This week I’m handling a DTS incident from a developer who wants to escalate privileges in their app. This is a tricky problem. Over the years I’ve explained aspects of this both here on DevForums and in numerous DTS incidents. Rather than do that again, I figured I’d collect my thoughts into one place and share them here. If you have questions or comments, please start a new thread with an appropriate tag (Service Management or XPC are the most likely candidates here) in the App & System Services > Core OS topic area. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" BSD Privilege Escalation on macOS macOS has multiple privilege models. Some of these were inherited from its ancestor platforms. For example, Mach messages has a capability-based privilege model. Others were introduced by Apple to address specific user scenarios. For example, macOS 10.14 and later have mandatory access control (MAC), as discussed in On File System Permissions. One of the most important privilege models is the one inherited from BSD. This is the classic users and groups model. Many subsystems within macOS, especially those with a BSD heritage, use this model. For example, a packet tracing tool must open a BPF device, /dev/bpf*, and that requires root privileges. Specifically, the process that calls open must have an effective user ID of 0, that is, the root user. That process is said to be running as root, and escalating BSD privileges is the act of getting code to run as root. IMPORTANT Escalating privileges does not bypass all privilege restrictions. For example, MAC applies to all processes, including those running as root. Indeed, running as root can make things harder because TCC will not display UI when a launchd daemon trips over a MAC restriction. Escalating privileges on macOS is not straightforward. There are many different ways to do this, each with its own pros and cons. The best approach depends on your specific circumstances. Note If you find operations where a root privilege restriction doesn’t make sense, feel free to file a bug requesting that it be lifted. This is not without precedent. For example, in macOS 10.2 (yes, back in 2002!) we made it possible to implement ICMP (ping) without root privileges. And in macOS 10.14 we removed the restriction on binding to low-number ports (r. 17427890). Nice! Decide on One-Shot vs Ongoing Privileges To start, decide whether you want one-shot or ongoing privileges. For one-shot privileges, the user authorises the operation, you perform it, and that’s that. For example, if you’re creating an un-installer for your product, one-shot privileges make sense because, once it’s done, your code is no longer present on the user’s system. In contrast, for ongoing privileges the user authorises the installation of a launchd daemon. This code always runs as root and thus can perform privileged operations at any time. Folks often ask for one-shot privileges but really need ongoing privileges. A classic example of this is a custom installer. In many cases installation isn’t a one-shot operation. Rather, the installer includes a software update mechanism that needs ongoing privileges. If that’s the case, there’s no point dealing with one-shot privileges at all. Just get ongoing privileges and treat your initial operation as a special case within that. Keep in mind that you can convert one-shot privileges to ongoing privileges by installing a launchd daemon. Just Because You Can, Doesn’t Mean You Should Ongoing privileges represent an obvious security risk. Your daemon can perform an operation, but how does it know whether it should perform that operation? There are two common ways to authorise operations: Authorise the user Authorise the client To authorise the user, use Authorization Services. For a specific example of this, look at the EvenBetterAuthorizationSample sample code. Note This sample hasn’t been updated in a while (sorry!) and it’s ironic that one of the things it demonstrates, opening a low-number port, no longer requires root privileges. However, the core concepts demonstrated by the sample are still valid. The packet trace example from above is a situation where authorising the user with Authorization Services makes perfect sense. By default you might want your privileged helper tool to allow any user to run a packet trace. However, your code might be running on a Mac in a managed environment, where the site admin wants to restrict this to just admin users, or just a specific group of users. A custom authorisation right gives the site admin the flexibility to configure authorisation exactly as they want. Authorising the client is a relatively new idea. It assumes that some process is using XPC to request that the daemon perform a privileged operation. In that case, the daemon can use XPC facilities to ensure that only certain processes can make such a request. Doing this securely is a challenge. For specific API advice, see this post. WARNING This authorisation is based on the code signature of the process’s main executable. If the process loads plug-ins [1], the daemon can’t tell the difference between a request coming from the main executable and a request coming from a plug-in. [1] I’m talking in-process plug-ins here. Plug-ins that run in their own process, such as those managed by ExtensionKit, aren’t a concern. Choose an Approach