We are having trouble with App Attest when built with different processors. We need to build an IPA to send to our testers. When the app is built using Intel processor, everything works. But when we built using a mac with processor M, them the App Attest process fails. The error occurs in our backend while validating the attesation object. We are doing the validation as stated by this documentation: https://developer.apple.com/documentation/devicecheck/attestation-object-validation-guide The process of validating the Attesation Object fails in the step 4, this one: Obtain the value of the credCert extension with OID 1.2.840.113635.100.8.2, which is a DER-encoded ASN.1 sequence. Decode the sequence and extract the single octet string that it contains. Verify that the string equals nonce. The problem is that the validation fails only when the app is built in a M processor machine. In our server we do (using GO Lang) something like this: if !bytes.Equal(nonce[:], unMarshalledCredCert.Bytes) { // error } unMarshalledCredCert is the nonce extracted from the Attesation Object sent by the mobile application and nonce[:] is the nonce stored in our backend side cache. What can this be?

I'm using CMMotionManager startDeviceMotionUpdatesUsingReferenceFrame: CMAttitudeReferenceFrameXTrueNorthZVertical and have set the NSMotionUsageDescription ("Privacy - Motion Usage Description") property in the info.plist. But I don't see a permissions popup. I also don't see any mention of this in the app's section of the Settings app. When is this usage description string used? I wonder if there is some connection between the motion permission and the location permission, which I also use?

Hello. I’m building an app that would use the Screen Time API to restrict apps on the users phone at set times and also give Device usage reports and analysis to the user. Do I need to request permission from apple to do this? If no, then what applications of the API require getting permission from Apple?

We've encountered an issue with implementing "Sign in with Apple." We've set up an authorization mechanism that returns a JWT, which includes the following fields in the IdTokenPayload: iss, aud, exp, iat, sub, at_hash, email, email_verified, auth_time, and nonce_supported. We tested this using an Apple ID that had not previously been used with our app. At this stage, we expected to receive the user's name, but instead, the relevant fields are returning null values, and all we receive is the email address. Here’s an example of the JWT payload we're receiving: { "iss": "https://appleid.apple.com", "aud": "com.octocrm.webapp", "exp": 1724833875, "iat": 1724747475, "sub": "000335.ad7cef1b0a3c474b842531f95444f2ad.1205", "at_hash": "perz_dvgtpe4cglpuzzj-a", "email": "firma.pl", "email_verified": true, "auth_time": 1724747463, "nonce_supported": true } We were expecting the user's name fields (e.g., name, given_name, family_name) to be populated in the JWT, but instead, they are returning as null. Is there something we're missing in our implementation, or is there a specific condition that needs to be met for these fields to be included? Any guidance on how to resolve this issue would be greatly appreciated.

Hi, Please see TN3159: Migrating Sign in with Apple users for an app transfer for more information on the expected end-to-end app transfer and user migration flow. Additionally, if you'd like for the iCloud and App Store engineering teams to confirm if the errors are related to a revoked authorization to previous users accounts, please submit a report via Feedback Assistant and include the following information: Gathering required information for troubleshooting Sign in with Apple user migration To prevent sending sensitive JSON Web Tokens (JWTs) in plain text, you should create a report in Feedback Assistant to share the details requested below. Additionally, if I determine the error is caused by an internal issue in the operating system or Apple ID servers, the appropriate engineering teams have access to the same information and can communicate with you directly for more information, if needed. Please follow the instructions below to submit your feedback. For issues occurring with your user migration, ensure your feedback contains the following information: the primary App ID and Services ID the client secret for the transferring team (Team A) and the recipient team (Team B) the failing request(s), including all parameter values, and error responses (if applicable) the timestamp of when the issue was reproduced (optional) screenshots or videos of errors and unexpected behaviors (optional) Important: If providing a web service request, please ensure the client secret (JWT) has an extended expiration time (exp) of at least ten (10) business days, so I have enough time to diagnose the issue. Additionally, if your request requires access token or refresh tokens, please provide refresh tokens as they do not have a time-based expiration time; most access tokens have a maximum lifetime of one (1) hour, and will expire before I have a chance to look at the issue. Submitting your feedback Before you submit via Feedback Assistant, please confirm the requested information above (for your native app or web service) is included in your feedback. Failure to provide the requested information will only delay my investigation into the reported issue within your Sign in with Apple client. After your submission to Feedback Assistant is complete, please respond in your existing Developer Forums post with the Feedback ID. Once received, I can begin my investigation and determine if this issue is caused by an error within your client, a configuration issue within your developer account, or an underlying system bug. Cheers, Paris X Pinkney |  WWDR | DTS Engineer

