I am trying to build an app that blocks access to other apps (Like screentime) through react native. I know that IOS has ScreenTime API which has device activity which has the feather to do that. Is it possible to integrate this into a react native app? I've been looking online but can't find much information or documentation regarding this, but I failed to find much.

I downloaded the ES sys-ext sample project. I built the 'NOTIFY' extension, and I was able to install it. However, it doesn't seem to work (or - it doesn't report anything). This is what I did: I download the project I renamed the bundle IDs I disabled SIP I tried both signing options - let 'Xcode automatically manage signing', and I also tried to use my 'Developer ID' I moved the app to the Applications folder I grant the 'Full Disk Access' permission to the extension I verified that the extension is running I did not get the needed entitlement yet, but since SIP is disabled, I don't think it's a problem I did get the message 'Successfully installed the extension ✅' At the terminal, I tried to capture relevant logs: log stream --style compact --predicate 'sender == "myBundleId"' (I tried it with the app bundleID, and with the extension's bundleId) And yet, 'ps' triggers no logs. *At the Console, I get those messages: "Unsatisfied entitlements: com.apple.developer.endpoint-security.client" Disallowing: myBundleId amfid: Restricted entitlements not validated, bailing out. Error: Error Domain=AppleMobileFileIntegrityError Code=-413 "No matching profile found" UserInfo={NSURL=, unsatisfiedEntitlements=, NSLocalizedDescription=No matching profile found} Any idea where's the problem at?

Using the DeviceActivity framework we are able to display data based on a user's screentime and device usage. With the DeviceActivityFilter property, you can specify the date interval to collect data between. In testing, it seems that data only becomes accessible once the extension has been installed (so the extension isn't reading the screentime data already collected on device). However, once installed, I'm curious how far back you can query data from in the data interval? Opal which uses the Screentime API appears to have a lifetime Screentime metric, so hypothetically it should possible to query data as far back as collection starts. Unless they are getting around the sandbox environment and storing the data somehow. Side note on Opal -- They seem to have a community average of Screentime among people in the same age group. Does anyone know how they are collecting the data for this average? Is it actually using live Screentime data or just aggregating data from other studies?

The video mentioned the following documentations but I can't find them anywhere ( developer.apple.com and Google): App privacy details on the App Store Required reason APIs Privacy-impacting SDKs Does anyone know where they are, or when they will be available? Thanks!

Hi, team. I tried including Privacy Manifest in my sample app and generating a privacy report. But "The archive does not contain any PrivacyInfo.xcprivacy files." error occurred when I tapped "Generate Privacy Report" button on Xcode Organizer. Is there something wrong? Could you tell me how to fix it? Here are screenshots of my Xcode and Xcode Organizer. Thank you.

Hi, I am testing out an update for my app in macOS Sonoma. I first installed the App Store version of my app on the device running macOS Sonoma, and it ran fine. I then installed an updated version of my app through TestFlight (built with macOS Ventura SDK), but when I run this updated version, I get prompted ”MyApp differs from previously opened versions. Are you sure you want to open it?". Why is this happening? Is this warning only because the app is updated through TestFlight, or do I need to do something to prevent this warning from happening when I update my app through the App Store? I see this mentioned in an Apple security update:: App Sandbox now associates your macOS app with its sandbox container using its code signature. The operating system asks the person using your app to grant permission if it tries to access a sandbox container associated with a different app. For more information, see Accessing files from the macOS App Sandbox. My app is already sandboxed, and I'm not trying to access a different app's sandbox container, just my own. For the TestFlight build, it probably also uses the same Release configuration that the App Store build uses. I might have changed my provisioning profiles recently because they expired. Would that affect this and cause a prompt to be showed? Would love to know more about this prompt and how to avoid it. Thanks.

