I have created a sign in with apple feature in my app, users who have logged in using the hide email feature are not receiving the email. I added email source in Configure Sign in with Apple for Email Communication and also added DKIM and SPF, But the mail still doesn't get sent. The domain I use to send emails is iotrust.kr.

Hi, I am developing a background screen recording app and macOS Sequoia is constantly blocking the app after restart with a nag screen "Confirm to continue the screen recording". That's looking insane! I know that the built-in Grab Screenshot app is not requesting any permission and that is an anti-competitive beaviour! I have found inside the compiled code the following plist XML code that disables the software firewall TCC, implemented by Apple. It's undocumented for no reason. Anyone knows how to repeat this unblocking tweak?

Hello! I have a question regarding AVSpeechSynthesizer and privacy concerns. Does the processing in AVSpeechSynthesizer occur on device, or is any part of the audio or text shared with Apple for service improvement or other purposes?

In our App, we store identity in keychain in a specific path var keychain: SecKeychain? let status = SecKeychainCreate(path, UInt32(password.count), password, false, nil, &keychain) guard status == errSecSuccess else { logger.error("Error in creating keychain: \(String(describing: SecCopyErrorMessageString(status, nil)))") throw KeychainError.keychainCreationError } Then later whenever process needs it. it open keychain, import it and uses it. status = SecPKCS12Import(identityData as CFData, [kSecImportExportPassphrase : password, kSecImportExportKeychain: keychain] as CFDictionary, &identityItems) authlog.info("Import status: \(status)") guard status == errSecSuccess else { authlog.error("Error in exporting identity : \(status) \(String(describing:SecCopyErrorMessageString(status, nil)))") throw ClientAuthError.identityFormationError } This worked well till sequoia beta 2. In Sequoia beta 3 and 4, this fails to import with error -25300 : The specified item could not be found in the keychain. one thing I noticed is import succeeds if the keychain is freshly created. when tried to reuse existing keychain it fails in import error. Is this a bug in beta or it any changes made in keychain level by Apple itself. Please help with the solution Log trace: [ 24-07-2024 12:39:15:192 ] [INFO] Challenge delegate received [ 24-07-2024 12:39:15:192 ] [INFO] Client authentication challenge [ 2024-07-24 12:39:15 ] [INFO] retcode of "/bin/chmod -R 777 "/Library/<path>/data/agent-resource"" ::: 0 [ 24-07-2024 12:39:15:237 ] [INFO] Opening keychain... [ 24-07-2024 12:39:15:240 ] [NOTICE] Keychain open status: -25294 [ 24-07-2024 12:39:15:241 ] [ERROR] Keychain error: Optional(The specified keychain could not be found.) [ 24-07-2024 12:39:15:241 ] [INFO] Creating keychain.. [ 24-07-2024 12:39:15:448 ] [INFO] Import status: 0 [ 24-07-2024 12:39:15:448 ] [INFO] Identity: <SecIdentity 0x7ff3ec1f7df0 [0x7ff85540e9a0]> [ 24-07-2024 12:39:15:448 ] [INFO] Credential sent [ 24-07-2024 12:39:15:581 ] [INFO] Upload request completed.. [ 24-07-2024 12:39:15:583 ] [INFO] Status code: 200 [ 25-07-2024 12:24:55:300 ] [INFO] Client authentication challenge [ 25-07-2024 12:24:55:300 ] [INFO] Opening keychain... [ 25-07-2024 12:24:55:305 ] [NOTICE] Keychain open status: 0 [ 25-07-2024 12:24:55:439 ] [INFO] Import status: -25300 [ 25-07-2024 12:24:55:440 ] [ERROR] Error in exporting identity : -25300 Optional(The specified item could not be found in the keychain.) [ 25-07-2024 12:24:55:440 ] [CRITICAL] Error in getting identity: identityFormationError [ 25-07-2024 12:24:55:441 ] [ERROR] Error in obtaining identity [ 25-07-2024 12:24:55:513 ] [INFO] Download request complete... [ 25-07-2024 12:24:55:515 ] [INFO] Status code: 200

Hello, I saw that, in IOS 18 + FaceTime + SharePlay, we can take the control of another device (for support an user for example). I would like to block the use of SharePlay on my application. My application does not include Capabilites "Group Activities", but I do not know whether this is sufficient to block the use of SharePlay. What do you think ? Thanks in advance for your returns.

