I'm working on an app that uses CommonCrypto. The app works perfectly well in my own computer, but when using the very same exe build in another computer it "quit unexpectedly". Suspecting that the issue could be on the said module, I commented out the few lines that requires the module and problem solved!. Now, as I need to use the module at the very beginning of the app, to perform certain security operations, I'm wondering what could I do to assure the module is included in the build, so the app may work in any other computer as well. This sounds weird, because I would had assumed either that the module was to be included in the build or if not, an error claiming the lack of it should have been produced. (within Xcode) what setting should I change when build the app for use in other computers, so to assure the operations that requires this module can be completed? Although this may not be relevant, I'm using swift 5, Xcode 15 (latest versions) and Sonoma 14.2.1

Hi, We are a fraud detection and prevention company. We provide SDKs to customers to integrate with their applications. I wanted to clarify if we are required to provide the data collection details in the manifest files same question for the system APIs the reasons mentioned for the system APIs don't fit with our use case, how can we get the custom reasons added in case we need to mention those in the manifest.

Добрый день! Я создал аккаунт на Alibaba.com с помощью AppleID, при регистрации был выдан подменный адрес почты @privaterelay.appleid.com, при попытке подтвердить почту, письма не пересылаются на мою основную почту.

After a pen test it has been suggested we use kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly for keychain accessibility. It is currently using kSecAttrAccessibleAfterFirstUnlockValue We only store name, email, sms etc in our keychain but I've been asked to explore how much effort this would be My initial concern is what happens to users without a passcode? Is there a way to enforce this for users with a passcode but fallback to something else for other users? Thanks

Hey everyone, Was having a look into this article posted by Apple. I noticed that one of the SDKs I use - FirebaseMessaging - is included on that list. Having a look into the SDK's repository, I noticed that the Firebase team is already addressing the issue, as this PR shows. But, if you look at that SDK's PrivacyInfo.xcprivacy file, the NSPrivacyAccessedAPITypes property has no value associated with it. Apple clearly states that APIs that use required reason APIs are the ones that need to be updated until Sprint 2024. FirebaseMessaging looks like it doesn't, so why is it included on that list? Looking forward to your feedback.

Hi. My team is still using GLKit. I have no choice but to keep using it to support non-iOS products as well. (We don't have many developers.) While researching 'Privacy Manifest', I found out that the third party library needs to add 'PrivacyInfo'. I confirmed on Xcode that GLKit is Apple SDKs. Does this mean it's not a third party library? Is using GLKit not related to 'Privacy Manifest'?

I had a couple of questions someone could help me with, as I’m trying to do a little research for my team before they do a bunch of coding. We’re building an anywhere-to-anywhere encrypted file transfer app and wrestling currently with our share functionality. Currently, our users log into their app on their phone, and: within the application use a file picker to select files/photos and then select a destination that they pick from a permission-ed list. However, we really would like to also add the workflow where the user opens the photos or files app, finds a picture/file and then uses the share functionality to pass the object into the application, then The application launches, allowing the user to log into the app, then they pick from a list of permission-ed drop targets within the app and send the object In doing some research this morning regarding sharing files/pictures within our application, I found this thread Eskimo had more or less advised against what we intended to do: https://developer.apple.com/forums/thread/114485 We don’t want to save session tokens because of security concerns; we’re concerned primarily with third-party actors (governments primarily) having access to encryption keys. Is there a best-practice way for my team to open the app we're building and then passing the files/photos into our application? Does anyone have any advice on how to securely launch the application and pass the file/pic into the app given the constraints? Thanks!

I am trying to communicate with a Java server over TCP, but I'm having issues trying to make the data secure in transit using RSA and AES. The server creates an AES key, encodes it in utf8, and sends it to the IOS Client, where it should be decoded back into a byte array as a Data object. Then, Using the Cryptokit framework, I try to create a SecKey object from it. I am stumped when trying to do so, though: func createSecKeyFromAESKeyData(aesKeyData: Data) -> SecKey? { // Define the key attributes let keyAttributes: [CFString: Any] = [ kSecAttrKeyClass: kSecAttrKeyClassSymmetric, kSecAttrKeySizeInBits: 128, kSecAttrIsPermanent: false ] // Convert the AES key data into a SecKey object var error: Unmanaged<CFError>? guard let key = SecKeyCreateWithData(aesKeyData as CFData, keyAttributes as CFDictionary, &error) else { if let error = error { print("Error creating SecKey: \(error.takeRetainedValue() as Error)") } else { print("Unknown error creating SecKey") } return nil } return key } Despite setting up my key attribute dictionary with the correct information (AES_128_GCM_SHA256, 128 bits, impermanent) based on how I generate it in the Java code, I keep getting a runtime error at the SecKeyCreateWithData call stating "Unsupported symmetric key type: 4865". I am unsure what this means and how to fix it as there doesn't seem to be any information on it online. If it helps, the Java code is using AES GCM with no padding, and we have confirmed that the data being sent is indeed 128 bits. How can I take this byte array and create a SecKey from it properly so we can pass secure data? Similarly, I have also tried using RSA encryption for some data, but with this method, I generate the key pair on the iOS client and send the parts of the public key to the Java server where it (seemingly correctly) created the cipher from the passed data. However, trying to send anything encrypted back resulted in "RSAdecrypt wrong input (err -27)" when decrypting: func decryptAESKey(encryptedKeyData: Data, privateKey: SecKey) -> Data? { // Decrypt the received AES key using the private key var error: Unmanaged<CFError>? guard let decryptedKeyData = SecKeyCreateDecryptedData(privateKey, .rsaEncryptionOAEPSHA256, encryptedKeyData as CFData, &error) as Data? else { print("Error decrypting AES key:", error!.takeRetainedValue() as Error) return nil } return decryptedKeyData } Any assistance in figuring out how to properly use SecKeys in these ways would be greatly appreciated. Additionally, the relevant Java code can be provided if necessary.

