We did an app transfer in mid-August as part of our process to incorporate the business.
We have approximately 100,000 users who have logged in with their Apple IDs, and as part of the transfer process, we followed the documentation below to transfer the account information.
https://developer.apple.com/documentation/sign_in_with_apple/bringing_new_apps_and_users_into_your_team
During the identifier exchange process, an invalid_request error occurred for approximately 10,000 users.
https://developer.apple.com/documentation/sign_in_with_apple/bringing_new_apps_and_users_into_your_team#3559300
We successfully transferred the remaining users using the same script and procedure.
Even when repeated multiple times, the error consistently occurs with the same users.
Based on this situation, we believe that the error may be caused by user-related factor.
Specifically, we would like to understand the potential causes of request errors other than the reasons listed below. The only user-related cause, ‘The user has revoked authorization for the client,’ is not relevant to this case, as it pertains to an error when issuing the transfer identifier. (not exchanging)
https://developer.apple.com/documentation/technotes/tn3107-resolving-sign-in-with-apple-response-errors#Possible-reasons-for-invalid-request-errors
Details of the request content are documented in FB14898615. Although we submitted feedback from the account after the transfer, we have not received a response for over a week, so we are reaching out here as well.
[Similar problem]
https://developer.apple.com/forums/thread/761968
General
RSS for tagPrioritize user privacy and data security in your app. Discuss best practices for data handling, user consent, and security measures to protect user information.
Post
Replies
Boosts
Views
Activity
I am in the process of creating a multiplatform app with a shared code base using swiftUI for iOS and mac. This app has a widget extension target for both iOS and mac and a helper app for mac only. I am trying to share data and userdefaults between the main app and the widget extension for ios, and for the mac share data between the main app, widget extension and the helper app.
I have setup an app group container to share data between all targets. However this is only working on iOS. The app group capability is not extended to macOS.
I have been researching for weeks now and all the answers I can find are for if the macOS were a different target, which would entail me having the macos group container prefixed with my team identifier.
With a multiplatform app, the main app simply won't let me prefix the group container with my team identifier. Which unfortunately xcode prevents me from doing for a multiplatform app.
I have no idea of how to solve this issue and any help will be appreciated.
The user migration API (https://appleid.apple.com/auth/usermigrationinfo) is inconsistent when we call it with the correct parameters and tokens to retrieve new user subs/emails for users made under a previous Entity before completing an Entity Transfer:
65% of our requests return with no new sub or email and we receive an {'error': 'invalid_request', 'email_verified': False} response back from the API when sending it our transfer subs.
34% of our requests succeed in getting a sub but no new private relay email from the same API with the same parameters- isn't it always supposed to return an email?
1% of our requests successfully responded with a new sub and private relay email.
We know it is not from anything in the request expiring because we regenerate the secrets, access_tokens, and transfer subs before making each request. All the other parameters are exactly the same as the successful API calls.
I can respond over email with more app/team-specific details or our request code. Thanks!
How to install root trusted certificate via SSH ?
I already read that SecTrustSettingsSetTrustSettings requires user interaction.
That mean that it requires user login and password be entered.
But is it possible to move that authetification to command line, outside UI session?
I made a sample tool that try to do this.
https://github.com/DanilKorotenko/certificateTool
Accordingly to the documentation:
https://developer.apple.com/library/archive/documentation/Security/Conceptual/authorization_concepts/02authconcepts/authconcepts.html#//apple_ref/doc/uid/TP30000995-CH205-CJBJBGAA
If the timeout attribute is missing, the credential can be used to grant the right as long as the login session lasts, unless the credential is explicitly destroyed.
When I call function AuthorizationCopyRights,
I create a shared credential (login+password).