There are (at least) seven different ways to run with root privileges on macOS: A setuid-root executable The sudo command-line tool The authopen command-line tool AppleScript’s do shell script command, passing true to the administrator privileges parameter The osascript command-line tool to run an AppleScript The AuthorizationExecuteWithPrivileges routine, deprecated since macOS 10.7 The SMJobSubmit routine targeting the kSMDomainSystemLaunchd domain, deprecated since macOS 10.10 The SMJobBless routine, deprecated since macOS 13 An installer package (.pkg) The SMAppService class, a much-needed enhancement to the Service Management framework introduced in macOS 13 Note There’s one additional approach: The privileged file operation feature in NSWorkspace. I’ve not listed it here because it doesn’t let you run arbitrary code with root privileges. It does, however, have one critical benefit: It’s supported in sandboxed apps. See this post for a bunch of hints and tips. To choose between them: Do not use a setuid-root executable. Ever. It’s that simple! Doing that is creating a security vulnerability looking for an attacker to exploit it. If you’re working interactively on the command line, use sudo, authopen, and osascript as you see fit. IMPORTANT These are not appropriate to use as API. Specifically, while it may be possible to invoke sudo programmatically under some circumstances, by the time you’re done you’ll have code that’s way more complicated than the alternatives. If you’re building an ad hoc solution to distribute to a limited audience, and you need one-shot privileges, use either AuthorizationExecuteWithPrivileges or AppleScript. While AuthorizationExecuteWithPrivileges still works, it’s been deprecated for many years. Do not use it in a widely distributed product. The AppleScript approach works great from AppleScript, but you can also use it from a shell script, using osascript, and from native code, using NSAppleScript. See the code snippet later in this post. If you need one-shot privileges in a widely distributed product, consider using SMJobSubmit. While this is officially deprecated, it’s used by the very popular Sparkle update framework, and thus it’s unlikely to break without warning. If you only need escalated privileges to install your product, consider using an installer package. That’s by far the easiest solution to this problem. Keep in mind that an installer package can install a launchd daemon and thereby gain ongoing privileges. If you need ongoing privileges but don’t want to ship an installer package, use SMAppService. If you need to deploy to older systems, use SMJobBless. For instructions on using SMAppService, see Updating helper executables from earlier versions of macOS. For a comprehensive example of how to use SMJobBless, see the EvenBetterAuthorizationSample sample code. For the simplest possible example, see the SMJobBless sample code. That has a Python script to help you debug your setup. Unfortunately this hasn’t been updated in a while; see this thread for more. Hints and Tips I’m sure I’ll think of more of these as time goes by but, for the moment, let’s start with the big one… Do not run GUI code as root. In some cases you can make this work but it’s not supported. Moreover, it’s not safe. The GUI frameworks are huge, and thus have a huge attack surface. If you run GUI code as root, you are opening yourself up to security vulnerabilities. Appendix: Running an AppleScript from Native Code Below is an example of running a shell script with elevated privileges using NSAppleScript. WARNING This is not meant to be the final word in privilege escalation. Before using this, work through the steps above to see if it’s the right option for you. Hint It probably isn’t! let url: URL = … file URL for the script to execute … let script = NSAppleScript(source: """ on open (filePath) if class of filePath is not text then error "Expected a single file path argument." end if set shellScript to "exec " & quoted form of filePath do shell script shellScript with administrator privileges end open """)! // Create the Apple event. let event = NSAppleEventDescriptor( eventClass: AEEventClass(kCoreEventClass), eventID: AEEventID(kAEOpenDocuments), targetDescriptor: nil, returnID: AEReturnID(kAutoGenerateReturnID), transactionID: AETransactionID(kAnyTransactionID) ) // Set up the direct object parameter to be a single string holding the // path to our script. let parameters = NSAppleEventDescriptor(string: url.path) event.setDescriptor(parameters, forKeyword: AEKeyword(keyDirectObject)) // The `as NSAppleEventDescriptor?` is required due to a bug in the // nullability annotation on this method’s result (r. 38702068). var error: NSDictionary? = nil guard let result = script.executeAppleEvent(event, error: &error) as NSAppleEventDescriptor? else { let code = (error?[NSAppleScript.errorNumber] as? Int) ?? 1 let message = (error?[NSAppleScript.errorMessage] as? String) ?? "-" throw NSError(domain: "ShellScript", code: code, userInfo: nil) } let scriptResult = result.stringValue ?? "" Revision History 2025-03-24 Added info about authopen and osascript. 2024-11-15 Added info about SMJobSubmit. Made other minor editorial changes. 2024-07-29 Added a reference to the NSWorkspace privileged file operation feature. Made other minor editorial changes. 2022-06-22 First posted.

