Prioritize user privacy and data security in your app. Discuss best practices for data handling, user consent, and security measures to protect user information.

Post

Replies

Boosts

Views

Activity

Device Activity Report incorrect date intervals
Hey, I am experiencing this bug where I ask the device activity report for data within a date range, in daily segments. the device report receives the truncated date range: some date 23:00 -> some other date 23:00. however the async data list returns date ranges of the sort: 22:00 -> 22:00 (of the next day). and sometimes it returns 22:00 -> 23:00 (of the same day), but then the data contained in that range is still relative to tne entire day since the total screen time is greater than an hour. I think that the way date intervals are treated by the device activity report extension contains bugs and is not consistent. Is anyone experiencing similar bugs?
0
0
434
Nov ’23
Endpoint Security Intercept file sending?
The Endpoint Security provides the ES_EVENT_TYPE_AUTH_OPEN event, I can specify that the process intercepts the open specified file es_respond_flags_result(client, msg, 0x0, true);. However, WeChat (the chat app) intercepts the specified file the first time it is sent, and the second time it can be sent successfully, and the peer end can receive the file. I can confirm that es_respond_flags_result(client, msg, 0x0, true); is called. So, which auth event should I use? Thx!
3
0
647
Nov ’23
apple login TypeError
hello. I am using the app with webview. When I log in to Apple, a typeerror appears. How can I solve this? TypeError: this.attr(...).serialize is not a function at u.get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:691:77511) at t.getValueAndBind (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:145:1485) at e.Compute._on (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:3608) at e.Compute.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:2378) at e.Compute._bindsetup (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:145:3277) at e.bindAndSetup [as bind] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:131:200) at e.Compute.temporarilyBind (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:3888) at e.Compute.get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:2827) at Object.u [as compute] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:117:194) at u.___get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:59:1930) TypeError: Cannot read properties of undefined (reading 'serialize') at u.inserted (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:691:116897) at HTMLElement.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:187:673) at HTMLElement.dispatch (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:39204) at v.handle (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:37199) at Object.trigger (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:67752) at Object.trigger (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:224:258) at e.inserted (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:290:412) at t.each.e.fn.<computed> [as append] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:224:2129) at O.fn.init.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:46985) at W (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:28565)
0
0
729
Nov ’23
appleid login TypeError
hello. I am using the app with webview. When I log in to Apple, a typeerror appears. How can I solve this? TypeError: this.attr(...).serialize is not a function at u.get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:691:77511) at t.getValueAndBind (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:145:1485) at e.Compute._on (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:3608) at e.Compute.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:2378) at e.Compute._bindsetup (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:145:3277) at e.bindAndSetup [as bind] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:131:200) at e.Compute.temporarilyBind (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:3888) at e.Compute.get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:2827) at Object.u [as compute] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:117:194) at u.___get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:59:1930) TypeError: Cannot read properties of undefined (reading 'serialize') at u.inserted (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:691:116897) at HTMLElement.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:187:673) at HTMLElement.dispatch (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:39204) at v.handle (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:37199) at Object.trigger (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:67752) at Object.trigger (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:224:258) at e.inserted (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:290:412) at t.each.e.fn.<computed> [as append] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:224:2129) at O.fn.init.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:46985) at W (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:28565)
0
0
626
Nov ’23
Passkey - associated domains error only for app store reviewers
