Hello,
I'm currently working on a project that requires real-world object recognition and labeling. I understand that due to the security and privacy issues, we are unable to access the vision pro camera feed. Is there any other external way to solve this problem?
Thank you!
PLATFORM AND VERSION
iOS
Development environment: Xcode Version 16.0 (16A242d), macOS 15.0 (24A335)
Run-time configuration: macOS 15.0 (24A335)
DESCRIPTION OF PROBLEM
macOS Sequoia has new Privacy & Security requirements for local area network access. This causes a call to POSIX socket function 'sendto' to fail immediately with EHOSTUNREACH on the first execution of any app that calls it. That failure occurs even if the socket is set to block for well over the time that it would typically take for the user to click "Allow" when presented with a system dialogue box that requests new permissions for the app.
A test Xcode project has been provided that is capable of reproducing the issue (see macOSsocketfail.zip at https://drive.google.com/file/d/14VxkT03ddm48RCXikLHf-aWgdqxwnpAB/view?usp=sharing). It will generate a log file that contains time-stamped messages. They report each step in the creation of a blocking UDP socket, and which system call has failed as a result of which error. The message time stamps demonstrate that macOS has terminated the sendto function call after tens of microseconds, well before the 5 minute timeout on the socket, and that it terminates with errno EHOSTUNREACH. That error is misleading, because the destination is pingable on my setup at the time of execution. The second execution of the app functions without error if "Allow" has been selected during the first run.
This specific macOS behaviour does not appear to be documented anywhere that I have yet encountered; e.g. the sendto man page, the Privacy & Security LAN FAQ, etc. It is, however, highly disruptive to the use of our product, which hinges on LAN access. We have a situation in which a relatively large collection of apps are using the same shared library to manage network access. All of them must now receive manual permission from an administrator to work; but all of them will fail on their first execution. The problem is amplified because our customers use our framework to build their own apps, and not every user is an administrator. In contrast, apps that use our framework would simply work without issue on their first execution when run on macOS versions that precede Sequoia.
We must support our software across multiple platforms, hence the reason that we are using POSIX function calls to implement networking. Unfortunately, the use of an Apple-specific networking API is not a viable solution for us.
How should we mitigate this problem? Is there some way to configure an Xcode project so that the build product will already have Sequoia LAN permissions? I have read about the com.apple.developer.networking.multicast entitlement, but it is unclear whether it will help us, from the material that is available.
STEPS TO REPRODUCE
POSIX function call sequence
For the following, addr has type struct sockaddr_in, and it is set appropriately for binding or broadcasting using standard library macros and functions. &addr is cast to a const struct sockaddr pointer and assigned to saddr.
sock = socket( PF_INET, SOCK_DGRAM, 0 );
bind( sock, saddr, sizeof( addr ) );
r = 1;
setsockopt( sock, SOL_SOCKET, SO_BROADCAST, &r, sizeof( r ) );
struct timeval timeout = { 300, 0 };
setsockopt( sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof( timeout ) );
sendto( sock, msg, strlen( msg ) + 1, 0, saddr, sizeof( addr ) );
Test program, presuming that a device with IP 100.1.1.1 exists on the LAN that the Mac is also connected to.
Open Xcode project macOSsocketfail.
Build project.
Execute first run of macOSsocketfail.app.
Click "Allow" when asked for LAN permissions.
Search for macOSsocketfail_log.txt, and make a copy with a distinct name e.g. macOSsocketfail_log_firstrun.txt.
Execute second run of macOSsocketfail.app.
Search for macOSsocketfail_log.txt, and make a copy with a distinct name e.g. macOSsocketfail_log_secondrun.txt.
Examine log files.
The first run log file will contain the following messages (time stamping will naturally differ):
1727710614.064009: Running udptest
1727710614.064015: Creating socket
1727710614.064030: Bind socket to port: 4000
1727710614.064061: Enable socket broadcast
1727710614.064064: Set socket timeout to 300.000000sec
1727710614.064067: Attempt to send blocking UDP connection packet to 100.1.1.1:589
1727710614.064124: sendto: No route to host
Error during call to sendto: errno is EHOSTUNREACH: No route to host
The second run log file will record a different outcome:
1727713660.733431: Running udptest
1727713660.733436: Creating socket
1727713660.733451: Bind socket to port: 4000
1727713660.733476: Enable socket broadcast
1727713660.733479: Set socket timeout to 300.000000sec
1727713660.733482: Attempt to send blocking UDP connection packet to 100.1.1.1:589
1727713660.733540: Ran to completion with no error detected
Note that each line of the log files begins with a timestamp. The unit is seconds, and the resolution is to the nearest microsecond. Time values are obtained using gettimeofday().
RELEVANT LINKS
https://developer.apple.com/forums/thread/663858
https://forums.developer.apple.com/forums/thread/757824
https://developer.apple.com/forums/thread/760964
https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_networking_multicast/
https://developer.apple.com/forums/thread/657887
https://developer.apple.com/forums/thread/655920
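The same socket sequence as the post's POSIX call list, written here with Python's socket module as an added example (it is not the poster's macOSsocketfail project and uses Python rather than the project's C). It adds the app-side mitigation the post is asking about: an immediate EHOSTUNREACH on a first run is treated as "the Local Network prompt has not been answered yet" and the send is retried, instead of the whole app failing. The errno set beyond EHOSTUNREACH, the 12 x 5 s retry budget, and the addresses 100.1.1.1:589 / port 4000 are taken from or assumed around the post's own test program.

```python
import errno
import socket
import time

# errno values that, on a first run under Sequoia, can mean "the Local Network
# prompt has not been answered yet". EHOSTUNREACH is the one in the post's log;
# ENETUNREACH and EPERM are included as an assumption, they are not in the post.
PERMISSION_GATED_ERRNOS = {errno.EHOSTUNREACH, errno.ENETUNREACH, errno.EPERM}


def make_broadcast_socket(bind_port: int, timeout_seconds: float = 300.0) -> socket.socket:
    """Same sequence as the post: socket / bind / SO_BROADCAST / timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", bind_port))
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.settimeout(timeout_seconds)  # Python's counterpart of the post's 300 s SO_RCVTIMEO
    return sock


def is_permission_gated(err: OSError) -> bool:
    """True when the error is one to wait out rather than treat as fatal."""
    return err.errno in PERMISSION_GATED_ERRNOS


def send_with_retry(send, payload, dest, attempts=12, delay_seconds=5.0, sleep=time.sleep):
    """Call send(payload, dest) until it succeeds or the attempts run out.

    Only permission-gated errors are retried; anything else propagates.
    Returns (succeeded, attempts_used, last_errno). `send` is injected so the
    logic can be exercised without a network; sock.sendto fits the signature.
    """
    last_errno = None
    for attempt in range(1, attempts + 1):
        try:
            send(payload, dest)
            return True, attempt, None
        except OSError as err:
            if not is_permission_gated(err):
                raise
            last_errno = err.errno
            if attempt < attempts:
                sleep(delay_seconds)
    return False, attempts, last_errno


if __name__ == "__main__":
    # Addresses are the post's; the 12 x 5 s budget is an assumption.
    sock = make_broadcast_socket(4000)
    ok, used, last = send_with_retry(sock.sendto, b"hello\0", ("100.1.1.1", 589))
    print("sent" if ok else f"gave up after {used} attempts, errno {last}")
```

The retry budget is the practical knob: it should comfortably exceed the time a user needs to read and answer the permission dialog, and a final failure should be reported as "network permission not granted" rather than as the misleading "No route to host" that the raw errno suggests.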
I have a macOS app in production, supporting all macOS versions since 10.15 (Catalina) through Sequoia. One aspect of the app's functionality is to screen capture the entire screen, including all windows.
Starting with Sequoia, my users are receiving a scary system alert saying:
"SomeApp" is requesting to bypass the system private window picker and directly access your screen and audio. This will allow SomeApp to record your screen and system audio, including personal or sensitive information that may be visible or audible.
I have several questions and concerns about this alert. First of all, as a developer, this is frustrating, as I am using documented, long-standing system APIs, and made no change to my code to cause this warning. Second, nothing in my app records audio in any fashion, and yet the user is made to think I am trying to furtively bypass security controls to record audio, which is absolutely false. The alert seems to be due to the screen capture feature, which is one of the main features of the app, which the user explicitly requests and grants permission for.
But to get to the point of the question: is there any definitive documentation anywhere describing exactly which API's trigger this alert? I can't find first-party information from Apple, so I'm kind of guessing in the dark.
Searching the internet for all the info I can find (mostly from blog posts of developers and beta-testers), it seemed like the culprit in my code was probably a call to CGWindowListCreateImage, so I spent some time forking the code paths in my app (since I still support back to 10.15) to use the more modern ScreenCaptureKit APIs on systems that support it. But the alert is still appearing, despite not calling into that API at all.
Is there a way of calling the modern ScreenCaptureKit APIs that also triggers this alert? As an example, I'm using a snippet like this to get the shareable displays I need:
// Wrapper function added so the snippet compiles on its own; the name is illustrative.
func canEnumerateShareableContent() async -> Bool {
    do {
        _ = try await SCShareableContent.excludingDesktopWindows(
            false,
            onScreenWindowsOnly: false
        )
        return true
    } catch {
        return false
    }
}
Is it possible that this code is triggering the alert because I'm not excluding desktop windows and am asking for all windows?
To sum up, I (and I'm guessing others) could really use some definitive guidelines on exactly which APIs trigger this alert, so that we can migrate and avoid them if possible. Can anyone provide any guidance on this? Thanks in advance!
So I’m (extremely) new to developing for iOS, and I’m looking to implement the “Sign in With Apple“ feature for an application that interacts with a server I’ve built. Following the guide I’m able to get a user’s email and name. When I send that information to my server to create a user account, do I need to do anything else (like validating that the email is actually associated with an Apple account or that the user actually owns it, etc)? I looked at the Sign in With Apple from the web article and it doesn’t seem like it’s relevant to my use case. Is it standard practice to just trust the client in the iOS world?
The peripheral is initiating a passkey entry mechanism. The iOS device is getting a pop-up to enter the passkey, but the watchOS device is not displaying any pop-up.
Is there anything to be enabled from the watch side?
In our app, we store the identity in a keychain at a specific path:
var keychain: SecKeychain?
let status = SecKeychainCreate(path, UInt32(password.count), password, false, nil, &keychain)
guard status == errSecSuccess else {
    logger.error("Error in creating keychain: \(String(describing: SecCopyErrorMessageString(status, nil)))")
    throw KeychainError.keychainCreationError
}
Then later, whenever the process needs it, it opens the keychain, imports the identity and uses it:
var identityItems: CFArray?
status = SecPKCS12Import(identityData as CFData, [kSecImportExportPassphrase: password, kSecImportExportKeychain: keychain] as CFDictionary, &identityItems)
authlog.info("Import status: \(status)")
guard status == errSecSuccess else {
    authlog.error("Error in exporting identity : \(status) \(String(describing: SecCopyErrorMessageString(status, nil)))")
    throw ClientAuthError.identityFormationError
}
This worked well until Sequoia beta 2.
In Sequoia beta 3 and 4, this fails to import with error -25300: The specified item could not be found in the keychain.
One thing I noticed is that the import succeeds if the keychain is freshly created.
When I try to reuse an existing keychain, the import fails.
Is this a bug in the beta, or have changes been made at the keychain level by Apple itself?
Please help with the solution.
Log trace:
[ 24-07-2024 12:39:15:192 ] [INFO] Challenge delegate received
[ 24-07-2024 12:39:15:192 ] [INFO] Client authentication challenge
[ 2024-07-24 12:39:15 ] [INFO] retcode of "/bin/chmod -R 777 "/Library/<path>/data/agent-resource"" ::: 0
[ 24-07-2024 12:39:15:237 ] [INFO] Opening keychain...
[ 24-07-2024 12:39:15:240 ] [NOTICE] Keychain open status: -25294
[ 24-07-2024 12:39:15:241 ] [ERROR] Keychain error: Optional(The specified keychain could not be found.)
[ 24-07-2024 12:39:15:241 ] [INFO] Creating keychain..
[ 24-07-2024 12:39:15:448 ] [INFO] Import status: 0
[ 24-07-2024 12:39:15:448 ] [INFO] Identity: <SecIdentity 0x7ff3ec1f7df0 [0x7ff85540e9a0]>
[ 24-07-2024 12:39:15:448 ] [INFO] Credential sent
[ 24-07-2024 12:39:15:581 ] [INFO] Upload request completed..
[ 24-07-2024 12:39:15:583 ] [INFO] Status code: 200

[ 25-07-2024 12:24:55:300 ] [INFO] Client authentication challenge
[ 25-07-2024 12:24:55:300 ] [INFO] Opening keychain...
[ 25-07-2024 12:24:55:305 ] [NOTICE] Keychain open status: 0
[ 25-07-2024 12:24:55:439 ] [INFO] Import status: -25300
[ 25-07-2024 12:24:55:440 ] [ERROR] Error in exporting identity : -25300 Optional(The specified item could not be found in the keychain.)
[ 25-07-2024 12:24:55:440 ] [CRITICAL] Error in getting identity: identityFormationError
[ 25-07-2024 12:24:55:441 ] [ERROR] Error in obtaining identity
[ 25-07-2024 12:24:55:513 ] [INFO] Download request complete...
[ 25-07-2024 12:24:55:515 ] [INFO] Status code: 200
We have been using the LAContext's evaluation policy for the past couple of years without any major issues. However, since last week (September 26), we have seen a spike in error events, indicating:
{
    "NSDebugDescription": "Caller is not running foreground.",
    "NSLocalizedDescription": "User interaction required."
}
We haven't made any code changes in the last couple of months. Is there any update regarding local authentication from Apple's side?
Our company was re-formed under a new name. Rather than rename the organization on the App Store, we were advised by support to create a new organization and then transfer the app to that organization, which we have done.
Our app implements Apple Authentication. We did not migrate the users of the app (as instructed here: https://developer.apple.com/documentation/sign_in_with_apple/transferring_your_apps_and_users_to_another_team).
Is it possible to now migrate the users, after the app has been transferred? Our attempt to get an authorization token with scope "user.migration" results in HTTP error 400 with body: "invalid_client".
Hello there,
I have been facing an issue with Apple sign in on a React Native app.
I have been able to get the authorization and all the codes in the frontend part.
The issue is on the backend, which is in PHP.
We are first validating the identity token generated on the phone, then we are creating a client secret, and then trying to fetch the user info. The issue lies in the API call getAppleUser($authorizationCode, $clientId, $clientSecret); (function below), where we are receiving an error like:
{"error":"invalid_grant","error_description":"client_id mismatch. The code was not issued to com.marchup.prod.AppSSO."}
// Class-level imports assumed by the methods below:
// use Firebase\JWT\JWT; use Firebase\JWT\JWK; use GuzzleHttp\Client;
public function appleAuth($identityToken, $authorizationCode)
{
    if (!$identityToken || !$authorizationCode) {
        return $this->returnError(400, 'Missing identity token or authorization code');
    }
    try {
        // Validate identity token
        $decodedToken = $this->validateAppleToken($identityToken);
        // Generate client secret
        $teamId     = Yii::$app->params['apple-auth']['teamId'] ?? '';
        $clientId   = Yii::$app->params['apple-auth']['clientId'] ?? '';
        $keyId      = Yii::$app->params['apple-auth']['keyId'] ?? '';
        $privateKey = Yii::$app->params['apple-auth']['privateKey'] ?? '';
        $clientSecret = $this->generateClientSecret($teamId, $clientId, $keyId, $privateKey);
        // Get user info from Apple
        $appleUser = $this->getAppleUser($authorizationCode, $clientId, $clientSecret);
        // Verify the authorization code is valid
        if (!isset($appleUser['id_token'])) {
            throw new \Exception('Invalid authorization code');
        }
        // Extract user info from the identity token
        $userId = $decodedToken->sub;
        $email  = $decodedToken->email ?? '';
        // login or signup code: needs to know about the object definition to add login and signup logic
        return $this->returnSuccess('Request successful', 200, [
            'userId' => $userId, 'email' => $email
        ]);
    } catch (\Exception $e) {
        // Handle errors
        Yii::error('Error on apple login ' . $e->getMessage());
        return $this->returnError(500, 'Server Error');
    }
}
This function is where I am creating a clientSecret as per Apple's guidelines:
// Named generateClientSecret here to match the call in appleAuth (the original was named createClientSecret).
private function generateClientSecret($teamId, $clientId, $keyId, $privateKey)
{
    // $key = file_get_contents($privateKeyPath);
    $key = $privateKey;
    $headers = [
        'kid' => $keyId,
        'alg' => 'ES256'
    ];
    $claims = [
        'iss' => $teamId,
        'iat' => time(),
        'exp' => time() + 86400 * 180,   // 180 days; Apple allows at most six months
        'aud' => 'https://appleid.apple.com',
        'sub' => $clientId                // must be the same client_id that is sent to /auth/token
    ];
    return JWT::encode($claims, $key, 'ES256', $headers['kid']);
}
This is the validateAppleToken function, which is not giving me an error:
private function validateAppleToken($identityToken)
{
    $client = new Client();
    $response = $client->get('https://appleid.apple.com/auth/keys');
    $keys = json_decode($response->getBody(), true)['keys'];
    $header = JWT::urlsafeB64Decode(explode('.', $identityToken)[0]);
    $headerData = json_decode($header, true);
    $kid = $headerData['kid'];
    $publicKey = null;
    foreach ($keys as $key) {
        if ($key['kid'] === $kid) {
            $publicKey = JWK::parseKey($key);
            break;
        }
    }
    if (!$publicKey) {
        throw new \Exception('Public key not found');
    }
    try {
        $decoded = JWT::decode($identityToken, $publicKey, ['RS256']);
    } catch (\Exception $e) {
        throw new \Exception('Token validation failed: ' . $e->getMessage());
    }
    // JWT::decode checks the signature and expiry, but not who issued the token
    if (($decoded->iss ?? null) !== 'https://appleid.apple.com') {
        throw new \Exception('Token validation failed: unexpected issuer');
    }
    return $decoded;
}
The response I got was:
{
aud: "com.abc"
auth_time: 1718017883
c_hash: "HSNFJSBdut5vk84QyK0xHA"
exp: 1718104283
iat: 1718017883
iss: "https://appleid.apple.com"
nonce:"2878cd1ac1fa121f75250f453edaac47365f5144f2e605e8b526a29cb62c83da"
nonce_supported: true
sub: "001703.2a52ec72cb874a93986522fa35742bd4.1219"
}
After that, we are mainly getting the error
{"error":"invalid_grant","error_description":"client_id mismatch. The code was not issued to com.marchup.prod.AppSSO."}
in this function:
private function getAppleUser($authorizationCode, $clientId, $clientSecret)
{
    try {
        $client = new Client();
        $response = $client->post('https://appleid.apple.com/auth/token', [
            'form_params' => [
                'client_id'     => $clientId,
                'client_secret' => $clientSecret,
                'code'          => $authorizationCode,
                'grant_type'    => 'authorization_code'
            ]
        ]);
        if ($response->getStatusCode() !== 200) {
            throw new \Exception('Failed to get user information from Apple. Status code: ' . $response->getStatusCode());
        }
        $data = json_decode($response->getBody(), true);
        // Check if the response contains the expected data
        if (!isset($data['access_token']) || !isset($data['id_token'])) {
            throw new \Exception('Invalid response from Apple. Missing access token or ID token.');
        }
        // Return the decoded data
        return $data;
    } catch (\Exception $e) {
        // Log any other unexpected errors
        Yii::error('Unexpected error: ' . $e->getMessage());
        // Re-throw the exception to propagate it further
        throw $e;
    }
}
Assumptions: bundleId = com.marchup
serviceId I created as client_id = com.marchup.prod.AppSSO
team ID = as usual
keyId = the ID I created in the Apple developer console.
And the private key is the key inside the private key file.
Can anyone please answer?
What is mismatched here?
Hi @everyone, I have set up the proper App ID and Services ID, along with the return URL, domains and subdomains (example domains and subdomains: asdfjkl.firebaseapp.com and return URL: https://asdfjkl.firebaseapp.com/__/auth/handler) in developer.apple.com.
And I have created the key as well, and added the key ID, private key and Services ID in the Firebase Apple sign-in console. But I'm getting the error "Invalid web redirect url".
I haven't provided the App ID, services ID, firebase project ID, Key secret here as they're confidential. Please let me know if any further details are needed.
On iOS, Sign in with Apple will provide an e-mail address if the user is logging in for the first time. On all subsequent logins, the e-mail address will be missing. However, this can be reset by removing the app from your Apple ID. If you then try to login again, the e-mail dialog will popup again, and the app will receive this e-mail.
On visionOS, however, the latter does not happen. Even if I have removed the app from my Apple ID, the e-mail dialog won't show up again. The only way to resolve this is to reset the visionOS simulator (haven't tried it on a real device).
Summary:
Need help with Certificates, Identifiers and Profiles settings to allow two apps to use Sign in with Apple.
Background:
We have a web application (React, static JavaScript) that allows users to sign in with Apple, Google or Microsoft via OAuth/OIDC.
We are developing a mobile application using React Native and Expo.
Both the web application and the mobile application use the same backend (Django).
For the mobile application, we added Google and Microsoft sign in via the same web-based OAuth/OIDC flow. For Sign in with Apple, we are using the expo-apple-authentication package to get the required native sign in experience.
We have two active app identifiers:
org.terraso.terraso; web app; primary Apple ID
org.terraso.test.Terraso-LandPKS; mobile app; Group with an existing primary App ID (selected (1), the web app)
We have one services identifier:
org.terraso.app; primary ID is web app (app identifier 1) above; URLs have been configured
We have one app group:
group.org.terraso (seems unused)
On our backend app, we have code:
https://github.com/techmatters/terraso-backend/blob/abc655e83eaca849e2bc24389946cc4f0bcd9d48/terraso_backend/apps/auth/providers.py#L84
and APPLE_CLIENT_ID is set to org.terraso.app (which matches the services identifier above).
In my local development environment, I have tried a few different combinations of IDs attempting to get this to work using the iOS simulator:
(i) backend client id: org.terraso.app
mobile app bundle Id: org.terraso.test.Terraso-LandPKS
result: error: jwt.exceptions.InvalidAudienceError: Audience doesn't match
(ii) backend: org.terraso.app
mobile app: org.terraso.app
result: clicking "Sign In" in Apple ID dialog is a no-op (no errors from client or server)
(iii) backend: org.terraso.test.Terraso-LandPKS
mobile app: org.terraso.test.Terraso-LandPKS
result: works (but I can't use that in production, because the client ID is wrong)
How can I configure Sign in with Apple to allow both the web app, the mobile app (and possible additional mobile apps) to work with the same backend?
Do I need to use app groups? When do you use app groups vs "group with an existing primary Apple ID"?
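The two Sign in with Apple backend posts above (the PHP one with the "client_id mismatch" error and the Terraso one with the InvalidAudienceError) share one root cause: the aud claim of the identity token is the client ID the app actually used (the bundle ID for a native app, the Services ID for the web), and the same value must be the client_id in the /auth/token request and the sub of the client secret. The following is an added example, not code from either post or project, written in Python with only the standard library: it performs the claim checks a JWT library leaves to the caller (issuer, expiry, nonce, and aud against the set of client IDs the backend serves), returns the matching client ID for the code exchange, and builds the client secret claims for it. It assumes signature verification against https://appleid.apple.com/auth/keys has already happened (as in the PHP post's validateAppleToken), and the client ID registry is a hypothetical mapping built from the Terraso post's identifiers; the six-month cap on the client secret is Apple's documented limit.

```python
import base64
import json
import time

APPLE_ISSUER = "https://appleid.apple.com"
# Apple caps the client secret JWT lifetime at six months (15777000 s).
MAX_CLIENT_SECRET_LIFETIME = 15777000

# Hypothetical registry for the Terraso post's setup: every client ID that may
# hand us an authorization code, keyed by the aud we expect in its id_token.
ALLOWED_CLIENT_IDS = {
    "org.terraso.app": "web (Services ID)",
    "org.terraso.test.Terraso-LandPKS": "iOS app (bundle ID)",
}


class IdTokenError(Exception):
    """Raised when an identity token must not be accepted."""


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_identity_token_claims(id_token, allowed_client_ids, expected_nonce=None, now=None):
    """Validate iss, exp, aud and nonce of a signature-verified Apple identity
    token and return the client ID (aud) it was issued to. That value, not a
    hard-coded Services ID, is the client_id to send to /auth/token."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, _signature = id_token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:  # covers bad segment count, base64 and JSON errors
        raise IdTokenError(f"malformed token: {exc}") from exc
    if header.get("alg") != "RS256":
        raise IdTokenError(f"unexpected alg {header.get('alg')!r}")
    if claims.get("iss") != APPLE_ISSUER:
        raise IdTokenError(f"unexpected issuer {claims.get('iss')!r}")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise IdTokenError("token expired or missing exp")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    matched = [a for a in auds if a in allowed_client_ids]
    if len(matched) != 1:
        raise IdTokenError(f"aud {aud!r} is not one of our client IDs {sorted(allowed_client_ids)}")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch")
    return matched[0]


def client_secret_claims(team_id, client_id, now=None, lifetime=3600):
    """Claims for the ES256-signed client secret JWT (sign it with the .p8 key,
    kid = the Key ID from the developer portal). sub must equal the client_id
    used in the token request, i.e. the aud returned above."""
    now = int(time.time()) if now is None else now
    if not 0 < lifetime <= MAX_CLIENT_SECRET_LIFETIME:
        raise ValueError("client secret lifetime must be between 1 s and six months")
    return {"iss": team_id, "iat": now, "exp": now + lifetime,
            "aud": APPLE_ISSUER, "sub": client_id}


def encode_unsigned_token(claims, kid="TEST_KID", alg="RS256"):
    """Build a JWT with a placeholder signature, only to construct test input;
    a real backend never accepts such a token."""
    header = {"alg": alg, "kid": kid}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     _b64url_encode(b"placeholder-signature")])


if __name__ == "__main__":
    # Scenario (i) from the Terraso post: the iOS app's token carries its bundle
    # ID as aud; a backend that only knows the Services ID rejects it.
    token = encode_unsigned_token({"iss": APPLE_ISSUER, "aud": "org.terraso.test.Terraso-LandPKS",
                                   "exp": 2_000_000_000, "sub": "001703.example"})
    try:
        check_identity_token_claims(token, {"org.terraso.app"}, now=1_700_000_000)
    except IdTokenError as err:
        print("rejected:", err)
    client_id = check_identity_token_claims(token, ALLOWED_CLIENT_IDS, now=1_700_000_000)
    print("exchange code with client_id", client_id,
          "and client secret sub", client_secret_claims("TEAMID", client_id)["sub"])
```

Applied to the PHP post, the check would reject the token before the /auth/token call: its aud is the bundle ID (com.abc in the decoded output) while the exchange is attempted as the Services ID com.marchup.prod.AppSSO, which is exactly the "client_id mismatch" Apple reports. For a backend serving both a web app and native apps, the registry holds every client ID, each with its own client secret signed for that sub.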
Hello,
The issues we previously identified still need your attention.
If you have any questions, we are here to help. Reply to this message in App Store Connect and let us know.
Review Environment
Submission ID: 00fc9b08-3da8-4b89-8810-740174730062
Review date: April 21, 2024
Version reviewed: 1.0
Guideline 3.2.1 - Business - Other Business Model Issues - Acceptable
Your app provides financial services but does not meet all the requirements for apps providing these services. Specifically:
The app must be published under a seller and company name that is associated with the organization or company providing the services. In this case, your app must be published under a seller name and company name that reflects the Askmefund name.
The account that submits the app must be enrolled in the Apple Developer Program as an organization, and not as an individual.
These requirements give App Store users confidence that apps offering financial services are qualified to provide these services and will responsibly manage their data.
Please provide ownership documentation or modify the vendor seller name.
Please help me.
Hi
We are getting an error in Apple Sign In: "Sign-Up not completed". Apple Sign In is working fine for old apps and old bundle IDs, but it's not working in new apps with new bundle IDs.
We checked with other Apple Developer team accounts, and Apple Sign In works with the same source code, but my team account is getting the error.
We enabled signing capabilities, added Sign in with Apple, and added the provisioning profile certificate as well, but I am still getting the same error.
I'm setting up 'Sign in with Apple ID,' and the signup process is running smoothly. Users are redirected to the Apple login page, where they grant permission to share their email and name, followed by a callback. However, a problem occurs with users who are already registered. Ideally, for these users, the process should simply verify their credentials without asking for additional permissions, since the app is already authorized to access their email and name. But, they are being asked again for these permissions after logging in, suggesting they are creating the account in the app again. How can I indicate in the authorization request that a user has already been authorized so that the permissions screen doesn't reappear? Other providers handle this by adding the parameter 'prompt=none' to the request.
I'm working on implementing Apple Sign In in an Angular application. I've successfully obtained the 'id_token', but I've noticed that the user's name is missing . I'm uncertain whether Apple provides the user's name in the 'id_token'. If it does, I'd like to know the steps to retrieve it correctly.
Hi,
We did all the configuration as requested in the documentation for Apple Sign In. Sign in from the app is happening properly, but when we try to verify the token with the backend, we get the error below from the service:
{ "error": "invalid_grant", "error_description": "The code has expired or has been revoked." }
Are we missing anything?
Trying to implement sign in with apple for a web app project that does not have an associated mobile app.
Do I really need an app ID in this situation as there's no option to proceed without selecting one?
Good day folks,
We have a workflow setup where a new Sign in with Apple user registers (first SIWA login where user can pick name and show/hide email), and the server-side code obtains a refresh token from SIWA REST API. That refresh token is stored internally against the user's profile in the DB for future use.
Whenever user account is deleted from server-side, we use that refresh token to revoke Sign in with Apple (so that the user would need to go through registration flow rather than sign in- where they have an option to specify name and show/hide email).
That has been working beautifully until we have added an AppClip to the app. The code which obtains the refresh token "respects" the correct bundle ID for the main app / app clip, and everything seems to work. Both of Apple's APIs return OK codes. In fact, we even get the email from Apple when token is revoked which reads "APP_NAME has revoked your Sign in with Apple account. Next time you use Sign in with Apple to sign in to your onUgo Access account, you will have to share your name and email again".
Problem is- it doesn't. SIWA still offers to "sign in" as if account is still linked, and the app still shows up as "App using Sign in with Apple" in iPhone settings. What's even more mysterious is that you can't delete/revoke/"Stop using Apple ID" on that SIWA link with the app from iPhone settings too! It seems to work, but the app never goes away from the list, as if it fails silently.
Could anyone please help shed some light on this?
Hello, we use Apple ID as a sign-up/log-in method. When we released our App Store version, we switched from the beta to the market app, and our bundle IDs changed. Now we are wondering whether there is any way to help users reach their old accounts using the market app with a different bundle ID, or any smart idea for approaching this problem.