Prioritize user privacy and data security in your app. Discuss best practices for data handling, user consent, and security measures to protect user information.

Post

Replies

Boosts

Views

Activity

Storing Password in System keychain (File-Based Keychain) for MFA Authorization Plugin
Hi everyone, I’m currently developing an MFA authorization plugin for macOS and am looking to implement a passwordless feature. The goal is to store the user's password securely when they log into the system through the authorization plugin. However, I’m facing an issue with using the system's login keychain (Data Protection Keychain), as it runs in the user context, which isn’t suitable for my case. Therefore, I need to store the password in a file-based keychain instead. Does anyone have experience or code snippets for objective-c for securely storing passwords in a file-based keychain (outside of the login keychain) on macOS? Specifically, I'm looking for a solution that would work within the context of a system-level authorization plugin. Any advice or sample code would be greatly appreciated! Thanks in advance!
0
0
27
8h
Is there a way to hide the 'Save to another device' option during iOS WebAuthn registration?
Hello, I am currently implementing a biometric authentication registration flow using WebAuthn. I am using ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest, and I would like to know if there is a way to hide the "Save to another device" option that appears during the registration process. Specifically, I want to guide users to save the passkey only locally on their device, without prompting them to save it to iCloud Keychain or another device. If there is a way to hide this option or if there is a recommended approach to achieve this, I would greatly appreciate your guidance. Also, if this is not possible due to iOS version or API limitations, I would be grateful if you could share any best practices for limiting user options in this scenario. If anyone has experienced a similar issue, your advice would be very helpful. Thank you in advance.
0
0
116
18h
How to utilize each field of WebAuthn Options for implementation on iOS?
Hello, I am currently working on implementing credential registration for biometric authentication using WebAuthn in an iOS app. I am using ASAuthorizationPlatformPublicKeyCredentialProvider to create a credential registration request based on the data retrieved from the WebAuthn options endpoint. At the moment, I am only using user.id, user.name, and challenge from the options response, and I am unsure how to utilize the other fields effectively. I would greatly appreciate advice on how to use the following fields: **Fields I would like to use: ** rp (Relying Party) I am retrieving id and name, but I am not sure how best to pass and utilize these fields. Is there an explicit way to use them? authenticatorSelection How can I set requireResidentKey and userVerification in ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest? Also, what are the specific benefits of using these fields? timeout Is there a way to reflect the timeout value in the credential registration request, and what would be the best way to handle this information in iOS? attestation The attestation field can contain values such as none or direct. How should I reflect this in the credential registration request for iOS? I would appreciate a sample implementation or guidance on the benefits of setting this field. extensions If I want to customize the authentication flow using the extensions field, how can I appropriately reflect this in iOS? For instance, how can I utilize extensions like credProps? pubKeyCredParams Regarding pubKeyCredParams, which is a list of supported public key algorithms, I am unsure how to use it to select an appropriate algorithm in iOS. How should I incorporate this information into the request? excludeCredentials I understand that setting excludeCredentials can prevent duplicate registration, but I am not sure how to use past credential information to set it effectively. Any advice on this would be appreciated. **Current Code ** Currently, I have implemented the following code, but I am struggling to understand how to add and configure the fields mentioned above. let publicKeyCredentialProvider = ASAuthorizationPlatformPublicKeyCredentialProvider( relyingPartyIdentifier: "www.example.com" ) let registrationRequest = publicKeyCredentialProvider.createCredentialRegistrationRequest( challenge: challenge, name: userId, userID: userIdData ) let authController = ASAuthorizationController(authorizationRequests: [registrationRequest]) authController.delegate = self authController.presentationContextProvider = self authController.performRequests() In addition to the above code, I would be grateful if anyone could advise on how to configure fields like rp, authenticatorSelection, attestation, extensions, and pubKeyCredParams as well. Furthermore, I would appreciate any insights into the benefits of setting each of these fields in iOS, and any security considerations to be aware of. If anyone has experience with this, your guidance would be extremely helpful. Thank you very much in advance!
0
0
60
18h
Question for Apple Sign In review rules.
I am researching to apply Apple Sign In to my app. I see response data from Apple just include user name and email (phone number is not required also), but currently my app has only one login method that is by phone number. So I would like to ask:
 Can I request an phone number (by an customize popup) from the user after Signin Apple successfully? If not then which approach that can I apply? Many thanks!
1
0
101
2d
macOS Authorization Plugin: Keychain Error -25308 When Storing Password