Hello macOS gurus, I am writing an AUv3 plug-in and wanted to add support for additional formats such as CLAP and VST3. These plug-ins must reside in an appropriate folder /Library/Audio/Plug-Ins/ or ~/Library/Audio/Plug-Ins/. The typical way these are delivered is with old school installers. I have been experimenting with delivering theses formats in a sandboxed app. I was using the com.apple.security.temporary-exception.files.absolute-path.read-write entitlement to place a symlink in the system folder that points to my CLAP and VST3 plug-ins in the bundle. Everything was working very nicely until I realize that on my Mac I had changed the permissions on these folders from to The problem is that when the folder has the original system permissions, my attempt to place the symlink fails, even with the temporary exception entitlement. Here's the code I'm using with systemPath = "/Library/Audio/Plug-Ins/VST3/" static func symlinkToBundle(fileName: String, fileExt: String, from systemPath: String) throws { guard let bundlePath = Bundle.main.resourcePath?.appending("/\(fileName).\(fileExt)") else { print("File not in bundle") } let fileManager = FileManager.default do { try fileManager.createSymbolicLink(atPath: systemPath, withDestinationPath: bundlePath) } catch { print(error.localizedDescription) } } So the question is ... Is there a way to reliably place this symlink in /Library/... from a sandboxed app using the temporary exception entitlements? I understand there will probably be issues with App Review but for now I am just trying to explore my options. Thanks.

Hi there, I'm having some trouble with getting a OAuth Authorization Code redirect with a custom scheme to work with ASWebAuthenticationSession. I am trying to build an app that integrates with an authentication provider, in which I have configured like this: Callback URL: myapp://auth In my iOS app, I have define this as a custom scheme in my info.plist file. <dict> <key>CFBundleURLTypes</key> <array> <dict> <key>CFBundleTypeRole</key> <string>Editor</string> <key>CFBundleURLName</key> <string>com.abc.def</string> <key>CFBundleURLSchemes</key> <array> <string>myapp</string> </array> </dict> <dict/> </array> </dict> Excuse the messy-ish code below, but I just want to see this work. import SwiftUI @main struct MyApp: App { var body: some Scene { WindowGroup { AContentView() .onOpenURL { url in print("Received URL in onOpenURL: \(url)") Self.handleURL(url) } } } static func handleURL(_ url: URL) { print("Handled URL: \(url)") } } import AuthenticationServices struct AContentView: View { @Bindable var viewModel = SomeViewModel() @State private var authSession: ASWebAuthenticationSession? @State private var presentationContextProvider = PresentationContextProvider() var body: some View { VStack { Button(action: doIt) { Text("Authenticate") } } } func doIt() { Task { @MainActor in await viewModel.onLaunchAsync() // this asynchronously gets some stuff that is used to build `viewModel.loginUrl` authenticate() } } func authenticate() { let authURL = viewModel.loginUrl! // Replace with your auth URL let callbackURLScheme = "myapp" authSession = ASWebAuthenticationSession(url: authURL, callback: .customScheme(callbackURLScheme)) { callbackURL, error in if let error = error { print("Authentication error: \(error.localizedDescription)") return } guard let callbackURL = callbackURL else { print("No callback URL") return } print("Callback URL: \(callbackURL)") MyApp.handleURL(callbackURL) } authSession?.presentationContextProvider = presentationContextProvider authSession?.start() } } class PresentationContextProvider: NSObject, ASWebAuthenticationPresentationContextProviding { func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor { return UIApplication.shared.windows.first! } } I'm running Proxyman, and can see the calls the iOS app makes. When I click the "authenticate" button, I get the expected request to open Safari, and login to a web form provided by an authentication provider. Next, I am redirected to a "choose consents" page, where I can choose scopes. Finally, on this page, I click "Allow" at the bottom of this list of scopes, but instead of being 'sent' back to the app, the redirect doesn't work. The final API call the web screen makes is to a /consent endpoint which replies with an HTTP 302, and a Location header as below: Location: myapp://auth#code=<something>. This doesn't close the window, either in a simulator or a real device. I can verify that my scheme is working correctly, as if I manually in Safari browse to myapp://auth#code=1234 it asks me if I want to open in my app, and I can see my print firing off. Am I missing something? What am I doing wrong here? While I could implement this myself using WKWebView / WKNavigationDelegate to intercept the new location, see if its my custom scheme, and then close it out, that seems hacky, and AFAIK ASWebAuthenticationSession should support my use-case. Many thanks!

Hi Folks, I have a need to create and store a 256 bit symmetric key that I use to encrypt and decrypt data stored on disk. There is also a need to continue to do this both in the backgroud and in the application extensions. As far as I know, SE does not work with symmetric key, but there is an option to encrypt the symmetric key with an SE-protected asymmetric key. The question arises, how is this different from just storing the key in Keychain, since I can't take advantage of SE's main advantage of not storing the key in memory, even for a short time. (Anyway, I can't not store the key in memory anyway, because the key is used by a third-party framework.) Should I also use SE for this purpose, decrypt my symmetric key, give the symmetric key to the framework for a short time and then zeroize it?