I'm working on a Passkey Provider and I'm trying to limit my extension to already existing credentials added via ASCredentialIdentityStore. So if a browser calls navigator.credentials.get without any allowedCredentials, I want to reject that request and if navigator.credentails.get contain an allowedCredentials list, and the allowedCredentials are in my internal store, then I process the challenge. The problem I'm seeing is that allowedCredentials is empty whether I pass allowedCredentials to navigator.credentials.get or not. Is there any way to troubleshoot this?

I'm writing an app that uses on-device voice to text for recognising scientific terms. It works fine on my phone but now in beta my first tester cannot make it work. All the permission requests are working: p&s Mic and Speech Recognition are both now enabled on the target device where the user granted the app permission. Is there something else I'm missing? Incidentally, both my phone, the target phone and my XCode are fully up to date. Thanks.

On macOS OS updates/reboot, CryptoTokenKit extension doesn't get loaded automatically when the system boots back. It needs another reboot to get the extension loaded and working. After update: % security list-smartcards <No smart cards> .. and there is a crash for authorizationhosthelper.arm64 in keychain layer Thread 2 Crashed:: Dispatch queue: com.apple.security.keychain-cache-queue 0 libdispatch.dylib 0x18e2e499c dispatch_channel_cancel + 12 1 Security 0x1914ccfd0 invocation function for block in Security::KeychainCore::StorageManager::tickleKeychain(Security::KeychainCore::KeychainImpl*) + 44 2 libdispatch.dylib 0x18e2ce3e8 _dispatch_client_callout + 20 3 libdispatch.dylib 0x18e2d18ec _dispatch_continuation_pop + 600 4 libdispatch.dylib 0x18e2e57f0 _dispatch_source_latch_and_call + 420 5 libdispatch.dylib 0x18e2e43b4 _dispatch_source_invoke + 832 6 libdispatch.dylib 0x18e2d5898 _dispatch_lane_serial_drain + 368 7 libdispatch.dylib 0x18e2d6544 _dispatch_lane_invoke + 380 8 libdispatch.dylib 0x18e2e12d0 _dispatch_root_queue_drain_deferred_wlh + 288 9 libdispatch.dylib 0x18e2e0b44 _dispatch_workloop_worker_thread + 404 10 libsystem_pthread.dylib 0x18e47b00c _pthread_wqthread + 288 11 libsystem_pthread.dylib 0x18e479d28 start_wqthread + 8 Opening the parent app bundle as a Login item does not help. A reboot sometimes fixes it but this happens frequently and causes lot of enterprise endpoints not able to authenticate. After reboot: % security list-smartcards com.foo.tech.mac-device-check.SecureEnclaveTokenExtension:700D6B7E8943B529569D9CC81AC6F930 Please provide and prioritize a permanent fix/workaround for this issue. We have already reported this issue with crash and sysdiagnose logs in FB13622281 earlier this year.