Hi everyone, I'm working on a macOS authorization plugin (NameAndPassword) to enable users to log into their system using only MFA, effectively making it passwordless. To achieve this, I'm attempting to store the user's password securely in the Keychain so it can be used when necessary without user input. However, when I attempt to store the password, I encounter error code -25308. Below is the code I'm using to save the password to the Keychain: objc code (void)storePasswordInKeychain:(NSString *)password forAccount:(NSString *)accountName { NSData *passwordData = [password dataUsingEncoding:NSUTF8StringEncoding]; NSDictionary *query = @{ (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword, (__bridge id)kSecAttrService: @"com.miniOrange.nameandpassword", (__bridge id)kSecAttrAccount: accountName, (__bridge id)kSecValueData: passwordData, (__bridge id)kSecAttrAccessible: (__bridge id)kSecAttrAccessibleAfterFirstUnlock }; // Delete any existing password for the account OSStatus deleteStatus = SecItemDelete((__bridge CFDictionaryRef)query); if (deleteStatus == errSecSuccess || deleteStatus == errSecItemNotFound) { [Logger debug:@"Old password entry deleted or not found."]; } else { [Logger error:@"Failed to delete existing password: %d", (int)deleteStatus]; } // Add the new password OSStatus addStatus = SecItemAdd((__bridge CFDictionaryRef)query, NULL); if (addStatus == errSecSuccess) { [Logger debug:@"Password successfully saved to the Keychain."]; } else { [Logger error:@"Failed to save password: %d", (int)addStatus]; } } Any insights or suggestions would be greatly appreciated!
3
0
153
2d
ASCredentialProvider/ProvidesTextToInsert macOS support
Hi, ASCredentialProvider had been almost identically implemented on both iOS and macOS so far, but the ProvidesTextToInsert feature was only added to iOS. It would have been a crucial point to make Credential Providers available in all textfields, without users having to rely on developers correctly setting roles for their Text Fields. It's right now impossible to paste credentials into Notes, or some other non-password text box both in web and desktop apps for example, in a seamless, OS-supported way without abusing Accessibility APIs which are understandably disallowed in Mac App Store apps. Or just pasting an SSH key, or anything. On macOS this has so many possibilities. It could even have a terminal command. It's even more interesting that "Passwords..." is an option in macOS's AutoFill context menu, just like on iOS, however Credential Providers did not gain this feature on macOS, only on iOS. Is this an upcoming feature, or should we find alternatives? Or should I file a feature request? If it's already in the works, it's pointless to file it.
0
0
96
3d
Repeated "Invalid Client" Error with Sign In with Apple
Hi everyone, I'm having a recurring issue with the "Sign in with Apple" integration in my web app, and I’m hoping someone here can help or share insights. Here’s the situation: I implemented "Sign in with Apple" following the official documentation, and it worked perfectly at first. After about two weeks, I started getting the "invalid_client" error when redirecting to the authentication page. I reviewed everything and discovered I hadn’t set up the email configuration properly in the Apple Developer Console. Once I fixed that, it worked fine again. Now, the same error ("invalid_client") has returned, and I’ve triple-checked every part of my configuration: The service ID, redirect URIs, and domain settings match exactly. The client_secret is generated correctly with all required fields (iss, iat, exp, aud, and sub) and signed with ES256. My server time is synchronized. Nothing has changed in my code or configuration since it last worked. This seems to be an issue on Apple’s end because everything was functioning perfectly before, and I’ve already resolved this once by updating settings in the Developer Console. Has anyone else faced this issue? Is there something I might be missing, or could this be a problem with Apple’s service? Any advice or guidance would be greatly appreciated!
0
0
134
6d
Retrieving private-public-certificate triples from keychain
Hi there, I'm currently working on a compatibility feature for Apple that allows the user to manage their keys and certificates from within our internal API. For this I need to retrieve all the items contained within keychains. I am looking at the documentation for SecItem API but so far I have not really found an obvious way to link these items together. My best guess so far is to perform two queries, grabbing all SecKeys from the keychains, pairing them up with public keys through SecKeyCopyPublicKey, then downloading all CertItems and pairing them with public keys with SecCertificateCopyKey, and then join the two using public keys. This sounds however somewhat involved and I was wondering if there was a better way of going about the process?
3
0
196
6d
UserDefaults.standard.set() shows warning, but it can not be acted upon?