We recently shipped option to sign up/in using passkeys. Everything was working as expected and we didn't have any issues with passing app store review process. Recently, when submitting new build with not passkey related updates, we got rejected due to the error, which apple reviewer faced during passkey creation. From our logs we can see that issue is about Associated Domains and webcredentials configuration: The operation couldn’t be completed. Application with identifier X is not associated with domain Y. The thing is that it is configured properly. AASA file is returned properly both from our server and from apple's CDN. Feature is 100% working on all our testing devices and we never got this error reported from any user. The only issue about that is received from reviewer device, which is iPad Air 5th generation on iOS 17.1.1 I was trying to reproduce the error in many ways, but I wasn't able to. Is it possible that the error is faced only by apple reviewers due to some specific environment setup they use? Or maybe TestFlight installs manage AASA files checking in some different way? I found something about that in one thread on apple developer forum: https://developer.apple.com/forums/thread/108339 but not sure if it can be related. Any help/guidance will be very appreciated, thanks!
1
0
871
Nov ’23
Why doesnt Apple allow BE BS flags to be false in AutoFill credential provider's attestation response?
It appears that for a successful registration of a passkey to a relying party using passkey autofill provider, the BE BS bits/flags in the attestation response need to be set to true. Please refer FLAGS byte of authData field part of attestationObject mentioned here - https://www.w3.org/TR/webauthn-2/#sctn-attestation. If those flags are set to false, the RP rejects saying - "The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client." What are the implications of having those flags set to true? Does it make the generated passkey syncable across devices using same apple id? If yes, is there at all anyway possible by which a generated passkey can be made device bound, basically can be generated and used only on a single iPhone/iOS device? Also, is there a plan to ever make those flags to be set to false in a future iOS release? Also, what does it mean in the credential provider popup where it says - "Available where is installed." in the below screenshot?
2
0
958
Nov ’23
Privacy icon
How do i get rid of the screen recording or mic usage privacy icon from the menubar its very annoying and its there alot even though its not even being used by anything it is an empty dropdown Image
1
0
415
Nov ’23
Feasibility of Unique Biometric Assignments in an App
Hi everyone, I'm looking into adding unique biometric authentication (fingerprints only) to a mobile app I'm developing. Is it possible to assign and recognize individual biometric data for a unique scan for the app? I'm interested in the technical feasibility, any notable security concerns, and would appreciate any insights or experiences you might have on this topic. Imagine logging into your phone or laptop using your thumbprint, and then, with the same device, accessing a specific app solely with your pinky finger's biometric data. This dual-layer security approach leverages different fingerprints for device and app access, enhancing user-specific authentication Thanks in advance for your help!
1
0
636
Nov ’23
Secure Enclave From Lock Screen.
Hello everyone! I'm currently working on implementing a Secure Enclave to encrypt data from the Login Screen with my application. I've followed the guidelines outlined in the developer documentation, which you can find here: Secure Enclave Documentation. Despite following the documentation, I'm encountering issues with creating a key pair to encrypt data. I would appreciate any suggestions for necessary changes or additional permissions that might be required to address these challenges. Thanks!
1
0
377
Nov ’23
PrivacyInfo.xcprivacy Not Enforcing Domain Restrictions
Hello Apple Developer Community, I am reaching out to seek some assistance with an issue I've encountered related to user privacy settings in my app. Despite configuring the PrivacyInfo.xcprivacy file to disallow tracking and including specific domains within the Privacy Tracking Domains, I am observing that URLs containing these restricted domains are still being displayed within a webView in my app. Here are some specifics of the issue: The behavior occurs in both the iOS 17.1.1 simulator and on physical devices. I've double-checked the setup to ensure it aligns with the official documentation and expected privacy restrictions. I'm hopeful that someone in the community or from the Apple team can shed light on the matter. Why might the specified domains not be blocked as per the privacy settings? Any insights or guidance on resolving this would be greatly appreciated as it's crucial for maintaining the privacy standards of our app. Thank you for your time and help. Best regards,
1
0
714
Nov ’23
Device Activity Report View Size and Background