I want to create a brush similar to a fountain pen, with a three-dimensional feel to the strokes and a distinct tip. Alternatively, is it possible to achieve this by modifying the configuration parameters of a fountain pen brush?

We sell magazines through a third party app platform called Pocketmags and our website. The magazines have Print, Digital and Combo options available for purchase. Also, this third party app provides the platform to read the digital version of the magazines. Once a user buys a subscription on the website, he/she receives the email with the login information on PocketMags, where he registers his login details and can start reading his subscription. With us, the customer shares his billing/shipping address along with their email id while they make payment. Now we have our own app where through which we want to sell these magazines and have to integrate In-App purchase for selling these digital subscriptions. How do we send the 3rd party subscription access details on email to the user if they do in app purchase?

We're experiencing an issue with in-app purchases in our React Native iOS app where RNIap.getProducts() is consistently returning an empty array, preventing users from making purchases. Technical Details: Using react-native-iap library Product ID: '[REDACTED]' Platform: iOS Product Type: Consumable (one-time payment, NOT subscription) Error in logs: "No products returned from App Store. Check App Store Connect." Debugging shows: Products Fetched: [] Steps to Reproduce: Open app and navigate to the quiz feature Attempt to purchase additional quiz attempts Modal opens but fails to load product information What We've Confirmed: IAP Connection initializes successfully No error is thrown during product fetch, just an empty array returned App is configured with correct Bundle ID Using Apple Sandbox test account We are implementing consumable purchases (one-time payments) Potential Issues to Investigate: Product configuration in App Store Connect Ensure product is set as "Consumable" type in App Store Connect Sandbox tester account permissions/activation Bundle ID matching between app and App Store Connect Product ID case sensitivity or typos

I'm developing an iPad app and encountered a strange issue with external Bluetooth keyboards. Issue: I have a Bluetooth keyboard set to JIS layout in Settings > General > Keyboard > Hardware Keyboard > Keyboard Type. If I connect the keyboard before launching the app, everything works fine, and the input follows the JIS layout. However, if I launch the app first and then turn on the Bluetooth keyboard, the input behaves as if the keyboard is in ANSI layout, even though the settings still show JIS. It seems like iPadOS defaults to ANSI if no external keyboard is connected when the app starts, and later connections do not update the layout properly. Has anyone encountered a similar issue, and is there a programmatic way to ensure that the correct keyboard layout is applied after the keyboard is connected? Any help or insights would be greatly appreciated!

