I'm developing a file access control system. In order to protect the file content copied out, I'm finding a way to deny user copy file content to other files. I know there are data transmission between the copied application and pboard service by XPC. But I don't know how to interrupt the data transmission. Or I can do something to stop the copied data send to the Clipboard. So is there any way to prevent the contents of a file being copied?

completeRequestWithTextToInsert is used to return text into an arbitrary textfield via the context menu AutoFill/Passwords from a 3rd party password manager (or presumably the Passwords App) in iOS 18. While testing this feature in the debugger, it would often fail on the first invocation. It also appears to happen intermittently in the released app extension. Subsequent testing using the Passwords App shows it too may fail to return a value. I have confirmed this behaviour is repeatable with the Passwords App on an iPhone running iOS 18.3.1 Reboot the iPhone. Show the App Library, and right click Autofill. Select Passwords Select Passwords (App) Select a password. Nothing will be inserted (intermittently). Feedback assistant report: FB16788563

We’ve identified an issue in our app where, upon clicking the "Call Customer Center" button, users are unexpectedly shown a logo and message option on a native pop-up window. However, this wasn't the case before, and it should only display a phone number to dial, which was given inside our code. This is incorrect and misleading for our users, as: We are a Canadian-based service and have no affiliation with US messaging chat. The messaging feature was never enabled or intended for our app. Our app should only initiate a phone call to our customer support center — no messages or branding from third parties should appear

I have implemented "Sign in With Apple" in my app , but problem is when user logged in initially or first time and email I can retrieve , name and email but after that when i tried to re login it is giving null value for name and email, why it is happening and what should be done here?

Hi, We are trying to open an application "xyz.app" It worked fine until 15.1.1 versions. But facing issues with 15.2 and 15.3 The application is working fine when we navigate to xyz.app/Contents/MacOS/ and run applet in this directory. But the error ""Not authorized to send Apple events to Finder"" occurs when we are trying to open the app directly. Could someone please help me understand what might be causing this issue and how to resolve it?

We currently have an app that uses Sign in with Apple (SIWA), and we are planning to discontinue the SIWA feature. Specifically, we intend to disable SIWA from the app's Capabilities in the Apple Developer Center. My question is, if we disable SIWA, can we continue to use the private email addresses of users who registered using SIWA? Or will disabling SIWA also invalidate the users' private email addresses? We are considering asking users to change to a different, valid email address in our app. However, if the private email addresses are invalidated, we will not be able to disable SIWA until all users have completed the email address change. If anyone has knowledge about these behaviors, please let us know.

Hi, I'm looking at adding App Attest to an app, and I think I understand the mechanics of the attestation process, but I'm having trouble figuring out how development and testing are supposed to work. Two main questions: The "App Attest Environment" -- the documentation says that attestation requests made in the .development sandbox environment don't affect the app's risk metrics, but I'm not sure how to actually use this sandbox. My understanding is that one of the things App Attest does is to ensure that your app has been appropriately signed by the App Store, so it knows that it hasn't been tampered with. But the docs say that App Store builds (and Test Flight and Developer Enterprise Program) always use the .production environment. Does App Attest actually work for local developer-build apps if you have this entitlement set? Presumably only on hardware devices since it requires the Secure Enclave? Does our headend have to do something different when verifying the public key and subsequent attested requests for an app that's using the .development sandbox? The docs do mention that a headend server should potentially track two keys per device/user pair so that it can have a production and development key. How does the headend know if a key is from the sandbox environment? Thanks!

