In my project, I am using a third-party SDK called "SwiftyJSON" which is not maintained or updated since April 2019. So in such cases where the third-party SDKs are not updated with a PrivacyInfo.xcprivacy will it affect the app release in Appstore or in such cases is there any way to bypass non-maintained SDK?

Hi, I'm looking for best practices for unlocking TouchID in a Mac app when using canEvaluatePolicy. Documentation says: Biometric authentication will get locked after 5 unsuccessful attempts. After that, users have to unlock it by entering their account password. The password can be entered either at login window or in the preference sheets or even in application by the means of LAPolicyDeviceOwnerAuthentication. The system unlock is preferred user experience because we generaly don't want users to enter their account password at application's request. So if we shouldn't manage Mac's password in the app, how to invite user to unlock ? Explaining he must lock/unlock the session or open any preference panel isn't a fluent experience and would definitely seems weird. I tried adding an 'Unlock' button in an alert and locking the screen automatically but this raises extras complexities: pmset can put the screen to sleep but won't lock in case of grace period sending an cmd-ctl-Q AppleEvent to System Events could fit but it depends on user acceptance for AEs and fails when System Events isn't running. Any ideas ?

The type of the email_verified (standard) claim is STRING. According to the specification [1] it should be BOOLEAN. Current Example Returned by Apple: "email_verified": "true" OpenID Standard Should Ve: "email_verified": true [1]openid.net/specs/openid-connect-core-1_0.html#StandardClaims

Hello, I am going to use endpoint security framework in my application. Unfortunately, I have not found any clear cut explanation about how to use endpoint security in multithread applications. Can we say the handler block (es_handler_block_t), which is the parameter of es_new_client(), is running in separate thread? Does es_new_client() create new thread? Should I synchronize a handler block and the code which calls es_delete_client()? Should I protect the handler block by mutex? Thank you in advance.

Apple will enforce Privacy Manifest starting this spring. Apple said it would inform you through e-mail before then. I think a lot of developers should have already received mail. But it's harder to find mail-related content than I thought. Has anyone received an email? If so, what is it about??

Hi everyone, We are building an application on macOS (and iOS) that can install client certificates for mTLS handshake. This part is working great and the certificates are imported into login keychain. The problem comes when a user tries to use those certificates from the browser. Then he is presented with the Keychain access dialog to be able to use the private key from the installed certificate. We would like to hide this dialog so that the user flow is as streamlined as possible. We succeeded in hiding the Keychain dialog in Safari by importing the private key with a flag that allows all applications access to it. This is enough for Safari since Apple applications are part of the key's partition list by default. This, however, doesn't work for, e.g., Chrome. We've experimented with calling the security set-key-partition-list command, but that still requires the Keychain password (shows the dialog) and it seems impossible to select just our private key with it. So my question is, how can we hide the Keychain dialog when using our certificate from Chrome? Would maybe working with the Objective-C methods SecKeychainItemSetAccess or the newer SecItemUpdate allow us to set the partition-list without a Keychain dialog window? Is there another option that doesn't set the key partition list? Best regards, Marek Vinkler

If my app utilizes ASWebAuthenticationSession or SFSafariViewController, do I need to add all potential tracking domains that users may access within the session? There is virtually no way to limit the URLs or domains that users can access within the ASWebAuthenticationSession or SFSafariViewController, so how can I know all the potential domains?

If someone in Apple WWDR sees this, please take the feedback to heart and report it up the chain: When you announce that a technology is being deprecated — such as CGDisplayStream — and also publish WWDC sessions about the intended replacement — ScreenCaptureKit — then you also need to give third-party developers a clear deadline by which this technology will be deprecated so that they can plan engineering efforts around implementing the new feature, and have ample time to communicate this to their customers. If it's important for third-party developers to get on board with this change, you should use every available means to communicate this to them, including multiple email alerts to their registered email address. Additionally, if you plan to make a BREAKING change in a framework that results in a wildly different user experience, you should probably hold that off until the summer release for the next major OS. What you should definitely NOT do is roll out a new privacy prompt in a mid-year release of macOS; or give your developers, customers, and AppleSeed program participants zero advance notice that this alert is coming, ignore your own Human Interface Guidelines when designing said prompt, and perform no user experience design testing (aka "putting on your customer hat") during a presumed internal alpha testing cycle to refine the experience and still find the most effective and least annoying way to present this additional prompt and spur change with your third-party developers. Oh, wait, you've done exactly all those things the wrong way with respect to ScreenCaptureKit. Right now, a host of Apple device administrators and client platform engineers are sending mountains of feedback to you, and they're also scrambling to contact third-party developers to let them know this is coming. Most of the vendors being discussed in private forums are said to be caught off guard by this change. We anticipate that users are not going to like this, and there is no way we can manage it with MDM or configuration profiles. In short, the current experience is a ghastly mess. WE, the administrators, will get blamed for this, not the third-party developers. WE will have to explain to our leadership why this experience is terrible and cannot be managed. Engineers need deadlines to help plan their work and prioritize tasks. In this case, vendors have had no firm deadline for this effort. There's already precedence for Apple announcing estimated deadlines for deprecations and feature removals. You do your developers and customers a great disservice by not communicating schedules to them. Please do better. P.S.: Feedback filed as FB13619326.

