Hello, I am trying to enumerate all ways on macOS for launching an application when a user opens a session. Please note i am not looking for a way which requires root or sudo privileges. I have found this: ~/Library/LaunchAgents/ Login Items (in macOS System Settings) But are there others ? Thanks

In our implementation of Platform SSO, we would like to show custom UI in both the beginDeviceRegistration call as well as the beginUserRegistration call. It works fine in the beginDeviceRegistration call when we use presentRegistrationViewController. When we try to apply the same logic in beginUserRegistration, the ViewController's view.window object is nil and thus using it to house our custom UI doesn't work. I'm not sure if this is an implementation flaw on our part or if presentRegistrationViewController is only intended to be used in beginDeviceRegistration. The call is only mentioned in the context of registering devices, which makes us wonder if it is limited to that. Any help would be appreciated!

I created a custom PAM module following this and It works fine with etc/pam.d/sudo but doesn't work with etc/pam.d/authorization and etc/pam.d/login. sudo # sudo: auth account password session auth include sudo_local auth sufficient /usr/local/Cellar/cpam/1.0.0/lib/security/cpam.so auth sufficient pam_smartcard.so auth required pam_opendirectory.so account required pam_permit.so password required pam_deny.so session required pam_permit.so authorization # authorization: auth account auth sufficient /usr/local/Cellar/cpam/1.0.0/lib/security/cpam.so auth optional pam_krb5.so use_first_pass use_kcminit no_auth_ccache auth optional pam_ntlm.so use_first_pass auth sufficient pam_smartcard.so use_first_pass account required pam_opendirectory.so Is it even allowed to add a custom PAM to \etc\pam.d\login or etc\pam.d\authorization ? Is it possible to create a mechanism with custom logic and replace it with<string>builtin:authenticate,privileged</string> in system.login.console authorization right ? Note: I have also tried moving the .so file to /usr/lib/pam but it failed even after disabling SIP.

Hello, It is possible to restrict Documents folder access with TCC. But when an applications shows a standard "file open" dialog, it is possible to access this directory to open a file. macOS allows file access in this case because it is an intentional action from user. So i suppose there is a kind of whitelist for all files path opened through "file open" dialog. I would like to know how i can access this whitelist and how i can remove entries. Thanks

I have a customer who wants to protect the REST API of their app with a private certificate. They would then distribute the client certificate to the authorized users. Their app would not work unless the client certificate is already installed on the user's phone before they run the app. I have never done this before. Is it possible to install a client certificate on an iPhone without running an app, for example if it were sent in an email message? And if it is possible, is App Review going to let such an app into the app store? Thanks, Frank

Hello Geeks, After testing our iOS app using MobSF, the report highlighted that the binary has Runpath Search Path (@rpath) set. In certain cases an attacker can abuse this feature to run arbitrary executable for code execution and privilege escalation.

 The Runpath Search Path directs the dynamic linker to search for dynamic libraries (dylibs) in a specified order of paths, similar to how Unix searches for binaries in $PATH. However, this setup introduces a vulnerability wherein an attacker could place a malicious dylib in one of the initial paths, thereby hijacking the legitimate library sought by the linker.

 Despite attempting to manually strip the binary following instructions from https://inesmartins.github.io/mobsf-ipa-binary-analysis-step-by-step/index.html, the same warnings persist in the report. We urgently seek assistance in resolving this issue and eagerly await your response.

This page indicates https://support.apple.com/en-in/guide/deployment/dep0a2cb7686/web that some usage of fdesetup command line tool is deprecated such as turning on FV using username/password. However, I don't see any proper information about which options from the fdesetup tool are deprecated and which are still valid? Any pointers for that? Thanks, N

I'm noticing a trend in 'foreign' home security products that they want to combination of QR code scanning, and home router connections for 'Easy Setups'. The iOS apps that have to be used with these products require the user to enter their home WiFi password directly into the app. Such apps also commonly request location data. If unencrypted router passwords, and the Location data of the router are being captured and sent back to the manufacturer, this would be very very bad. Of the few things I've put on the App Store, Apple went through my code with a fine tooth comb looking for things that went against their protocols and had to do multiple revisions to bring them in line. Although frustrating at the time, I was pleased to know this kind of screening happened. I've heard Apple won't allow apps to do key logging/capture. Fantastic. Is the the handling of our home network credentials also heavily scrutinised before thing are allowed on the Apple Store?