Authorization rule com.apple.trust-settings.admin does not have timeout attribute.
security authorizationdb read com.apple.trust-settings.admin
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>For modifying Trust Settings in the Admin domain. Requires entitlement or admin authentication.</string>
<key>created</key>
<real>745942864.47938299</real>
<key>k-of-n</key>
<integer>1</integer>
<key>modified</key>
<real>745942864.47938299</real>
<key>rule</key>
<array>
<string>entitled</string>
<string>authenticate-admin</string>
</array>
<key>version</key>
<integer>1</integer>
</dict>
</plist>
But. If read authd log, when running this tool, in logs we can read this:
default 18:28:43.117724+0300 authd Validating shared credential trustadmin (707) for authenticate-admin (engine 396)
default 18:28:43.117733+0300 authd credential 707 expired '0.136439 > 0' (does NOT satisfy rule) (engine 396)
It says that our credential is expired.
But it should not be expired because the rule does not have timeout.
In summary, accordingly to documentation, SecTrustSettingsSetTrustSettings should not require authentification, when calling process is running as root. Because, com.apple.trust-settings.admin right rule does not have timeout, and since that root authetification on process call will create shared credential which SecTrustSettingsSetTrustSettings will use.
But in reality the behavior is different.
I found, that on some other macs, that tool works as expected. It adds trust certificate silently.
May be there is some special condition for exactly this roght? May be there is some special preferences, flags or environment variables?
Steps To Reproduce
Change this constants in code before build.
const char *userLogin = "your-adminuser";
const char *userPass = "your-password";
const char *certificateName = "your-certificateFileName";
You may use testCertificate, or create our own.
Build project.
Connect to localhost by ssh
ssh <youruser>@localhost
Go to build folder.
sudo ./certificateTool
Actual result:
The tool returns:
SecTrustSettingsSetTrustSettings failure. Error: -60007
That means that user interaction is required.
Expected result:
User interaction does not required.
Hello, I'm developing an SDK that will allow iOS devices (iOS 13+) to connect to AWS IoT Core using Native C. The endpoint requires a mutual TLS handshake to connect. I have been able to successfully import a Certificate and Private Key into the keychain and generate a SecIdentityRef that combines the cert/key pair which I believe is necessary to establish a TCP TLS nw_connection.
I've searched around and while I can find the individual pieces related to creating a TLS connection, I can't seem to find any that show how things go together.
The goal would be to use
nw_connection_create(endpoint, parameters);
to establish a TLS connection.
This is currently how I am creating the parameters for this connection.
transport_ctx->secitem_identity is where the SecIdentityRef is kept.
nw_parameters_create_secure_tcp(
// nw_parameters_configure_protocol_block_t for configure_tls
^(nw_protocol_options_t tls_options) {
sec_protocol_options_t sec_options = nw_tls_copy_sec_protocol_options(tls_options);
// Set the minimum TLS version to TLS 1.2
sec_protocol_options_set_min_tls_protocol_version(sec_options, tls_protocol_version_TLSv12);
// Set the maximum TLS version to TLS 1.3
sec_protocol_options_set_max_tls_protocol_version(sec_options, tls_protocol_version_TLSv13);
sec_protocol_options_set_local_identity(sec_options, transport_ctx->secitem_identity);
},
// nw_parameters_configure_protocol_block_t for configure_tcp
// This is also manually set with a code block but not relevant to this q.
NW_PARAMETERS_DEFAULT_CONFIGURATION);
My question is whether or not I'm even on the right track with attempting to use these functions to setup the TLS options associated with the parameters? The sec_protocol_options_set_local_identity appears to be listed under "Security legacy reference" in the apple dev docs: https://developer.apple.com/documentation/security/sec_protocol_options_set_local_identity(_:_:)?language=objc
And the surrounding documentation related to using TLS with a network connection feels sparse at best.
Follow up question is whether there is any documentation or reading material available for setting up TLS with a TCP socket connection. I'd love to not have to take up time asking these questions if there's somewhere I can just learn it.
Thanks!
In AuthorizationServices support for displayName exists in:
class ASAuthorizationSecurityKeyPublicKeyCredentialProvider func createCredentialRegistrationRequest( challenge: Data, displayName: String, name: String, userID: Data ) -> ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest
but is not supported in the corresponding class:
class ASAuthorizationPlatformPublicKeyCredentialProvider func createCredentialRegistrationRequest( challenge: Data, name: String, userID: Data ) -> ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest
I was under the impression that this should be supported in public key credential registration?
