @{
(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
(__bridge id)kSecAttrService: @"com.miniOrange.nameandpassword",
(__bridge id)kSecAttrAccount: accountName,
(__bridge id)kSecValueData: passwordData,
(__bridge id)kSecAttrAccessible: (__bridge id)kSecAttrAccessibleAfterFirstUnlock
};
// Delete any existing password for the account
OSStatus deleteStatus = SecItemDelete((__bridge CFDictionaryRef)query);
if (deleteStatus == errSecSuccess || deleteStatus == errSecItemNotFound) {
[Logger debug:@"Old password entry deleted or not found."];
} else {
[Logger error:@"Failed to delete existing password: %d", (int)deleteStatus];
}
// Add the new password
OSStatus addStatus = SecItemAdd((__bridge CFDictionaryRef)query, NULL);
if (addStatus == errSecSuccess) {
[Logger debug:@"Password successfully saved to the Keychain."];
} else {
[Logger error:@"Failed to save password: %d", (int)addStatus];
}
}
Any insights or suggestions would be greatly appreciated!
Hi,
ASCredentialProvider had been almost identically implemented on both iOS and macOS so far, but the ProvidesTextToInsert feature was only added to iOS. It would have been a crucial point to make Credential Providers available in all textfields, without users having to rely on developers correctly setting roles for their Text Fields.
It's right now impossible to paste credentials into Notes, or some other non-password text box both in web and desktop apps for example, in a seamless, OS-supported way without abusing Accessibility APIs which are understandably disallowed in Mac App Store apps. Or just pasting an SSH key, or anything. On macOS this has so many possibilities. It could even have a terminal command.
It's even more interesting that "Passwords..." is an option in macOS's AutoFill context menu, just like on iOS, however Credential Providers did not gain this feature on macOS, only on iOS.
Is this an upcoming feature, or should we find alternatives? Or should I file a feature request? If it's already in the works, it's pointless to file it.
Hi,
I use AudioQueueNewInput() with my very own run loop and dedicated thread. But now it doesn't show the mic alert window.
Howto fix this?
AudioQueueNewInput(&(core_audio_port->record_format),
ags_core_audio_port_handle_input_buffer,
core_audio_port,
ags_core_audio_port_input_run_loop, kCFRunLoopDefaultMode,
0,
&(core_audio_port->record_aq_ref));
Hi everyone,
I'm having a recurring issue with the "Sign in with Apple" integration in my web app, and I’m hoping someone here can help or share insights.
Here’s the situation:
I implemented "Sign in with Apple" following the official documentation, and it worked perfectly at first.
After about two weeks, I started getting the "invalid_client" error when redirecting to the authentication page.
I reviewed everything and discovered I hadn’t set up the email configuration properly in the Apple Developer Console. Once I fixed that, it worked fine again.
Now, the same error ("invalid_client") has returned, and I’ve triple-checked every part of my configuration:
The service ID, redirect URIs, and domain settings match exactly.
The client_secret is generated correctly with all required fields (iss, iat, exp, aud, and sub) and signed with ES256.
My server time is synchronized.
Nothing has changed in my code or configuration since it last worked.
This seems to be an issue on Apple’s end because everything was functioning perfectly before, and I’ve already resolved this once by updating settings in the Developer Console.
Has anyone else faced this issue? Is there something I might be missing, or could this be a problem with Apple’s service?
Any advice or guidance would be greatly appreciated!
Hi there, I'm currently working on a compatibility feature for Apple that allows the user to manage their keys and certificates from within our internal API. For this I need to retrieve all the items contained within keychains.
I am looking at the documentation for SecItem API but so far I have not really found an obvious way to link these items together. My best guess so far is to perform two queries, grabbing all SecKeys from the keychains, pairing them up with public keys through SecKeyCopyPublicKey, then downloading all CertItems and pairing them with public keys with SecCertificateCopyKey, and then join the two using public keys.
This sounds however somewhat involved and I was wondering if there was a better way of going about the process?
We run simple iOS Swift code triggered by a remote notification:
UserDefaults.standard.set("key", forKey: "value")
It runs fine when the app is active or inactive, but when the device is closed/locked and the code is triggered, we see a warning in Xcode:
Couldn't write values for keys (
key
) in CFPrefsPlistSource<0x3018802d0> (Domain: com.example, User: kCFPreferencesCurrentUser, ByHost: No, Container: (null), Contents Need Refresh: No): Path not accessible
Not updating lastKnownShmemState in CFPrefsPlistSource<0x3018802d0> (Domain: com.example, User: kCFPreferencesCurrentUser, ByHost: No, Container: (null), Contents Need Refresh: No): 767 -> 767
The issue is that there seems to be no way to catch that warning. The value is set, when it's re-read the value is correct. But the value is never written to disk, so after an app restart/update the value is gone, potentially has an old wrong value.