As of Xcode 15, Apple supports adding Privacy Manifests to SDKs. We develop an SDK that consists of several components (frameworks) for which we would like to add a Privacy Manifest. That works fine for our local builds, but we distribute our SDK via CocoaPods, which generates a single framework with the sources of all our components. This single framework currently does not have a Privacy Manifest. How would we be able to provide Privacy Manifests when using CocoaPods for distribution?

I've just been looking at this list of APIs for which we will be soon be required to declare a "required reason" in the app's privacy manifest: https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api One of the listed functions is stat(). The rationale seems to be that a malicious app can use stat to get the timestamps of files outside the app container, thereby "fingerprinting" the device. The allowed reasons that we can declare are : To get timestamps that are displayed to the user. To get timestamps of files that are within the app's container. To get timestamps of files that the user has granted access to. I am concerned that this does not include many of the legitimate non-timestamp uses of stat(). For example, it can be used simply to test if a file exists, or to test whether a path refers to a file or a directory, or to check if two paths refer to the same file (e.g. via different symlinks), or to get the size of a file. Some of these things can be achieved in other ways; for example, I can check if a file exists by trying to open() it and checking for an error, and I can get the file size by opening it and calling lseek(SEEK_END). Maybe I can check if two paths are equivalent by using readlink() to form canonical paths for both and comparing them. But I bet there are other things that can't be done. I could probably fix all of my code to not call stat() for non-timestamp reasons in a few hours. It would be more difficult to fix the various open-source libraries that I use. What do you think we should all be doing?: "File a bug" asking for an additional reason for using stat(), i.e. to get non-timestamp information about files in the app's container. Deliberately mis-read allowed reason C617.1, "to access the timestamps of files inside the app container", as " to access the timestamps and other metadata of files inside the app container", and declare that in the privacy manifest. Change code to not call stat(). Any other suggestions? P.S. I guess that libc++ std::filesystem calls stat(). What is the status of using that? The std::filesystem functions that access file timestamps are not listed on the page linked above. If I call std::exists() to check if a file exists, and assuming that is implemented using stat(), will that trigger the new filter?

I've set up a privacy manifest file in my SDK, which I'm developing in Xcode 15 beta 4, and built an xcframework. I verified that PrivacyInfo.xcprivacy exists in the xcframework. In state verifying the existence of PrivacyInfo.xcprivacy in xcframework, I incorporated the built xcframework into a test app for operation check, created an archive, and outputted a report from "Generate Privacy Report". Despite having a privacy manifest file set up in the test app, when I checked the report, I was able to confirm the contents of the test app's privacy manifest file but not the contents of the privacy manifest file I configured in the SDK. I understand that the SDK's privacy manifest file is merged with and outputted from the privacy manifest file of a project that incorporates the SDK. Am I mistaken?

Hey! Reading through the documentation about Privacy Manifest I got a bit confused about the requirement about having Privacy Manifest files for both the 'main' app and for SDKs from inside the 'main' app (that uses the SDKs). Let's say I have the following scenario: MyApp includes SDKs via CocoaPods and SPM. The SDKs that I include in MyApp are using 'Required Reason APIs' and let's say that they do collect some data about the user or the device. Let's also assume that 'MyApp' also uses the same 'Required Reason APIs' (or more of them) as in the SDKs and also that MyApp collects data about the user/device. For this case: do I need to have a Privacy Manifest for both MyApp and each of the SDKs or is it enough to have just a 'main' Privacy Manifest file declared directly in MyApp's files?

Hi everyone. I trying to implement some drag and drop functionality together with SwiftData. That requires my model to conform Transferable. And Transferable requires to conform Codable. My code doesn't compile with this error: Type 'Item' does not conform to protocol 'Decodable/Encodable'. The error appears right after I add @Model macro. Is there a solution or a workaround? Here's my code: @Model final class Item: Transferable, Codable { let createdAt: Date static var transferRepresentation: some TransferRepresentation { CodableRepresentation(contentType: .myCustomType) } init() { self.createdAt = .now } } extension UTType { static let myCustomType = UTType(exportedAs: "com.olexgreen.mytype") } Thank you very much