Hello, in the sample code found in the Apple CardSession documentation, there are commented line in the APDU respond method: case .received(let cardAPDU): do { /// Call handler to process received input and produce a response. let responseAPDU = ProcessAPDU(cardAPDU.payload) try await cardAPDU.respond(response: responseAPDU) } catch { /// Handle the error from respond(response:). If the error is /// CardSession.Error.transmissionError, then retry by calling /// CardSession.APDU.respond(response:) again. } in the catch part, it says that we should handle the error from respond and retry in case of transmission error, how can we achieve that ? How can we check the error ? Could you give a sample code for that ? best regards

i have codes looks like: import UIKit import LiveCommunicationKit @available(iOS 17.4, *) class LiveCallKit: NSObject, ConversationManagerDelegate { @available(iOS 17.4, *) func conversationManager(_ manager: ConversationManager, conversationChanged conversation: Conversation) { } @available(iOS 17.4, *) func conversationManagerDidBegin(_ manager: ConversationManager) { } @available(iOS 17.4, *) func conversationManagerDidReset(_ manager: ConversationManager) { } @available(iOS 17.4, *) func conversationManager(_ manager: ConversationManager, perform action: ConversationAction) { } @available(iOS 17.4, *) func conversationManager(_ manager: ConversationManager, timedOutPerforming action: ConversationAction) { } @available(iOS 17.4, *) func conversationManager(_ manager: ConversationManager, didActivate audioSession: AVAudioSession) { } @available(iOS 17.4, *) func conversationManager(_ manager: ConversationManager, didDeactivate audioSession: AVAudioSession) { } @objc public enum InterfaceKind : Int, Sendable, Codable, Hashable { /// 拒绝/挂断 case reject /// 接听. case answer } var sessoin: ConversationManager var callId: UUID var completionHandler: ((_ actionType: InterfaceKind,_ payload: [AnyHashable : Any]) -> Void)? var payload: [AnyHashable : Any]? @objc init(icon: UIImage!) { let data:Data = icon.pngData()!; let cfg: ConversationManager.Configuration = ConversationManager.Configuration(ringtoneName: "ring.mp3", iconTemplateImageData: data, maximumConversationGroups: 1, maximumConversationsPerConversationGroup: 1, includesConversationInRecents: false, supportsVideo: false, supportedHandleTypes: Set([Handle.Kind.generic])) self.sessoin = ConversationManager(configuration: cfg) self.callId = UUID() super.init() self.sessoin.delegate = self } @objc func toIncoming(_ payload: [AnyHashable : Any], displayName: String,actBlock: @escaping(_ actionType: InterfaceKind,_ payload: [AnyHashable : Any])->Void) async { self.completionHandler = actBlock do { self.payload = payload self.callId = UUID() var update = Conversation.Update(members: [Handle(type: .generic, value: displayName, displayName: displayName)]) let actNumber = Handle(type: .generic, value: displayName, displayName: displayName) update.activeRemoteMembers = Set([actNumber]) update.localMember = Handle(type: .generic, value: displayName, displayName: displayName); update.capabilities = [ .playingTones ]; try await self.sessoin.reportNewIncomingConversation(uuid: self.callId, update: update) try await Task.sleep(nanoseconds: 2000000000); } catch { } } } i want to listen the button event,but i can't find the solutions!please give me a code demo

I am using the public url https://api.storekit-sandbox.itunes.apple.com/inApps/v1/notifications/jwsPublicKeys to get the jwks keys to verify the signed payload for store kit payments. I am checking Apple server notifications. const APPLE_JWKS_URL = "https://api.storekit-sandbox.itunes.apple.com/inApps/v1/notifications/jwsPublicKeys" // Apple JWK set (cached by jose) const appleJWKS = createRemoteJWKSet(new URL(APPLE_JWKS_URL)); const jwks = await appleJWKS(); logger.debug("Apple JWKS Keys: %O", jwks); // Log the keys if (!signedPayload) { // return res.status(400).json({ error: "Missing signedPayload" }); } // Step 1: Verify JWS (signature + payload) using Apple's JWKS const { payload, protectedHeader } = await jwtVerify( signedPayload, appleJWKS, { algorithms: ["ES256"], // Apple uses ES256 for signing } );