I'm following the steps outlined to be able to email users that have used Apple Sign-in that is listed here and I have a green check for SPF status. I used my email <my_email_here>@gmail.com, but when I try to send an email from the email address configured to the private relay email I don't see my test email coming through. I also tried sending an email from a non configured email and I don't back any sort of error message, not sure if I should though. Is there a delay in how quickly the email is received?

Vision Pro is getting MDM support, which is good for companies that want to bring them into the enterprise, but security needs to be addressed. Does anyone know what cryptographic module VisionOS uses? I didn't see any info here: https://support.apple.com/en-us/103688 or https://support.apple.com/guide/certifications/welcome/web

I have verified a PIN in a smart card and I'd like to delete this internal state of the card. Unfortunately, the card doesn't support this with a dedicated command, which is why I'd like to reset the card (cold/warm reset as described in PC/SC, for example). The CryptoTokenKit documentation doesn't seem to have an API for that. Does anyone have an idea how to implement this? Note, that if the smart card is not reset and does not support logout, then the card is permanently in an authenticated state so that related keys can be misused by any other CTK session or even via the PC/SC interface.

When performing biometric authentication, some times we are getting these kind of errors when i try to sign the data with private key that we get it from keychain. I was searching for document related to this but i could not.Can someone help me on this? Error message and error code Remote alert invalidated -4 UI canceled by system -4 unable to sign digest -3 Canceled by another authentication -4 Caller is not running foreground -1004 Caller moved to background -4 No identities are enrolled  -7 User has denied the use of biometry for this app -1018 Application retry limit exceeded -1 Face ID interlocked -8 Biometry lost -4 match failed -1 // To get signed data using private key SecKeyRef privateKeyReferences = [self getPrivateKey:keyNames]; if(!privateKeyReferences) { NSLog(@"Error retrieving private key"); return nil; } NSError *error; NSData *signature = CFBridgingRelease(SecKeyCreateSignature(privateKeyReferences, kSecKeyAlgorithmECDSASignatureMessageX962SHA256, (CFDataRef) data, (void *)&error)); if(!signature) { NSString *errorMessage = [NSString stringWithFormat:@"Error signing data %@.", error]; NSLog(@"%@", errorMessage); return nil; } return signature;

Problem Situation User membership withdrawal request → revoke API call It always returns status code 200, but once out of 5~10, it remains an app linked to the user's Apple ID. Re-request user Apple login → Email is returned as null Currently, the only solution is for users to manually delete apps linked to their Apple ID. Email sent when re-requesting Apple login When the above problem occurs, even if the Revoke API is called multiple times, the app linked to the user's Apple ID is not deleted, and when requesting Refresh Token validation, it has already expired. Releated Issues https://forums.developer.apple.com/forums/thread/707181