From this document Note : You only need to supply NSPrivacyAccessedAPITypes for apps and third-party SDKs on iOS, iPadOS, tvOS, visionOS, and watchOS. From this video iOS 17 automatically blocks connections to tracking domains that have been specified in any privacy manifest included in your app It seems iOS needs NSPrivacyTrackingDomains to block connections when user has NOT provided tracking permission. But the document says only needs NSPrivacyAccessedAPITypes to supply. As a SDK(for iOS) developer, I would like to know which keys to provide for Privacy Manifest. Also, I made an app including xcprivacy to test NSPrivacyTrackingDomains to block connections but it connected to the domain. Is this feature already available in Xcode15 beta 5 (iOS 17 beta 5)?

At present, we have been receiving numerous reports from customers who integrate our SDK who have been encountering the failures (errSecItemNotFound) while trying to retrieve a key using SecItemCopyMatching. We are raising this query we are still in the midst of properly reproducing this issue though it has been reported to occur in several devices during the OS upgrade to the iOS 17 betas. This issue is still occurring in the latest iOS 17 beta 7. This issue was not present in previous iOS version. At present, we are of the conclusion that this issue is occurring randomly amongst devices that upgraded to the iOS 17 betas and it is not limited to older devices. What we believe is occurring is that: A key is created and stored into Keychain using SecItemAdd. The same key is queried at a later timepoint but encounters the error errSecItemNotFound. Our SDK then attempts to regenerate a new key for the same label and attribute to store it using SecItemAdd, but the system then reports errSecDuplicateItem at the key already exists. The workaround here includes a manual deletion of the said key. This issue seems to occur only during an OS upgrade to the iOS17 betas with the likelihood that the key was already present in Keychain prior to the upgrade. I share below the snippet relating to how this said key is generated, stored and retrieved. // Initial key is added // A random data of 32 bytes length is generated CFDataRef dataRef = <32bytes of data>; *attr = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); BREAK_IF_NULL(*attr); CFDictionarySetValue(*attr, kSecClass, kSecClassGenericPassword); CFStringRef aKey = CFStringCreateWithCString(kCFAllocatorDefault, "KEY_ACCOUNT", kCFStringEncodingUTF8); CFDictionaryAddValue(*attr, kSecAttrAccount, aKey); CFDictionarySetValue(*attr, kSecReturnData, kCFBooleanFalse); CFDictionarySetValue(*attr, kSecAttrAccessible, kSecAttrAccessibleAfterFirstUnlock); label = CFStringCreateWithFormat(NULL, NULL, CFSTR("A_LABEL")); CFDictionarySetValue(attr, kSecAttrService, label); CFDictionarySetValue(attr, kSecValueData, dataRef); SecItemAdd(attr); // Query for retrieval of key label = CFStringCreateWithFormat(NULL, NULL, CFSTR("A_LABEL")); CFDictionarySetValue(attributes, kSecAttrService, label); CFDictionarySetValue(attributes, kSecReturnData, kCFBooleanTrue); CFDictionarySetValue(attributes, kSecMatchLimit, limit); CFDictionarySetValue(attributes, kSecReturnAttributes, returnAttributes); osStatus = SecItemCopyMatching(attributes, result); if (errSecItemNotFound == osStatus) { } Please do let me know if more information could be useful. At present, we have ensured that the key generated are well-within the size limits and is stored simply as a kSecClassGenericPassword with limited access control to the key. Additionally, the query used was intended to be generalised to avoid encountering such occurrences.