Hi, I'm trying to achieve the following OpenSSL workflow in Swift. I have this intermediate certificate from Let's encrypt and I want to extract the public key from it and then hash it with SHA-256 and finally encide it in base64. The OpenSSL commands that achieve this look like this: openssl x509 -in isrgrootx1.pem -pubkey -noout > publickey.pem openssl rsa -pubin -in publickey.pem -outform der | openssl dgst -sha256 -binary | openssl enc -base64 I've tried Security, CommonCrypto, CryptoKit frameworks with no success. I was able to get the public key out of the certificate but its PEM representation seems to slightly differ from what I get with OpenSSL. At the beginning of the public jet, the OpenSSL version has a string that is not present on what I get with Swift but the rest is the same. This is the Swift code to use: import Foundation import Security import CommonCrypto // Step 1: Extract public key from the certificate func extractPublicKey(from certificate: SecCertificate) -> SecKey? { // Extract public key from the certificate var publicKey: SecKey? if let publicKeyRef = SecCertificateCopyKey(certificate) { publicKey = publicKeyRef } return publicKey } // Step 2: Calculate SHA-256 hash of the public key func calculateSHA256(of data: Data) -> Data { var hash = [UInt8](repeating: 0, count: Int(CC_SHA256_DIGEST_LENGTH)) data.withUnsafeBytes { _ = CC_SHA256($0.baseAddress, CC_LONG(data.count), &hash) } return Data(hash) } // Step 3: Encode data as base64 func base64EncodedString(from data: Data) -> String { return data.base64EncodedString() } // Step 4: Main function to perform all steps func processCertificate(certificate: SecCertificate) { // Step 1: Extract public key guard let publicKey = extractPublicKey(from: certificate) else { return } // Step 2: Export public key as data guard let publicKeyData = SecKeyCopyExternalRepresentation(publicKey, nil) as Data? else { print("Failed to export public key data") return } // Step 3: Calculate SHA-256 hash of the public key let sha256Hash = calculateSHA256(of: publicKeyData) // Step 4: Encode SHA-256 hash as base64 let base64EncodedHash = base64EncodedString(from: sha256Hash) print("SHA-256 hash of public key (base64 encoded): \(base64EncodedHash)") } This is the Public Key I get with OpenSSL: -----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAregkc/QUN/ObnitXKByHvty33ziQjG485legePd1wqL+9Wpu9gBPKNveaIZsRJO2sWP9FBJrvx/S6jGbIX7RMzy6SPXded+zuP8S8SGaS8GKhnFpSmZmbI9+PHC/rSkiBvPkwOaAruJLj7eZfpQDn9NHl3yZSCNT6DiuTwpvgy7RSVeMgHS22i/QOI17A3AhG3XyMDz6j67d2mOr6xZPwo4RS37PC+j/tXcu9LJ7SuBMEiUMcI0DKaDhUyTsE9nuGb8Qs0qMP4mjYVHerIcHlPRjcewu4m9bmIHhiVw0eWx27zuQYnnm26SaLybF0BDhDt7ZEI4W+7f3qPfH5QIHmI82CJXn4jeWDTZ1nvsOcrEdm7wD+UkF2IHdBbQq1kHprAF2lQoP2N/VvRIfNS8oF2zSmMGoCWR3bkc3us6sWV5onX9y1onFBkEpPlk+3Sb1JMkRp1qjTEAfRqGZtac6UW6GO559cqcSBXhZ7T5ReBULA4+N0C8Fsj57ShxLcwUS/Mbq4FATfEOTdLPKdOeOHwEI0DDUW3E2tAe6wTAwXEi3gjuYpn1giqKjKYLMur2DBBuigwNBodYF8RvCtvCofIY7RqhIKojcdpp2vx9qpT0Zj+s482TeyCsNCij/99viFULUItAnXeF5/hjncIitTubZizrG3SdRbv+8ZPUzQ08CAwEAAQ== -----END PUBLIC KEY----- and this is what I get with Swift: -----BEGIN PUBLIC KEY----- MIICCgKCAgEAregkc/QUN/ObnitXKByHvty33ziQjG485legePd1wqL+9Wpu9gBPKNveaIZsRJO2sWP9FBJrvx/S6jGbIX7RMzy6SPXded+zuP8S8SGaS8GKhnFpSmZmbI9+PHC/rSkiBvPkwOaAruJLj7eZfpQDn9NHl3yZSCNT6DiuTwpvgy7RSVeMgHS22i/QOI17A3AhG3XyMDz6j67d2mOr6xZPwo4RS37PC+j/tXcu9LJ7SuBMEiUMcI0DKaDhUyTsE9nuGb8Qs0qMP4mjYVHerIcHlPRjcewu4m9bmIHhiVw0eWx27zuQYnnm26SaLybF0BDhDt7ZEI4W+7f3qPfH5QIHmI82CJXn4jeWDTZ1nvsOcrEdm7wD+UkF2IHdBbQq1kHprAF2lQoP2N/VvRIfNS8oF2zSmMGoCWR3bkc3us6sWV5onX9y1onFBkEpPlk+3Sb1JMkRp1qjTEAfRqGZtac6UW6GO559cqcSBXhZ7T5ReBULA4+N0C8Fsj57ShxLcwUS/Mbq4FATfEOTdLPKdOeOHwEI0DDUW3E2tAe6wTAwXEi3gjuYpn1giqKjKYLMur2DBBuigwNBodYF8RvCtvCofIY7RqhIKojcdpp2vx9qpT0Zj+s482TeyCsNCij/99viFULUItAnXeF5/hjncIitTubZizrG3SdRbv+8ZPUzQ08CAwEAAQ== -----END PUBLIC KEY----- Interestingly, if I use the Swift version of the Public Key I get and then run the second command I still get the correct final result. Unfortunately in Swift I don't get the correct final result. I suspect it must be something about headers since I was able to get the correct output on OpenSSL with the public key I got using the Swift. Any ideas?

