General: TN3151 Choosing the right networking API Networking Overview document — Despite the fact that this is in the archive, this is still really useful. TLS for App Developers DevForums post Choosing a Network Debugging Tool documentation WWDC 2019 Session 712 Advances in Networking, Part 1 — This explains the concept of constrained networking, which is Apple’s preferred solution to questions like How do I check whether I’m on Wi-Fi? TN3135 Low-level networking on watchOS Adapt to changing network conditions tech talk Foundation networking: DevForums tags: Foundation, CFNetwork URL Loading System documentation — NSURLSession, or URLSession in Swift, is the recommended API for HTTP[S] on Apple platforms. Network framework: DevForums tag: Network Network framework documentation — Network framework is the recommended API for TCP, UDP, and QUIC on Apple platforms. Network Extension (including Wi-Fi on iOS): See Network Extension Resources Wi-Fi Fundamentals Wi-Fi on macOS: DevForums tag: Core WLAN Core WLAN framework documentation Wi-Fi Fundamentals Secure networking: DevForums tags: Security Apple Platform Security support document Preventing Insecure Network Connections documentation — This is all about App Transport Security (ATS). Available trusted root certificates for Apple operating systems support article Requirements for trusted certificates in iOS 13 and macOS 10.15 support article About upcoming limits on trusted certificates support article Apple’s Certificate Transparency policy support article Technote 2232 HTTPS Server Trust Evaluation Technote 2326 Creating Certificates for TLS Testing QA1948 HTTPS and Test Servers Miscellaneous: More network-related DevForums tags: 5G, QUIC, Bonjour On FTP DevForums post Using the Multicast Networking Additional Capability DevForums post Investigating Network Latency Problems DevForums post Local Network Privacy FAQ DevForums post Extra-ordinary Networking DevForums post Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

I am in the middle of investigating an issue arising in the call to setsockopt syscall where it returns an undocumented and unexpected errno. As part of that, I'm looking for a way to list any socket content filters or any such extensions are in play on the system where this happens. To do that, I ran: systemextensionsctl list That retuns the following output: 0 extension(s) which seems to indicate there's no filters or extensions in play. However, when I do: netstat -s among other things, it shows: net_api: 2 interface filters currently attached 2 interface filters currently attached by OS 2 interface filters attached since boot 2 interface filters attached since boot by OS ... 4 socket filters currently attached 4 socket filters currently attached by OS 4 socket filters attached since boot 4 socket filters attached since boot by OS What would be the right command/tool/options that I could use to list all the socket filters/extensions (and their details) that are in use and applicable when a call to setsockopt is made from an application on that system? Edit: This is on a macosx-aarch64 with various different OS versions - 13.6.7, 14.3.1 and even 14.4.1.

I am trying to browse an SSH Service from UI Test Target using NWBrowser let descriptor = NWBrowser.Descriptor.bonjour(type: "_superapp._tcp", domain: "local.") let browser = NWBrowser(for: descriptor, using: .tcp) browser.stateUpdateHandler = { newState in print("browser.stateUpdateHandler \(newState)") } I get failed(-65555: NoAuth) error nw_browser_fail_on_dns_error_locked [B1] DNSServiceBrowse failed: NoAuth(-65555) I have added _superapp._tcp in Bonjour Services for UI Test Target Info.plist. I have also added Local Network Permission in UI Test Target Info.plist. Everything works fine, when I call this Bonjour service from App Target. Doesn't work when I call this from UI Test Target.

Hi, Brief background on what I'm trying to achieve: I have an IoT device that produces a HLS stream of saved videos when they are accessed through the device's broadcast hotspot. To access the hotspot, I use an NEHotspotConfiguration. When I use AVPlayer to watch the HLS stream, everything is fine! When I use a media pod (VLC) to try to consume the HLS stream, traffic goes over cellular network even though the device's host address is 192.168.1.254. I am under the impression this is ALWAYS a local network device. I haven't spent much time digging into the code for VLC to figure out why, but when I disable cell network in my app's settings, the VLC request resolves perfectly. I have been served radio silence on their forums and issues, so I thought if there's another solution this would be the place to ask! Is there something going on with the way iOS handles web requests to local network devices? My IoT device's hotspot never has internet access, and after reading Quinn's Extra-ordinary Networking advice (https://developer.apple.com/forums/thread/734348), I'm still lost for how I can force my request to go to the WiFi network rather than cellular... Does anyone have any recommendations? Thanks in advance!

