PLATFORM AND VERSION iOS Development environment: Xcode 16.0, macOS 15.0.1 Run-time configuration: iOS 17.5.1 DESCRIPTION OF PROBLEM We are working on an iOS application that utilizes the NEFilterDataProvider class from the Network Extension framework to control network flows. However, we are encountering an issue where network flows are not being detected as expected. Here are the details of our setup: We are using the NEFilterDataProvider class to filter network traffic in our app. The filtering setup works well for certain flows/apps, but we cannot detect Facebook network flows as intended. The app is correctly configured with the necessary entitlements, and we have set up the required App Groups and Network Extension capabilities. We would like to request guidance on how to troubleshoot or resolve this issue. Could you provide insights on: Whether there are any known limitations or conditions under which network flows may not be detected by NEFilterDataProvider. Recommendations for additional debugging techniques to better understand why some flows might not be captured. Recommendations for additional code to be added to detect some flows that might not be captured. Any specific scenarios or configurations that might be causing this issue in iOS. STEPS TO CHECK Replace below code in FilterDataProvider. Try running the app and set debugger in FilterDataProvider. Launch Facebook app. You will observe that no NEFilterFlow is detected in handleNewFlow for actions such as posts, reels, etc. import NetworkExtension class FilterDataProvider: NEFilterDataProvider { let blockedDomains = [ "facebook.com" ] override func startFilter(completionHandler: @escaping (Error?) -> Void) { // Perform any necessary setup here. DNSLogger.shared.log(message: "Filter started") completionHandler(nil) } override func stopFilter(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) { // Perform any necessary cleanup here. DNSLogger.shared.log(message: "Filter stopped with reason: \(reason)") completionHandler() } override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict { var url: URL? if let urlFlow = flow as? NEFilterBrowserFlow { url = urlFlow.url } else { let urlFlow = flow as? NEFilterSocketFlow url = urlFlow?.url } guard let hostName = url?.host else { return .allow() } DNSLogger.shared.log(message: "Domain reveived: \(hostName)") return .allow() } // Handle inbound data (data received from the network) override func handleInboundData(from flow: NEFilterFlow, readBytesStartOffset offset: Int, readBytes: Data) -> NEFilterDataVerdict { DNSLogger.shared.log(message: "Inbound data: \(readBytes)") return .needRules() } // Handle outbound data (data sent to the network) override func handleOutboundData(from flow: NEFilterFlow, readBytesStartOffset offset: Int, readBytes: Data) -> NEFilterDataVerdict { // Inspect or modify outbound data if needed // For example, you could log the data or modify it before sending DNSLogger.shared.log(message: "Outbound data: \(readBytes)") return .needRules() } override func handleRemediation(for flow: NEFilterFlow) -> NEFilterRemediationVerdict { return .needRules() } override func handleRulesChanged() { // Handle any changes to the rules } }

I'm looking to develop an iOS application that functions as a remote for Apple TV, including discovering Apple TV devices over Wi-Fi. If anyone has experience building similar applications, could you share insights on available frameworks or protocols to discover Apple TVs? Additionally, if there are reference apps on the App Store that work like Apple's default remote app, I would greatly appreciate recommendations. Any guidance from developers who have worked on similar projects would be very helpful!

Hi, I'm troubleshooting an iOS network connectivity issue when my app is running 'in' a per-app VPN and would like some clarification about the ordering of some of the logging generated after installing various debugging profiles on the device (VPN (Network Extension), Network Diagnostics, mDNSResponder). Context The connectivity issue is between two vendors my app is involved with. One supplies an app proxy provider extension to provide per-app VPN capability for my app. The other vendor provides an SDK framework that's attempting to make network connections which normally work when the VPN is not involved. We have confirmed with the VPN vendor that it is not a configuration (whitelisting, etc) type issue. I am trying to understand from the logs what component caused/initiated the network connection termination. Was it the kernel, was it the App Proxy Provider Network Extension code or was it the app (SDK framework) code ? Log entries I've attached a short log file and number the lines for reference, and have redacted a few commercially sensitive parts. NetworkLogExcerpt.txt Questions Can this log help determine who caused the network connection failure, and if not, is there any more instrumentation I could enable that might help? Do the log entries (and their timestamps) reflect the actual order/timing of events reported on, or is there some jumbling occurring due to my app, the kernel and iOSAppProxyProvider running in different processes/threads? After the app initiates the network connection (line 1), it appears that the kernel flow diversion code in netinet/flow_divert.c establishes the flow and closes it (lines 2 - 6) before iOSAppProxyProvider even starts to establish the flow (lines 7 - 10). Then the app somehow seems to detects a network error (line 8), before the iOSAppProxyProvider has even matched the VPN extension (line 12) to it and then finally the iOSAppProxyProvider closes the flow (lines 13-17). I'd have expected an interleaving of kernel and iOSAppProxyProvider log entries, with the app's own logging just occurring at the start and end, bracketing the whole interaction... I am new to this area of iOS, so apologies if I am missing some important foundational concepts about how these components all work together. Thanks in advance, Rob

