We have received some information that with the release of iOS 18, there have been notable changes in how this API behaves, can apple team shed some light on this? on ios 17 this worked without much issues, what has changed on ios 18?
setUPIVerificationCodeSendCompletion on ios 18
We have received some information
Receive from who?
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
It’s better to reply as a reply, rather than in the comments; see Quinn’s Top Ten DevForums Tips for this and other titbits.
We have received …
That’s not a lot to go on. Has anyone in this chain raised this officially with Apple? If so, what was the bug number?
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Its a private API which is given behind an entitlement, we dont have a lot of documentation or discussion about this API in the public forums, nor does the documentation state in which case it may or may not fail, the only thing we have are back end logs where we see the API being triggered on success of this setUPIVerificationCodeSendCompletion function, which was not supposed to be triggered for that person. We dont know how to simulate it. Which is why i am asking here. Do you want me to raise a bug report? I cant simulate it, but the logs say otherwise. And answering if in the chain has raised it with apple, its above my pay grade, i am not aware of this, i assuming it has been. If you're not in a position to answer this, i understand.
Do you want me to raise a bug report?
I expect that’s where we’ll end up, but I wanna make sure I properly understand your issue before I send you in that direction.
Its a private API
To be clear, this isn’t a private API [1]. It’s a public API with public documentation, albeit one that’s gated by a managed entitlement.
where we see the API being triggered on success of this setUPIVerificationCodeSendCompletion function, which was not supposed to be triggered for that person.
What do you mean by “not supposed to be triggered”?
The API calls the completion handler with a true value “after the SMS successfully transmitted to the sender’s cellular carrier”. My understanding is that you’re not the carrier in this equation, so the only info you have is whether the carrier delivered the SMS to you. So I’m trying to understand how you’re determining that there’s a mismatch here.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] Personally, I never use the term private API. APIs are, by definition, public. Anything that’s not public is an implementation detail.
As per our logs the user has not successfully sent the SMS from his device, which is an iphone, the payload has come from another device, which is not an iphone, just like how this MFMessageComposeViewController was working before setUPIVerificationCodeSendCompletion, irrespective of wether an sms was sent or not, callback was given as sent on dismissal of MFMessageComposeViewController(on send button tap), so i can copy the SMS payload and ask someone else to send it to the number, thats the behaviour we are seeing in our back end logs. Fine its a "public" api. Can we discuss about how i can raise a bug simulating this? raising a bug would require me to provide video evidence of this? If i could i would.
Can we discuss about how i can raise a bug simulating this?
Sure.
I have a tonne of general advice on this topic in Bug Reporting: How and Why? Beyond that, it kinda depends on how reproducible this is. Are you able to reproduce it yourself?
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
no we are not able to reproduce it, which is why i am seeking your expertise on this.
no we are not able to reproduce it
So the only evidence you have for this is your own logging? Or are you contact with someone what can reproduce it?
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
the ones who are doing this are not the legitimate owners of the account, so its not possible at the moment to reproduce it, just wanted to know what possible new features introduced on ios 18.x especially w.r.t messaging, could trigger this bypassing of the API, so we can try to reproduce it, or atleast try to keep some additional checks in place to flag such activity.
The whole purpose of this feature is to support UPI. If you believe that folks have found a way to bypass that, that’s definitely bugworthy, even if you can’t fulfil the usual requirements of a bug report (steps to reproduce, a sysdiagnose log, and so on).
Please post your bug number, just for the record.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Feedback number FB19883396