We are trying to support Passkey Management in our app with the latest iOS 17 Passkey Autofill. During this process, we have a few doubts and queries: First, we have configured the AutoFill extension for external passkey management Next we used the 'prepareInterface(forPasskeyRegistration:' delegate for passkey generation We are facing an issue on creating the attestationObject for ‘ASPasskeyRegistrationCredential’. Here, we’re not sure if we need to create the attestationObject [if so any documentation or help regarding this] or is there any API to get the attestationObject which we are missing. override func prepareInterface(forPasskeyRegistration registrationRequest: ASCredentialRequest) { let request = registrationRequest as! ASPasskeyCredentialRequest let passkeyRegistration = ASPasskeyRegistrationCredential(relyingParty: request.credentialIdentity.serviceIdentifier.identifier, clientDataHash: request.clientDataHash, credentialID: Data(UUID().uuidString.utf8), attestationObject: "????") extensionContext.completeRegistrationRequest(using: passkeyRegistration) } Even we have tried passing the hardcoded attestationObject[we used the existing attestationObject received using icloud keychain] , still we got empty ‘ClientDataJSON’ on ‘authorizationController(controller:’ delegate.

On Sonoma beta 7, if system.login.screensaver is updated to use “authenticate-session-owner-or-admin”, and then Lock Screen is not hiding the macOS Desktop. Step1. Update system.login.screensaver authorizationdb rule to use “authenticate-session-owner-or-admin”( to get old SFAutorizationPluginView at Lock Screen ). Step 2. Once the rule is in place after logout and login, now click on Apple icon and select “Lock Screen”. Even after selecting Lock Screen, complete macOS Desktop is visible with no control for the user to unlock the screen. To gain access we have to restart the MAC.

Does the passkey created using third party provider model get synced to iCloud Keychain? If yes, can we avoid that using the attestation object somehow to have it ties to the device where it was created? Being new to this domain, I am not sure if I am asking a right question.

Our authorization plugin implements a custom window using SFAuthorizationPluginView and needs to make web connections to do validations. We have not been able to get it to work using the native MacOS system APIs, such as NSURLSession or NSURLConnection when loaded from the lock screen. The same connection code works both in an independent executable, in a login plugin, and in the authentication plugin itself when it loads us from the elevate system privileges window. If we use libcurl it works correctly in all points, but we need to use the system APIs because we use third-party components that use them. The error it provides is "NSURLErrorDomain Code=-1202" MoreErrorInfo.log Analyzing the traces of the process that is responsible for loading our "SecurityAgentHelper" plugin, we have seen that the handshake of the certificates is not completed (logs attached). SecurityAgentHelper.logs We have verified that the problem extends from Catalina to Monterey. How can we solve the problem? Is it necessary to do something special?

Hi guys, has anyone seen this issue? When installing an application, which requires Full Disk Access (kTCCServiceSystemPolicyAllFiles), user enables this feature, but after reboot, OS automatically turns it off. Filed feedback in case it's a new issue. Any idea how to fix it? Any workaround to keep Full Disk Access enabled? Thanks.

I am having trouble creating a CSR to renew a SecIdentity whose private SecKey is stored in slot 9d of a smartcard. For slot 9a, I am able to accomplish this by way of SecKeyCreateSignature using CertificateSigningRequest from a gently-modified fork of swift-certificates/swift-crypto to sort out all the details. But for the SecKey associated with slot 9d, the Security framework instantly returns an "algorithm not supported by the key" error when I call SecKeyCreateSignature, without even prompting for a PIN. I believe the difference is that kSecAttrCanSign is true for slot 9a but false for slot 9d. The value makes some sense for day-to-day usage because this identity is usually not used for signing, but if we are to occasionally sign a CSR for this key an exception would need to be made. Is there any way to basically force this exception with the Security framework? Again the actual private key material is not available so the only access as far as I'm aware is via the enumerated SecKey reference. Is there any way to SecKeyCreateWithData a secondary reference to the same underlying (but unexportable!) key but with allowed-usage attributes of my own choosing?

Hello, I've been going through Apple's documentation on describing the use of required reason APIs in the privacy manifest file, and I have a question about handling APIs from third-party SDKs. If we've already integrated the manifest file provided by the third-party SDK into our project, do we still need to list the reasons for the APIs from the third-party SDK in our app's manifest file?