We have network system extension which is fundamental part of our application and needs to be installed before the application can run. In many cases we need the installation to be automated, i.e. without logged-in user (with the help of MDM solution like JAMF). Is there a way to activate the extension fully automated without logged-in users? I tried to call 'open -W -a /Application/' from the package's post install script. But seems launch fails if no user is logged in.

I have the following snippet of code for receiving incoming data on a NWConnection: self.Connection.receive(minimumIncompleteLength: 1, maximumLength: self.MAX_INTAKE) { (data, context, isComplete, error) in if let err = error { // receive <error> returned non-nil self.Connection.cancel() return // exit completion handler } ... } This generally works and rarely receives an error. But seemingly at random, will return 89. When this happens I've been sending a .cancel before returning from the completion handler. It will work great for tens of thousands of connections, then suddenly return 89 error codes. My question is: Should I be canceling the connection here or simply let NWFramwwork do as it will? Canceling the connection seems to throw my NGINX reverse proxy into fits, from which it never recovers without a restart. In short what is the best practice for handling errors when receiving bytes in NWFramework?

I am developing an App using the Networking framework, which can be either a Socket Server or a Socket Client, such that 2 devices can communicate remotely. I would like to include the Client's userUID when creating a NWConnection, such that when the SocketServer accepts the connection, it knows immediately which user is connected. (Currently I achieve this by sending the UserUID in Welcome/Introduction messages, which seems an unnecessary overhead, and because I am using UDP, I also have to make sure these messages are acknowledged, before safely using the connection.) Is there a way to add this custom data into the NWConnection?

I am developing an App using the Networking framework, which can be either a Socket Server or a Socket Client, such that 2 devices can communicate remotely. For the most part I have it working, except: I am not sure of the best way to determine the IP Address for the Socket Server in order to allow the Client app to connect. I am currently using either of Cloud Functions, or lookup webpages (such as ipify.org) and even reading the IP addresses locally from within the device (this returns many, but not all of them connect successfully). These options seem to work if the Socket Server app is connected to the internet with an IPv6 address, but I find that when the Socket Server app is connected with an IPv4 address, the Client app never successfully connects. How should I: a) force the Socket Server app to have/use an IPV6 address at all times? or b) allow the Client app to connect successfully via an IPv4 address? And is there a simple way to know what IP Address the Socket Server is listening from?

I applied to Apple for authorization for the following page about 3 weeks ago, but have not received the results yet https://developer.apple.com/documentation/networkextension/local_push_connectivity Should I try to submit the application again with the same information or can I wait a little longer? I would appreciate it if you could give me a little information about the same application or even another authority, such as the time it took to reply to that application.　 Here is the actual page I applied for https://developer.apple.com/contact/request/local-push-connectivity

Hello, I am writing a NetworkExtension VPN using custom protocol and our client would like to able to use 5G network slice on the VPN, is this possible at all? From Apple's documentation, I found the following statement: If both network slicing and VPN are configured for an app or device, the VPN connection takes precedence over the network slice, rendering the network slice unused. Is it possible to assign a network slice on a NetworkExtension-based VPN and let the VPN traffic uses the assign network slice? Many thanks