We want to display our application name should be suggested on wifi network which are insecure. Similar like following: Please suggest, which class or extension we can use for achieve this.

Running through the tutorial on how to sign data using security.framework, I was trying to understand the format Apple is using & wanting for signatures (as this isn't documented anywhere): https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/signing_and_verifying?language=objc I've learned the format of the signatures are just ASN.1 objects, with EC signatures being a sequence of the R and S coordinates as ASN.1 integers. However, I am noticing when using SecKeyCreateSignature that either the R or S value will always be prepended with an extra byte. For example: 30 45 02 20 66 B7 4C FB FC A0 26 E9 42 50 E8 B4 E3 A2 99 F1 8B A6 93 31 33 E8 7B 6F 95 D7 28 77 52 41 CC 28 02 21 00 E2 01 CB A1 4C AD 42 20 A2 ^^ why is this here? 66 A5 94 F7 B2 2F 96 13 A8 C5 8B 35 C8 D5 72 A0 3D 41 81 90 3D 5A 91 This is a ASN.1 sequence, first is a 32-byte integer and second is a 33-byte integer. Why is that 00 byte being prepended to the integer? Why is it sometimes the R and sometimes the S? Removing it causes SecKeyVerifySignature to fail, so obviously it's required, but I need to know the logic here as I'm having to hand-craft these ASN.1 objects as all I have are the raw R and S values.

Hello, I recently ran a virus/malware scan on my dev machine using ClamAV, this was run via macOS Terminal using the 'clamscan' function. Everything came back okay except a keylogger in the ProVideo Framework for physical iOS Test Devices. Please see below for 'clamscan' output: /Users/username/Library/Developer/Xcode/iOS DeviceSupport/iPad8,11 17.4 (21E219)/Symbols/System/Library/PrivateFrameworks/ProVideo.framework/ProVideo: Unix.Keylogger.Macos-10023932-0 FOUND My understanding is that '/Library/Developer/Xcode/iOS DeviceSupport/' is where Xcode keeps the files related to physical test devices that are required for debug. There were 3 Instances of this keylogger, all of which corresponded to physical devices I own and iOS Versions that I have installed / were installed. Can anyone verify if 'Unix.Keylogger.Macos-10023932-0' is a valid file that ClamAV is incorrectly detecting as malicious? If it is a valid debug file provided by Apple, it seems strange that it's located in the ProVideo Framework. I couldn't find any documentation online about this so any information would be appreciated. At this stage I have deleted the contents of '/Library/Developer/Xcode/iOS DeviceSupport/', my understanding is that these symbols are only transferred to the system when I test software via Xcode on a physical device and will not reproduce until I do that again. To me it's unclear if perhaps this keylogger is present on my iOS Device and is being transferred to the Mac via Xcode? Or somehow it is just appearing in this folder? Thanks!