I've created a p256 ec key in the SE, stored it in the keychain, and have a X.509 certificate for that key, now I want to create and store a SecIdentity item in the keychain on iOS. SecIdentityCreateWithCertificate is available on macOS only., so that is not an option. How am I supposed to create a SecIdentity without having that call available?
How app knows that Require Face ID is enable for them?
How app knows that they active after successfully authenticate by iOS 18 Require Face ID feature?
If any app implement any Extension(In my case Action Extension and Autofill Credential provider) then how they extension knows that they active after successfully authenticate by iOS 18 Require Face ID feature?
is there any app notification or any api to help me out?
Everytime for any website/app we found empty serviceIdentifier in func prepareOneTimeCodeCredentialList(for serviceIdentifiers: [ASCredentialServiceIdentifier])
which cause we are unable to filter item as per domain or URL.
I'm using the same code to authenticate using passkeys on iOS and macOS. On iOS (simulator, on-device, and deployed with TestFlight), I have no issues registering or authenticating with a passkey. On macOS using Catalyst, when I attempt to authenticate with a passkey (ASAuthorizationController#performRequests), I see the following error:
Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "Application with identifier TEAMID.com.bundle is not associated with domain bundle.com" UserInfo={NSLocalizedFailureReason=Application with identifier TEAMID.com.bundle is not associated with domain bundle.com}
I've double-checked my apple-app-site-association file is being served from the associated domain, and I've double-checked that the Apple CDN is also returning that same association file with webcredentials for my team/bundle.
Any ideas why it would succeed in iOS environments but fail under macOS with Catalyst?
macOS popup a dialog "Allow App to find devices on local networks?" to ask Local Network permission. I would like to analyze when it popup and how it impacts my app user scenario. But this dialog only popup when Local Network privacy list not contain this app, once user pressed allow / don't allow, it won't popup again.
System Settings UI does not support removing Local Network permission, so I tried this command but not working.
tccutil reset All
There is also a post mentions that it does not work:
https://developer.apple.com/forums/thread/757949
Is there a way to remove this privacy settings? I don't want to reinstall macOS to test it.
I've tried getting LAContext and checking it, but it says it canEvaluatePolicy returns false for any biometric policy.
We use ASWebAuthenticationSession in our app to perform SAML auth on iOS devices. It works fine with Safari. However, if we config other browsers, such as Chrome, as a default browser on iOS device, ASWebAuthenticationSession still load Safari in embedded window and auth cookies is only stored in Safari. Can ASWebAuthenticationSession work with default browser on iOS similar as it works on MacOS?
Thanks,
Ying
I'm developing an SDK that will allow iOS devices (iOS 13+) to connect to AWS IoT Core using Native C. The endpoint requires a mutual TLS handshake to connect. I have been able to successfully import a Certificate and Private Key into the keychain but am unable to generate a SecIdentityRef from them for use in setting up a nw_protocol_options_t. I've looked through other forum posts and have been unable to figure out what's going on (Some are from 5+ years ago and maybe things have changed since then).
