Try this: I created it using qrencode as follows: $ qrencode -o qrnz.png 'https://3dmapapp.nz/map?lat=-43.57&lon=170.22&zoom=12' That is a universal link for my app "3D Map New Zealand". On my phone where the app is installed, if I view the code with the camera, it opens the app. Assuming that you're not one of the about 4 people who have ever bought the app, maybe it will open the App Store for you (let me know!).

If you're proposing to make an app for internal use within your lab, then it doesn't need to go through App Review. As @KTRosenberg points out, Apple have said that they are not exposing eye tracking information. But clearly the device does track eyes and some levels of the software have access to that. It may be that access to the eye tracking data is controlled by an "entitlement". It's possible that you may be able to enable this entitlement for your own not-app-reviewed apps. It may even be that they will have a system where you can apply to enable this entitlement for reviewed apps. Or not. If I were you, I'd file a bug asking for access to eye tracking data enabled by an entitlement that you can enable for your own devices.

I think I understand now that QR code services build in extra linking data, so it first routes the deep link to their service site for tracking and analytics purposes. I didn't even know that such (dis)services existed, though I guess it shouldn't surprise me.

Thank you so much for sharing that discovery. I wasted a load of time last week trying to reply to a thread , and this explains why it didn’t work.

I tried to post a further reply last week but the Submit button seemed to be disabled. I've just read this thread, which seems to explain that forum bug: https://developer.apple.com/forums/thread/728466 So here is the post that I tried to send last week, except that I've replaced the string that I'm not allowed to mention with nonsense: I note that none of your regular expressions actually need to be regular expressions, i.e. they are just fixed text strings. For example, where you have "non.sense", I think you only want it to literally match "non.sense", not "non0sense". Since I like a challenge, I've just tried to do this in C++. Using simple string searching for the patterns, I can process a 100 MB file in 0.165 seconds. But if I just replace the date search with a fixed-string regex, the runtime increases to about 3 seconds. (Which I find pretty poor.) It is interesting that this is about the same as the runtime you are seeing. It would not surprise me if Swift and Clang's libc++ share the same (poor) regex implementation.

I am not sure if there is a way to create and delete users programmatically The page that you linked to says: you cannot add or delete them directly. Go to App Store Connect to create a new sandbox tester Apple ID. Do I need to regenerate the JWT token every 30 days? No. Much more frequently. I think the max validity in mist cases is 20 minutes. This is described in the documentation.

That’s not allowed. They will reject the app if they are aware of what you have done.

https://mrmacintosh.com/macos-sonoma-full-installer-database-download-directly-from-apple/ You trust that site? Who owns it? Note to Apple: you not providing a proper installer endangers developers who will end up installing potentially dangerous hacks like this one.

Can you give assurance that the usage in Apple implementations are secure? Read Apple's license agreements - you'll find no assurances about anything, as is the industry norm. I believe the pentester ran a grep command to find which binaries are possibly affected. Right. I guess there's a whole range of people offering these services out there. Some will be e.g. ex-NSA people but you can't afford them. Then there are some kids who run a few greps over your binaries and produce a semi-automatic report. You can afford those but they don't tell you much. Really you need for the people who prepared the report to answer these questions for you, rather than just giving you the output of the grep and sending you here. FWIW, IMO, you should ignore these reports when they are in Apple's code. What is your threat model?

I recommend GeographicLib for this sort of thing. It seems reliable, and if you did find any bugs you have the source so you can fix it yourself.

the links provided directly link to installer files on Apple's swcdn.apple.com website No, it's a link to a site called "mrmacintosh". Maybe that links or redirects or something to Apple when you visit it. Who knows what it links to when I visit it. Maybe it checks my IP address, and sends me the malware if I'm one of the victims that someone is trying to hack. It is very unwise to use things like this - an amazingly dangerous of Apple to make it possible by apparently providing these "secret" installers.

Scott is right. I thunk you misunderstand what weak variables are.

Post the complete email headers here and someone will probably be able to confirm/deny. Remove your own domain name if you like. Important: do not ask Apple Developer Support if it is genuine; do not use the report-fishing email address. The former is unable to correctly identify their own emails, and the latter does nothing at all.

OK. That surprises me. Does this generally work for people? In appleid.apple.com, under "personal information", it shows Country / Region = United Kingdom and Language = English (UK). But on that same page, it shows my birthday in the US format "MonthName DayNumber, Year". Can someone else not in the US check what they see there? I do sometimes change the region setting on a device to US, or somewhere else, for testing, but I guess that is independent of the Apple ID settings, right?

You may need to make changes to your on-device receipt validation, depending on whether your existing validation code will work with the new intermediate certificate or not. If your existing implementation understands the new intermediate certificate, then you have nothing to do. How are you validating the certificate? Are you using e.g. libssl?