Hi, I encounter a problem about the permission using Flutter. I already add the following items in iOS/Runner/Info.plist <key>NSCameraUsageDescription</key> <string>We need access to your camera to take photos.</string> <key>NSLocationAlwaysAndWhenInUseUsageDescription</key> <string>We need to access your current location for manage the dispatching routing.</string> <key>NSLocationWhenInUseUsageDescription</key> <string>We need to access your current location for manage the dispatching routing.</string> <key>NSMicrophoneUsageDescription</key> <string>We need access your microphone to talk to driver.</string> <key>NSPhotoLibraryUsageDescription</key> <string>For uploading driver's report including dispatch and clock in/out</string> And call this in my code: Map<Permission, PermissionStatus> statuses = await [ Permission.camera, Permission.locationWhenInUse, Permission.locationAlways, Permission.microphone, ].request(); But why there is no any dialog asking for permission and when going to settings-> "App name", and there are no items in "Allow {App Name} to Access" for setting permission manually. Can anyone help me? Thanks a lot. Here is the information of flutter doctor ``[✓] Flutter (Channel stable, 3.10.6, on macOS 13.6.4 22G513 darwin-x64, locale zh-Hant-TW) [✗] Android toolchain - develop for Android devices ✗ Unable to locate Android SDK. Install Android Studio from: https://developer.android.com/studio/index.html On first launch it will assist you in installing the Android SDK components. (or visit https://flutter.dev/docs/get-started/install/macos#android-setup for detailed instructions). If the Android SDK has been installed to a custom location, please use `flutter config --android-sdk` to update to that location. [✓] Xcode - develop for iOS and macOS (Xcode 15.2) [✗] Chrome - develop for the web (Cannot find Chrome executable at /Applications/Google Chrome.app/Contents/MacOS/Google Chrome) ! Cannot find Chrome. Try setting CHROME_EXECUTABLE to a Chrome executable. [!] Android Studio (not installed) [✓] VS Code (version 1.62.0) [✓] VS Code (version 1.86.1) [✓] Connected device (2 available) [✓] Network resources``

I recently inherited a project to port an app bundle to arm64, and some of the design decisions in the app bundle are undocumented. I'd like to structure the bundle as canonically as possible, to minimize future problems as much as possible. In particular, there are two areas where I would like some clarification. I have read all of eskimo's guides (what a godsend!), but have not been able to find an explanation for these yet. We have some helper executables that allow us to run jobs in the background, etc... Historically, these have always been in Contents/Resources, for some reason; that seems to be a bad idea. I have seen conflicting advice suggesting to use Helpers or just MacOS. What are the advantages or disadvantages of using each folder? Would dumping all the executables in MacOS be an adequate solution and, if not, why should I use Helpers? Our app contains "compiled extensions" in Contents/SharedSupport, which consist of small intel-based apps (with their own app bundle) that our app can interact with. They are supposed to be a demo of extensions that the users could code and compile themselves, thus justifying their location. Should these be signed in any special way? Our app used to employ the --deep flag for code signing, but following eskimo's guidelines I have removed that, and it is not clear to me how these should be signed. Thank you.

Hi! I am trying to make a UI Testing target in Xcode for my Application (Client). It works with Keychain items that are created during installation, so in order to mock this installation behavior I am creating the items like this: security add-generic-password -U -D "[item_kind]" -a "[account]" -l "[label]" -s [service] -w "[value]" -T path/to/UITest-runner.app -T path/to/Client-app.app However, during UI Testing, the application is still prompted to access or modify the Keychain Items as seen in the bottom half of this screenshot: These application paths have been obtained by the find terminal command inside DerivedData/.../Build/Products/... so they are the correct paths (which is also proven I guess by the fact that the apps are correctly listed in the ACL window of Keychain Access as seen on the top half of the screenshot). I also tried using the -A option instead of -T but the result is exactly the same. Why doesn't this approach work during UI Testing? I am using the same approach in my installation script for the real application installation process with the -T parameters and there is no issue in that case. This issue kills my UI Tests because I am constantly prompted when I want to read of modify the contents of these Keychain Items.

I understand that the passkey is stored on iCloud Keychain. That means you need an Apple ID account. Can I use passkey without Apple ID account? I checked on the simulator and even though I don't need to log in to my Apple ID account, I can still use the passkey. Please help me. Thank you.

for ios sdk, only NSPrivacyAccessedAPITypes is required? Note You only need to supply NSPrivacyAccessedAPITypes for apps and third-party SDKs on iOS, iPadOS, tvOS, visionOS, and watchOS. https://developer.apple.com/documentation/bundleresources/privacy_manifest_files?language=objc

i have a code only static library framework and added PrivacyInfo.xcprivacy file inside. because there are no resources required in runtime, app using that framework can build without embedding. finally there are no PrivacyInfo.xcprivacy file in app bundle. is this correct intended operation? some steps to propagate and merge static framework's privacy manifest to app's privacy manifest not needed?

Hi, I've implemented the Privacy Manifest in my app and specified my tracking domain as required, setting NSPrivacyTracking to true and listing my domain under NSPrivacyTrackingDomains However, on iOS17 when I decline the App Tracking Transparency (ATT) request, the specified tracking domain isn't blocked by iOS, contrary to my expectations. Shouldn't Apple's framework automatically block the domain and indicate this action in Instruments, allowing developers to verify the domain is indeed blocked when tracking is denied? <key>NSPrivacyTracking</key> <true/> <key>NSPrivacyTrackingDomains</key> <array> <string>traking.example.com</string> </array>