Hi,
we looking for direct API to detect another apps who sharing screen , because for security reason (banking app) - our app not want to be shared, some hackers use remote desktop solution to stole money, we checked few existing solutions but there are no solution to checking for apps who sharing screen (only), how to resolve that issue?
ps
a) isCapture/scenCaptureState - is more general api and have newest iOS version requirements
b) checking for open scheme used by another apps(LSApplicationQueriesSchemes) - is dedicated for own apps, and require known name of all schemes used by sharing apps.
What is direct solution to resolve that issue?
Prioritize user privacy and data security in your app. Discuss best practices for data handling, user consent, and security measures to protect user information.
Post
Replies
Boosts
Views
Activity
I need to integrate BLE (Bluetooth Low Energy) functionality into an authorization plugin. Specifically, I want to use a beacon to send a notification to the user if the app is not running or has been killed. However, I’ve encountered a significant limitation: Core Bluetooth is not permitted to be used within authorization plugins, whereas the Multipeer Connectivity framework operates without issue which use WiFi.
This has led me to a few questions:
What are the fundamental differences in entitlements or restrictions between Core Bluetooth and the Multipeer Connectivity(WiFi) framework that could explain why Core Bluetooth is disallowed in authorization plugins?
Are there specific technical or security concerns associated with Core Bluetooth that prevent its use in these contexts, while the Multipeer Connectivity framework is allowed?
Given that Google’s Nearby Connections API can work within authorization plugins, could there be any similar approaches or best practices for implementing BLE functionality in scenarios involving authorization plugins? For reference, you can check Google’s Nearby Connections API here: Google Nearby Connections - https://developers.google.com/nearby/connections/swift/get-started
Any insights or suggestions on how to overcome this limitation or alternative approaches to achieve the desired functionality would be greatly appreciated.
Thank you in advance for your help!
We have integrated Login with the Apple ID feature in our iOS App. Whenever a user tries to sign in with Apple ID from within our app, after authorizing the login process we get this error "Something went wrong".
This happens with some iPhones whereas some users work fine without such an issue. At the same time the login with Apple ID in the same app works with some iPhone users without any issue.
This is quite a strange problem and we cannot trace the root cause, if anyone has faced the same issue. Please do let me know.
When we transfer app A to app B, if we transfer the app but don't migrate the user to app B, will the user's previous tokens from app A be invalid? Is this failure real-time or will there be a buffer period to transfer users? If it is a live failure, we want to transfer some users during the transferation process to prevent accidents, and then test them. Is there a way to test it?
I want to modify my security policy from the startup security utility. When I try so to modify the options:
• Allow user management of kernel extensions from identified developers
or
• Allow remote management of kernel extensions and automatic software updates
I get: The operation couldn’t be completed. (SDErrorDomain error 104.)
Trying to install UAD Arrow and need to change the security policy.
Any help will be appreciated.
Apple provides a way for the app developer to migrate app data from previous locations to the Mac App Store app container folder, see Migrating your app’s files to its App Sandbox container.
My question is, it seems this feature only allows us to migrate or move the existing app files into the sandbox folder, however, I'd like to "copy" these files instead of "move" them.
Instead of using the "Move" key in the plist file, I have already tried "Copy" key and it didn't work.
Apple is Delaying the Review of a Critical iOS 17 Vulnerability to Avoid Official Acceptance and Bounty Payment
Hamed Hamedi, a security researcher, has revealed that Apple is prolonging the review process of a serious security vulnerability in the iCloud lock screen, which he discovered in iOS 17. According to Hamedi, he has submitted all the necessary evidence, including multiple videos and detailed explanations, to Apple's security team. However, despite the passage of time and providing precise information, Apple has been stalling the process by asking repetitive questions and requesting additional documentation, effectively delaying the report's resolution.
This security bug allows users to bypass the iCloud lock screen using VoiceOver and a few simple gestures, gaining access to various parts of the device. Despite the fact that all the steps are clearly demonstrated in the submitted videos, Apple has refrained from officially acknowledging the bug and processing the associated bounty.
Hamedi believes the upcoming release of the iPhone 16 and iOS 18 might be the main reason for these delays, as acknowledging the bug could negatively impact the reputation and security of Apple's new products, potentially eroding customer trust. He suspects that Apple is deliberately postponing the case to prevent the public disclosure of the vulnerability right before the launch of its new products.