iOS18 UDP fails to send data, iOS other systems fine Device discovery by broadcasting over UDP Failed to send data to the discovered device using UDP communication This problem only occurs on iOS18, other iOS versions work fine I read the official forum of Apple, it is recommended to use BSD socket to send data, and it cannot be sent on iOS18. I suspect that the device privacy permission is found locally, which is invalid on iOS18

Hello there, I'm trying to consume graph.microsoft.com API by using URLSession. But I'm getting Error 400 from the server every time when I send a request with URLSession, but not if I use Postman for the same request. And when I examined the requests with Fiddler, I noticed that URLSession use HTTP/2, and Postman use HTTP/1.1. According to the Microsoft's documentation graph.microsoft.com supports only HTTP/1.1. As I understand URLSession decides to which version of HTTP to use during ALPN and will use HTTP/2 only if the server support it. My question is it possible the graph server to advertise itself as its support HTTP/2 and how to determinate this? Or maybe, which is more likely URLSession has bug that make it to do the wrong assumption about the HTTP/2. And most important there is there a mechanism to make URLSession to use a certain version of HTTP? Thank you in advance, Emil

I have a small example project that ran on both the simulator and a connected iPhone but now it and all other projects are failing with the same error. I am using Xcode 16.0 on MacOS Sonoma 14.6.1., iPhone 11 with iOS 18. Thank you in advance. The error is: Failed to resolve host network app id to config: bundleID: com.apple.WebKit.Networking instance ID: Optional([_EXExtensionInstanceIdentifier: 1163B5D2-09D3-4704-9564-61099502138B]) WebContent process (0x114018680) took 1.375772 seconds to launch GPU process (0x1140a0630) took 1.228457 seconds to launch Networking process (0x114034d00) took 1.426249 seconds to launch 0x105820a20 - [pageProxyID=7, webPageID=8, PID=34786] WebPageProxy::didFailProvisionalLoadForFrame: frameID=1, isMainFrame=1, domain=NSURLErrorDomain, code=-1200, isMainFrame=1, willInternallyHandleFailure=0 Message from debugger: killed Below is the code from one of the examples: import UIKit import WebKit class ViewController: UIViewController { let webView: WKWebView = { let prefs = WKWebpagePreferences() prefs.allowsContentJavaScript = true let configuration = WKWebViewConfiguration() configuration.defaultWebpagePreferences = prefs let webView = WKWebView(frame: .zero, configuration: configuration) return webView }() override func viewDidLoad() { super.viewDidLoad() view.addSubview(webView) guard let url = URL(string: "https://google.com") else { return } webView.load(URLRequest(url: url)) //evaluate JavaScript DispatchQueue.main.asyncAfter(deadline: .now()+5){ self.webView.evaluateJavaScript("document.body.innerHTML") { result, error in guard let html = result as? String, error == nil else { return } print(html) } } } override func viewDidLayoutSubviews(){ super.viewDidLayoutSubviews() webView.frame = view.bounds } }

NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “domain” which could put your confidential information at risk., _kCFStreamErrorDomainKey=3, Xcode: 15.4 simulator iOS version: 17.5 in Info.plist I have this NSAppTransportSecurity NSAllowsArbitraryLoads Note: The server certificate valid.