I just updated to Sonoma on a Mac Mini that runs all my ad-hoc DIY home automations, and I have a bunch of custom self-made tools for triggering automations based in part on the state of reminders in the Reminders app. All of that stopped working immediately after the update. It took me a day to update my code for the new location of the sqlite reminders files and I made the changes to get my scripts working again, however one remaining problem is that I run an fswatch from node-red to monitor the database for changes to trigger my automations. Eventually, with help from stack and perlmonks, I found out that even though the permissions on the full path (via my home directory/Library) to the files is r*x to me and the node-red executable is running as me, I get an Operation not permitted error when I just try lsing the directories leading to the sqlite files. I read elsewhere that this sort of problem can be solved by granting full disk access to the executables(/processes) that are getting the Operation not permitted errors. However, I tried this, yet I still get the same error. Do I need to reboot? Is there some sort of documentation for casual users like myself that just code for themselves that can answer questions like this? The more aggressive Apple gets with security, the safer users are, but the more headaches and bewilderment it causes people like me.

Hi, Is there some reference documentation about the properties of a CryptoKit SecureEnclave PrivateKey and its properties? Concretely, these are some of the questions that I wanted to find a (documented) answer on: Who can use a SecureEnclave.P256.*.PrivateKey if they have access to the dataRepresentation? I expect that the private key is bound to the specific secure enclave processor, but it also seems to be bound for the user that created the key (from observation by creating a PrivateKey without any access control). What if there's a restore from backup of the machine, will the private key still be usable? What does a SecureEnclave.P256.*.PrivateKey's dataRepresentation include? From observation, I'm assuming the dataRepresentation is a signed/encrypted blob that includes a unique ID (no 2 keys are the same), the access control settings (biometry required, passcode required, ...), some sort of version of the biometry (so it is be invalidated when the biometry changes). Is there anything else? I'm not interested in the actual encoding (which I understand is undocumented), but want to get an idea of what properties are included in the representation and e.g. can't change in the future. Answers to these questions could e.g. help make a decision how secure the private key's dataRepresentation needs to be kept (e.g. if it can only be used by myself, and i'm sure it will only ever be valid with the access control flags its representation contains, I could decide it's ok to have this key be in a public place) I tried looking for answers in some pieces of documentation, but couldn't immediately find the details I was looking for: The CryptoKit SecureEnclave documentation The Secure Enclave article The Protecting keys with the Secure Enclave article thanks! Remko

I have set kCGWindowSharingState to none for my app. Even though the sharing state is none, I am still able to record my app's content using the native screen recording app and third-party apps. My App window detaills: { kCGWindowAlpha = 1; kCGWindowBounds = { Height = 700; Width = 1000; X = 1956; Y = 105; }; kCGWindowIsOnscreen = 1; kCGWindowLayer = 0; kCGWindowMemoryUsage = 2176; kCGWindowName = "Create and Sell Online Training Programs - TrainerCentral"; kCGWindowNumber = 13352; kCGWindowOwnerName = TrainerCentral; kCGWindowOwnerPID = 95409; kCGWindowSharingState = 0; kCGWindowStoreType = 1; }

I'm encountering an issue related to PCSC (PC/SC) smart card interactions on macOS 14 that I haven't experienced on earlier versions of macOS. When sending an APDU command to generate a key pair on a smart card: On macOS 12: The operation works as expected. On macOS 14: The card responds with an error 66 02. Are there any any changes to PCSC implementation in macOS 14 that might affect smart card operations?

Hello, I made a game (RPG) and I would like to add an option to unlock custom sprite/skin for characters. This option is not essential to use the app. That is the system that I want to make for this unlock option : A link in the app send the player on a website. The custom sprite could be unlocked by looking around 20 pages on a website (with contains advertising). At the pages number 20, a code is displayed and the player can use it in the app. (Page 1 send to page 2, page 2 to page 3... until page 20) Is it allowed? An other question about advertising for children. I read the guidelines, some rules are specific for children. Some data couldn't be collected. What is the age exact for those rules please? Thank you

I am implementing Sign In With Apple for a web app, and am having trouble with signing in on an iOS device. I manually create the Auth URL, of the format: https://appleid.apple.com/auth/authorize?response_type=code&state={STATE}&client_id={MY_CLIENT_ID}&redirect_uri={MY_REDIRECT_URI}&scope=openid+name+email&response_mode=form_post When a user clicks the Sign In link on desktop, it brings me to the screen shown below. After entering your Apple ID and password, a login event with a code is sent to my backend/Redirect URI. Everything works as expected and the user is logged in successfully. On iOS (I've tested in both Chrome and Safari for iPhone), clicking the link gives me the following popup. Hitting continue appears to complete the login process, but nothing happens. No code is sent to my Redirect URI, and the user is not logged in. It seems like Apple is just "swallowing" this login and not sending the appropriate request to my Redirect URI. What is happening? How can I fix this?