Apple's delay in addressing such serious security issues raises important questions about the company's priorities in safeguarding user security and maintaining transparency in handling critical problems. It remains unclear what decision Apple will ultimately make regarding this case, but the delays have already sparked significant concern among security experts.
https://www.instagram.com/p/C_iZGUJK6ok/?igsh=MTlnMnQ0bGswM2cyYQ==
In macOS Sequoia, I want to open programmatically the Local Network pane in Settings > Privacy & Security. But I can't find the pane ID.
Does chaging TeamID, also chages identifierForVendor?
Halo, I want to ask, i have an application. I get keychain value from i click apps launch but this case after i launch my apps keychain failed retrieve and my apps can't access this value after that the value change to nil. How to solve this problem ?
Is it possible to run multiple instance of an app at the same time such that each instance is running in its own sandbox environment? For eg- Each app should have it's own ~/Library and other shared directories. Maybe something like chroot, but I am not sure it would be possible.
And by sandbox I really mean isolation, not necessarily macOS App Sandbox.
I am unable to create SecKey from serverPublic key. I get the below error
Error Domain=NSOSStatusErrorDomain Code=-50 "EC public key creation from data failed" UserInfo={numberOfErrorsDeep=0, NSDescription=EC public key creation from data failed}
My code looks like this so far. Not sure what is going wrong.
let attributes: [String: Any] = [
kSecAttrKeyType as String: kSecAttrKeyTypeEC,
kSecAttrKeyClass as String: kSecAttrKeyClassPublic,
kSecAttrKeySizeInBits as String: 256
]
let serverPublicKey = "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGcpMOdqpgCt3Lhvy8pqBcPgQdKcj646CqJWArdcvkaTZfIGADRsk6TkKuvcHVE+excJ2fKlZDLLRt1vy8n7xww=="
guard let serverPublicKeyData = Data(base64Encoded: serverPublicKey) else { return }
var error: Unmanaged<CFError>?
guard let serverPublickeySec = SecKeyCreateWithData(serverPublicKeyData as CFData, attributes as CFDictionary, &error) else {
throw error!.takeRetainedValue() as Error
}
Hello. I recently transferred an app from my dev account to a different one. I'm trying to follow these instructions to generate transfer IDs, and am stuck on Step 1 (creating an access token).
I keep getting {'error': 'invalid_client'}. Here's the python script I'm using to generate the access token:
TEAM_ID = "..."
KEY_ID = "..."
KEY_FILE = "key.p8"
CLIENT_ID = "com.myapp.bundle"
def get_access_token() -> str:
client_secret = get_client_secret()
print(f"client secret: {client_secret}")
url = "https://appleid.apple.com/auth/token"
req_headers = {"Content-Type": "application/x-www-form-urlencoded"}
data = {
"grant_type": "client_credentials",
"scope": "user.migration",
"client_id": CLIENT_ID,
"client_secret": client_secret,
}
response = requests.post(url, headers=req_headers, data=data)
json = response.json()
return json["access_token"]
def get_client_secret() -> str:
payload = {
"iss": TEAM_ID,
"iat": int(time.time()),
"exp": int(time.time() + 86400 * 7), # 7 days
"aud": "https://appleid.apple.com",
"sub": CLIENT_ID,
}
key = open(KEY_FILE, "r").read()
print(f"Key: {key}")
headers = {"alg": "ES256", "kid": KEY_ID}
return jwt.encode(payload, key, algorithm="ES256", headers=headers)
print(get_access_token())
The app was transferred about 2 weeks ago, so well within the 60 day period. And the script actually briefly got an access token for about 30 minutes yesterday, but is no longer working.
Any ideas? Thanks in advance.
Hey all, I'm encountering persistent issues while attempting to migrate users for an app transfer using Sign In with Apple. I hope to get some insights or solutions from those who might have faced similar challenges.
Context: We're transferring an app from one developer account to another. The app previously only had Sign In with Apple configured for iOS, not for web. We're now trying to set up the user migration process as part of the transfer.