I am developing an iOS app that uses CLLocationManager to collect location continuously in both foreground and background. But it has the following 4 issues and I don’t understand why: After a while of not using the app, I can not get location updates regularly. Even after that, I go into the app more often or even turn OFF and turn ON the permission again, but the problem still doesn’t improve until I reinstall the app. Previously, I used SilentLog SDK to collect location. Since the cost was quite high, we developed our own SDK that also handles location tracking. After updating the app from the old version using SilentLog SDK to the new version using my own SDK, I can not get location updates regularly. However, when I reinstalled the app, it worked perfectly. It seems that apps downloaded from TestFlight can get location more continuously than apps downloaded from the App Store We sometimes encounter this error in the logs: Error Domain=kCLErrorDomain Code=0 “(null)” I think my app was not terminated in the background because I still collect location but it is not as frequent. I want to know if Apple has any mechanism to prevent such apps from getting location data continuously? I use CLLocationManager with the following configuration: self.locationManager.distanceFilter = 20 self.locationManager.desiredAccuracy = kCLLocationAccuracyBest self.locationManager.allowsBackgroundLocationUpdates = true self.locationManager.showsBackgroundLocationIndicator = false self.locationManager.pausesLocationUpdatesAutomatically = false I also filter the location updates using: guard let location = locations.last else { return } guard location.horizontalAccuracy <= 100 else { return } guard location.speedAccuracy >= 0 else { return } I use a background task to wake up the device every 15 minutes, and I also use silent push notifications in a similar manner. Each time the task is executed, I usually call stopLocation and then startLocation again. This happens quite frequently — will it have any impact or cause any issues?

Guys has anyone here used the PlayVideoIntent protocol while implementing app intents? If yes can you please walk me though what purpose it solves and what features and functionality I can unlock with it? Link to apple's documentation -> https://developer.apple.com/documentation/appintents/playvideointent