I’ve explained this point many times on the forums, so I figured I’d write it up properly once and for all. If you have questions or comments, start a new thread in Privacy & Security > General and add the App Sandbox tag. That way I’ll be sure to see it. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" The Case for Sandboxing a Directly Distributed App Many folks consider the App Sandbox to be a binary choice: “My app ships in the Mac App Store, so I must sandbox it.” “I directly distribute my app, so I’ll ignore the App Sandbox.” However, those are not your only options. In many cases it makes sense to sandbox a directly distributed app. Sandboxing your app has at least three benefits: It enables app container protection. See Trusted Execution Resources for a link to more info on that. If your app includes any app extensions, it simplifies your development experience because your app and its extensions run in a similar environment. It improves your app’s security (although the actual benefits vary based on the specifics of your app). Sandboxing some apps can be tricky because of the additional security limits applied by the sandbox. However, in a directly distributed app you have access to two techniques that are not available to Mac App Store apps: Temporary exception entitlements Non-sandboxed XPC services Temporary exception entitlements Use temporary exception entitlements to selectively disable specific sandbox security limits. Imagine, for example, that you’re creating a simple document-based app that’s generally compatible with the sandbox. However, that app needs to send an Apple event to Music to create a playlist. That Apple event is blocked by the sandbox. You don’t need to disable the entire App Sandbox just to get around this security limit. Instead, use the com.apple.security.temporary-exception.apple-events entitlement to open a small hole in the sandbox. There are temporary exception entitlements to disable most sandbox security limits. For more information about them, follow the link in App Sandbox Resources. IMPORTANT Don’t be alarmed by the temporary in temporary exception entitlements. That word makes sense when you view this from the Mac App Store perspective. Back in the early days of the Mac App Store, some apps were allowed to use temporary exception entitlements because of limitations in the App Sandbox. Once App Sandbox was sufficiently enhanced, these temporary exception entitlements were no longer allowed in the Mac App Store. However, there’s nothing temporary about the implementation of these entitlements. They work today and are expected to continue working in the future. Using them in a directly distributed app is not a problem. Non-sandboxed XPC services Not all sandbox security limits have a corresponding temporary exception entitlement. For example, the sandbox prevents you from sending a Unix signal to other processes, and there’s no temporary exception entitlement to allow that. If you run into such a limit, move that code to a non-sandboxed XPC service, then have the main app request that the XPC service perform the operation on its behalf. An XPC service can be useful even when there is a temporary exception entitlement to disable a specific sandbox security limit. Continuing the Apple event example from above, if you put the code that sends the Apple event into an XPC service, you only need to apply the temporary exception entitlement to that service, not to your app as a whole. Conclusion If you directly distribute your app, consider enabling the App Sandbox. It has some important benefits, and it might be more feasible than you think.

With the new ios 26 update, certain numbers will be filtered into other inboxes within imessage. What numbers are classified as "known", and will not be moved into these filters. Do they need to be a contact in your phone, or if a business texts you how will that be filtered?

Hi Apple Developer Team, I am encountering an issue with the “Sign in with Apple” feature. While implementing this functionality in my dotnet application, I noticed that the user’s first name and last name are not being returned, even though I have explicitly requested the name scope. However, the email and other requested information are returned successfully. Here are the details of my implementation: 1. Scope Requested: name, email 2. Response Received: Email and other data are present, but fullName is missing or null. 3. Expected Behavior: I expected to receive the user’s first and last name as per the fullName scope. I have verified the implementation and ensured that the correct scopes are being passed in the request. Could you please help clarify the following? 1. Are there specific conditions under which Apple may not return the user’s fullName despite the scope being requested? 2. Is there a recommended approach or fallback mechanism to handle this scenario? 3. Could this behavior be related to a limitation or change in the API, or might it be an issue on my end? I also came to know that for initial sign in the user details will be displayed in the signin-apple payload as Form data but how do I fetch those form-data from the signin-apple request, please suggest I would greatly appreciate any guidance or solutions to resolve this issue. Thank you for your support!

Hello, We received a rejection on one of our IOS applications because we were doing Microsoft MSAL login through the user's browser. The representative recommended that we use Webview to do in-app logins. However when we tried to handle the custom app uri redirection (looking like myapp://auth/), Webview does not seem to send the user back to the application. Does anyone have a fix for this? Thanks!

