Sandboxed TouchID / DeviceOwnerAuthentication CanEvaluatePolicy is always false

David Lilley, USMember
edited March 17 in Xamarin.Mac

In short, I am trying to get TouchID to work in a sandboxed app.

I am asking for permission like the following:

using Foundation;
using LocalAuthentication;

// Returns true when the selected policy can be evaluated; aError carries the
// reason (domain, code, description) when it cannot.
bool CanEvaluate()
{
    using (LAContext aContext = new LAContext())
    {
        NSError aError = null;
        bool fCanEvaluate = aContext.CanEvaluatePolicy(
            _GetPolicyType(),
            out aError);

        return fCanEvaluate;
    }
}

Where _GetPolicyType() returns either LAPolicy.DeviceOwnerAuthentication (system password prompt) or LAPolicy.DeviceOwnerAuthenticationWithBiometrics (TouchID prompt).

In a non-sandboxed build it returns true, and in a sandboxed environment it returns false :(

The NSError is the following:

  • Error 4099
  • Description: Couldn't communicate with a helper application.
  • RecoverySuggestion: Try your operation again. If that fails, quit and relaunch the application and try again.
  • The connection to service named com.apple.CoreAuthentication.agent was invalidated.

I seem to be at a loss as to what I am missing. Any ideas?

Best Answer

  • Chris Hamons, Xamarin Team
    Accepted Answer

    That took some detective work, but I now know what's going on:

    Add this to your additional mmp args:

    --link_flags="-framework LocalAuthentication"

    And things should just work.

    For anyone interested in the details:

    • I spent a while messing with code signing / entitlements and the like, comparing the Objective-C to C# to no avail.
    • As with most security-related Apple things, the Console output was completely worthless.
    • Google searching finally turned up https://itechroof.wordpress.com/2015/11/13/touch-authentication/
    • Which had this (dated) line: Touch ID is based on the framework called LocalAuthentication. The LocalAuthentication framework has to be added to your project in order for Touch ID to work. Let's add the framework first.
    • I then verified the assertion: https://gist.github.com/chamons/42b78e0a0368be7ee700d8a3c42e282f
    • A quick test gave me the happy: "CanEvaluatePolicy:True"

    I will file a bug shortly (as mmp should be doing this for you).
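As an added example (not code from this thread, and not Xamarin's own code), the check below runs the same CanEvaluatePolicy call the question describes, but also records whether the process is sandboxed and turns the NSError into an actionable diagnosis, so a failing build reports the 4099 "connection invalidated" case the original poster hit rather than a bare false. It assumes the LocalAuthentication framework is linked (the accepted answer's --link_flags="-framework LocalAuthentication" mmp argument) and that macOS sets the APP_SANDBOX_CONTAINER_ID environment variable only inside an App Sandbox container; the class and member names (AuthProbe, ProbeResult, Describe) are my own.

```csharp
using System;
using Foundation;
using LocalAuthentication;

// Added example (not from the thread): probe Local Authentication availability
// inside a Xamarin.Mac app and surface the details needed to diagnose a failure.
// The type and member names here are hypothetical.
public sealed class ProbeResult
{
    public bool Sandboxed { get; set; }     // running inside an App Sandbox container?
    public LAPolicy Policy { get; set; }    // the policy found evaluable, if any
    public bool CanEvaluate { get; set; }   // result of LAContext.CanEvaluatePolicy
    public string Diagnosis { get; set; }   // explanation of the outcome
}

public static class AuthProbe
{
    // Assumption: macOS injects APP_SANDBOX_CONTAINER_ID into the environment of a
    // sandboxed process. The thread's author checks sandboxing "in code" without
    // saying how; this is one common way to do it.
    public static bool IsSandboxed()
    {
        var env = NSProcessInfo.ProcessInfo.Environment;
        return env != null && env.ContainsKey(new NSString("APP_SANDBOX_CONTAINER_ID"));
    }

    // Try biometrics first, then fall back to the system password policy: the two
    // policies the question's _GetPolicyType() switches between.
    public static ProbeResult Run()
    {
        var result = new ProbeResult { Sandboxed = IsSandboxed() };
        var policies = new[] {
            LAPolicy.DeviceOwnerAuthenticationWithBiometrics,
            LAPolicy.DeviceOwnerAuthentication
        };

        NSError lastError = null;
        foreach (var policy in policies)
        {
            using (var context = new LAContext())
            {
                if (context.CanEvaluatePolicy(policy, out lastError))
                {
                    result.Policy = policy;
                    result.CanEvaluate = true;
                    result.Diagnosis = "ok";
                    return result;
                }
            }
        }

        result.CanEvaluate = false;
        result.Diagnosis = Describe(lastError, result.Sandboxed);
        return result;
    }

    // Turn the NSError into something actionable. Code 4099 in NSCocoaErrorDomain is the
    // XPC "connection invalidated" error quoted in the thread: the process could not reach
    // com.apple.CoreAuthentication.agent. In the thread the cause was the LocalAuthentication
    // framework not being linked, and Console showed a kernel SandboxViolation
    // "deny mach-lookup" line alongside it.
    public static string Describe(NSError error, bool sandboxed)
    {
        if (error == null)
            return "policy not evaluable, no NSError supplied";

        string baseMsg = $"{error.Domain} code {error.Code}: {error.LocalizedDescription}";

        if (error.Domain == "NSCocoaErrorDomain" && error.Code == 4099)
        {
            return baseMsg + (sandboxed
                ? " (XPC connection to the authentication agent invalidated while sandboxed;" +
                  " check that LocalAuthentication is linked and look for SandboxViolation" +
                  " mach-lookup denials in Console.app)"
                : " (XPC connection invalidated outside the sandbox; relaunch and retry)");
        }

        return baseMsg;
    }
}
```

Call AuthProbe.Run() from the button handler and log Sandboxed, CanEvaluate and Diagnosis together. With the framework left unlinked, the sandboxed build reports the 4099 line the question quotes; once the mmp argument from the accepted answer is in place, Policy holds the first evaluable policy and Diagnosis reads "ok".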

Answers

  • David Lilley, USMember

    Just built an Objective-C Xcode version to test this, and it works. Has anyone got TouchID in a sandboxed environment to work?

  • Chris Hamons, Xamarin Team

    Have you checked the console (Console.app, not stdout) output?

    Could you post your C# / Obj-C sample?

  • David Lilley, USMember
    edited March 20

    Obviously something is wrong ... but what... [LAClient evaluatePolicy:options:uiDelegate:reply:]_block_invoke -> (null) ??

    Xamarin

    default 15:16:35.904370 +0100 App4X LAContext: -[LAContext initWithExternalizedContext:] 0 on
    default 15:16:35.904571 +0100 App4X LAUtils: runningInSystemContext = 0
    error 15:16:35.906310 +0100 App4X initWithExistingContext -> (null), Error Domain=NSCocoaErrorDomain Code=4099 "The connection to service named com.apple.CoreAuthentication.agent was invalidated." UserInfo={NSDebugDescription=The connection to service named com.apple.CoreAuthentication.agent was invalidated.}
    default 15:16:35.906983 +0100 App4X LAContext: __37-[LAContext canEvaluatePolicy:error:]_block_invoke 2 on
    default 15:16:35.907160 +0100 App4X LAClient: -[LAClient evaluatePolicy:options:uiDelegate:reply:] 2, {
    1000 = 1;
    }, (null) on
    default 15:16:35.907326 +0100 App4X LAClient: __52-[LAClient evaluatePolicy:options:uiDelegate:reply:]_block_invoke -> (null), Error Domain=NSCocoaErrorDomain Code=4099 "The connection to service named com.apple.CoreAuthentication.agent was invalidated." UserInfo={NSDebugDescription=The connection to service named com.apple.CoreAuthentication.agent was invalidated.} on
    default 15:16:35.907444 +0100 App4X LAContext: __37-[LAContext canEvaluatePolicy:error:]_block_invoke -> Error Domain=NSCocoaErrorDomain Code=4099 "The connection to service named com.apple.CoreAuthentication.agent was invalidated." UserInfo={NSDebugDescription=The connection to service named com.apple.CoreAuthentication.agent was invalidated.} on
    default 15:16:35.909271 +0100 App4X LAContext: -[LAContext dealloc] on
    default 15:16:35.178891 +0100 kernel SandboxViolation: App4X(3990) deny(1) mach-lookup com.apple.CoreAuthentication.agent

    Xcode

    default 15:19:32.996395 +0100 App4X Button pressed!
    default 15:19:32.996503 +0100 App4X SandBoxed true
    default 15:19:32.996576 +0100 App4X LAContext: -[LAContext initWithExternalizedContext:] 0 on
    default 15:19:32.996624 +0100 App4X LAUtils: runningInSystemContext = 0
    default 15:19:32.997894 +0100 coreauthd Daemon: -[Daemon connectToExistingContext:callback:processId:userId:auditSessionId:cApiOrigin:checkEntitlementBlock:invalidationBlock:connectionHash:reply:] 0, 100006, 501 on
    default 15:19:32.998243 +0100 App4X LAContext: __37-[LAContext canEvaluatePolicy:error:]_block_invoke 2 on
    default 15:19:32.998307 +0100 App4X LAClient: -[LAClient evaluatePolicy:options:uiDelegate:reply:] 2, {
    1000 = 1;
    }, (null) on
    default 15:19:32.998620 +0100 coreauthd ContextProxy: __67-[ContextProxy evaluatePolicy:options:uiDelegate:originator:reply:]_block_invoke 2, {
    1000 = 1;
    }, (null),

    Attached my sample code.

  • Chris Hamons, Xamarin Team

    Normally stuff like this:

    The connection to service named com.apple.CoreAuthentication.agent was invalidated

    means macOS expected the thing you are talking to to be sandboxed and it wasn't. The documentation on which features/APIs require sandboxing is almost non-existent.

    Your Objective-C sample IS sandboxed. Your C# one is not.

    Open up Entitlements.plist in your C# version, check Enable App Sandbox and see if that works better.

  • David Lilley, USMember

    Unfortunately it's not the case; I wish it was that simple.
    No, they are both sandboxed; in fact, in code I check that both are sandboxed.

    Debug output from C#:
    Button Pressed
    SandBoxed:True
    CanEvaluatePolicy:False

  • David Lilley, USMember

    If you remove the sandboxing then you see:
    Button Pressed
    SandBoxed:False
    CanEvaluatePolicy:True

  • Chris Hamons, Xamarin Team

    Looks like there is a bug in XS 6.4 with entitlements not showing up in the IDE correctly.

    Let me file that and take a look at this again...

  • Chris Hamons, Xamarin Team

    6.3, not 6.4, but the bug is here: https://bugzilla.xamarin.com/show_bug.cgi?id=53467

  • David Lilley, USMember
    edited March 20

    @ChrisHamons, I am presuming that LAContext.CanEvaluatePolicy always being false in a sandboxed environment is a bug; has this already been filed, as I cannot find it? Do you want me to file it?

  • Chris Hamons, Xamarin Team

    That is a good question. Here's my thoughts:

    • If CanEvaluatePolicy was really one value, but our bindings returned another, that would completely be a bug. However, as it's a simple Obj-C API auto-generated by our tooling, I would be rather shocked if our bindings were returning the wrong value.
    • I did say I was going to dig into this on Friday, but that has obviously not happened. Apologies, I was buried by multiple release blocking critical issues to sort out.
    • I will look tomorrow, but I'm thinking this is likely a "it's not doing what we expect" issue and not a bug. Our tooling has a very thin layer over most of this code.

  • David Lilley, USMember

    @ChrisHamons thanks, seems to work perfectly!