Current Setup:
Old App Bundle ID: old.bundle.id24
Old Team ID: 123456789
New Team ID: 234567890
Issue:
When attempting to generate transfer identifiers for our users, we're encountering an "invalid_client" error. Here's what we've observed:
Using old_client_id = 'old.bundle.id24': Successfully generates an access token but fails at the user migration info step with an "invalid_client" error.
Using old_client_id = 'old.bundle.id' (without '24'): Fails to generate an access token with an "invalid_client" error.
Simplified script I am using
old_client_id = 'old.bundle.id24'
old_team_id = '123456789'
new_team_id = '234567890'
# JWT Payload for client secret
jwt_payload = {
'iss': old_team_id,
'iat': int(time.time()),
'exp': int(time.time()) + 15552000, # 180 days
'aud': 'https://appleid.apple.com',
'sub': f'{old_team_id}.{old_client_id}'
}
# Generate client secret
client_secret = jwt.encode(jwt_payload, private_key, algorithm='ES256', headers={'kid': key_id, 'alg': 'ES256'})
# Request access token
token_response = requests.post('https://appleid.apple.com/auth/token',
data={
'grant_type': 'client_credentials',
'scope': 'user.migration',
'client_id': old_client_id,
'client_secret': client_secret
},
headers={'Content-Type': 'application/x-www-form-urlencoded'}
)
# If successful, proceed to user migration info request
if token_response.status_code == 200:
access_token = token_response.json()['access_token']
migration_response = requests.post('https://appleid.apple.com/auth/usermigrationinfo',
data={
'sub': user_sub,
'target': new_team_id,
'client_id': old_client_id,
'client_secret': client_secret
},
headers={
'Authorization': f'Bearer {access_token}',
'Content-Type': 'application/x-www-form-urlencoded'
}
)
# This is where we get the "invalid_client" error
print(migration_response.status_code, migration_response.text)
What we've tried:
Verified all IDs (client ID, team ID, key ID) match between our code and the Apple Developer portal.
Ensured the JWT is correctly signed with the ES256 algorithm.
Checked that the client secret hasn't expired.
Verified the content type is set correctly for all requests.
Waited 72h+ since the key was first generated.
Questions:
Could the lack of web configuration in the original app be causing this issue? If so, how can we rectify this post-transfer?
Is there a specific way to handle migrations for apps that were only configured for iOS Sign In with Apple?
Are there any known issues or additional steps required when the old and new bundle IDs differ slightly (e.g., with/without '24' at the end)?
How can we further diagnose the root cause of this "invalid_client" error, given that it occurs at different stages depending on the client ID used?
Any insights, suggestions, or solutions would be greatly appreciated - I really don't know what to try at this point... Thank you in advance for your help!
Hey all,
I'm encountering persistent issues while attempting to migrate users for an app transfer using Sign In with Apple. I hope to get some insights or solutions from those who might have faced similar challenges.
Context:
We're transferring an app from one developer account to another.
The app previously only had Sign In with Apple configured for iOS, not for web.
We're now trying to set up the user migration process as part of the transfer.
Current Setup:
Old App Bundle ID: old.bundle.id24
Old Team ID: 123456789
New Team ID: 234567890
Issue:
When attempting to generate transfer identifiers for our users, we're encountering an "invalid_client" error. Here's what we've observed:
Using old_client_id = 'old.bundle.id24': Successfully generates an access token but fails at the user migration info step with an "invalid_client" error.
Using old_client_id = 'old.bundle.id' (without '24'): Fails to generate an access token with an "invalid_client" error.
Simplified script I am using
old_client_id = 'old.bundle.id24'
old_team_id = '123456789'
new_team_id = '234567890'
# JWT Payload for client secret
jwt_payload = {
'iss': old_team_id,
'iat': int(time.time()),
'exp': int(time.time()) + 15552000, # 180 days
'aud': 'https://appleid.apple.com',
'sub': f'{old_team_id}.{old_client_id}'
}
# Generate client secret
client_secret = jwt.encode(jwt_payload, private_key, algorithm='ES256', headers={'kid': key_id, 'alg': 'ES256'})
# Request access token
token_response = requests.post('https://appleid.apple.com/auth/token',
data={
'grant_type': 'client_credentials',
'scope': 'user.migration',
'client_id': old_client_id,
'client_secret': client_secret
},
headers={'Content-Type': 'application/x-www-form-urlencoded'}
)
# If successful, proceed to user migration info request
if token_response.status_code == 200:
access_token = token_response.json()['access_token']
migration_response = requests.post('https://appleid.apple.com/auth/usermigrationinfo',
data={
'sub': user_sub,
'target': new_team_id,
'client_id': old_client_id,
'client_secret': client_secret
},
headers={
'Authorization': f'Bearer {access_token}',
'Content-Type': 'application/x-www-form-urlencoded'
}
)
# This is where we get the "invalid_client" error
print(migration_response.status_code, migration_response.text)
What we've tried:
Verified all IDs (client ID, team ID, key ID) match between our code and the Apple Developer portal.