Hey there, I’m currently exploring the possibility of integrating Sign in with Apple into my iOS app and backend. Regarding the iOS app, I’ve read that when a user is signed in, you always need to call getCredentialState on the app’s launch. Is this true? If so, how is it possible to sign the user out then? I intend to incorporate SwiftData and CloudKit into my application. In light of this, I’m curious about your approach to user management. Specifically, I’m wondering if you would store the user’s data in a Redis database after successful authentication on the backend. Or, would you separate the user data and save it using SwiftData/ CloudKit?

Hello, We are working on integrating app integrity verification into our service application, following Apple's App Attest and DeviceCheck guide. Our server issues a challenge to the client, which then sends the challenge, attestation, and keyId in CBOR format to Apple's App Attest server for verification. However, we are unable to reach both https://attest.apple.com and https://attest.development.apple.com due to network issues. These attempts have been made from both our internal corporate network and mobile hotspot environments. Despite adjusting DNS settings and other configurations, the issue persists. Are there alternative methods or solutions to address this problem? Any recommended network configurations or guidelines to successfully connect to Apple's App Attest servers would be greatly appreciated. Thank you.

To apply for NFC & SE Platform entitlement, I need to provide information regarding licensed applets and TSM. However, I currently lack background knowledge in these areas. Could you provide me with an overview or examples of what licensed applets and TSM entail?

On Thursday, June 12, 2025, Sign in with Apple was impacted by an incorrect subdomain defined in its /.well-known/openid-configuration file. The JSON returned incorrectly provided https://account.apple.com instead of the expected https://appleid.apple.com. For Sign in with Apple, the value for the issuer (iss) claim in the user's identity token is https://appleid.apple.com. Additionally, if your clients use the Sign in with Apple REST API, the following endpoints should be used for each request: https://appleid.apple.com/auth/authorize https://appleid.apple.com/auth/token https://appleid.apple.com/auth/revoke https://appleid.apple.com/auth/keys This issue with the /.well-known/openid-configuration file was resolved the same day. Use the URL below to confirm the expected subdomain is provided, as needed: https://appleid.apple.com/.well-known/openid-configuration Cheers, Paris X Pinkney |  WWDR | DTS Engineer

Hello, I am implementing "Sign in with Apple" on my backend and validating the Identity Token (JWT) received from the client. I noticed that for some users who choose the "Hide My Email" option, the is_private_email claim is missing from the ID Token payload, even though the email address clearly belongs to the private relay domain (@privaterelay.appleid.com). Here is an example of the decoded payload I received: { "iss": "https://appleid.apple.com", "aud": "com.platform.elderberry.new.signinwithapple", "exp": 1764402438, "iat": 1764316038, "sub": "000851.86193ef81ad247feb673746c19424f28.0747", "c_hash": "3FAJNf4TILzUgo_YFe4E0Q", "email": "x8sqp2dgvv@privaterelay.appleid.com", "email_verified": true, "auth_time": 1764316038, "nonce_supported": true // "is_private_email": true <-- This field is missing } My Questions: Is the is_private_email claim considered optional in the ID Token? Is it safe and recommended to rely solely on the email domain suffix (@privaterelay.appleid.com) to identify if a user is using a private email? Any insights or official references would be appreciated. Thanks.

https://developer.apple.com/news/?id=j9zukcr6 starting from Jan 2026 there is change in requirements for account notifications for Sign in with Apple. Does this apply only to developers based in South Korea or all apps which are avai via the korean App Store?