Hi there, I have some thread related questions regards to network framework completion callbacks. In short, how should I process cross thread data in the completion callbacks? Here are more details. I have a background serial dispatch queue (call it dispatch queue A) to sequentially process the nw_connection and any network io events. Meanwhile, user inputs are handled by serial dispatch queue ( dispatch queue B). How should I handle the cross thread user data in this case? (I write some simplified sample code below) struct { int client_status; char* message_to_sent; }user_data; nw_connection_t nw_connection; dispatch_queue_t dispatch_queue_A static void send_message(){ dispatch_data_t data = dispatch_data_create(message, len(message), dispath_event_loop->dispatch_queue, DISPATCH_DATA_DESTRUCTOR_DEFAULT); nw_connection_send( nw_connection, data, NW_CONNECTION_DEFAULT_MESSAGE_CONTEXT, false, ^(nw_error_t error) { user_data.client_status = SENT; mem_release(user_data.message_to_sent); }); }); } static void setup_connection(){ dispatch_queue_A= dispatch_queue_create("unique_id_a", DISPATCH_QUEUE_SERIAL); nw_connection = nw_connection_create(endpoint, params); nw_connection_set_state_changed_handler(){ if (state == nw_connection_state_ready) { user_data.client_status = CONNECTED } // ... other operations ... } nw_connection_start(nw_connection); nw_retain(nw_connection); } static void user_main(){ setup_connection() user_data.client_status = INIT; dispatch_queue_t dispatch_queue_B = dispatch_queue_create("unique_id_b", DISPATCH_QUEUE_SERIAL); // write socket dispatch_async(dispatch_queue_B, ^(){ if (user_data.client_status != CONNECTED ) return; user_data.message_to_sent = malloc(XX,***) // I would like to have all io events processed on dispatch queue A so that the io events would not interacted with the user events dispatch_async_f(dispatch_queue_A, send_message); // Disconnect block dispatch_async(dispatch_queue_B, ^(){ dispatch_async_f(dispatch_queue_A, ^(){ nw_connection_cancel(nw_connection) }); user_data.client_status = DISCONNECTING; }); // clean up connection and so on... } To be more specific, my questions would be: As I was using serial dispatch queue, I didn't protect the user_data here. However, which thread would the send_completion_handler get called? Would it be a data race condition where the Disconnect block and send_completion_handler both access user_data? If I protect the user_data with lock, it might block the thread. How does the dispatch queue make sure it would NOT put a related execution block onto the "blocked thread"?

Hi everybody! With latest updates on Ventura around 13.9.X, Sonoma 14.5 and upper, and most probably Sequoia, we notice a change on how to retrieve BSSID. We know Airport is discontinue, but also other commands are impacted by new security policies. Now, to make any command work in the proper way we need to ask for Location Permission. But here is where we are finding some issues to make it compatible with the new requirements. We have a web desktop app (Built with Electronjs) that use an mach-o executable (built on C++). This executable runs IOREG to retrieve the BSSID. One of the tries we did is to request the Location Permission on the parent/GUI app, but by doing this, IOREG was not able to retrieve the BSSID. Then, we try to look for a way to make a little test only with our executable. But in the attempt to, we do not found a way to trigger the location permission request, either manually or by a command. Is there a way to prompt the user from a terminal executable or the right way is to prompt from the GUI? Do we need to stop using Mach-o executable in c++ and move to a native mach-o executable in swift to be able to prompt from it (This executable runs in the machine frequently, several times per minute)? We are open to change the command if need it.

Hi, I have been working on the app that implements DNS Proxy Extension for a while now, and after a couple builds to TestFlight I noticed that I got a couple crashes that seem to be triggered by EXC_BREAKPOINT (SIGTRAP) After some investigation, it was found that crashes are connected to CFNetwork framework. So, I decided to additionally look into memory issues, but I found the app has no obvious memory leaks, no memory regression (within recommended 25%, actual value is at 20% as of right now), but the app still uses 11mb of memory footprint and most of it (6.5 mb is Swift metadata). At this point, not sure what's triggering those crashes, but I noticed that sometimes app will return message like this to the console (this example is for PostHog api that I use in the app): Task <0ABDCF4A-9653-4583-9150-EC11D852CA9E>.<1> finished with error [18 446 744 073 709 550 613] Error Domain=NSURLErrorDomain Code=-1003 "A server with the specified hostname could not be found." UserInfo={_kCFStreamErrorCodeKey=8, NSUnderlyingError=0x1072df0f0 {Error Domain=kCFErrorDomainCFNetwork Code=-1003 "(null)" UserInfo={_kCFStreamErrorDomainKey=12, _kCFStreamErrorCodeKey=8, _NSURLErrorNWResolutionReportKey=Resolved 0 endpoints in 2ms using unknown from cache, _NSURLErrorNWPathKey=satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi}}, _NSURLErrorFailingURLSessionTaskErrorKey=LocalUploadTask <0ABDCF4A-9653-4583-9150-EC11D852CA9E>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalUploadTask <0ABDCF4A-9653-4583-9150-EC11D852CA9E>.<1>" ), NSLocalizedDescription=A server with the specified hostname could not be found., NSErrorFailingURLStringKey=https://us.i.posthog.com/batch, NSErrorFailingURLKey=https://us.i.posthog.com/batch, _kCFStreamErrorDomainKey=12} If DNS Proxy Provider uses custom DoH server for resolving packets, could the cache policy for URLSession be a reason? I had a couple other ideas (HTTP3 failure, CFNetwork core issues like described here) but not sure if they are valid Would be grateful if someone could give me a hint of what I should look at