This is an addended post referring to me getting bounced from Bank of America and account shut down and forced to firmware wipe etc my devices due to ‘account takeover’ from ‘malware’ as their crowdstrike or whatever prob read api or ip irregularity? They wouldn’t say, bye this happened to 4 other similar accounts in 6 months. I don’t use proxy or remote etc but the log below apparently reveals some kind of strange activity- I’m not smart enough to put it all together, much appreciated folks!!! terminusd-471.140.5 pid 674 built on Jun 29 2024 06:58:06, iphoneOS 21G80 "iPhone", packet logging disabled Companion link is currently enabled on this device 23:35:36.2420 : time of this status dump --------- NRD Local Device Database Status (0 devices) --------- --------- Director status --------- Name: Link Director Enabled: YES Fixed Interface mode: NO Thermal watcher registered: NO Thermal Pressure: Nominal SOCKS port: 62742 SOCKS server: (null) FD Usage: { NETPOLICY = 2; Total = 6; VNODE = 4; } Unlocked data protection: ClassA --------- Manager status --------- Name: Policy Session Manager Policy Session: { priority = control1 policies = {} } Installed policies: { "NRLinkDirector-Drop" = ( 1 ); } Name: Link Manager - Bluetooth LinkManager type: Bluetooth State: Ready [] Links: {( )} Pipes: {( )} Peripherals: (null) connectPeripheral invoked: (null) CentralMgr: (null) PeripheralMgr: (null) currentAdvertisementState: Idle currentAdvertisementRate: Default BT connection state: (null) Name: Link Manager - WiFi LinkManager type: WiFi State: Ready Links: {( )} WiFi Interface: en0 (index 22) AWDL Interface: (null) (index 0) WiFi Available: NO WiFi WoW Enabled: NO WiFi Client Type: 0 Local WiFi Endpoint: (null) Local WiFi Signature: (null) Remote WiFi Endpoints: { } Remote WiFi Signature: (null) Remote AWDL EndpointDict: { } Available IPv4 addresses: ( ) Available IPv6 addresses: ( ) Available AWDL addresses: ( ) Prefer WiFi asserts: 0 Cleared Prefer WiFi asserts: 0 ---- NRIKEv2Listener ---- IKEv2 Listener: (null) Registered links: (null) Orphaned Device Monitor Connections: {( )} Orphaned Device Preferences Connections: {( )} Ephemeral Device Connections: {( Sent from my iPhone