Hi, I'm wondering if we'd want to improve the clarity of the Apple Platform Security guide (dated 2022) on the iOS app security model (page 99), as edits might have lost the intended structure of the sentence (although I might be reading it wrong). Current text: At runtime, code signature checks that all executable memory pages are made as they are loaded to help ensure that an app hasn’t been modified since it was installed or last updated. Possible rephrasing: At runtime, iOS checks code signature on all executable memory pages as they are loaded to help ensure that an app hasn’t been modified since it was installed or last updated.

get the password from keychain, encountered an exception， password lost and the reason of the exception is Error Domain=com.samsoffes.sskeychain Code=-25300 ", I want to know why this happens and the possibility of it

I'm exploring options for sharing a keychain item between a plug-in and a standalone application. Despite my efforts, I haven't found a straightforward method to accomplish this. Can anyone provide guidance on enabling keychain sharing between these components?

I have a .p12 file which contains two certificates, but no identities. When attempting to use SecPKCS12Import against it it returns a success code, but the CFArray is empty: func testParsingCert() throws { let bundle = Bundle(for: Self.self) let certificateURL = bundle.url(forResource: TestConstants.SERVER_CERTIFICATE_NAME, withExtension: TestConstants.CERTIFICATE_FILE_EXTENSION)! let certificateData = try! Data(contentsOf: certificateURL) var importResult: CFArray? = nil let err = SecPKCS12Import( certificateData as NSData, [kSecImportExportPassphrase as String: TestConstants.DEFAULT_CERT_PASSWORD] as NSDictionary, &importResult ) guard err == errSecSuccess else { throw NSError(domain: NSOSStatusErrorDomain, code: Int(err), userInfo: nil) } let identityDictionaries = importResult as! [[String:Any]] var chain: CFArray chain = identityDictionaries[0][kSecImportItemCertChain as String] as! CFArray print(chain) } Above code fails with Test Case '-[TAKTrackerTests.CertificateSigningRequestTests testParsingCert]' started. Swift/ContiguousArrayBuffer.swift:600: Fatal error: Index out of range as the identityDictionaries result contains no results (nor does importResult) The specific use case for this is that users can do Certificate Enrollment against a server with a self-signed certificate, so they need to be able to upload the trust store prior to connecting for identities.

Hi, I have met with a rather interesting phenomenon today and I couldn't figure out the reason. As part of a script, I import certificates and for that I create a designated keychain: security create-keychain -p "" $KEYCHAIN_NAME.keychain-db This has so far been creating the keychain at the expected location, Users/my-user/Library/Keychains/$KEYCHAIN_NAME.keychain-db. However, I have noticed that since yesterday, my script has been failing with a security: SecKeychainCreate XXXXXXXXX.keychain-db: UNIX[Permission denied] error. I kept investigating and noticed that the same script as given above, now tries to create the keychain on the /Library/Keychains/$KEYCHAIN_NAME.keychain-db path (the same path where System.keychain is located). I confirmed this in two ways: running the command with sudo no longer resulted in above UNIX error, instead created it next to the System keychain. locally, I tried to create a keychain with an absolute path, like this: security create-keychain -p 1234 "/Library/Keychains/new.keychain" and got back the same UNIX[Permission denied] error. I tried to poke around in the man page for security and search online, but found nothing that would mention the default path changing for the security command (because it must be some setting for security, given that a simple XXXX.keychain would be created at ~/Library/Keychain/***.keychain, whichever folder I execute the command from. Thanks in advance for any advice!

I have an app that creates a private key in the secure enclave with a unique alias. It is created with the kSecAttrTokenIDSecureEnclave flag. According to the docs, such private keys should never leave the enclave under any circumstances and definitely not restored on new devices. After migrating to a new iPhone 15 the app does not offer to create a new private key in the enclave, but rather it is able to find the unique alias of the private key in the new phone. i.e. as if it found the private key on the new phone's secure enclave I believe (/hope) that in practice the object I get in the new iPhone from SecItemCopyMatching is not usable. I assume this is a bug that should be fixed by apple? How can I detect that this SecItemCopyMatching result is stale so I can ignore it and prompt the user to create a new keypair on the secure enclave? Thanks