After prepping the raw data for the cert and key into expected formats I import the certificate:
const void *add_keys[] = {
kSecClass,
kSecAttrLabel,
kSecAttrSerialNumber,
kSecValueData,
kSecReturnRef };
const void *add_values[] = {
kSecClassCertificate,
label,
serial_data,
cert_data,
kCFBooleanTrue };
attributes = CFDictionaryCreate(
cf_alloc,
add_keys,
add_values,
5,
&kCFTypeDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks);
status = SecItemAdd(attributes, (CFTypeRef *)out_certificate);
Next I import the private key:
const void *add_keys[] = {
kSecClass,
kSecAttrKeyClass,
kSecAttrKeyType,
kSecAttrApplicationLabel,
kSecAttrLabel,
kSecValueData,
kSecReturnRef };
const void *add_values[] = {
kSecClassKey,
kSecAttrKeyClassPrivate,
key_type,
application_label,
label,
key_data,
kCFBooleanTrue };
attributes = CFDictionaryCreate(
cf_alloc,
add_keys,
add_values,
7,
&kCFTypeDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks);
status = SecItemAdd(attributes, (CFTypeRef *)out_private_key);
The full code handles duplicate items in which case attributes are updated. Following the successful import of the cert and key to the keychain, I attempt to retrieve the identity with the following:
SecIdentityRef identity = NULL;
CFDictionaryRef query = NULL;
const void *query_keys[] = {
kSecClass,
kSecReturnRef,
// kSecAttrSerialNumber,
// kSecAttrLabel
kSecMatchLimit
};
const void *query_values[] = {
kSecClassIdentity,
kCFBooleanTrue,
// cert_serial_data,
// cert_label_ref
kSecMatchLimitAll
};
query = CFDictionaryCreate(
cf_alloc,
query_keys,
query_values,
3,
&kCFTypeDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks);
OSStatus identity_status = SecItemCopyMatching(query, (CFTypeRef *)&identity);
I have attempted using various search parameters related to the label and the serial of the certificate. Based on other forum post suggestions I have also tried expanding the search to kSecMatchLimitAll to get back ANY stored kSecClassIdentity and all variations returned OSStatus of -25300 (errSecItemNotFound). Once I am able to retrieve the SecIdentityRef, my understanding is that I can add it to the following during creation of the socket:
nw_protocol_options_t tls_options = nw_tls_create_options();
sec_protocol_options_t sec_options = nw_tls_copy_sec_protocol_options(tls_options);
sec_protocol_options_set_min_tls_protocol_version(sec_options, tls_protocol_version_TLSv12);
sec_protocol_options_set_max_tls_protocol_version(sec_options, tls_protocol_version_TLSv13);
sec_protocol_options_set_local_identity(sec_options, SecIdentityRef);
Am I missing some step that is required to create an identity from the certificate and private key? I have tested the cert/key pair and they connect properly when using the old deprecated SecItemImport and SecIdentityCreateWithCertificate (on our old macOS only implementation).
I will continue to dig through Apple documentation as well as more forum posts but I feel like I'm hitting a wall and missing something very obvious as this seems like a very common networking task. Thanks!
The provided links below are to the full code related to the work in progress iOS import functions:
Link to import function https://github.com/awslabs/aws-c-io/blob/cad8639ef0ea08ba3cc74b72cfc1c9866adbb7e5/source/darwin/darwin_pki_utils.c#L735
Link to private key import: https://github.com/awslabs/aws-c-io/blob/cad8639ef0ea08ba3cc74b72cfc1c9866adbb7e5/source/darwin/darwin_pki_utils.c#L561
Link to certificate import: https://github.com/awslabs/aws-c-io/blob/cad8639ef0ea08ba3cc74b72cfc1c9866adbb7e5/source/darwin/darwin_pki_utils.c#L398
We are having trouble with App Attest when built with different processors. We need to build an IPA to send to our testers. When the app is built using Intel processor, everything works. But when we built using a mac with processor M, them the App Attest process fails.
The error occurs in our backend while validating the attesation object. We are doing the validation as stated by this documentation: https://developer.apple.com/documentation/devicecheck/attestation-object-validation-guide
The process of validating the Attesation Object fails in the step 4, this one:
Obtain the value of the credCert extension with OID 1.2.840.113635.100.8.2, which is a DER-encoded ASN.1 sequence. Decode the sequence and extract the single octet string that it contains. Verify that the string equals nonce.
The problem is that the validation fails only when the app is built in a M processor machine.
In our server we do (using GO Lang) something like this:
if !bytes.Equal(nonce[:], unMarshalledCredCert.Bytes) {
// error
}
unMarshalledCredCert is the nonce extracted from the Attesation Object sent by the mobile application and nonce[:] is the nonce stored in our backend side cache.
What can this be?
I'm using CMMotionManager startDeviceMotionUpdatesUsingReferenceFrame: CMAttitudeReferenceFrameXTrueNorthZVertical and have set the NSMotionUsageDescription ("Privacy - Motion Usage Description") property in the info.plist. But I don't see a permissions popup.
