Dear Apple Team,
I hope this message finds you well.
Recently, while exploring Apple’s open-source resources, I came across some files that appear to contain sensitive information, including private keys. I wanted to reach out to clarify whether these files are intentionally made publicly available or if they might be exposed due to a potential misconfiguration.
Understanding the nature of these files is important, and I would appreciate any guidance you can provide regarding their accessibility and any necessary steps that should be taken to address this matter.
Thank you for your attention to this issue. I look forward to your response.
Prioritize user privacy and data security in your app. Discuss best practices for data handling, user consent, and security measures to protect user information.
Post
Replies
Boosts
Views
Activity
Hello there, we have implemented the Apple sign in our site, everything is working good except from two edge cases when the JWT returned by Apple sign in does not contain the user email, these cases are:
When users choose Hide My Email when creating their account and later manually change their settings and turning off the email forwarding (Tested).
For Apple at Work & School users. i.e. younger students may not have an email address. According to Apple docs, email could be empty for Sign in with Apple at Work & School users (Not tested).
The problem is that we use the email to confirm the user authentication, but when the email is not present in the JWT, our system won't be able to find the registered user.
We're currently working on a workaround for this, but we would like to confirm that these edge cases are known by apple and also ask some questions:
Is it correct to say that: Turning off the email forwarding will cause that Apple's identity token (JWT) does not include the user's email address?
Apple at Work & School users: is there a way to identify that someone is using this type of account?
Is there any other known edge case when the email could be empty in the JWT?
Thanks in advance!
Under iOS 18.0.1, I can't do any development that uses HTTPS, because I can't authorize my generated certificates on my phone. This was not a problem in the past.
Normally you AirDrop a root certificate authority to your phone, install the "profile" for it, and then trust it in Settings / General / About / Certificate Trust Authority. Then you can connect to another server on your network that's using the accompanying certificates.
But after sucessfully installing two profiles on my phone, neither shows up in Certificate Trust Authority. Anybody else seeing this?
This problem, in combo with this one (which prevents running on my Mac as an iPad app) has completely halted my project.
I've found reports of this problem that blamed an empty "common name" field in the certs, but that field is populated in both of these.
Good day. As part of a business unit separation, we are required to have our product with a different name, bundle IDs and certificates than our current configuration.
The product contains network extensions and requires Full Disk Access. We distribute this product to our customers who either support MDM or not.
I know from previous experience that a product can be transferred to a different account, which is something we could do only for some parts of our product (only a couple of Bundle IDs).
My question is what's the best way to do this. I can imagine that having a scripted scenario where the other business unit's product is removed from customers and ours is installed, in a different folder.
The main issue I can foresee is that because our architecture uses several network extensions that are installed as plugins (bad design I know), we would be asking the users for authorisation, again, to use those extensions, plus full disk access.
What options do I have?
Hi I am currently developping the "Sign in with apple" feature.
We set up everything according to the documentation :
https://developer.apple.com/help/account/configure-app-capabilities/configure-private-email-relay-service
When trying to send an email from one of the registered communication emails (that is SPF and DKIM Authentication compliant) the emails are still ending up in the spam box.
If it can help the received email address (that is hidden) is a gmail.
I can not catch what is missing/wrong on our side.
In the FAQ about Local Network, a lot of topics are covered but, unless I missed something, I didn't see the topic of MDMs being covered.
[Q] Could the FAQ be updated to cover whether it is possible to grant this Local Network permission through a configuration profile?
The answer, based on google searches and different forums, seems to be a negative. It seems a bit strange considering that this feature has been available on iOS for at least 3 years.
Anyway, even if it is not possible, it would be useful to add in the FAQ that this is not possible.
I want to install a driver package without internet access and the installation fail. This I think it is due to it need internet to check for signature with Apple Server.
The workaround is to disable System Integrity Protection, but I do not have the administrator password to disable it.
How to install a driver and allow a driver to run without internet access and administrator account? This driver is develop by ourself but how to by pass the code signing and security check for others to use this driver on their Mac PC?
Currently I am following
https://developer.apple.com/documentation/systemextensions/ossystemextensionrequest/activationrequest(forextensionwithidentifier:queue:)
to activate the system extension
If the extension is inactive, the system may need to prompt the user for approval. Which others API can I use which do not need prompt user for approval?