We are integrating the Microsoft Web Chat Control inside a WKWebView in our iOS application. The microphone button (used for speech input) works as expected when the app is active. However, we are facing an issue when the app is sent to the background and then brought back to the foreground. Issue Details: When the app returns from background to foreground: 🔹 The mic button becomes unresponsive (taps are not recognized). 🔹 No permission prompt or speech functionality is triggered. 🔹 Other elements of the Web Chat control continue to work fine. This issue seems isolated to iOS and WKWebView usage. We have verified that microphone permissions are granted and there are no system-level blocks. Environment: Platform: iOS Web Container: WKWebView Microsoft Web Chat Version: Devanshu Kinariwala add version here iOS Version: iOS 18.3.1 Devices: iPhone 13, iPhone 14 Pro error in browser console [Error] A MediaStreamTrack ended due to a capture failure (x3) [Error] WebSocket connection to 'wss://directline.botframework.com/v3/directline/conversations/JQ1k0phVogeJ30ZQddBvAQ-in/stream?watermark=-&t=eyJhbGciOiJSUzI1NiIsImtpZCI6ImlmOEs0aFg4R1hXVnZkS3pwdFRFWFJveURTUSIsIng1dCI6ImlmOEs0aFg4R1hXVnZkS3pwdFRFWFJveURTUSIsInR5cCI6IkpXVCJ9.eyJib3QiOiJhaWFhcy1xYS1jb252YWktYm90Iiwic2l0ZSI6InRWcW14cDBQZU9vIiwiY29udiI6IkpRMWswcGhWb2dlSjMwWlFkZEJ2QVEtaW4iLCJuYmYiOjE3NDI5NzE1MTgsImV4cCI6MTc0Mjk3MTU3OCwiaXNzIjoiaHR0cHM6Ly9kaXJlY3RsaW5lLmJvdGZyYW1ld29yay5jb20vIiwiYXVkIjoiaHR0cHM6Ly9kaXJlY3RsaW5lLmJvdGZyYW1ld29yay5jb20vIn0.Mx3MMVP3t9Ex36UW-YARskZLny0iORxc6-B0ewvNp0S-ivUjvOS43kZc0J5HoOgYRkoGaKemo00_JSkzryAbKKoSwqMjahf0VotqTZsJjoIgtyNJFfAYyGVriBHMV_6FfH_YEezDMD5puY6R89eM-atQOw-CfoClwrxn8jgVL5Kn19WdDZvmQwFIArklA7as8bboKcWv4PveEKptM9xCokttaGzv-S5pdbNETMoJzIhLcJDHmEVJ6oJ0TFs5XS7RGMSQlM_gs95TySzVjVL7XV6qEOt_A10lRzmx0PxPIUw_nqllEIbWFy5H7AfsxbKRtM1nLe4lRm1KS7_xw9dSlw' failed: The operation couldn’t be completed. Software caused connection abort [Error] WebSocket connection to 'wss://eastus2.stt.speech.microsoft.com/speech/recognition/conversation/cognitiveservices/v1?language=en-US&format=detailed&Ocp-Apim-Subscription-Key=4JuKqIMwLMhgAxfORVDEYfiuTL6Hrbnj3isAeGfs7aks4AOltun6JQQJ99AKACHYHv6XJ3w3AAAYACOGJFYj&X-ConnectionId=A93B097C62F14C55B30A851798609F73' failed: The operation couldn’t be completed. Software caused connection abort [Error] WebSocket connection to 'wss://eastus2.stt.speech.microsoft.com/speech/recognition/conversation/cognitiveservices/v1?language=en-US&format=detailed&Ocp-Apim-Subscription-Key=4JuKqIMwLMhgAxfORVDEYfiuTL6Hrbnj3isAeGfs7aks4AOltun6JQQJ99AKACHYHv6XJ3w3AAAYACOGJFYj&X-ConnectionId=E99DF3A6CE734E0294A5FB5296D725CC' failed: The operation couldn’t be completed. Software caused connection abort [Error] WebSocket connection to 'wss://eastus2.stt.speech.microsoft.com/speech/recognition/conversation/cognitiveservices/v1?language=en-US&format=detailed&Ocp-Apim-Subscription-Key=4JuKqIMwLMhgAxfORVDEYfiuTL6Hrbnj3isAeGfs7aks4AOltun6JQQJ99AKACHYHv6XJ3w3AAAYACOGJFYj&X-ConnectionId=8B3370005E7A4946BEA174E804F64FF7' failed: The operation couldn’t be completed. Software caused connection abort Swift: // Method to check microphone permission func checkMicrophonePermission(completion: @escaping (Bool) -> Void) { let authorizationStatus = AVCaptureDevice.authorizationStatus(for: .audio) switch authorizationStatus { case .authorized: // Permission granted completion(true) case .notDetermined: // Request permission AVCaptureDevice.requestAccess(for: .audio) { granted in DispatchQueue.main.async { completion(granted) } } case .denied, .restricted: // Permission denied or restricted completion(false) @unknown default: // Handle future cases completion(false) } }

I'm working on a watchOS app that has an iOS counterpart. There will be a subscription required to unlock functionality and I would like the user to be able to make the purchase on either the iPhone or the watch and have both apps unlock. The first link below says that StoreKit 2's Transaction.currentEntitlements will not work in this case like it does with extensions. The second link says it might work but doesn't in the sandbox. What is the best way to make this work? Will it just work in the App Store? Should I use WCSession to send the purchase information from one platform to the other and store it in the keychain? Something else? Via https://www.revenuecat.com/blog/engineering/ios-in-app-subscription-tutorial-with-storekit-2-and-swift/ "Transaction.currentEntitlements can be used in extensions the same way it was used in the previous steps. This works for extensions like Widgets and Intents. However, an iOS app with a companion watchOS app will not work even though Transaction.currentEntitlements can be executed in it. A companion watch app does not stay updated with the same transaction history as its iOS app because they are separate platforms." Via https://developer.apple.com/forums/thread/739963 "In TestFlight I was able to confirm that the Watch app and IOS app share in-app purchases. It seems the problems confirming this with Storekit and Sandbox are limits of the testing environments."