I have tried filing a feedback, FB15509991, for help with this and that didn't go anywhere. Figured I would try the developer forums. Overview I am working on a matter device using the Matter SDK and the matter device basically consists of both a matter bridge and matter controller functionality. The bridge part is currently a none-issue, however trying to have our device be an additional controller for the existing matter fabric. The overall idea for our device as a matter controller is that it can be commissioned with Apple Home (via Matter BLE commissioning) and then view and control existing matter devices (over Wi-Fi network) on the Homekit matter fabric (convenient user experience), instead of our device having to form a matter fabric of its own and then having the user re-commission all their devices to add them our controller (difficult and possibly frustrating user experience), in order to have a consistent control experience between our device's display and Apple Home app. The big problem When we onboard our device via Apple Home app it does not have attribute write permission to other devices on the same fabric as we are seeing Unsupported Access (IM:0x0000057E) responses instead of expected attribute changes. Same for attempts to read valid endpoint/cluster/attributes. The possible solution Our operational device needs to be added to the access control list (ACL) with View and Operator permissions and then the ACL update pushed to all the fabric devices in order to give our device controller access to them. The next problem My question is what do we have to do in order for our device will be given control access permissions (View + Operator) in an ACL (access control list) update to other devices after our device has been commissioned? Because the matter specification does not define a "Controller Cluster" that could be used to type a device as a matter controller to make it obvious that the device wishes to have controller permissions post commissioning. So that means its up to each fabric administrator implementer as to how to accomplish what I'm requesting to do. I'm hoping somebody in the Apple team responsible for the Matter + HomeKit integration could give me some insight as to whether this is even possible at this time. Test environment The environment consists of: iPhone running iOS 17.7 iPad running iPadOS 18.0.1 HomePod Mini with software version 18.0 Realtek WiFi module running Matter Fan+Light firmware (Matter SDK 1.3) for target/controlee [our device] LCD display unit + Realtek WiFi module (Matter SDK 1.3) for controller.

I have implemented SSL pinning by following this article https://developer.apple.com/news/?id=g9ejcf8y , however pen testing team was able to bypass SSL pinning using Objection &amp; Frida tools. I am using URLSession for API calls. I used Xcode 16. My app's minimum iOS deployment version is 16 onwards. &lt;key&gt;NSAppTransportSecurity&lt;/key&gt; &lt;dict&gt; &lt;key&gt;NSPinnedDomains&lt;/key&gt; &lt;dict&gt; &lt;key&gt;*.mydomain.com&lt;/key&gt; &lt;dict&gt; &lt;key&gt;NSIncludesSubdomains&lt;/key&gt; &lt;true/&gt; &lt;key&gt;NSPinnedCAIdentities&lt;/key&gt; &lt;array&gt; &lt;dict&gt; &lt;key&gt;SPKI-SHA256-BASE64&lt;/key&gt; &lt;string&gt;my SHA256 key&lt;/string&gt; &lt;/dict&gt; &lt;/array&gt; &lt;/dict&gt; &lt;/dict&gt; &lt;/dict&gt; Could anyone suggest how to mitigate this bypass mechanism?

Hello, As a developer, I'm experiencing a problem with WebSocket connections since upgrading to MacOS 15.0 Sequoia. When using a JSON RPC API from my workstation using tools such as Postman and/or Docker, I encounter the following problem: At the start of communications, messages received on the WS channel are fine. But after a while (indefinite) the messages become corrupted, truncated or jumbled. For debugging purposes, I used the WireShark utility to confirm that the problem was not with the server itself. I was thus able to confirm that incoming WebSockets messages are not corrupted, whereas they are when received by Postman and/or Docker. To confirm my hypothesis that the problem appeared with the latest version of MacOS, we tested on 6 different workstations. 3 MacBook Pro 13” running MacOS 14.6 3 MacBook Pro 13” running MacOS 15.0 The results were clear: the 3 MacOS 14.6 workstations never encountered the problem of corrupted data on the WebSocket channel, whereas the 3 MacOS 15.0 workstations did. Should you require any further information, please do not hesitate to contact me. Yours faithfully Paul BESRET, R&D Engineer.

System extensions on iOS have very low limits on allowed memory. For instance the DNS proxy extensions seem to be limited to 15MB. When I try to monitor the extension with instruments it quickly runs out of memory, most likely due to the way instruments tracks memory usage. I did find that there are two entitlements related to memory usage but it is unclear if these would work for extensions or only for applications. What are the best techniques for debugging extensions that run out of memory? Is there a way to temporarily increase the limit while debugging?