Ensured the JWT is correctly signed with the ES256 algorithm.
Checked that the client secret hasn't expired.
Verified the content type is set correctly for all requests.
Waited 72h+ since the key was first generated.
Questions:
Could the lack of web configuration in the original app be causing this issue? If so, how can we rectify this post-transfer?
Is there a specific way to handle migrations for apps that were only configured for iOS Sign In with Apple?
Are there any known issues or additional steps required when the old and new bundle IDs differ slightly (e.g., with/without '24' at the end)?
How can we further diagnose the root cause of this "invalid_client" error, given that it occurs at different stages depending on the client ID used?
Any insights, suggestions, or solutions would be greatly appreciated - I really don't know what to try at this point... Thank you in advance for your help!
"Sign in with Apple" logo - how to make personalized for MacOS using my customized logo for the specific application?
Hello Apple Developer,
I have some questions regarding slow keychain access. We recently launched a product, and users with certain specific device models have reported slow performance. I'm not sure what's causing this issue and would appreciate your help in analyzing it.When using keychain groups, I didn’t specify a group, and on some devices, the queries are particularly slow. I'm unsure of the reason for this.I’m using kSecAttrTokenIDSecureEnclave, and each time I execute SecItemCopyMatching or SecItemDelete, the operation is particularly slow, taking around 2 seconds.It’s strange that when setting the default keychain group (team ID + bundle ID), the access is not slow. However, since the project has enabled the keychain group, if I set a keychain group, I cannot access the data that was stored before setting the keychain group.
Here is a snippet of my code:
NSMutableDictionary *parameters = [[NSMutableDictionary alloc] initWithObjectsAndKeys:(__bridge id)kSecAttrTokenIDSecureEnclave,(__bridge id)kSecAttrTokenID,
(__bridge id)kSecAttrKeyTypeEC,(__bridge id)kSecAttrKeyType,
@256,(__bridge id)kSecAttrKeySizeInBits,
PrivateKeyAttrs,(__bridge id)kSecPrivateKeyAttrs,nil];
privateKey = SecKeyCreateRandomKey((__bridge CFDictionaryRef)parameters, &error);
Here is a search of my code:
SecKeyRef privateKey = NULL;
//CFTypeRef *private = &privateKey;
NSDictionary *query = nil;
query = @{
(__bridge id)kSecClass: (__bridge id)kSecClassKey,
(__bridge id)kSecAttrApplicationTag: serviceID,
(__bridge id)kSecReturnRef: @YES
};
OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef *)&privateKey);
if (privateKey) {
CFRelease(privateKey);
}
I am trying to understand the mechanics of how iOS/iPadOS apps work on macs with Apple Silicon.
In particular, I'd like to understand the runtime environment of these apps.
I installed one to test it on a mac. I ran codesign --entitlements on a mac, on an iOS app downloaded form the mac app store.
I was very surprised to see the sandbox entitement was NOT present.
On iOS all apps are sandboxed, so I was very surprised to see that the macOS translation was not sandbox. This seems like a significant weakening of the security.
Can anyone shed some light on that?
This is a continuation of
https://developer.apple.com/forums/thread/760861
Still a mixed Qt/C++/ObjC app, developed with Qt Creator.
The gist ist that I can call Sign in With Apple and authorise, but once the Authorisation Window/Panel goes away, the app is blocked.