Looking for assistance in managing subscription upgrades for TestFlight users. I have a few monthly subscriptions, 30days, each with a different set of available features, 1 with all, and 1 with fewer. (All are in proper order and grouped in App Store connection subscriptions) subscribing seems to be working fine, and purchasing an upgrade is going ok. what is not: reflecting the upgraded plan in app (currently reflects it will start in 30days when current subscription expires) I’m lead to believe this will be resolved with a live app in App Store, that will then handle prorating, terminate the old plan and immediately start the new one. looking for help getting TestFlight to show immediate upgrades.

In my understanding, with the latest court ruling in the US, iOS apps may decide to support web-based payments for subscriptions and in-app purchases. However, are we allowed to exclusively support web-based payments and not implement StoreKit at all?

How can I get the region region currently used in the macOS App Store? Preferably via Swift libraries, but any command / function will suffice. The following StoreKit property seems to always return the region for the Apple Account associated with my macOS user. await Storefront.current?.countryCode See the Apple docs. My macOS Apple Account region is US; in the App Store, when I sign into a different Apple Account whose region is GB (UK), Storefront.current?.countryCode continues to return US, not GB (or UK). I correctly see prices in pounds instead of in dollars, British spelling instead of American spelling, apps listed in my purchased tab for the UK (not the US) Apple Account, and, in the Account Settings dialog, the UK Apple Account email address, billing address & Country/Region set to United Kingdom. I didn't get any relevant results from the following command lines: defaults find GB defaults find UK defaults find uk-apple-id@example.com defaults find uk-apple-id The following didn't change after I signed into the UK Apple Account in the App Store: $ defaults read com.apple.AppStoreComponents { ASCLocaleID = "en-US@calendar=gregorian"; } Maybe Storefront.current?.countryCode only specifies the country code for the Storefront that will be used for in-app purchases, instead of for purchasing new apps from the App Store; maybe the former is tied to the Apple Account for the macOS user, instead of to the Apple Account for the App Store. If that's the case, what other mechanism can I use to obtain the country code for the App Store storefront?

We are currently integrating In-App Purchases for our app and have configured App Store Server Notifications (v2) in the Sandbox environment. During testing, we observed the following issue: When a transaction is cancelled, declined, or pending (e.g., Ask to Buy flows or authorization pending), No App Store Server Notification is sent to our webhook endpoint. We only receive webhook events where the status is "purchased". This becomes a critical problem for us because our backend must accurately track transaction states including failed and pending purchases, especially for wallet top-up use cases. Additionally, we tried mocking failed transactions (via Xcode local environment and turning off In-App Purchases from Developer Settings) to simulate a technical failure scenario. Even in these cases, no webhook notification was received when the purchase failed server-side. Is it expected behavior in Sandbox that only successful transactions ("purchased") trigger webhooks? Are failed or pending transactions suppressed in Sandbox intentionally? Will webhook behavior be different in Production (i.e., will we receive webhook notifications for failures there)? Is there any extra configuration or entitlement needed to fully test failure scenarios via webhooks in Sandbox?

Is there any way to obtain the ControlWidget installed by user, I use WidgetCenter.shared.getCurrentConfigurations cannot work

In a document based SwiftData app for macOS, how do you go about opening a (modal) child window connected to the ModelContainer of the currently open document? Using .sheet() does not really result in a good UX, as the appearing view lacks the standard window toolbar. Using a separate WindowGroup with an argument would achieve the desired UX. However, as WindowGroup arguments need to be Hashable and Codable, there is no way to pass a ModelContainer or a ModelContext there: WindowGroup(id: "myWindowGroup", for: MyWindowGroupArguments.self) { $args in ViewThatOpensInAWindow(args: args) } Is there any other way?

I would like to explore developing apps to integrate with Matter, but it seems that there are limited code examples available. To start with I would like to create a MacOs or iOS application to control a Matter device like a light bulb. I would as an example just like to know how to turn the light on or off. Where should I start?

When I test subscibe in sandbox，IOS says this transaction need to request parent’s approval。But this is a sandbox account，it don't have any family members