App access to saved passwords
iOS, iPadOS, macOS, and visionOS apps can request the Password AutoFill keychain’s help with signing a user in using ASAuthorizationPasswordProvider and SecAddSharedWebCredential. The password provider and its request can be used in conjunction with Sign in with Apple, so that the same API is called to help users sign into an app, regardless of whether the user’s account is password based or was created using Sign in with Apple.
Apps can access saved passwords only if the app developer and website administrator have given their approval and the user has given consent. App developers express their intent to access Safari saved passwords by including an entitlement in their app. The entitlement lists the fully qualified domain names of associated websites, and the websites must place a file on their server listing the unique app identifiers of apps approved by Apple.
When an app with the com.apple.developer.associated-domains entitlement is installed, iOS, iPadOS, and visionOS make a TLS request to each listed website, requesting one of the following files:
apple-app-site-association
.well-known/apple-app-site-association
If the file lists the app identifier of the app being installed, then iOS, iPadOS, or visionOS mark the website and app as having a trusted relationship. Only with a trusted relationship will calls to these two APIs result in a prompt to the user, who must agree before any passwords are released to the app, updated, or deleted.
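The two-sided check described above (the app claims the domain in its entitlement, and the domain's apple-app-site-association file lists the app) can be modelled offline. The following is an added example, not Apple's code or any part of the operating system: it parses a constructed AASA document, normalizes the entitlement's webcredentials entries, and decides whether a given app identifier and domain form a trusted relationship. The team ID, bundle identifiers and domains are constructed placeholders, and the dictionary passed as aasa_by_domain stands in for the TLS fetch the OS performs at install time.

```python
import json

# Paths the OS tries on each listed domain (from the text above).
AASA_PATHS = ("/apple-app-site-association", "/.well-known/apple-app-site-association")

# Constructed sample of an apple-app-site-association file as a website
# administrator would serve it. App IDs take the form "TEAMID.bundle.id".
SAMPLE_AASA = json.dumps({
    "webcredentials": {
        "apps": ["ABCDE12345.com.example.app", "ABCDE12345.com.example.app.beta"]
    }
})

# Constructed sample of the values an app carries under the
# com.apple.developer.associated-domains entitlement. Only the
# "webcredentials:" service matters for Password AutoFill.
SAMPLE_ENTITLEMENT = [
    "webcredentials:example.com",
    "webcredentials:Login.Example.com",
    "applinks:example.com",
]


def candidate_urls(domain):
    """URLs the OS would request over TLS for one entitlement domain."""
    return ["https://" + domain + path for path in AASA_PATHS]


def webcredential_domains(entitlement):
    """Return the lower-cased domains the app claims for Password AutoFill."""
    domains = set()
    for entry in entitlement:
        service, sep, domain = entry.partition(":")
        if sep and service == "webcredentials" and domain.strip():
            domains.add(domain.strip().lower())
    return domains


def approved_app_ids(aasa_text):
    """Parse an AASA document and return the app IDs it approves for web credentials.

    Malformed input raises ValueError so a pre-deployment check fails loudly
    instead of silently approving nothing.
    """
    try:
        doc = json.loads(aasa_text)
    except json.JSONDecodeError as exc:
        raise ValueError("AASA is not valid JSON: %s" % exc) from exc
    if not isinstance(doc, dict):
        raise ValueError("AASA top level must be a JSON object")
    apps = doc.get("webcredentials", {}).get("apps")
    if not isinstance(apps, list) or not all(isinstance(a, str) for a in apps):
        raise ValueError("AASA has no webcredentials.apps list of strings")
    return set(apps)


def trusted_relationship(app_id, domain, entitlement, aasa_by_domain):
    """True only if both sides agree: the app's entitlement names the domain
    AND the domain's AASA file lists the app identifier. A missing or
    malformed AASA file yields no trust, matching the fail-closed behaviour
    the text describes (no prompt, no password release)."""
    domain = domain.lower()
    if domain not in webcredential_domains(entitlement):
        return False
    aasa_text = aasa_by_domain.get(domain)
    if aasa_text is None:
        return False
    try:
        return app_id in approved_app_ids(aasa_text)
    except ValueError:
        return False


if __name__ == "__main__":
    served = {"example.com": SAMPLE_AASA}
    for app in ("ABCDE12345.com.example.app", "ZZZZZ99999.com.other.app"):
        print(app, "->", trusted_relationship(app, "example.com", SAMPLE_ENTITLEMENT, served))
```

The check is deliberately fail-closed: an app that lists a domain it does not control, a domain whose file omits the app, or a file that does not parse all produce no trusted relationship, which is the property that stops an unrelated app from ever being offered another site's saved passwords.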