On Sequoia it became impossible to properly debug programs using third party mDNS, multicast or broadcast, thanks to a bug? in I guess the new local network privacy feature, every send call returns no route to host. If I run the CI job, which properly packages, signs, notarizes said program, the resulting .app works fine and also requests permission to access the local network - which is impossible through lldb as it doesn't have an Info.plist, just the ***** binary itself. However this may not be the issue, see the repro method below. A fast and easy method to reproduce is using an example from this repo: https://github.com/keepsimple1/mdns-sd/ Running the query example in a good old shell without lldb (cargo run --example query _smb._tcp) starts outputting results. Then running the same binary through lldb (lldb -o run target/debug/examples/query _smb._tcp) would result in no route to host errors. I can't provide an output anymore as I was forced to downgrade. It works fine again on 14.6.1. I'm a bit reluctant to even try 14.7. Also reported in feedback assistant: FB15185667

Hi all, I am overhauling code of an iPadOS app that discovers devices on a network using a custom UDP broadcast based discovery protocol. This is how the discovery mechanism should work: The iPad sends an IPv4 broadcast message to the network's broadcast address using a fixed destination port, but a random source port (determined at bind time). The device responds with a unicast message to the source IP address and port of the discovery message. Until now the code is based on BSD sockets using GCDAsyncUdpSocket and has been working well for around ten years with a single socket that was used to both send and receive the discovery messages and replies. We would like to make the move to the Network Framework now and I tried to recreate this discovery mechanism with the Network Framework in Objective-C. I am able to create an nw_connection_t with the broadcast address as hostname and the specific destination port as port. I am able to send discovery messages to the device and the device sends a reply (verified with Wireshark). But calling nw_connection_receive_message(...) never fires. Also in Wireshark the iPad replies with Destination unreachable (Port unreachable). When I create the connection with the unicast address of the device, the reply is received. It seems to me, that the connection doesn't accept replies from addresses / ports that don't match, what was set when the connection was created. Is there a way to also accept messages from other sources? E.g. there is nw_multicast_group_descriptor_set_disable_unicast_traffic when doing multicast. This seems to solve this problems when doing mutlicast. This is a code excerpt of what I tried: // Create default UDP parameters without DTLS nw_parameters_t params = nw_parameters_create_secure_udp(NW_PARAMETERS_DISABLE_PROTOCOL, NW_PARAMETERS_DEFAULT_CONFIGURATION); // Enable P2P (should enable broadcast and multicast) nw_parameters_set_include_peer_to_peer(params, true); // Require the active interface // The active interface comes from a path monitor callback nw_parameters_require_interface(params, self.networkUtils.activeInterface.interface); // Setup the remote endpoint with the "ping" (discovery) broadcast IP address and port const char *endpointAddress = [pingAddress.ipAddress cStringUsingEncoding:NSUTF8StringEncoding]; NSString *portString = @(pingAddress.port).stringValue; const char *endpointPort = [portString cStringUsingEncoding:NSUTF8StringEncoding]; nw_endpoint_t broadcastEndpoint = nw_endpoint_create_host(endpointAddress, endpointPort); nw_connection_t tmpConnection = nw_connection_create(broadcastEndpoint, params); __weak __typeof(self) weakSelf = self; nw_connection_set_state_changed_handler(tmpConnection, ^(nw_connection_state_t state, nw_error_t _Nullable error) { __strong __typeof(weakSelf) strongSelf = weakSelf; MSLogVerbose("State changed: %d; error: %@", state, error); strongSelf.connectionState = state; if (state == nw_connection_state_ready) { [strongSelf receiveMessageForConnection:tmpConnection]; } }); nw_connection_set_queue(tmpConnection, AGGalileoBrowser.browserQueue); nw_connection_start(tmpConnection); Thanks for your help! Arno

iOS 18 is awesome however below are some bugs that needs to be sorted out even before the 18.1 update Cellular network id is displayed instead of the name Dedicated WIFI toggle missing in Control center Connectivity toggle needs to be revisited VPN, Bluetooth, headphone icons continue to display when these are no longer in use Cellular network strength weaker comparted to IOS 17 As a bonus. We need some new wallpaper