In order to use Sign in with Apple, I issued a JWT client according to the instructions and was able to connect without any problems, but suddenly an INVALID_CLIENT error started to occur. The error was resolved by re-obtaining the JWT client token and resetting it. The validity period of the JWT client token is 6 months and it has not expired yet, but I would like to know why I am getting an INVALID_CLIENT error.

I am getting an error "Cannot create a iOS App Development provisioning profile for "TheSwiftUIWay.login". Personal development teams, including "Cyril John", do not support the Sign in with Apple capability" I have created a developer account but I didnt enroll in the developer program. Am I able to use Sign-In with Apple with the free version of the Apple Developer Account? If so, can you please give me some directions on how I can fix this error?

Hello, 3 questions regarding Endpoint Security Framework: Does ESF support tracing the dup2(2) function? There is the ES_EVENT_TYPE_NOTIFY_DUP event, but it seems that it only reports dup(2), not dup2(2)? Does ESF support tracing the dup(2), and close(2) calls, if the file descriptor passed to these functions refer to a pipe handle instead of a file handle? If not, do you have any plans of extending the support for pipes as well? Could the es_event_dup_t structure support reporting which file handle has been duplicated into which value (source file descriptor value, and target file descriptor value)? Currently this structure only supports the "target" file object, without any information which file descriptor has been cloned into which file descriptor, which is not helpful at all. For example, if we open file A and we get fd1, then open the same file A and we get fd2, then perform dup(fd1), then with ESF it seems that it's impossible to tell if we've duplicated fd1 or fd2. Also this model doesn't support dup2(2) usage at all.

Do I have to add the Privacy Manifest file in my SDK if I'm not using any required reason APis and not collecting any data?

Can someone share how secure is the communication between iOS app and its safari mobile extension. Is it encrypted? Are there any references to best practices to follow? If a user has opened multiple tabs and has multiple extensions can there be security issues during their communication like one extension able to read other extensions memory?

Using the Bonjour service requires obtaining local network permissions, but the Bonjour service also scans nearby devices through Bluetooth. Why doesn't Bluetooth permission be required? https://developer.apple.com/library/archive/qa/qa1753/_index.html#apple_ref/doc/uid/DTS40011315/ Did I misunderstand? Is there an issue with the design of iOS here?

Would it be acceptable to include a blank privacy manifest file for a open-source third-party SDK that does not fit any of the Data Types or Required Reason APIs categories? Or would it be better not to include one at all?

Hello, We provide some xcframework for customer, the xcode automatically merge all privacy manifests under the xcframework? If it is a framework, do you need to manually configure the app level privacy manifest ?

Dear Experts, I have App Attest deployed in an app that is currently in TestFlight. Its works OK most of the time. For one particular user, however, attestKey fails with DCErrorInvalidKey for a new key that it has just created. I have some insight into what the app is doing because I send diagnostics to the server. It seems that for this user, the sequence of events is: Initially the app has no key ID saved. The user initiates an action that requires App Attest-signed communication with my server. The app calls generateKey which seems to succeed. The app fetches a challenge from the server. The app calls attestKey. attestKey returns DCErrorInvalidKey. The app doesn't save the key ID persistently, so next time the same thing happens. attestKey really shouldn't fail with the invalid key error for a key that it has just created, should it? What could be going on here?

I have an Endpoint system extension that, in theory, receives XProtect alerts. I regularly see XProtectPluginService starting programs like XProtecteRemediatorSheepSwap on my Mac. I would love to be able to put one or more files/bundles on my Mac that triggers the detectors, so I can see the alerts go from the Endpoint system extension through to the UI. Does Apple have or recommend a way (short of being infected) for triggering the XProtect detectors for testing?

As per the https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_data_use_in_privacy_manifests Mentions that Third-party SDKs need to provide their own privacy manifest files. What about the SDKs which are in-house? Meaning if the application contains the SDKs which are developer within the same company as the application would be treated as Third-party SDKs?

If on iOS an app protects a keychain item with an access control list that specifies .biometryCurrentSet in its SecAccessControlCreateFlags the app loses access to the item if the set of currently enrolled fingers (for Touch ID) or the currently enrolled user (for Face ID) changes - which corresponds to a change of the evaluatedPolicyDomainState. We have users reporting loss of such items even though - as they assure us - they have not touched (no pun intended) anything under "[Touch|Face] ID & Code" in Preferences.app. Is there another reason why an app may lose access to such items?