Beside in order to validate the code signing, it need to communicate with Apple server which required internet access. Any method to by pass this validation?
Hello,
I started looking to implement SSO with Apple on my website using this tutorial : https://developers.appcharge.com/docs/apple-sso-login
However, when going to https://developer.apple.com/account/resources/identifiers/list
to generate a new Key, i'm getting the error :
"Unable to find a team with the given Team ID 'XXXXXXXX' to which you belong. Please contact Apple Developer Program Support".
It was a breeze to implement Google SSO, but not for Apple.
I can't find much help online, could you guide me ?
Regards
I have implemented Sign in with Apple on website one weeks ago, and it work perfectly.
However, recently we start to receive invalid_grant with no error description while token validation, however the same client secret works on IOS app without issue....
in ios app site , we used bundle id for client_id.
in web site , we used service id for client_id;
I try to create a new privateKey for web site and add redirect_uri params to /auth/token, but still error....
I tested it like this,
i got authorization code using Service ID
i tried authorization code with Service ID using browser :
successfully got the code
and requested access_token immately
2 and then, i tried validate the authorization grant code to obtain tokens
curl like this
curl -X POST https://appleid.apple.com/auth/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "client_id=my_service_id" \
-d "client_secret=my_client_secret" \
-d "code=sent_from_frontend" \
-d "grant_type=authorization_code" \
-d "redirect_uri=my_redirect_uri"
then get fail and no error_description error_code is 400
invalid_grant
is not invalid_client error, and client secret is not expired too
My decoded token looks like the following :
{
"alg": "ES256",
"typ": "JWT",
"kid": "my_kid"
}
{
"aud": "https://appleid.apple.com",
"sub": "my_service_id",
"iss": "team_id",
"exp": 1744012650,
"iat": 1728460650
}
When we develop 'Sign in with Apple' function on our app, we visited https://appleid.apple.com to verify the account. However, appleid.apple.com is mapped to an American IP, and it is not suitable for our app which is operated in China. I wonder whether there is a China Mainland IP available for the verification? Thanks very much.
We have a Web server for Apple Pass and we received a complaint from a user because the Pass is being deleted every few days from the Apple Wallet App and the user had to reinstall the pass every time.
Upon checking our server logs we found DELETE (unregister) requests that were not initiated by the user.
Here are some (there are more) of those logs (I replaced some details with * for privacy):
From July
[29/Jul/2024:23:06:30 +0000] "DELETE /apple_wallet/v1/devices/****/registrations/pass.com..*/** HTTP/1.1" 200 31 "-" "passd/1.0 CFNetwork/1496.0.7 Darwin/23.5.0"
From August
[17/Aug/2024:22:51:33 +0000] "DELETE /apple_wallet/v1/devices/****/registrations/pass.com..*/** HTTP/1.1" 200 31 "-" "passd/1.0 CFNetwork/1498.700.2 Darwin/23.6.0"
From September
[08/Sep/2024:23:32:11 +0000] "DELETE /apple_wallet/v1/devices/****/registrations/pass.com...*/** HTTP/1.1" 200 31 "-" "passd/1.0 CFNetwork/1498.700.2 Darwin/23.6.0"
Other information for this specific user/device:
Phone 14 Pro Max - iOS 17.6
User has few other passes installed but none has disappeared only our issued pass.
We are hoping to get some help from Apple to figure out why the DELETE request is being sent out to our server without being initiated by the user.
I have already filed a ticket to Apple with Case-ID: 9315232
But I haven't gotten any feedback after a few weeks and some follow ups.
I have read that iOS data protection ensures most of the files to be stored encrypted. However, I saw someone insisting (elcomsoft blog) very few files are not encrypted. Are app’s cache files or tmp files not stored encrypted? For example, are safari history.db file and cache files stored in the flash encrypted?
Hi,
I'm currently in the middle of debugging between my macOS and server for implementing Platform SSO.
As part of the debug process, I sometimes want to restart the whole process, which means to get into the beginDeviceRegisteration method again.
I noticed that even if I push the Repair button in the user (under settings) it will go again and again into the beginUserRegistration, but it will not go again to the device registration.
Is there an option to reset the Platform SSO device registration? (already tried Repair, remove MDM profile of the PSSO etc.)
I am currently implementing an authentication function using ASWebAuthenticationSession to log in with my Instagram account.