I keep getting these CAPTCHA messages with an I IP address and a site link and there are many files on my phone which I don’t understand As I try to navigate sites, I get a CAPTCHA message of different types. With IP addresses and URLs. IP address: 2a04:4e41:62::9ce7:d3c7 Time: 2024-08-23T06:27:11Z URL: https://www.google.com/search?q=com.apple.os.update-E308CACB9FB73322E7681CC9DAFA19CF788DA2672BFBE91158D3C85061851851%40%2Fdev%2Fdisk1s1+on+%2F+(apfs%2C+sealed%2C+local%2C+nosuid%2C+read-only%2C+journaled%2C+noatime)+devfs+on+%2Fdev+(devfs%2C+local%2C+nosuid%2C+nobrowse)+%2Fdev%2Fdisk1s6+on+%2Fprivate%2Fpreboot+(apfs%2C+local%2C+nosuid%2C+journaled%2C+noatime)+%2Fdev%2Fdisk1s3+on+%2Fprivate%2Fxarts+(apfs%2C+local%2C+nodev%2C+nosuid%2C+journaled%2C+noatime%2C+nobrowse)+%2Fdev%2Fdisk1s2+on+%2Fprivate%2Fvar+(apfs%2C+local%2C+nodev%2C+nosuid%2C+journaled%2C+noatime%2C+protect)+%2Fdev%2Fdisk1s4+on+%2Fprivate%2Fvar%2Fwireless%2Fbaseband_data+(apfs%2C+local%2C+nodev%2C+nosuid%2C+journaled%2C+noatime%2C+nobrowse)+%2Fdev%2Fdisk1s7+on+%2Fprivate%2Fvar%2FMobileSoftwareUpdate+(apfs%2C+local%2C+nodev%2C+nosuid%2C+journaled%2C+noatime%2C+nobrowse)+%2Fdev%2Fdisk1s5+on+%2Fprivate%2Fvar%2Fhardware+(apfs%2C+local%2C+nodev%2C+nosuid%2C+journaled%2C+noatime%2C+nobrowse)+%2Fdev%2Fdisk1s8+on+%2Fprivate%2Fvar%2Fmobile+ (apfs%2C+local%2C+nodev%2C+nosuid%2C+journaled%2C+noatime%2C+protect)&ie=UTF-8&oe=UTF-8&hl=en-us&client=safari q=com.apple.os.update-E308CACB9FB73322E7681CC9DAFA19CF788DA2672BFBE91158D3C85061851851%40%2Fdev%2Fdisk1s1+on+%2F+(apfs%2C+sealed%2C+local%2C+nosuid%2C+read-only%2C+journaled%2C+noatime)+devfs+on+%2Fdev+(devfs%2C+local%2C+nosuid%2C+nobrowse)+%2Fdev%2Fdisk1s 6+on+%2Fprivate%2Fpreboot+ (apfs%2C+local%2C+nosuid%2C+journaled%2C+noatime)+%2Fdev%2Fdisk1s3+on+%2Fprivate%2Fxarts+ (apfs%2C+local%2C+nodev%2C+nosuid%2C+journaled%2C+noatime%2C+nobrowse)+%2Fdev%2Fdisk1s2+on+%2Fprivate%2Fvar+ (apfs%2C+local%2C+nodev%2C+nosuid%2C+journaled%2C+noatime%2C+protect)+%2Fdev%2Fdisk1s4+on+%2Fprivate%2Fvar%2Fwireless%2Fbaseband_data+ (apfs%2C+local%2C+nodev%2C+nosuid%2C+journaled%2C+noatime%2C+nobrowse)+%2Fdev%2Fdisk1s7+on+%2Fprivate%2Fvar%2FMobileSoftwareUpdate+ (apfs%2C+local%2C+nodev%2C+nosuid%2C+journaled%2C+noatime%2C+nobrowse)+%2Fdev%2Fdisk1s5+on+%2Fprivate%2Fvar%2Fhardware+ (apfs%2C+local%2C+nodev%2C+nosuid%2C+journaled%2C+noatime%2C+nobrowse)+%2Fdev%2Fdisk1s8+on+%2Fprivate%2Fvar%2Fmobile+ (apfs%2C+local%2C+nodev%2C+nosuid%2C+journaled%2C+noatime%2C+protect)&ie=UTF-8&oe=UTF-8&hl=en-us&client=safari https://www.google.com/search?q=com.apple.os.update-E308CACB9FB73322E7681CC9DAFA19CF788DA2672BFBE91158D3C85061851851%40%2Fdev%2Fdisk1s1+on+%2F+ apfs%2C+sealed%2C+local%2C+nosuid%2C+read-only%2C+journaled%2C+noatime)+devfs+on+%2Fdev+(devfs%2C+local%2C+nosuid%2C+nobrowse)+%2Fdev%2Fdisk1s6+on+%2Fprivate%2Fpreboot

