I realize that I'm a bit late to the game here in getting sandbox-ready, but so it goes.
I'm developing for OS X 10.9. The app displays Calendar event data, but does not allow editing, so I have enabled the Calendars capability.
The app works great with sandboxing enabled when I run it from Xcode, but when I export it signed with Developer ID, the app runs, but can't access the Calendar data. What's more, the system never asks me to allow the app to access Calendar data.
When I run the app, it launches, but doesn't show any data. In Console, sandboxd throws a bunch of errors that look like this:
sandboxd: ([54]) appleeventsd(54) deny file-read-metadata /Library
and
sandboxd: ([54]) appleeventsd(54) deny mach-lookup com.apple.ocspd
I've checked the app's entitlements with codesign -d --entitlements, and it confirms that it's Sandboxed and has calendar entitlements. However, when I check in-app to see if it has permission to access [EKEventStore authorizationStatusForEntityType:EKEntityTypeEvent], it, unsurprisingly given it has never asked, returns EKAuthorizationStatusNotDetermined.
I feel like I am missing something pretty basic here regarding entitlements, code signing, or deployment, but I'm at a loss to find out what it is. And so I throw myself on your collective mercy and wisdom.
Related
So I have an app generated with GeneXus in the Play Store and I received the following e-mail from the store:
[...] Policy issue: Google Play requires developers to provide a valid privacy policy when the app requests or handles sensitive user or device information. Your app requests sensitive permissions (e.g. camera, microphone, accounts, contacts, or phone) or user data, but does not include a valid privacy policy. [...]
So I went to the Developer Console and found this in the privacy police section (translated from portuguese):
Your app have an APK with the version code 40 thar require these permissions: android.permission.READ_PHONE_STATE. Using these permissions in an APK require a privacy police.
So my question is: What am I using in GeneXus that needs this permission? I get the NetworkId from the ClientInformation object, is it?
Yes, that is precisely the reason. The Android method that obtains the IMEI number (and that GeneXus applications call to obtain it) needs the READ_PHONE_STATE permission to execute. This is understandable, as it's considered private information.
Following Android's Best Practices for Unique Identifiers I would suggest using the ClientInformation.Id property instead. As a bonus, it doesn't persist over device wipes, which in 99% of cases is the intended behavior (unless the app is only installed in controlled devices, which doesn't seem to be the case if it's published in the Play Store).
If you decide to go this route, just remember to reset the Send Device Information on Requests property to false.
(Note: the property name has been/will be changed to Include Network Id in Client Information as of GeneXus 15 U3, since the old name was prone to confusion).
I want to request the permissions that I need for my android wear app upfront as per this. So Programmatically where exactly I should put my permission request code. Also is the protocol to ask for Permission the same as the mobile app like this.
All of the permissions are controlled in the Androidmanifest. Here is an example of some permissions being declared in the Androidmanifest:
These permissions are used to get the weather from the device and relay the information to an Android Wear device. Google offers documentation for developers to use to determine what permissions should be used. Declaring permissions should happen in the Androidmanifest in the format provided in the image. In the sample code posted, it is not necessary to include watch permissions, they are only required if the app works with Android Wear.
Way back in the day Google added a feature in Android 4.3 that let the user control what permissions apps could access on a per app basis known as App Ops. This was a great feature that cut down on privacy issues and gave users the piece of mind knowing that random apps installed could not access the device’s location. When Google introduced Android 6.0 Marshmallow, This time when an app needs to use a permission a dialog box pops up on the screen and asks the user if it is OK that the app uses a certain permission. This may get a little annoying, but at least every permission used by an app has to go through the user first.
If your app doesn't already have the permission it needs, the app must call one of the [requestPermissions()](https://developer.android.com/reference/android/support/v4/app/ActivityCompat.html#requestPermissions(android.app.Activity, java.lang.String[], int)) methods to request the appropriate permissions. Your app passes the permissions it wants, and also an integer request code that you specify to identify this permission request. This method functions asynchronously: it returns
right away, and after the user responds to the dialog box, the system calls the app's callback method with the results, passing the same request code that the app passed to requestPermissions().