We run simple iOS Swift code triggered by a remote notification: UserDefaults.standard.set("key", forKey: "value") It runs fine when the app is active or inactive, but when the device is closed/locked and the code is triggered, we see a warning in Xcode: Couldn't write values for keys ( key ) in CFPrefsPlistSource<0x3018802d0> (Domain: com.example, User: kCFPreferencesCurrentUser, ByHost: No, Container: (null), Contents Need Refresh: No): Path not accessible Not updating lastKnownShmemState in CFPrefsPlistSource<0x3018802d0> (Domain: com.example, User: kCFPreferencesCurrentUser, ByHost: No, Container: (null), Contents Need Refresh: No): 767 -> 767 The issue is that there seems to be no way to catch that warning. The value is set, when it's re-read the value is correct. But the value is never written to disk, so after an app restart/update the value is gone, potentially has an old wrong value. This code runs without any interruption, it's just showing the warning on iOS 17.7.1 on iPad: UserDefaults.standard.set("key", forKey: "value") UserDefaults.standard.synchronize() print("value: \(UserDefaults.standard.string(forKey: "key"))") Should there not be a way to catch this, so the code can act accordingly to the circumstances? It would be good to know inside the code that the value is not persisted. I would expect that an exception is generated somewhere which can be caught. It seems .completeFileProtectionUntilFirstUserAuthentication enables files to be written to disk while the device is closed/locked, can something similar be used for UserDefaults.standard?
1
0
104
6d
CryptoKit equivalent for pk_to_curve25519
Hello, I have a public key of type Curve25519.KeyAgreement.PublicKey that I create from the raw representation using: Curve25519.KeyAgreement.PublicKey(rawRepresentation: Data(base64Encoded: "08sYq4gExgX+UApEwLaASkE+TZjAxG1FPYaT+mj2irk=")!) I'm trying to convert that key to a curve, but I don't see an equivalent function in CryptoKit for the Javascript function pk_to_curve25519. Can someone please help? For completeness, I'm trying to implement the handshake protocol that's a part of secure scuttlebutt. https://ssbc.github.io/scuttlebutt-protocol-guide/
1
0
124
6d
Assistance Needed with Missing Email ID in Apple Sign-In ID Token
Dear Apple Developer Support Team, I am writing to request assistance regarding an issue with the Apple Sign-In integration for my application, specifically in obtaining the email ID from the id_token. We are using the following Apple Sign-In authorization URL to initiate the sign-in process: https://appleid.apple.com/auth/authorize?response_type=code&response_mode=query&client_id=com.whattotrust.client&redirect_uri=https%3A%2F%2Fdev-web.whattotrust.com%2Fauth%2Fcallback After successfully authenticating the user and obtaining the authorization code, we use this endpoint to request the id_token and access_token: https://appleid.apple.com/auth/token While we are able to retrieve the tokens, we are experiencing issues when attempting to extract the user's email ID from the id_token. This issue has been consistent across multiple accounts. Despite successfully decrypting the id_token, the email field is either missing or unavailable. but with few emails we are getting email Could you please help us understand if there is an additional step or specific condition required to ensure that the email ID is included in the id_token? We would greatly appreciate any guidance on how to resolve this issue. Thank you for your support and assistance in resolving this matter.
0
0
124
1w
Accessing camera from SSO extension
I'm trying to create an "Extensible Enterprise SSO" extension as described in the Introducing Extensible Enterprise SSO tech talk. My SSO extension works fine, but I want to be able to access the camera (via AVFoundation) from within the SSO extension. According to this thread (which I can't seem to be able to reply to) - it should be possible to access the camera from within an SSO extension, however this doesn't work for me. When I try to access the camera, I get the permission dialog, but after accepting, the camera preview is empty and no camera frames are produced. I don't get any errors/warnings in the logs, but it immediately fires AVCaptureSession.wasInterruptedNotification notification with AVCaptureSessionInterruptionReasonKey = 1 which corresponds to videoDeviceNotAvailableInBackground. However, the SSO extension view controller is clearly not in the background, so is this a bug - or are there special rules for requesting camera permission in an SSO extension? The same camera access works fine in the host app, just not inside the extension. Interestingly, accessing the camera in a WKWebView using various webcam test pages, doesn't work either. All of these tests have been on iPadOS 18.
0
1
167
1w
Issue with NSWorkspace openApplicationAtURL on Login Screen
When I tried to launch my application from non-gui process (from launch daemon) NSworkspace openApplicationAtURL failed if I tried to run it when my device on the login screen. Everything is working if someone logged in, but on the login screen I have the error The application “TestApp” could not be launched because a miscellaneous error occurred. with code 256 NSWorkspace* workspace = [NSWorkspace sharedWorkspace]; NSWorkspaceOpenConfiguration* config = [NSWorkspaceOpenConfiguration configuration]; config.createsNewApplicationInstance = YES; config.activates = NO; config.promptsUserIfNeeded = NO; config.addsToRecentItems = NO; [workspace openApplicationAtURL: appURL configuration: config completionHandler:^(NSRunningApplication *app, NSError *error) { }]; Sometimes after the third try it works, sometimes not at all. I try to use "open" command, it works on MacOS Sequoia, but not working for operating systems below, I see this error The application cannot be opened for an unexpected reason, error=Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x600002998120 {Error Domain=OSLaunchdErrorDomain Code=125 "Domain does not support specified action" UserInfo={NSLocalizedFailureReason=Domain does not support specified action}}} All these problems occur only on the login screen. I'm developing screen share utility, so I need somehow to launch my application on the login screen. Could someone please help me understand what is recommended way to launch application on the login screen?
3
0
230
1w