Similar to this thread. How do we go about testing or triggering the UI for this new iOS/macOS 18 API? https://developer.apple.com/documentation/authenticationservices/ascredentialproviderviewcontroller/prepareinterfaceforuserchoosingtexttoinsert() Thanks!

Hi I want to create secIdentity from certificate &amp; key. I receive certificate from my server and I have private key of that. My certificate is like this -----BEGIN CERTIFICATE-----\nMIIEyTC...jix0=\n-----END CERTIFICATE----- And private key is like this -----BEGIN RSA PRIVATE KEY-----\nMIIEp...5KM=\n-----END RSA PRIVATE KEY-----\n I am trying to create secIdentity by saving certificate and key in keychain, but I am getting -25300 as error. To create the identity my code is like this. func deleteCertificateAndKey(certLabel:String, keyTag:Data) -&gt; Bool { // Query for the certificate let query: [String: Any] = [kSecClass as String: kSecClassCertificate, kSecAttrLabel as String: certLabel] // Attempt to delete the certificate let certificateDeleteStatus = SecItemDelete(query as CFDictionary) print("certificateDeleteStatus: \(certificateDeleteStatus)") // if certificateDeleteStatus == errSecSuccess { // print("Certificate Certificate deleted successfully.") // } else { // print("Failed to delete certificate Certificate. Error: \(certificateDeleteStatus)") // return false // } // // Query for the private key associated with the certificate let keyQuery: [String: Any] = [ kSecClass as String: kSecClassKey, kSecAttrApplicationTag as String: keyTag ] // Attempt to delete the private key let keyDeleteStatus = SecItemDelete(keyQuery as CFDictionary) print("keyDeleteStatus: \(keyDeleteStatus)") // if keyDeleteStatus == errSecSuccess { // print("Private key associated with Key deleted successfully.") // return true // } else { // print("Failed to delete private key for Key. Error: \(keyDeleteStatus)") // return false // } return true; } func stripPemHeaders(_ pemString: String) -&gt; String { var result = pemString // result = result.replacingOccurrences(of: "-----BEGIN RSA PRIVATE KEY-----\n", with: "") result = result.replacingOccurrences(of: "\n-----END RSA PRIVATE KEY-----\n", with: "") // result = result.replacingOccurrences(of: "-----BEGIN CERTIFICATE-----\n", with: "") result = result.replacingOccurrences(of: "\n-----END CERTIFICATE-----", with: "") return result } func loadIdentity(certificate: String, privateKey: String)-&gt; SecIdentity? { let strippedCertificate = stripPemHeaders(certificate) print("strippedCertificate : \(strippedCertificate)") guard let certData = Data(base64Encoded: strippedCertificate, options:NSData.Base64DecodingOptions.ignoreUnknownCharacters) else { print("Unable to decode certificate PEM") return nil } print("certData: \(certData)") // Create certificate object guard let cert = SecCertificateCreateWithData(kCFAllocatorDefault, certData as CFData) else { print("Unable to create certificate") return nil } let addCertQuery: [String: Any] = [kSecClass as String: kSecClassCertificate, kSecValueRef as String: cert, kSecAttrLabel as String: "shahanshahAlam"] let tag = "fedvfdvjjkdf-tag".data(using: .utf8)! _ = deleteCertificateAndKey(certLabel: "shahanshahAlam",keyTag: tag ) // print("deleteStatus finished with status: \(deleteStatus)") let certAddStatus = SecItemAdd(addCertQuery as CFDictionary, nil) print("certAddStatus finished with status: \(certAddStatus)") let strippedPrivateKey = stripPemHeaders(privateKey) print("strippedPrivateKey : \(strippedPrivateKey)") guard let pemKeyData = Data(base64Encoded: strippedPrivateKey, options:NSData.Base64DecodingOptions.ignoreUnknownCharacters) else { print("Error: couldn't parse the privateKeyString, pls check if headers were removed: \(privateKey)") return nil } print("pemKeyData finished with status: \(pemKeyData)") let sizeInBits = pemKeyData.count * 8 let keyDict: [CFString: Any] = [ kSecAttrKeyType: kSecAttrKeyTypeRSA, kSecAttrKeyClass: kSecAttrKeyClassPrivate, kSecAttrKeySizeInBits: NSNumber(value: sizeInBits), kSecReturnPersistentRef: true ] var error: Unmanaged&lt;CFError&gt;? guard let key = SecKeyCreateWithData(pemKeyData as CFData, keyDict as CFDictionary, &amp;error) else { print("Failed creating a Certificate from data \(error.debugDescription)") return nil } let addKeyQuery: [String: Any] = [ kSecClass as String: kSecClassKey, kSecAttrIsPermanent as String: true, kSecValueRef as String: key, kSecAttrApplicationTag as String: tag ] let privKeyAddStatus = SecItemAdd(addKeyQuery as CFDictionary, nil) print("privKeyAddStatus status finished with status: \(privKeyAddStatus)") // query for all avaiable identities let getIdentityQuery = [ kSecClass : kSecClassIdentity, // kSecReturnData : true, // kSecReturnAttributes : true, kSecReturnRef : true, kSecAttrApplicationTag as String: tag, kSecMatchLimit : kSecMatchLimitAll ] as CFDictionary var identityItem: CFTypeRef? let status = SecItemCopyMatching(getIdentityQuery , &amp;identityItem) print("identityItem finished with status: \(String(describing: identityItem))") print("status finished with status: \(status)") guard status == errSecSuccess else { print("Unable to create identity") return nil } return (identityItem as! SecIdentity); } How can I fix that.

UITraitCollection.sceneCaptureState does not work when using iPhone mirroring on iOS 18 beta and MacOS sequoia beta. The path to reproducing this bug is as follows: Set the default language of macOS to Korean Change the default language setting in macOS to English Use the iPhone Mirroring app In situations like this, sceneCaptureState of UITraitCollection.current appears as inactive. This can lead to serious bugs and abuse in many applications listed on the App Store. UITraitCollection.current.sceneCaptureState