PBSigninWithApple:: PBSigninWithApple()
{
myImpl = [[PBSigninWithApple alloc] initWithOwner:this];
}
- (id)initWithOwner:(PBSigninWithApple *) owner {
self = [super init];
myOwnerSIWA = owner;
ASAuthorizationAppleIDProvider *appleIDProvider = [ASAuthorizationAppleIDProvider new];
ASAuthorizationAppleIDRequest *request = appleIDProvider.createRequest;
request.requestedScopes = @[ASAuthorizationScopeFullName, ASAuthorizationScopeEmail];
ASAuthorizationController *controller = [[ASAuthorizationController alloc] initWithAuthorizationRequests:@[request]];
controller.presentationContextProvider = self;
controller.delegate = self;
[controller performRequests];
return self;
}
The code example above is obviously reduced, but the real things works. I get the Sign in With Apple window and can authorise by TouchId.
The didCompleteWithAuthorization and didCompleteWithError methods also work, emitting the the idendityToken to the calling superclass works, the authorisation window goes away - but not really. The calling QT app is semi-blocked. I can close windows ny using the Escape key, but any clicking just gives the dreaded beep and nothing happens. So I assume that we didn‘t tear down everything and that the anchor or whatever still has to focus.
- (void)authorizationController:(ASAuthorizationController *)controller didCompleteWithAuthorization:(ASAuthorization *)authorization API_AVAILABLE(macos(10.15)) {
if ([authorization.credential isKindOfClass:[ASAuthorizationAppleIDCredential class]]) {
ASAuthorizationAppleIDCredential *appleIDCredential = authorization.credential;
NSString *user = appleIDCredential.user;
NSData *identityToken = appleIDCredential.identityToken;
NSData *authorizationCode = appleIDCredential.authorizationCode;
emit myOwnerSIWA->accessCodeReceived(identityToken);
}
[[NSNotificationCenter defaultCenter]
removeObserver:self
name:ASAuthorizationAppleIDProviderCredentialRevokedNotification
object:nil];
[myAnker close];
[self release];
}
- (void)authorizationController:(ASAuthorizationController *)controller didCompleteWithError:(ASAuthorization *)authorization API_AVAILABLE(macos(10.15)) {
emit myOwnerSIWA->accessCodeReceived(QString(""));
[[NSNotificationCenter defaultCenter]
removeObserver:self name:ASAuthorizationAppleIDProviderCredentialRevokedNotification
object:nil];
}
-(ASPresentationAnchor)presentationAnchorForAuthorizationController:(ASAuthorizationController *)controller API_AVAILABLE(macos(10.15)) {
NSRect frame = NSMakeRect(30, 30, 230, 230);
NSUInteger windowStyle = NSWindowStyleMaskTitled | NSWindowStyleMaskClosable | NSWindowStyleMaskResizable | NSWindowStyleMaskFullSizeContentView;
NSWindow* window = [[[NSWindow alloc] initWithContentRect:frame
styleMask:windowStyle
backing:NSBackingStoreBuffered
defer:NO] autorelease];
window.minSize = CGSizeMake(200, 100);
window.releasedWhenClosed = TRUE;
myAnker = window;
return window;
}
We did an app transfer in mid-August as part of our process to incorporate the business.
We have approximately 100,000 users who have logged in with their Apple IDs, and as part of the transfer process, we followed the documentation below to transfer the account information.
https://developer.apple.com/documentation/sign_in_with_apple/bringing_new_apps_and_users_into_your_team
During the identifier exchange process, an invalid_request error occurred for approximately 10,000 users.
https://developer.apple.com/documentation/sign_in_with_apple/bringing_new_apps_and_users_into_your_team#3559300
We successfully transferred the remaining users using the same script and procedure.
Even when repeated multiple times, the error consistently occurs with the same users.
Based on this situation, we believe that the error may be caused by user-related factor.
Specifically, we would like to understand the potential causes of request errors other than the reasons listed below. The only user-related cause, ‘The user has revoked authorization for the client,’ is not relevant to this case, as it pertains to an error when issuing the transfer identifier. (not exchanging)
https://developer.apple.com/documentation/technotes/tn3107-resolving-sign-in-with-apple-response-errors#Possible-reasons-for-invalid-request-errors
Details of the request content are documented in FB14898615. Although we submitted feedback from the account after the transfer, we have not received a response for over a week, so we are reaching out here as well.
[Similar problem]
https://developer.apple.com/forums/thread/761968