NEAppProxyProvider MacOS Sequoia 15 never called “handleNewFlow” although it works well in the macOS Ventura/ Sonoma

While I was starting App Proxy without errors from my application, the AppProxyProvider could not receive new flows in the function handleNewFlow. I just encounter this issue on macOS 15 beta (24A5309e). Everything is fine on the earlier macOS versions.

In the development environment, if I disable and then enable the Network Connection permission to my app in the Setting on my device, my app is denied the network connection permission permanently. The error message is The Internet connection appears to be offline. Please advise me what to do.

Hello, I'm wondering if a NEDNSProxyProvider should supports TCP DNS query or not ? DNS UDP datagrams are limited to 512 bytes and sometimes, a DNS resolver should fallback to TCP to handle large queries. But I don't see anything about supporting TCP flow in the DNS Proxy provider reference. Is there a guarantee that it will only receive UDP flow ? How is the system handling large DNS queries in that case ?

I am developing an iOS application based on Objective-C, and I have encountered a requirement where I need to determine if the password for the currently connected Wi-Fi is empty. If it is empty, the user is allowed to proceed to the next step. If it is not empty, they must enter a password. This will be used in the next process, which is the network configuration of a physical device. After researching documentation, I found two possible approaches to determine if the Wi-Fi password is empty. The first approach is to directly check the encryption type of the current Wi-Fi. If there is no encryption type, the Wi-Fi password is empty. The second approach is to use Apple's NEHotspotConfiguration class to attempt connecting to the Wi-Fi and determine if the password is empty. However, both approaches have encountered issues. For the first approach, there seems to be no public API available to directly retrieve the Wi-Fi encryption type. For the second approach, when using NEHotspotConfiguration to connect, I first get the Wi-Fi's SSID and then attempt to connect with an empty password. I am using [NEHotspotConfiguration alloc] initWithSSID:ssid] to create a configuration, and then I call [NEHotspotConfigurationManager sharedManager] applyConfiguration: to connect. However, regardless of whether the Wi-Fi is actually encrypted or unencrypted, no error is returned. The code is as follows: NSString *ssid = [NetInterface getCurrent_SSID]; // The Wi-Fi SSID that needs to be checked NEHotspotConfiguration *configuration = [[NEHotspotConfiguration alloc] initWithSSID:ssid]; configuration.joinOnce = YES; // Remove previous configuration (optional) [[NEHotspotConfigurationManager sharedManager] removeConfigurationForSSID:ssid]; self.isWiFiEmptyOperateState = 1; // Attempt to apply the new configuration [[NEHotspotConfigurationManager sharedManager] applyConfiguration:configuration completionHandler:^(NSError * _Nullable error) { self.isWiFiEmptyOperateState = 2; if (error) { if (error.code == NEHotspotConfigurationErrorInvalid) { NSLog(@"Wi-Fi %@ is encrypted, a password is required", ssid); } else if (error.code == NEHotspotConfigurationErrorUserDenied) { NSLog(@"User denied the Wi-Fi configuration"); } else { NSLog(@"Other error: %@", error.localizedDescription); } } else { NSLog(@"Successfully connected to Wi-Fi %@, this network might be open", ssid); } }]; In the code above, it always ends up logging "Successfully connected to Wi-Fi." Is there any other approach that can fulfill my functional requirement? I noticed that some apps on the App Store have implemented this functionality, but all my attempts so far have failed.

I need to connect to a JMS that publishes data that I need to collect. I am trying one solution: RabbitMQ with the JMS plugin. I succeeded to install RabbitMQ and send messages from one process to another. However, I need to consume a JMS that an external party publishes. Can anybody tell me how I should configure the Host, Port, Username, Password and Queue name for RabbitMQ/JMS so that I can consume (or subscribe to) that JMS? Or does anybody know another way to consume (or subscribe to) a JMS from Swift? I have no idea which of the provided Tags I should select. Thanks! Wouter

When creating multiple QUIC streams (NWConnections) sharing one QUIC tunnel (using NWMultiplexGroup), is it possible to assign different priorities to the streams? And if yes, how? The only prioritization option I found so far is NWConnection.ContentContext.relativePriority, but I assume that is for prioritizing messages within a single NWConnection?