I am trying to use SecItemUpdate in order to change the kSecAttrAccessControl value on a private key protected by the Secure Enclave as well as an .applicationPassword - which I want to change. I have been unsuccessful getting the query and attributesToUpdate dictionaries right though, with SecItemUpdate returning either errSecParam, errSecNoSuchAttr or errSecAuthFailed. Am I on the right track here or am I trying to do something that is not possible?

I noticed that the numbers given for the individual states do not add up; i.e. if I add everything other than "Received by APNs" I get what amounts to ~95% of that. Is that expected? And if so what happened to the remaining 5%?

I recently re-read Performing manual server trust authentication and noticed that it does not mention having to call SecTrustEvaluate (or its replacements) in client code (anymore). Is that implicitly taken care of by ATS?

Is there a way for an app to interact with the new iOS 18 feature "Locked/Hidden Apps"? In our apps we prompt our users for biometric authentication ourselves and found that locking an app seems to interfere with that.

After the XPC Updates from last year I am trying to understand what is possible with XPC on iOS. The documentation for XPCSession states it is available, but none of its initializers is. So how is one supposed to use it?

I am trying to implement BLE communication between installations of an iOS app and I am following Transferring Data Between Bluetooth Low Energy Devices since the data I need to transfer exceeds the 512 byte limit for attribute values. I already have this working based on an older version of the app, however after I integrated with the mainline of development I am getting CBATTErrorRequestNotSupported which seems to be caused by OSStatus 65535 (which is kBluetoothSDPErrorCodeReservedEnd, but that is documented to not even be present on iOS). So it seems that a change on our end is causing these errors, but I am completely stumped as to what change that might be. Is anyone able to enlighten me?

I have been bitten by this repeatedly so I am finally going to ask: Is there a way to infer an error from its localizedDescription only? It sometimes happens that a user reaches out for support with just a localized error message, but no error code or error domain and it is really hard to correctly guess what the non-localized description may have been in order to search for it. For example I know from experience that "Der eingegebene Benutzername oder das Passwort ist ungültig." is the German localization of "The user name or passphrase you entered is not correct." which in turn is errSecAuthFailed (aka. -25293). It would be really helpful to be able to just look this up somewhere...

Suppose there is a key in the keychain that is protected by an ACL which specifies .userPresence as its access control - is it possible to prevent the user from being prompted to authenticate with biometrics and to force authentication via the device passcode instead?

The sample code uses a static variable of the PeripheralViewController class to account for congestion in the BLE stack - which is frowned upon by the Swift 6 compiler. Why does this variable need to be static in the first place?

On iOS Bundle.main.preferredLocalizations returns the list of languages the application bundle supports in user-preferred order with the first element being the language the application is running in. Additionally Locale.preferredLanguages returns the list of languages in the order they are presented in Preferences.app > General > Language & Region > Preferred Languages with the first element being the user's "primary language" (i.e. the language the system is running in). However this only seems to be true unless the user has chosen a per-app language which is different from the primary language in which case Locale.preferredLanguages.first is equal to Bundle.main.preferredLocalizations.first - regardless of the latter's position in the Preferred Languages list. Furthermore this seems to change depending on the value of the "AppleLanguages" key in the User Defaults' global domain (see c.f. https://stackoverflow.com/a/42648166). Is this behaviour documented anywhere? Addendum: I know that according to https://forums.developer.apple.com/forums/thread/718512?answerId=733680022#733680022 AppleLanguages is an implementation detail, not something that’s considered API. Locale.preferredLanguages is API, though.

Is there a way to view the opt-in rate via the API? I have been unsuccessful in finding one.

I am trying to retrieve the numbers displayed in "App Analytics" under "Metrics" > "Active Devices" using the API. Since there does not seem to be a dedicated report for this metric I am using the daily "App Sessions Standard" report and by looking at the "Sessions" field I am able to recreate the numbers displayed for the "Sessions" metric. However if I try to infer the active devices by looking at the "Unique Devices" field my numbers for individual days are in the same ballpark (deviations may be attributable to privacy reasons?), but the total number of devices is way off. Is there a better way to recreate this metric?

I am trying to use the NFCTagReaderSession to SELECT the master file of a ISO 7816 smartcard by sending a corresponding NFCISO7816APDU after connecting to the card, but I am running into errors: Error Domain=NFCError Code=2 "Missing required entitlement" UserInfo={NSLocalizedDescription=Missing required entitlement} Error Domain=NFCError Code=103 "Session invalidated" UserInfo={NSLocalizedDescription=Session invalidated} I know that in order to communicate with a NFCISO7816Tag I need to declare the supported AIDs in the Info.plist, but what am I supposed to declare here?

The CA/Browser Forum has voted (cf. https://groups.google.com/a/groups.cabforum.org/g/servercert-wg/c/9768xgUUfhQ?pli=1) to eventually reduce the maximum validity period for a SSL certificate from 398 days to 47 days by March 2029. This makes statically pinning a leaf certificate rather challenging. What are the consequences for App Transport Security Identity Pinning as it exists today?

For testing purposes we have code that calls SecTrustEvaluateAsyncWithError() with a trust object containing a hardcoded leaf certificate and the corresponding intermediate certificate required to form a valid chain. Because the leaf certificate has since expired we pass a date in the past via SecTrustSetVerifyDate() at wich the certificate was still valid, but trust evaluation fails: Error Domain=NSOSStatusErrorDomain Code=-67825 "“<redacted>” certificate is not standards compliant" UserInfo={NSLocalizedDescription=“<redacted>” certificate is not standards compliant, NSUnderlyingError=0x600000c282a0 {Error Domain=NSOSStatusErrorDomain Code=-67825 "Certificate 0 “<redacted>” has errors: Certificate Transparency validation required for this use;" UserInfo={NSLocalizedDescription=Certificate 0 “<redacted>” has errors: Certificate Transparency validation required for this use;}}} I know that App Transport Security enforces Certificate Transparency by default, but is there a way around that here?