This code runs without any interruption, it's just showing the warning on iOS 17.7.1 on iPad:
UserDefaults.standard.set("key", forKey: "value")
UserDefaults.standard.synchronize()
print("value: \(UserDefaults.standard.string(forKey: "key"))")
Should there not be a way to catch this, so the code can act accordingly to the circumstances? It would be good to know inside the code that the value is not persisted. I would expect that an exception is generated somewhere which can be caught.
It seems .completeFileProtectionUntilFirstUserAuthentication enables files to be written to disk while the device is closed/locked, can something similar be used for UserDefaults.standard?
Hello, I have a public key of type Curve25519.KeyAgreement.PublicKey that I create from the raw representation using:
Curve25519.KeyAgreement.PublicKey(rawRepresentation: Data(base64Encoded: "08sYq4gExgX+UApEwLaASkE+TZjAxG1FPYaT+mj2irk=")!)
I'm trying to convert that key to a curve, but I don't see an equivalent function in CryptoKit for the Javascript function pk_to_curve25519. Can someone please help?
For completeness, I'm trying to implement the handshake protocol that's a part of secure scuttlebutt. https://ssbc.github.io/scuttlebutt-protocol-guide/
We received a rejection today based on an invalid PrivacyInfo.xcprivacy file. It contained one extra space character was somehow added to a value field.
Is there a tool that can check the validity of our PrivacyInfo.xcprivacy files?
In our application, we store user information (Username, Password, accessToken, Refresh token, etc.) in the keychain. However, after performing a hard reboot (unplugging and plugging back in), when we attempt to retrieve the ‘refresh token’ or ‘access token’ from the keychain, we receive the old token instead of the newly saved one.
Does macos app support passkey?
Can I also use passkey's functionality if it's an internal release, not an Apple App Store release?
Private relay emails are ending up in the spam folder, even though SPF and DKIM are set up correctly.
Dear Apple Developer Support Team,
I am writing to request assistance regarding an issue with the Apple Sign-In integration for my application, specifically in obtaining the email ID from the id_token.
We are using the following Apple Sign-In authorization URL to initiate the sign-in process:
https://appleid.apple.com/auth/authorize?response_type=code&response_mode=query&client_id=com.whattotrust.client&redirect_uri=https%3A%2F%2Fdev-web.whattotrust.com%2Fauth%2Fcallback
After successfully authenticating the user and obtaining the authorization code, we use this endpoint to request the id_token and access_token:
https://appleid.apple.com/auth/token
While we are able to retrieve the tokens, we are experiencing issues when attempting to extract the user's email ID from the id_token. This issue has been consistent across multiple accounts. Despite successfully decrypting the id_token, the email field is either missing or unavailable. but with few emails we are getting email
Could you please help us understand if there is an additional step or specific condition required to ensure that the email ID is included in the id_token? We would greatly appreciate any guidance on how to resolve this issue.
Thank you for your support and assistance in resolving this matter.
I'm trying to create an "Extensible Enterprise SSO" extension as described in the Introducing Extensible Enterprise SSO tech talk.
My SSO extension works fine, but I want to be able to access the camera (via AVFoundation) from within the SSO extension.
According to this thread (which I can't seem to be able to reply to) - it should be possible to access the camera from within an SSO extension, however this doesn't work for me.
When I try to access the camera, I get the permission dialog, but after accepting, the camera preview is empty and no camera frames are produced.
I don't get any errors/warnings in the logs, but it immediately fires AVCaptureSession.wasInterruptedNotification notification with AVCaptureSessionInterruptionReasonKey = 1 which corresponds to videoDeviceNotAvailableInBackground.
However, the SSO extension view controller is clearly not in the background, so is this a bug - or are there special rules for requesting camera permission in an SSO extension? The same camera access works fine in the host app, just not inside the extension.
Interestingly, accessing the camera in a WKWebView using various webcam test pages, doesn't work either.
All of these tests have been on iPadOS 18.
When I tried to launch my application from non-gui process (from launch daemon) NSworkspace openApplicationAtURL failed if I tried to run it when my device on the login screen.
Everything is working if someone logged in, but on the login screen I have the error
The application “TestApp” could not be launched because a miscellaneous error occurred. with code 256
NSWorkspace* workspace = [NSWorkspace sharedWorkspace];
NSWorkspaceOpenConfiguration* config = [NSWorkspaceOpenConfiguration configuration];
config.createsNewApplicationInstance = YES;
config.activates = NO;
config.promptsUserIfNeeded = NO;
config.addsToRecentItems = NO;
[workspace openApplicationAtURL: appURL
configuration: config
completionHandler:^(NSRunningApplication *app, NSError *error)
{
}];
Sometimes after the third try it works, sometimes not at all.
I try to use "open" command, it works on MacOS Sequoia, but not working for operating systems below, I see this error
The application cannot be opened for an unexpected reason, error=Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x600002998120 {Error Domain=OSLaunchdErrorDomain Code=125 "Domain does not support specified action" UserInfo={NSLocalizedFailureReason=Domain does not support specified action}}}
All these problems occur only on the login screen. I'm developing screen share utility, so I need somehow to launch my application on the login screen.
Could someone please help me understand what is recommended way to launch application on the login screen?