Hello! I am a new developer and am attempting to use Apple's Device Activity API. However, I am struggling with the View of the Device Activity Report. For one, the view stretches to fill all available space instead of simply being the size of its content. Secondly, the background color seems fixed and I can't figure out how to remove it. The Screen Time API demo video shows this Device Activity API used with a clear background, so I know it is possible, I just can't figure out how to do it as it seems to be built into the Device Activity Report itself. Does anyone have any ideas? I'll attach a photo to show you what I mean. The black box is the Device Activity Report that I am trying to edit. Thank you for your help!
7
1
1.4k
Dec ’23
Signature malleability check for PassKey (iCloud Keychain)
Hi everyone, I'm working on the verification of the PassKey signature for the integration of PassKey into our product. I've implemented the verification of P256 signature and it's correctly verifying the passkey signature. However, I want to know if Apple's Passkey signature is doing a malleability check (if the signature's S value is <= N / 2). If this is the case for Apple's passkey, I'm planning to also include this in the service for the signature verification to ensure a higher security level from the Passkey. Can anyone please help to answer this question? I checked documentation and many articles but this wasn't stated in the documents. Thank you for your answer in advance.
0
0
352
Dec ’23
Secure XPC service call
I would like to develop a macOS application in Swift. This application will consist of 2 programs: a main program to be run by the user (standard account) and another one that will run with root privileges. The second program will only be invoked to perform privileged tasks. Running the main program under root permanently would be too risky. XPC will be used to trigger calls from the main program to the privileged program. How can I secure the privileged program to ensure that the calling program is indeed my main program and not another unauthorized program?
1
0
635
Dec ’23
endpoint security app crash
I have implemented an app to monitor computer events according to ESF framework, but a crash will appear, and the crash content is Time Awake Since Boot: 800000 seconds Time Since Wake: 2594 seconds System Integrity Protection: enabled Crashed Thread: 0 Exception Type: EXC_CRASH (SIGKILL) Exception Codes: 0x0000000000000000, 0x0000000000000000 Exception Note: EXC_CORPSE_NOTIFY Termination Reason: Namespace ENDPOINTSECURITY, Code 2 I can't find it. Why is this happening. Can you tell me under what circumstances such a crash would occur.
2
0
660
Dec ’23
Describing use of required reason API - stat()
Hi, I am preparing privacy info manifest for my application. I am using stat to read not timestamp data from file. I wonder how in this case should I specify this info in the API usage? Should it be specified at all(since stat() is listed only in File Timestamp API)? Or maybe you can add stat to Disk space APIs and add one more reason there? Here is similar thread about this and nothing emerged so creating this to increase visibility of the problem: https://developer.apple.com/forums/thread/734750 Best regards, Konrad
1
0
567
Dec ’23
Registrazione affidabile
Buongiorno, che tipo di accesso sicuro e che testimonia l'autenticità di un utente, è possibile usare ? E' possibile far inviare dall'utente che si vuol registrare, una foto di un suo documento di identità ed anche con la face authentication ? E' possibile usare lo SPID ? Grazie molto. Firenze Web Division.
0
0
455
Dec ’23
Hooks with mandatory access control framework
Hello, I've come across information regarding macOS endpoint protection software: It seems Apple no longer allows them to create kernel extensions. It seems that endpoint software should now function with MACF by implementing hooks from userland. Does this mean the Endpoint Security Framework will soon become deprecated? I'm currently searching for a sample source code for MACF hooks, but I haven't found anything in the Apple developer documentation. Thanks
1
0
820
Dec ’23
Apple Sign In for Web
Hello, I have created a Swift app which has Apple Sign In integrated with it. We now want to add Apple Sign In to a web app but can't seem to find enough documentation on how to do this. We have followed the instructions at https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/configuring_your_webpage_for_sign_in_with_apple and have ended up with a script like so: <head> <meta name="appleid-signin-client-id" content="colourworker.SPAD"> <meta name="appleid-signin-scope" content="name email"> <meta name="appleid-signin-redirect-uri" content="https://colourworker.com/apps/photofolia/applesignedin.html"> <meta name="appleid-signin-state" content="init"> <meta name="appleid-signin-nonce" content="NONCE"> <meta name="appleid-signin-use-popup" content="true"> </head> <body> <h1>Sign in with Apple</h1> <div id="appleid-signin" data-color="black" data-border="true" data-type="sign in"></div> <script type="text/javascript" src="https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js"></script> </head> </html> But have we populated the client-id, state, and NONCE correctly? When clicking on the Sign In with Apple button we get the error in this screenshot: I look forward to hearing from someone. Kind regards, Miguel
1
0
881
Dec ’23