Is there a way for an app to interact with the new iOS 18 feature "Locked/Hidden Apps"? In our apps we prompt our users for biometric authentication ourselves and found that locking an app seems to interfere with that.

Hi, I'm getting 400 Missing or badly formatted authorization token everytime I call the following API from my local Server ( I tried calling this API from my app itself as well) curl --location 'https://api.development.devicecheck.apple.com/v1/query_two_bits' \ --header 'Authorization: Bearer <<JWT-token>>' \ --header 'Content-Type: application/json' \ --data '{ "device_token": Token_fetched_from_Device_Check, "transaction_id":"c6bdb659-0ee6-443d-88cb-a8f036dfc551", "timestamp": 1721300244267 }' "device_token" - I have generated from DeviceCheck framework JWT-token - I generated using key from .p8 file generated from Apple developer portal, keyId of the same and the team Id ( I have individual account) IMP Points- I have created this .p8 file from apple developer account, and I did enable Device check option while creating the key. I also tried calling this API after 7 hours ( and more then that as well) of creating key from the developer portal as I have read somewhere that the key gets activated after few hours. I understand (again read somewhere) that the token created by DeviceCheck framework has some expiration time so I tried with freshly created token several times as well. This is how I'm generating token using DeviceCheck - if curDevice.isSupported{ DCDevice.current.generateToken { (data, error) in if let data = data { } } } JWT token generation - func createJWTToken(privateKey: String, keyID: String, teamID: String) -> String? { // Set up the JWT header var jwtHeader = Header() jwtHeader.kid = keyID // Set up the JWT claims let jwtClaims = MyClaims(iss: teamID, iat: Date()) // Create the JWT var jwt = JWT(header: jwtHeader, claims: jwtClaims) // Convert the private key to Data guard let privateKeyData = Data(base64Encoded: privateKey) else { print("Invalid private key") return nil } // Sign the JWT let jwtSigner = JWTSigner.es256(privateKey: privateKeyData) do { let signedJWT = try jwt.sign(using: jwtSigner) return signedJWT } catch { print("Failed to sign JWT: \(error)") return nil } } But no luck, please suggest something. any sort of help is much appreciated. Thank you

Hello fellow developers, I am currently developing an iOS app and we are planning to update the content of our subscription plans. In light of these changes, I would like to seek advice on the best practices for notifying users and obtaining their consent for the updated plans. Additionally, I would like to understand how to notify users about these changes via email and whether this can be managed through platform. Email Notification: • Is there any support from platform to notify users via email about subscription plan changes? • What are the best practices and considerations for notifying users about plan changes through email from a developer’s perspective? I am aiming to implement these changes smoothly and transparently for our users. If anyone has experience with similar scenarios or knows of useful resources, your guidance would be greatly appreciated. Thank you for your time and insights. Best regards,

Hello, I am browsing with Safari. A website asks me to access my microphone (it is a Safari prompt dialog, not a system dialog). I am answering "yes, you can access to my microphone". Everything works fine, my microphone is allowed. Now, i am going to macOS system settings, in "Privacy & Security" section. I open "Microphone" sub section: And i don't see any entry for Safari. My question is ... Why ? Safari is accessing to my microphone at this moment and i don't see any grant information about this in system settings... Maybe apple allows his own softwares but this is not good for security... I hope it is not the same behaviour for full disk access grant... Thanks

Hi, my app ScreenFloat can capture screenshots and record the screen (along with system- and microphone audio). It does this in an XPC service. On macOS Sequoia b1-3, recording does not work anymore (although permissions are granted to the app in System Preferences > Privacy & Security). Instead, I keep getting an error that my XPC service can access this computer's screen and audio. (of course, that's the point!) First of all, the screen is locked when the warning appears, clicks anywhere on the screen are not recognized. I have to hit Escape (or wait about a minute, at which point it resolves itself), to be able to click anywhere. Clicking on Continue To Allow doesn't do anything, either. The warning just re-appears every time. Do I need to add a new entitlement to my main app or the XPC service, or any new NSUsage strings to the InfoPlist.strings? How can I resolve this? Thank you, Matthias

Hello, I show Google AdMob ads in my app so I needed to add Google consent management platform prompt provided by Google (documentation can be found here https://support.google.com/admob/answer/13554116). But at the same time, Apple wants me to use their prompt using the AppTrackingTransparency framework and remove the "custom" one (one from Google). Does anyone know how I could resolve that? Is the only way to resolve that to show a prompt using the AppTrackingTransparency framework first and once a user accepts that, show the one from Google CMP? Apple rejected my app update because of this, giving the following reason: "The app does not use App Tracking Transparency to request the user's permission before collecting data used to track them. Instead, the app displays a custom prompt that requests the user to allow tracking. Apps need to receive the user’s permission through the AppTrackingTransparency framework before collecting data used to track them. Requesting permission with a custom prompt is not appropriate.".