Issue with passport-apple: req.user Returning Undefined Data & Callback URL Issue I am facing an issue with passport-apple where, after successful authentication, the callback function does not receive the expected user data. Instead, req.user contains undefined values, and there seems to be an issue with the callback URL handling. Steps to Reproduce I have configured passport-apple with the following strategy: passport.use( new AppleStrategy( { clientID: process.env.APPLE_CLIENT_ID, teamID: process.env.APPLE_TEAM_ID, keyID: process.env.APPLE_KEY_ID, privateKeyLocation: path.join(__dirname, 'Auth.p8'), callbackURL: process.env.APPLE_CALLBACK_URL, scope: ['name', 'email'], passReqToCallback: true }, async (req, accessToken, refreshToken, idToken, profile, done) => { try { const decoded = jwt.decode(idToken); const user = { id: decoded?.sub || null, email: decoded?.email || null, name: profile?.name?.firstName || 'Unknown' }; const userApp = await authController.handleAppleAuth(user.email, accessToken, refreshToken); done(null, userApp); } catch (error) { return done(error); } } ) ); Observed Behavior Apple login succeeds, and an existing user is found in the database. However, req.user contains undefined values after authentication. The callback URL does not seem to function correctly, leading to potential misrouting or incomplete authentication flow. Expected Behavior req.user should contain the authenticated user's ID, email, and name. The callback URL should properly handle the authentication response. Actual Behavior req.user contains undefined values instead of valid user data, and the callback URL handling seems to be incorrect. Log Output: { id: '001412.13cccc5062074c35833683f6f0bcf5f6.1212', email: 'xyz@somemail.com', name: 'Unknown' } user checking redirectionn [Function: next] 📍 Processing Apple callback 📍 Authentication successful for user: { id: undefined, email: undefined } { id: undefined, email: undefined, firstName: undefined, lastName: undefined, subscriptionStatus: undefined }

Hi, we are having Sign in with Apple issues. For a large % of new users on our app which select this option, the first name and last name values are not being passed to us. This is the case in both scenarios - where the user shares their email address or hides it, and happens on iPhone when the user selects the default iCloud account. We're unclear why this is occurring.

Hi, My app keeps getting rejected during App Review with the reason that the Sign in with Apple button is unresponsive. However, I have tested it extensively on: • A real iPad Pro (iPadOS 18.3.2) • Multiple Xcode simulators • Including an iPad Air 5th simulator (18.3.1) In all of these cases, the button works correctly. The reviewer mentioned they are using an iPad Air 5th running iPadOS 18.3.2, which I cannot find as a simulator in Xcode, nor do I have access to this exact device around me. I’m using standard SignInWithAppleButton code with no custom wrappers or UI layers on top. Here is the relevant snippet: GeometryReader { geometry in ZStack { Color.black.opacity(0.3) .ignoresSafeArea() .onTapGesture { prompt = "" showChat = false } VStack(alignment: .leading, spacing: 0){ switch purchaseManager.hasAISubscription { case 1: HStack{ } case 2: HStack{ } case 3: HStack{ } default: HStack{ } } Divider() ScrollView { VStack(alignment: .leading, spacing: 8) { ForEach(filteredChatHistory, id: \.id) { chat in } } Spacer() } .frame(maxHeight: geometry.size.height * 0.7) .defaultScrollAnchor(.bottom) .padding() Divider() HStack(){ if httpManager.isLoggedIn && purchaseManager.hasAISubscription > 0 { } } else if purchaseManager.hasAISubscription == 0{ } else{ Spacer() SignInWithAppleButton(.continue){ request in request.requestedScopes = [.email] } onCompletion: { result in switch result { case .success(let auth): switch auth.credential { case let appleCredential as ASAuthorizationAppleIDCredential: let userID = appleCredential.user saveToKeychain(userID, for: "com.xing-fu.aireader.apple.userid") if let identityTokenData = appleCredential.identityToken, let identityToken = String(data: identityTokenData, encoding: .utf8) { Task { //后端认证过,才算登录成功 await httpManager.loginWithApple(identityToken) } } break default: break } case .failure(let error): print("error") } } .frame(maxWidth: 350, maxHeight: 40) .padding() .cornerRadius(10) Spacer() } } } .overlay( // 边框 RoundedRectangle(cornerRadius: 10) .stroke(Color.g2, lineWidth: 4) ) .background(Color(UIColor.systemBackground)) .cornerRadius(10) // 圆角 .shadow(color: Color.black.opacity(0.1), radius: 5, x: 0, y: 5) .frame(width: geometry.size.width * 0.8) .onDisappear{ httpManager.alertMessage = nil } } }