I set a custom scheme for the callbackURLScheme, but
In the Instagram redirect URL
I was told I can't use a custom scheme.
What should I do with the callbackURLScheme of the ASWebAuthenticationSession in this case?
I heard and read in reddit and GitHub about that UIDevice.current.identifierForVendor.uuidString is restricted according to privacy. Its better use DeviceCheck API or create my own UUID. So is it correct? If its so please can you share apple privacy update about this?
I'm currently implementing a function in SwiftUI to log in with my Instagram account.
It's not working, I'm creating a Firebase Auth function and it comes back to the redirect URL.
This may happen if browser sessionStorage is inaccessible or accidentally cleared. This may happen if browser sessionStorage is inaccessible or accidentally cleared.
I get this error.
I can't implement it. I have tried various methods, but all have failed.
If anyone knows how to do this, please help.
import SwiftUI
import AuthenticationServices
import FirebaseAuth
struct InstagramLoginView: View {
var body: some View {
VStack {
Text("Login with Instagram") // タイトル
Button(action: {
// ボタンが押された時にInstagramのログイン処理を開始
InstagramLoginHelper().startInstagramLogin()
}) {
Text("Login with Instagram")
.padding()
.background(Color.blue)
.foregroundColor(.white)
.cornerRadius(8)
}
}
}
}
class InstagramLoginHelper: NSObject, ASWebAuthenticationPresentationContextProviding {
func startInstagramLogin() {
let clientID = "XXXXXXXXXXXX"
let redirectURI = "https://XXXXXXXXXXX.firebaseapp.com/__/auth/handler"
let authURL = "https://api.instagram.com/oauth/authorize?client_id=\(clientID)&redirect_uri=\(redirectURI)&scope=user_profile,user_media&response_type=code"
let schem = "XXXXXXXXXXXX"
if let url = URL(string: authURL) {
let session = ASWebAuthenticationSession(url: url, callbackURLScheme: schem) { callbackURL, error in
if let error = error {
print("Error during authentication: \(error.localizedDescription)")
return
}
if let callbackURL = callbackURL, let code = URLComponents(string: callbackURL.absoluteString)?.queryItems?.first(where: { $0.name == "code" })?.value {
// 認証コードを使ってFirebaseでログインする
self.loginWithInstagram(authCode: code)
}
}
session.presentationContextProvider = self
session.start()
}
}
func loginWithInstagram(authCode: String) {
// Firebaseのauthインスタンスを取得
let auth = Auth.auth()
// InstagramのOAuthプロバイダを使用する
let provider = OAuthProvider(providerID: "instagram.com")
// Instagramの認証コードを使って、プロバイダの認証資格情報を生成
provider.getCredentialWith(nil) { credential, error in
if let error = error {
print("Error during authentication: \(error.localizedDescription)")
return
}
if let credential = credential {
// Firebaseにログイン
auth.signIn(with: credential) { authResult, error in
if let error = error {
print("Error during Firebase authentication: \(error.localizedDescription)")
} else {
print("Successfully authenticated with Firebase.")
}
}
}
}
}
// ASWebAuthenticationPresentationContextProvidingの実装
func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
return UIApplication.shared.windows.first { $0.isKeyWindow } ?? ASPresentationAnchor()
}
}
#Preview {
InstagramLoginView()
}
Hello,
I would like to secure the exchanges between my application and my webservices to make sure requests are only made by an authentic application.
By searching the internet I discovered that App Attest from Device Check framework exists but it looks like there are some limitation about it :
App Attest doesn't work on most App Extensions (like Share extension)
We are limited by the requests count made to the App Attest webservice (only when generating the Apple certificate, one time by device / application).
The problem is I need this security on my app extension because I have a Share extension sending e-mails.
Do you have advice to secure the exchanges between my app and my webservices ?
I am currently using the ability to log in with my Instagram account using ASWebAuthenticationSession and it is not working!
I filled in the URL directly and there was no problem on the web, but when I run it in SwiftUI in Xcode, it doesn't work and
Error: The operation couldn’t be completed. (com.apple.AuthenticationServices.WebAuthenticationSession error 2.)
I get this error.
I was told that I need a custom scheme to return to mobile, but the Instagram redirect URL says no custom scheme.
What should I do?
IDs and URLs are placed under assumption.
I have no idea since this is my first implementation.
