iOS Keychain disable sharing data - ios

It seems to be a big feature to share data between different Apps through the iOS Keychain, but how can I avoid the sharing between apps? I can't find anything for that case in the Apple documentation.
I know that the access-group and therefore the access of the keychain for an app is defined through the provisioning profile with the parameter keychain-access-groups.
<key>Entitlements</key>
<dict>
<key>application-identifier</key>
...
<key>keychain-access-groups</key>
<array>
<string>XXXXXXXXXX.*</string>
</array>
</dict>
After Apple redesigned their developer page, it is no longer possible to create different App-Prefix-IDs, which define the keychain-access-groups. I hope someone can give me a hint on how to prevent keychain sharing between different apps with the same code base.
Additional Note:
It is not possible to save the data with different keys.
Update:
I found an attribute that sets the keychain access group at runtime, kSecAttrAccessGroup. I think this should help to fix the problem.

You misunderstood what share means here, which is you can opt to share with different apps produced by you and accepted by Apple. Arbitrary apps cannot access your app's keychain data.

Related

I am getting this error when trying to upload the app to testflight "ITMS-90683: Missing Purpose String in Info.plist"

I have added the following code in the Info.plist
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
<key>NSAppleMusicUsageDescription</key>
<string>Play using while you are hiking</string>
<key>NSCameraUsageDescription</key>
<string>Please Allow the app to access the device camera</string>
<key>NSMicrophoneUsageDescription</key>
<string>Please Allow the app to access the device microphone</string>
<key>NSPhotoLibraryUsageDescription</key>
<string>Privacy - Please Allow the app to handle your photos</string>
</dict>
I am creating the archive in Xcode and redistributing, and I am still getting the error "Missing Purpose String in Info.plist".
As per the Apple documentation for NSAllowsArbitraryLoads:
Important
You must supply a justification during App Store review if you set the key’s value to YES, as described in Provide Justification for Exceptions. Use this key with caution because it significantly reduces the security of your app. In most cases, it’s better to upgrade your servers to meet the requirements imposed by ATS, or at least to use a narrower exception.

iCloud ubiquity container url is nil

I’m creating a .pdf reader for tvOS. I’d like to store the .pdfs in an iCloud Drive folder and access them read-only. Not surprisingly, I’m encountering difficulty getting iCloud to work: FileManager.default.url(forUbiquityContainerIdentifier: nil) always returns nil.
I’m assuming that I need to add the entry to info.plist (why doesn’t Xcode do this?). I’m including the following. The key matches my bundle ID with a prefix of ‘iCloud’.
<dict>
<key>iCloud.com.spiffcleanser.books</key>
<dict>
<key>NSUbiquitousContainerIsDocumentScopePublic</key>
<true/>
<key>NSUbiquitousContainerName</key>
<string>books</string>
<key>NSUbiquitousContainerSupportedFolderLevels</key>
<string>Any</string>
</dict>
</dict>
I have a number of questions but all are related so I hope it's acceptable to ask them all at once. At this point I’m merely trying to get the container URL.
I’m using the default ubiquity container. I’ve created an iCloud entitlement and have checked CloudKit. Do I need to specify a container from the list or is the default container used implicitly if I don’t specify one?
My identifier on the developer site indicates that I have an iCloud entitlement. The container assignment matches what I specify in Xcode. If I’m using the default container, should the list be empty or should I configure a container with the bundle ID of my app in the same manner as in the .plist file?
I know that after modifying the entitlements I need to rebuild the provisioning profile, is it sufficient to toggle ‘Automatically manage signing’ or do I need to explicitly create a profile?
Is it necessary to bump the version number each time I change the config? I assume incrementing the build number is sufficient.
Thanks for any help.
I've solved this. iCloud support for documents is not available on tvOS. This is due to only minimal local storage being available.

Error App Store Connect: 'ITMS-90683: Missing Purpose String in Info.plist' & 'ITMS-90078: Missing Push Notification Entitlement' [Flutter]

I am trying to upload a new version of our app on the App Store Connect. In our old version we are already using push notification and hence, the certificate for Apple Push Services is already active and added in the Apple Developer Portal (as shown in the screenshot below). When we uploaded our previous version of the app to App Store Connect, there was no issue. However, now when I am trying to upload our new version of the app to App Store Connect using Xcode, there is no error shown in the Xcode side and uploading is successful (as shown in the screenshot below).
When I go back to the App Store Connect to check my uploaded build version so that I can submit it for review, it is saying that the build is being processed (as shown in the screenshot below). After some time I receive an email from the App Store Connect mentioning that our build version has the following issues (detailed email is provided at the end of this question):
ITMS-90683: Missing Purpose String in Info.plist
ITMS-90078: Missing Push Notification Entitlement
For our app's latest build version it is mentioned that ITMS-90683 error for Info.plist (shown below) is missing description for NSContactsUsageDescription, NSCalendarsUsageDescription, NSAppleMusicUsageDescription, NSMotionUsageDescription, NSSpeechRecognitionUsageDescription, NSLocationAlwaysUsageDescription & NSLocationWhenInUseUsageDescription. However, in our app, which is built with Flutter framework, we are not using any of these permissions specifically.
My Questions are as follows:
How can I fix the ITMS-90683 error when I am not using any of these permissions explicitly in our app such that the build version can be uploaded for review successfully?
Since, the Apple Push Services' certificate is already added to Apple Developer portal how can I fix the ITMS-90078 and submit the app for review?
Info.plist content:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleDevelopmentRegion</key>
<string>$(DEVELOPMENT_LANGUAGE)</string>
<key>CFBundleExecutable</key>
<string>$(EXECUTABLE_NAME)</string>
<key>CFBundleIdentifier</key>
<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>AppName</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleShortVersionString</key>
<string>$(MARKETING_VERSION)</string>
<key>CFBundleSignature</key>
<string>????</string>
<key>CFBundleVersion</key>
<string>$(CURRENT_PROJECT_VERSION)</string>
<key>LSRequiresIPhoneOS</key>
<true/>
<key>NSCameraUsageDescription</key>
<string>Need to upload image</string>
<key>NSMicrophoneUsageDescription</key>
<string>Need to upload image</string>
<key>NSPhotoLibraryUsageDescription</key>
<string>Need to upload image</string>
<key>UILaunchStoryboardName</key>
<string>Launch Screen2</string>
<key>UIMainStoryboardFile</key>
<string>Main</string>
<key>UISupportedInterfaceOrientations</key>
<array>
<string>UIInterfaceOrientationPortrait</string>
<string>UIInterfaceOrientationLandscapeLeft</string>
<string>UIInterfaceOrientationLandscapeRight</string>
</array>
<key>UISupportedInterfaceOrientations~ipad</key>
<array>
<string>UIInterfaceOrientationPortrait</string>
<string>UIInterfaceOrientationPortraitUpsideDown</string>
<string>UIInterfaceOrientationLandscapeLeft</string>
<string>UIInterfaceOrientationLandscapeRight</string>
</array>
<key>UIViewControllerBasedStatusBarAppearance</key>
<false/>
</dict>
</plist>
Any help is much appreciated. Thank you in advance!
Screenshot of "Signing & Capabilities" of my project:
Screenshot of successful upload of the build version from Xcode:
Screenshot of the App Store Connect where the new build version is being processed:
Screenshot of Apple Developer Portal with Apple Push Services Certificate enabled, which is used by previous version of the app:
Email from App Store Connect regarding the error:
Dear Developer,
We identified one or more issues with a recent delivery for your app,
[APP NAME] 2.0.1 (4). Please correct the following issues, then upload
again.
ITMS-90683: Missing Purpose String in Info.plist - Your app's code
references one or more APIs that access sensitive user data. The app's
Info.plist file should contain a NSContactsUsageDescription key with a
user-facing purpose string explaining clearly and completely why your
app needs the data. Starting Spring 2019, all apps submitted to the
App Store that access user data are required to include a purpose
string. If you're using external libraries or SDKs, they may reference
APIs that require a purpose string. While your app might not use these
APIs, a purpose string is still required. You can contact the
developer of the library or SDK and request they release a version of
their code that doesn't contain the APIs. Learn more
(https://developer.apple.com/documentation/uikit/core_app/protecting_the_user_s_privacy).
ITMS-90683: Missing Purpose String in Info.plist - Your app's code
references one or more APIs that access sensitive user data. The app's
Info.plist file should contain a NSCalendarsUsageDescription key with
a user-facing purpose string explaining clearly and completely why
your app needs the data. Starting Spring 2019, all apps submitted to
the App Store that access user data are required to include a purpose
string. If you're using external libraries or SDKs, they may reference
APIs that require a purpose string. While your app might not use these
APIs, a purpose string is still required. You can contact the
developer of the library or SDK and request they release a version of
their code that doesn't contain the APIs. Learn more
(https://developer.apple.com/documentation/uikit/core_app/protecting_the_user_s_privacy).
ITMS-90683: Missing Purpose String in Info.plist - Your app's code
references one or more APIs that access sensitive user data. The app's
Info.plist file should contain a NSAppleMusicUsageDescription key with
a user-facing purpose string explaining clearly and completely why
your app needs the data. Starting Spring 2019, all apps submitted to
the App Store that access user data are required to include a purpose
string. If you're using external libraries or SDKs, they may reference
APIs that require a purpose string. While your app might not use these
APIs, a purpose string is still required. You can contact the
developer of the library or SDK and request they release a version of
their code that doesn't contain the APIs. Learn more
(https://developer.apple.com/documentation/uikit/core_app/protecting_the_user_s_privacy).
ITMS-90683: Missing Purpose String in Info.plist - Your app's code
references one or more APIs that access sensitive user data. The app's
Info.plist file should contain a NSMotionUsageDescription key with a
user-facing purpose string explaining clearly and completely why your
app needs the data. Starting Spring 2019, all apps submitted to the
App Store that access user data are required to include a purpose
string. If you're using external libraries or SDKs, they may reference
APIs that require a purpose string. While your app might not use these
APIs, a purpose string is still required. You can contact the
developer of the library or SDK and request they release a version of
their code that doesn't contain the APIs. Learn more
(https://developer.apple.com/documentation/uikit/core_app/protecting_the_user_s_privacy).
ITMS-90683: Missing Purpose String in Info.plist - Your app's code
references one or more APIs that access sensitive user data. The app's
Info.plist file should contain a NSSpeechRecognitionUsageDescription
key with a user-facing purpose string explaining clearly and
completely why your app needs the data. Starting Spring 2019, all apps
submitted to the App Store that access user data are required to
include a purpose string. If you're using external libraries or SDKs,
they may reference APIs that require a purpose string. While your app
might not use these APIs, a purpose string is still required. You can
contact the developer of the library or SDK and request they release a
version of their code that doesn't contain the APIs. Learn more
(https://developer.apple.com/documentation/uikit/core_app/protecting_the_user_s_privacy).
Though you are not required to fix the following issues, we wanted to
make you aware of them:
ITMS-90078: Missing Push Notification Entitlement - Your app appears
to register with the Apple Push Notification service, but the app
signature's entitlements do not include the "aps-environment"
entitlement. If your app uses the Apple Push Notification service,
make sure your App ID is enabled for Push Notification in the
Provisioning Portal, and resubmit after signing your app with a
Distribution provisioning profile that includes the "aps-environment"
entitlement. Xcode does not automatically copy the aps-environment
entitlement from provisioning profiles at build time. This behavior is
intentional. To use this entitlement, either enable Push Notifications
in the project editor's Capabilities pane, or manually add the
entitlement to your entitlements file. For more information, see
https://developer.apple.com/library/content/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/HandlingRemoteNotifications.html#//apple_ref/doc/uid/TP40008194-CH6-SW1.
ITMS-90683: Missing Purpose String in Info.plist - Your app's code
references one or more APIs that access sensitive user data. The app's
Info.plist file should contain a NSLocationAlwaysUsageDescription key
with a user-facing purpose string explaining clearly and completely
why your app needs the data. Starting Spring 2019, all apps submitted
to the App Store that access user data are required to include a
purpose string. If you're using external libraries or SDKs, they may
reference APIs that require a purpose string. While your app might not
use these APIs, a purpose string is still required. You can contact
the developer of the library or SDK and request they release a version
of their code that doesn't contain the APIs. Learn more
(https://developer.apple.com/documentation/uikit/core_app/protecting_the_user_s_privacy).
ITMS-90683: Missing Purpose String in Info.plist - Your app's code
references one or more APIs that access sensitive user data. The app's
Info.plist file should contain a NSLocationWhenInUseUsageDescription
key with a user-facing purpose string explaining clearly and
completely why your app needs the data. Starting Spring 2019, all apps
submitted to the App Store that access user data are required to
include a purpose string. If you're using external libraries or SDKs,
they may reference APIs that require a purpose string. While your app
might not use these APIs, a purpose string is still required. You can
contact the developer of the library or SDK and request they release a
version of their code that doesn't contain the APIs. Learn more
(https://developer.apple.com/documentation/uikit/core_app/protecting_the_user_s_privacy).
Best regards,
The App Store Team
How can I fix the ITMS-90683 error when I am not using any of these permissions explicitly in our app such that the build version can be uploaded for review successfully?
This part of app review doesn't care if you're actually using these features. All they check is whether the app has code to do so (which yours obviously does) and comes with the required purpose strings. To solve this, you basically have two options:
figure out which pieces of code/library/whatever you have in your app that brings this baggage along, and get rid of it, or
live with the baggage and provide the required purpose strings.
Since, the Apple Push Services' certificate is already added to Apple Developer portal how can I fix the ITMS-90078 and submit the app for review?
The problem is not with the certificate, but with the app's entitlement, which you're not showing. Make sure you have the push notification entitlement enabled in your app.
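Added example (not part of the original posts): a pre-upload check that pulls the purpose-string keys out of the ITMS-90683 notices, reports which are absent or empty in Info.plist, and checks the signed entitlements for aps-environment. The sample e-mail, Info.plist and entitlements are constructed, and the function names are hypothetical.

```python
import plistlib
import re

# Matches the key named in each ITMS-90683 notice; the key may wrap onto the next line.
PURPOSE_KEY_RE = re.compile(r"should\s+contain\s+an?\s+(NS\w+UsageDescription)\s+key")

# Constructed excerpt in the wording of the App Store Connect e-mail quoted above.
SAMPLE_EMAIL = """\
ITMS-90683: Missing Purpose String in Info.plist - Your app's code
references one or more APIs that access sensitive user data. The app's
Info.plist file should contain a NSContactsUsageDescription key with a
user-facing purpose string.
ITMS-90683: Missing Purpose String in Info.plist - The app's
Info.plist file should contain a NSSpeechRecognitionUsageDescription
key with a user-facing purpose string.
ITMS-90683: Missing Purpose String in Info.plist - The app's
Info.plist file should contain a NSCameraUsageDescription key with a
user-facing purpose string.
"""

# Constructed Info.plist: one real purpose string, one blank one.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSCameraUsageDescription</key><string>Need to upload image</string>
  <key>NSSpeechRecognitionUsageDescription</key><string> </string>
</dict></plist>
"""

# Constructed entitlements of a signed build that lacks aps-environment.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>application-identifier</key><string>A1B2C3D4E5.com.example.myapp</string>
</dict></plist>
"""


def flagged_keys(email_text):
    """Purpose-string keys named in the notices, in order, without duplicates."""
    return list(dict.fromkeys(PURPOSE_KEY_RE.findall(email_text)))


def missing_purpose_strings(info_plist_bytes, required_keys):
    """Keys that are absent from Info.plist or carry a blank purpose string."""
    info = plistlib.loads(info_plist_bytes)
    missing = []
    for key in required_keys:
        value = info.get(key)
        if not isinstance(value, str) or not value.strip():
            missing.append(key)
    return missing


def has_push_entitlement(entitlements_bytes):
    """True when the signed entitlements carry a valid aps-environment value."""
    entitlements = plistlib.loads(entitlements_bytes)
    return entitlements.get("aps-environment") in ("development", "production")


if __name__ == "__main__":
    keys = flagged_keys(SAMPLE_EMAIL)
    print("flagged:", keys)
    print("missing:", missing_purpose_strings(SAMPLE_INFO_PLIST, keys))
    print("push entitlement present:", has_push_entitlement(SAMPLE_ENTITLEMENTS))
```

Each key the check reports is also a pointer to a bundled library that references the corresponding API, which is the "baggage" the answer suggests tracking down.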

iOS 7 programmatically per app VPN

I'm developing an iOS 7 app and I would like to know if the feature "Per app VPN" is activated "by hand" (like location services, where you can choose which app can and can't) or if I can set it up by code inside the app?
Looking around the web I found very little info about it, and Apple's announcement did not make it any clearer either... I was hoping to prompt the user for the VPN configuration when he first opens the app, and then, when he is "outside" the internal Wi-Fi, I would automatically activate it...
Information is still somewhat sketchy, but from what I can tell so far it's something the VPN vendors will need to support, and it will be enabled using configuration profiles, e.g. via MDM. In the profile you'll define your VPN configuration like you can do today, and additionally you'll specify which apps use which VPN configs. Apps won't need to be modified at all, nor (I assume) even be aware they're being tunneled. I don't know yet if they'll allow users to configure this on their own, without a config profile. I don't see why not, other than maybe wanting to insulate common users from "enterprisey" features.
I expect Apple will release a new version of the iPhone Configuration Utility or Apple Configurator that will allow you to set all of this up. If you have access to their developer site there's information about the XML keys in the config profile that turn it on, so you could probably craft a profile on your own without the tool, but without VPN vendor support there's not much you'll be able to do. I don't know if any of the built-in VPNs currently support it.
*Note: This is an example custom payload. It needs to be modified to match your VPN configuration and is supported by some VPN providers. This example is using a Connection Type of L2TP. The new keys for Per-App VPN are the VPNUUID and OnDemandMatchAppEnabled.
<dict>
<key>PayloadDescription</key>
<string>Configures VPN settings, including authentication.</string>
<key>PayloadDisplayName</key>
<string>VPN (VPN Configuration)</string>
<key>PayloadIdentifier</key>
<string>126b636d-38ce-4bb1-a211-5239e60bd4ab</string>
<key>PayloadOrganization</key>
<string></string>
<key>PayloadType</key>
<string>com.apple.vpn.managed.applayer</string>
<key>PayloadUUID</key>
<string>63e3f54a-e8bd-45fd-af18-5aadfed9dc9d</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>UserDefinedName</key>
<string>VPN Configuration #12345</string>
<key>VPNUUID</key>
<string>b78ee624-442d-4997-a77f-dc8245109716</string>
<key>OnDemandMatchAppEnabled</key>
<string>True</string>
<key>VPNType</key>
<string>L2TP</string>
<key>EAP</key>
<dict />
<key>IPv4</key>
<dict>
<key>OverridePrimary</key>
<integer>0</integer>
</dict>
<key>PPP</key>
<dict>
<key>CommRemoteAddress</key>
<string>ExampleServerHostname</string>
<key>CCPEnabled</key>
<integer>1</integer>
</dict>
<key>Proxies</key>
<dict />
</dict>
More information is available at: https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html

Can you share data across provisioning profiles using the keychain?

I want to share application data between two developer profiles. Is this possible to do with keychain access?
From reading the documentation it sounds like you are restricted to the identifier preceding the application id. EX: GUS8339.com.company.app would restrict you to GUS8339 profile signed applications
You're correct, but it's slightly more complicated:
The provisioning profiles must have the same bundle seed. This is set when you create the corresponding "app ID". An app can change app ID after you've submitted it to the App Store, but note non-wildcard app IDs must have unique bundle IDs (that is, if you've already set up a non-wildcard app ID for the app, you can only change it to use a wildcard app ID).
You have to give both apps access to the same "keychain access group". This is set in the app entitlements. I think Xcode has a working UI for editing these now. You can use a wildcard access group, but I don't think this is recommended.
The relevant portion of the provisioning profile looks something like this (open one in your favourite text editor):
<key>Entitlements</key>
<dict>
<key>application-identifier</key>
<string>A1B2C3D4E5.com.example.myapp</string>
<key>aps-environment</key>
<string>production</string>
<key>get-task-allow</key>
<false/>
<key>keychain-access-groups</key>
<array>
<string>A1B2C3D4E5.*</string>
</array>
</dict>
This restricts what you can put in the entitlements, but you should be able to specify something like
<key>keychain-access-groups</key>
<array>
<string>A1B2C3D4E5.com.example.myappsuite</string>
</array>
Note that you may need to specify this to the keychain API!
Keychain access groups depend on the bundle seed ID - the value "GUS8339" that is unique to your provisioning profile. So to answer more directly, no, you can't use access groups across different provisioning profiles, as the seed ID is basically the provisioning profile ID in your example.
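Added example (not part of the original posts): an offline audit of entitlements that covers both keychain threads on this page, showing which access groups an app ends up with, whether two apps share one, and whether a claimed group is covered by the profile's seed-prefixed wildcard. All identifiers, bundle IDs and function names are constructed for illustration.

```python
import plistlib
from fnmatch import fnmatchcase

# Constructed profile entitlements, shaped like the fragment quoted above.
PROFILE = plistlib.loads(b"""<plist version="1.0"><dict>
  <key>application-identifier</key><string>A1B2C3D4E5.com.example.myapp</string>
  <key>keychain-access-groups</key><array><string>A1B2C3D4E5.*</string></array>
</dict></plist>""")

SUITE = "A1B2C3D4E5.com.example.myappsuite"
# Constructed entitlements of signed apps (hypothetical bundle IDs).
APP_ONE = {"application-identifier": "A1B2C3D4E5.com.example.myapp",
           "keychain-access-groups": [SUITE]}
APP_TWO = {"application-identifier": "A1B2C3D4E5.com.example.other",
           "keychain-access-groups": [SUITE]}
APP_ISOLATED = {"application-identifier": "A1B2C3D4E5.com.example.solo",
                "keychain-access-groups": ["A1B2C3D4E5.com.example.solo"]}
# A second seed ID: its profile only covers its own prefix.
OTHER_PROFILE = {"keychain-access-groups": ["Z9Y8X7W6V5.*"]}
APP_OTHER_SEED = {"application-identifier": "Z9Y8X7W6V5.com.example.myapp",
                  "keychain-access-groups": [SUITE]}


def access_groups(entitlements):
    """Explicit keychain groups first, then the app's own identifier."""
    groups = list(entitlements.get("keychain-access-groups", []))
    app_id = entitlements.get("application-identifier")
    if app_id:
        groups.append(app_id)
    return list(dict.fromkeys(groups))


def default_group(entitlements):
    """Group that receives items saved without kSecAttrAccessGroup."""
    return access_groups(entitlements)[0]


def shared_groups(ent_a, ent_b):
    """Groups through which both apps can read each other's items."""
    other = set(access_groups(ent_b))
    return [g for g in access_groups(ent_a) if g in other]


def uncovered_claims(profile_entitlements, app_entitlements):
    """Claimed groups that no pattern in the profile's list covers."""
    allowed = profile_entitlements.get("keychain-access-groups", [])
    return [g for g in app_entitlements.get("keychain-access-groups", [])
            if not any(fnmatchcase(g, pattern) for pattern in allowed)]


if __name__ == "__main__":
    print("default group of APP_ONE:", default_group(APP_ONE))
    print("APP_ONE / APP_TWO share:", shared_groups(APP_ONE, APP_TWO))
    print("APP_ONE / APP_ISOLATED share:", shared_groups(APP_ONE, APP_ISOLATED))
    print("other seed, uncovered:", uncovered_claims(OTHER_PROFILE, APP_OTHER_SEED))
```

For apps built from one code base, the isolated case is the one to aim for: each build lists only its own identifier, or the code passes its own group as kSecAttrAccessGroup on every keychain call.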