New Local Network Privacy Setting has been added in Privacy &amp;amp; Security Section of system Settings. I just want to know if this permission be managed through MDM mobileconfig profile. Let me know if any suggestions are there, in respect to this.

How can I resolve the error（Code=65 "No route to host）. Xcode 16(SDK ios18): We invoke GCDAsyncUdpSocket to send UDP data to the broadcast address,then get Error Domain=NSPOSIXErrorDomain Code=65 "No route to host" Xcode 16.1 beta 2(SDK ios18.1): We invoke GCDAsyncUdpSocket to send UDP data to the broadcast address,then it work fine. Xcode 15.4(SDK ios17.5): We invoke GCDAsyncUdpSocket to send UDP data to the broadcast address,then it work fine. Notes: Privacy - Local Network Usage Description and the multicast entitlement has been added. Bonjour services has been added _http._tcp、_http._udp Code: GCDAsyncUdpSocket *gcdUdpSearchSocket = [[GCDAsyncUdpSocket alloc] initWithDelegate:self delegateQueue:dispatch_get_main_queue()]; NSError *error = nil; if (![gcdUdpSearchSocket enableBroadcast:YES error:&error]){ NSLog(@"gcdUdpSearchSocket enableBroadcast Error binding: %@", error); return; } if (![gcdUdpSearchSocket bindToPort:UDP_PORT error:&error]) { NSLog(@"GCDUdp Error binding: %@", error); return; } if (![gcdUdpSearchSocket beginReceiving:&error]) { NSLog(@"GCDUdp Error receiving: %@", error); return; }

Hello Apple We have been facing lot of SSL issues when we are connecting to iOS devices with OS 17.5.1, 7.6.1 and 18. Need more clarification on the latest parameters to be used on the server side like -&gt; TLS Version and Cipher Suites Please do update us on the above. Error message-&gt; "An SSL error has occurred and a secure connection to the server cannot be made."

Hi, I'm working on a sample app to enable two-way data transfer between Mac, iOS, and Android devices. The devices will be in close proximity to each other. To implement this, I used Google's Nearby API, which supports cross-platform communication. The approach has worked well for Mac and iOS devices, even across different networks. However, while Mac and Android devices communicate successfully when on the same network, they fail to discover each other when on different networks. Mac :left_right_arrow: iOS-----Works fine in all scenarios. Mac :left_right_arrow: Android-------Works only when both devices are on the same network, but fails to discover each other on different networks. Is there any alternative approach to achieve reliable cross-platform communication, or any technical documentation that could help with this? Thanks in advance!

Hi, just got upgraded this morning and now I can't use my local Tomcat install as server for my apps. I can access it in safari using localhost, but not using my computers IP. I start it from terminal. I looked everywhere in settings, and searched online of course, but have been unable to find an answer. Anyone knows how I can fit it? Input appreciated.

My app often fails to access the network (other apps on the device can access the network normally), and restarting the app is also ineffective. I need to open and close the flight mode to restore the app's network I used to suspect the background refresh was the cause, but removing the background refresh still occasionally causes this problem.

ISSUE Upgrading a macOS Ventura host to Sequoia results in the attached three issues visible in either of the two screen shot: Whether or not "Block all incoming connections" is enabled, a small subset of connections are hard-wired to "Allow incoming connections"; It is not possible to remove the hard-wired "Allow incoming connections" (e.g., selecting the row, the "-" button at bottom left is not available"; and After the upgrade to Sequoia, SidecarRelay was set to "Block incoming connections". QUESTIONs a) What terminal level commands should be used to remove the hard-wired "Allow incoming connections"? b) What other integrity checks should I run on the firewall configuration to see if other aspects of its operations are now botched? FB15074003 tracks the issues noted above.