I also don't see any mention of this in the app's section of the Settings app.
When is this usage description string used?
I wonder if there is some connection between the motion permission and the location permission, which I also use?
Hello. I’m building an app that would use the Screen Time API to restrict apps on the users phone at set times and also give Device usage reports and analysis to the user. Do I need to request permission from apple to do this? If no, then what applications of the API require getting permission from Apple?
We've encountered an issue with implementing "Sign in with Apple." We've set up an authorization mechanism that returns a JWT, which includes the following fields in the IdTokenPayload: iss, aud, exp, iat, sub, at_hash, email, email_verified, auth_time, and nonce_supported.
We tested this using an Apple ID that had not previously been used with our app. At this stage, we expected to receive the user's name, but instead, the relevant fields are returning null values, and all we receive is the email address.
Here’s an example of the JWT payload we're receiving:
{
"iss": "https://appleid.apple.com",
"aud": "com.octocrm.webapp",
"exp": 1724833875,
"iat": 1724747475,
"sub": "000335.ad7cef1b0a3c474b842531f95444f2ad.1205",
"at_hash": "perz_dvgtpe4cglpuzzj-a",
"email": "firma.pl",
"email_verified": true,
"auth_time": 1724747463,
"nonce_supported": true
}
We were expecting the user's name fields (e.g., name, given_name, family_name) to be populated in the JWT, but instead, they are returning as null. Is there something we're missing in our implementation, or is there a specific condition that needs to be met for these fields to be included? Any guidance on how to resolve this issue would be greatly appreciated.
Hi,
Please see TN3159: Migrating Sign in with Apple users for an app transfer for more information on the expected end-to-end app transfer and user migration flow.
Additionally, if you'd like for the iCloud and App Store engineering teams to confirm if the errors are related to a revoked authorization to previous users accounts, please submit a report via Feedback Assistant and include the following information:
Gathering required information for troubleshooting Sign in with Apple user migration
To prevent sending sensitive JSON Web Tokens (JWTs) in plain text, you should create a report in Feedback Assistant to share the details requested below. Additionally, if I determine the error is caused by an internal issue in the operating system or Apple ID servers, the appropriate engineering teams have access to the same information and can communicate with you directly for more information, if needed. Please follow the instructions below to submit your feedback.
For issues occurring with your user migration, ensure your feedback contains the following information:
the primary App ID and Services ID
the client secret for the transferring team (Team A) and the recipient team (Team B)
the failing request(s), including all parameter values, and error responses (if applicable)
the timestamp of when the issue was reproduced (optional)
screenshots or videos of errors and unexpected behaviors (optional)
Important: If providing a web service request, please ensure the client secret (JWT) has an extended expiration time (exp) of at least ten (10) business days, so I have enough time to diagnose the issue. Additionally, if your request requires access token or refresh tokens, please provide refresh tokens as they do not have a time-based expiration time; most access tokens have a maximum lifetime of one (1) hour, and will expire before I have a chance to look at the issue.
Submitting your feedback
Before you submit via Feedback Assistant, please confirm the requested information above (for your native app or web service) is included in your feedback. Failure to provide the requested information will only delay my investigation into the reported issue within your Sign in with Apple client.
After your submission to Feedback Assistant is complete, please respond in your existing Developer Forums post with the Feedback ID. Once received, I can begin my investigation and determine if this issue is caused by an error within your client, a configuration issue within your developer account, or an underlying system bug.
Cheers,
Paris X Pinkney | WWDR | DTS Engineer
I'm working on a Passkey Provider and I'm trying to limit my extension to already existing credentials added via ASCredentialIdentityStore.
So if a browser calls navigator.credentials.get without any allowedCredentials, I want to reject that request and if navigator.credentails.get contain an allowedCredentials list, and the allowedCredentials are in my internal store, then I process the challenge.
The problem I'm seeing is that allowedCredentials is empty whether I pass allowedCredentials to navigator.credentials.get or not. Is there any way to troubleshoot this?