You should dynamically request the permissions from user on wearable devices just the same way you do on the phone side.
We're developing a Mac App(non-sandboxed) needs to access an ssl client certificate in keychain.
when the app first launches, there is a prompt to confirm to access keychain item. with options: always allow, allow, deny. which is fine.
when user choose always allow, the next time user launches app, the app will have the right access to use that certificate. but, when our app is update.(our app update using sparkle, it just simply replace the .app file on disk, then relaunches the app) , the updated app SOMEHOW CAN NOT ACCESS THIS CERTIFICATE, and get error -25293(errSecAuthFailed) ,
console output
Dec 10 19:21:55 userMacBook-Pro.local com.apple.SecurityServer[15]: suppressing keychain prompt for invalidly signed client /Applications/My-APP.app(42277)
Dec 10 19:21:55 userMacBook-Pro.local My-APP[42277]: CFNetwork SSLHandshake failed (-25293)
Error Domain=kCFStreamErrorDomainSSL Code=-25293
then i check that private key in keychain, the app's name is still in access control panel. finally, i reboot the system, the updated app can access this certificate again(without any promote prompt to confirm to access keychain item) and everything works fine. so, how can i keep the app keep right access to certificate after update without reboot the system? but this bug is not always shown, if the system is just boot(not running for hours), the app can update serval times and keep the right to certificate.
the app is always in access control after user click "Always Allow"
PS, if i manually go to access control list and choose "Allow all applications to access this item, then the app will has the right access. but we can not let our user to do this operation"
after some google search, i found a similar issue on sequel-pro
Won't save passwords on 10.8 12A269
SO, how can i let my app update , and keep the right access ? I found this issue on serval 10.9.x , 10.10.x systems.
I realize that this is a potentially duplicate question and is related to the following issues:
Do we need to wait after an admin accepts an app marketplace scopes for his domain in order to avoid consent screen?
Consent screen appearing after Google Apps installation using oauth2 while it should not
I currently don't have the commenting privilege yet, but was asked to post here by the Google Apps reviewer currently handling my case.
In any event, after going through the installation flow for my app numerous times at various speeds, I believe there is an issue related to timing and the propagation of permissions through the Google system. If I do the installation and attempt to login really quickly I get presented with the consent pop up. If I wait a few seconds then I do not get presented with the consent pop up.
I have verified that the OAuth scopes configured for the Google Apps Marketplace SDK in the developer console match those we are using during login. I am using the JavaScript client-side library that is mentioned in the Apps Marketplace guide.
Any help would be appreciated as this issue is preventing my app from getting approved.
We are integrating our app in the new Google Marketplace.
Our marketplace config in the developer console is ok.
Our oauth2/sso flow is ok (scopes match the ones setup in the console, auth params ok)
All users, when accessing our application through the Navigation bar, don't see any consent screen. All is perfect … except the following :
when an admin user is installing our application for his domain for the first time, he is presented with the domain consent screen displaying the scopes defined in our marketplace config, which is fine, he accepts and is presented with a button "Launch app". This link hit our server and a redirection is made to google auth in order to get the email and profile of that user. The redirection happens quickly that the admin is presented with yet another consent screen displaying the exact same scopes … which is bad.
If we wait 10 - 20 seconds before clicking the 'Launch app' button and after having accepted the scopes for the domain, the redirection to google auth is done and no consent screen is presented to the admin.
Are we missing something? Some sort of pooling technique with callback? "Sleeping"?
The same happens with other apps available on Google Apps Marketplace.
I installed several apps from Marketplace (Mavenlink, Lucidchart, etc), and they showed exactly the same result. I was prompted with consent screen immediately after installing them. A bit later, and I was let in without prompting.
It seems that the information on the installed app is not immediately propagated through Google system. There is a short delay between the time the administrator installs an app to his domain, and the time that app becomes available on his domain.
Most users wouldn't mind to wait a minute after the installation. Unfortunately, a reviewer at Google is not that forgiving. If he is quick enough to start your app immediately after the installation, your app will be caught asking for consent, for which it will be rejected from Marketplace. Too bad.