Recently our Sign In with Apple integration has been affected by an inconsistency in Apple token response, where the email_verified attributed has a false value in the response but inside the id_token payload the email_verifiedattribute is set to true (the correct value), our integration has been working as expected until recently and haven't found an official announcement on this change. When making a call to https://appleid.apple.com/auth/token to exchange a code for a token using curl -v POST "https://appleid.apple.com/auth/token" \ -H 'content-type: application/x-www-form-urlencoded' \ -d 'client_id=CLIENT_ID' \ -d 'client_secret=CLIENT_SECRET' \ -d 'code=CODE' \ -d 'grant_type=authorization_code' \ -d 'redirect_uri=REDIRECT_URI' We're getting the following response where email_verified is set to false { "access_token": "XXXXXXX", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "XXXXXXX", "id_token": "XXXXXX", "email_verified": false } But by inspecting the id_token payload the email_verified attribute has the correct value: true { "iss": "https://appleid.apple.com", "aud": "xxxxx", "exp": 1724433090, "iat": 1724346690, "sub": "xxxxxxxxx", "at_hash": "xxxxxxxxxxx", "email": "my-apple-id@gmail.com", "email_verified": true, "auth_time": 1724346672, "nonce_supported": true } I'd like to know the reason for this inconsistency, or if it is an issue and is under the Apple team's radar.

Hi, I’ve had a a rough month with bank of america shuttering my online profile and account because of suspected Device Malware- account takeover it says, and I lost admin privileges to my primary email and Amazon account as well. Figured iOS was unbreachable. I’ve had some odd things happening- remotecloudiu or something caught and stopped in lockdown, and in MC meta showing mdm migration and hidden profiles. Device flickers and crash error 308 repeatedly shows. Avg 40 gb mobile data but last month showed 350 gb. Need some help with analytics or direction. Payload manifest: bplist00)_OrderedProfiles^HiddenProfiles i_8com.apple.ATT_NR_US.f7eb2f44-daOe-11eb-8349-f45c89abb0d9 mc meta: bplist00Ô_LastMDMMigratedBuild_LastMigratedBuild_&StopFilteringGrandfatheredRestrictions_ AllowedGrandfatheredRestrictionsU21G93Ñ possible unauth mdm? Sorry I’m clueless!!!

When using the Cape App, the Hidden Apps Folder Displaying In App Library. The folder should not be visited be when apps are hidden.

I'm running a launch agent in a CI node. The agent is responsible for launching CI build/test jobs. The agent, being the responsible process, has been granted kTCCServiceScreenCapture permission. With this in place I can run /usr/sbin/screencapture during CI test jobs, archiving the visual state of the CI machine if a test fails, which makes it easier to diagnose why the test failed. However with macOS 15 I get weekly/monthly notifications about the agent being able to record the screen. The general advice for this is that apps should migrate to ScreenCaptureKit, but I'm using a built in tool in macOS, /usr/sbin/screencapture, so how am I supposed to deal with that?

I would like to implement a feature in the prepareInterfaceForExtensionConfiguration function of the AutoFillCredentialProvider extension that returns to the main app. Since the extension prohibits the use of openURL from sharedApplication, can I use the openURL function of NSExtensionContext through UIResponder? Would this violate Apple’s regulations? private func openContainerApp() { let scheme = "momoshare://" let url: URL = URL(string: scheme)! let context = NSExtensionContext() context.open(url, completionHandler: nil) var responder = self as UIResponder? let selectorOpenURL = sel_registerName("openURL:") while (responder != nil) { if responder!.responds(to: selectorOpenURL) { responder!.perform(selectorOpenURL, with: url) break } responder = responder?.next } }

Hi, In our application, apple users have option to hide their email and continue with proxy email that apple provides to use our application feature. But we noticed that apple account created with gmail is having an issue where the email that we send from our apps is going to spam folder in gmail. All the other email domains used is working fine. Is anyone facing/faced this issue, please suggest a possible solution Thanks JM

Hello! I am storing an auth token and other details in the device keychain. I want to implement actionable push notifications that makes a network call using the stored auth token. The keychain settings I am using are a combination of: ksecattraccessiblewhenpasscodesetthisdeviceonly kSecAccessControlBiometryAny Whenever I try to access the auth token that is stored, it throws me an error saying "User Interaction required" Is there any way I can trigger a face-id check after clicking a push notification action so that I don't have to change the security settings? Or just use LAContext as soon as I receive a notification?