Should I send the scheme URL from the website to mobile once using Django or something else?
import SwiftUI
import AuthenticationServices
struct InstagramLoginView: View {
@State private var authSession: ASWebAuthenticationSession?
@State private var token: String = ""
@State private var showAlert: Bool = false
@State private var alertMessage: String = ""
var body: some View {
VStack {
Text("Instagram Login")
.font(.largeTitle)
.padding()
Button(action: {
startInstagramLogin()
}) {
Text("Login with Instagram")
.padding()
.background(Color.blue)
.foregroundColor(.white)
.cornerRadius(10)
}
if !token.isEmpty {
Text("Token: \(token)")
.padding()
}
}
.alert(isPresented: $showAlert) {
Alert(title: Text("Error"), message: Text(alertMessage), dismissButton: .default(Text("OK")))
}
}
func startInstagramLogin() {
let clientID = "XXXXXXXXXX" // Instagram client ID
let redirectURI = "https://example.com" // Instagram Redirect URI
guard let authURL = URL(string: "https://api.instagram.com/oauth/authorize?client_id=\(clientID)&redirect_uri=\(redirectURI)&scope=user_profile,user_media&response_type=code") else {
print("Invalid URL")
return
}
authSession = ASWebAuthenticationSession(url: authURL, callbackURLScheme: "customscheme") { callbackURL, error in
if let error = error {
print("Error: \(error.localizedDescription)")
return
}
guard let callbackURL = callbackURL else {
print("Invalid callback URL")
return
}
if let code = URLComponents(string: callbackURL.absoluteString)?.queryItems?.first(where: { $0.name == "code" })?.value {
print("Authorization code: \(code)")
getInstagramAccessToken(authCode: code)
}
}
authSession?.start()
}
func getInstagramAccessToken(authCode: String) {
let tokenURL = "https://api.instagram.com/oauth/access_token"
var request = URLRequest(url: URL(string: tokenURL)!)
request.httpMethod = "POST"
let clientID = "XXXXXXXXXXXX"
let clientSecret = "XXXXXXXXXXXXXX" // Instagram clientSecret
let redirectURI = "https://example.com/"
let params = "client_id=\(clientID)&client_secret=\(clientSecret)&grant_type=authorization_code&redirect_uri=\(redirectURI)&code=\(authCode)"
request.httpBody = params.data(using: .utf8)
request.setValue("application/x-www-form-urlencoded", forHTTPHeaderField: "Content-Type")
URLSession.shared.dataTask(with: request) { data, response, error in
if let error = error {
print("Error: \(error.localizedDescription)")
return
}
guard let data = data else {
print("No data")
return
}
if let jsonResponse = try? JSONSerialization.jsonObject(with: data, options: []) as? [String: Any],
let accessToken = jsonResponse["access_token"] as? String {
print("Access Token: \(accessToken)")
// ここでアクセストークンを使用してInstagram APIにアクセスする
} else {
print("Failed to get access token")
}
}.resume()
}
}
#Preview {
InstagramLoginView()
}
Hello
I have an app that uses the user's Device ID for tracking purposes.
I have since removed all ads and tracking.
I am now in a difficult position because I cannot turn off Device ID Tracking from App Privacy. The current app version has this on and contains the framework for turning it on.
If I try to submit an app without Tracking, it gets rejected with the message "The app uses the AppTrackingTransparency framework, but we are unable to locate the App Tracking Transparency permission request when reviewed on iOS 18.0."
So, I am now stuck.
I cannot turn off Device Tracking in App Privacy because my app previously had tracking.
I cannot remove the framework for Tracking because App Privacy has tracking on.
How can I proceed to remove all tracking traces from my app?
Jake
Hi, I have implemented Sign in with Apple on Android four months ago, and it work perfectly.
We are using React Native with expo, using expo-auth-session and firebase function to get code back to start the token validation process.
However, recently we start to receive invalid_grant with no error description while token validation, however the same client secret works on firestore without issue, which confuses us.
According to https://developer.apple.com/documentation/technotes/tn3107-resolving-sign-in-with-apple-response-errors, the common reasons that I receive invalid_grant are:
The client_id does not match the client for which the code was issued.
The code has expired or has been previously consumed by the validation server.
Is there any way I could differentiate whether is client_secret wrong or the code was used or any other reasons?