Networking

Explore the networking protocols and technologies used by the device to connect to Wi-Fi networks, Bluetooth devices, and cellular data services.

Post

Replies

Boosts

Views

Activity

Ensuring Successful Video Uploads in iOS Background Mode(terminated state)
If we start uploading a video file from the foreground and then switch to another app or press the home button, we can enable background processing by selecting the 'Background processing' option in the app's background modes. We utilize URLSession to handle the upload. I have a few questions regarding this process: If the user manually kills the app, will the upload continue in the background? For files around 100 MB, if the user locks the phone while the upload is in progress (and the app is in the background but not terminated), will the upload still be successful? Does Apple provide any additional APIs that would facilitate successful file uploads even if the user terminates the app? I would appreciate any solutions or insights you can provide. Thank you!
2
0
58
1d
NEHotspotConfigurationManager apply method error always return Success
I'm trying to handle the error in the NEHotspotConfigurationManager connection method. When I try, even when the OS network connect dialog is showing "Cannot connect", the response is returned as "Success". In my flow I'm trying to connect to a private network. First I connect using the code below and then set the IP Address, SubNetMask, Router and DNS server address manually on the already added Wifi by running the code below. I'm doing this manually because, as I understand it, you cannot set the IP Address, SubNetMask, Router and DNS server address using Swift. https://forums.developer.apple.com/forums/thread/96834?page=2 I read the above thread and what I can understand from it is that it's a bug in the OS method. So is this problem fixed in the latest iOS version? Or is there a way to handle this problem? Error handler code→

    let eapSetting = NEHotspotEAPSettings()
    eapSetting.username = self.username
    eapSetting.password = self.password
    eapSetting.supportedEAPTypes = [NEHotspotEAPSettings.EAPType.EAPPEAP.rawValue as NSNumber]
    eapSetting.trustedServerNames = ["ABC"]
    NEHotspotConfigurationManager.shared.removeConfiguration(forSSID: self.ssid)
    let hotspotConfiguration = NEHotspotConfiguration(ssid: self.ssid, eapSettings: eapSetting)
    manager.apply(hotspotConfiguration) { (error) in
        if let error = error {
            print("Error")
            return
        } else {
            print("Success")
            return
        }
    }
1
0
68
1d
What is the command to list all socket filters/extensions in use?
I am in the middle of investigating an issue arising in the call to the setsockopt syscall where it returns an undocumented and unexpected errno. As part of that, I'm looking for a way to list any socket content filters or any such extensions that are in play on the system where this happens. To do that, I ran:

    systemextensionsctl list

That returns the following output:

    0 extension(s)

which seems to indicate there are no filters or extensions in play. However, when I do:

    netstat -s

among other things, it shows:

    net_api:
        2 interface filters currently attached
        2 interface filters currently attached by OS
        2 interface filters attached since boot
        2 interface filters attached since boot by OS
        ...
        4 socket filters currently attached
        4 socket filters currently attached by OS
        4 socket filters attached since boot
        4 socket filters attached since boot by OS

What would be the right command/tool/options that I could use to list all the socket filters/extensions (and their details) that are in use and applicable when a call to setsockopt is made from an application on that system? Edit: This is on a macosx-aarch64 with various different OS versions - 13.6.7, 14.3.1 and even 14.4.1.
3
0
100
2d
Bonjour not working with UI Test Target
I am trying to browse an SSH Service from UI Test Target using NWBrowser

    let descriptor = NWBrowser.Descriptor.bonjour(type: "_superapp._tcp", domain: "local.")
    let browser = NWBrowser(for: descriptor, using: .tcp)
    browser.stateUpdateHandler = { newState in
        print("browser.stateUpdateHandler \(newState)")
    }

I get failed(-65555: NoAuth) error

    nw_browser_fail_on_dns_error_locked [B1] DNSServiceBrowse failed: NoAuth(-65555)

I have added _superapp._tcp in Bonjour Services for UI Test Target Info.plist. I have also added Local Network Permission in UI Test Target Info.plist. Everything works fine when I call this Bonjour service from App Target. Doesn't work when I call this from UI Test Target.
3
0
112
2d
Streaming HLS from hotspot IoT device on iOS
Hi, Brief background on what I'm trying to achieve: I have an IoT device that produces a HLS stream of saved videos when they are accessed through the device's broadcast hotspot. To access the hotspot, I use an NEHotspotConfiguration. When I use AVPlayer to watch the HLS stream, everything is fine! When I use a media pod (VLC) to try to consume the HLS stream, traffic goes over cellular network even though the device's host address is 192.168.1.254. I am under the impression this is ALWAYS a local network device. I haven't spent much time digging into the code for VLC to figure out why, but when I disable cell network in my app's settings, the VLC request resolves perfectly. I have been served radio silence on their forums and issues, so I thought if there's another solution this would be the place to ask! Is there something going on with the way iOS handles web requests to local network devices? My IoT device's hotspot never has internet access, and after reading Quinn's Extra-ordinary Networking advice (https://developer.apple.com/forums/thread/734348), I'm still lost for how I can force my request to go to the WiFi network rather than cellular... Does anyone have any recommendations? Thanks in advance!
1
0
87
2d
System Extension failing to load in case of developer off and SIP enabled
I am working on developing a Mac app that will be distributed outside of the App Store. I have added the network extension, which is packaged in a System Extension with packet tunnel capability. I have created a build following the steps here: https://developer.apple.com/forums/thread/737894 based on your suggestions in my accepted post: https://developer.apple.com/forums/thread/761251 It works fine when the machine has SIP disabled and systemextensionsctl developer on. As soon as I changed the machine to systemextensionsctl developer off and SIP enabled, the System Extension stopped loading. I have copied the app to the "/Applications" directory before opening it. When I check the loading status of the system extension with the "systemextensionsctl list" command, it shows as "[validating by category]". Am I missing something? Thanks in advance.
1
0
122
4d
iOS18 UDP failed to send data
iOS18 UDP fails to send data, other iOS systems are fine. Device discovery by broadcasting over UDP. Failed to send data to the discovered device using UDP communication. This problem only occurs on iOS18, other iOS versions work fine. I read the official forum of Apple, it is recommended to use BSD socket to send data, and it cannot be sent on iOS18. I suspect that the device privacy permission is found locally, which is invalid on iOS18.
2
0
106
5d
How to set NEDNSSettings port, or how to bind on port 53 for MacOS Network Extension?
In my Packet Tunnel Provider, I'm setting the NEDNSSettings to localhost as I have a local DNS server listening on port 53 (this is a dns forwarder which conditionally forwards to different upstreams based on rules). On iOS it works just fine, I'm able to listen on localhost:53 in the Network Extension, then set NEDNSSettings servers to "127.0.0.1". However on macOS due to the port being under 1024, I get a Permission denied OS code 13 error. I'm assuming this is due to the Network Extension not running as root. Can this be changed? This could be rectified if you could customize the port in NEDNSSettings, as the listener could be on port 5353, but it doesn't look like it is possible? Just wondering if there is some other way to accomplish what I'm trying to do in the macOS Network Extension?
4
0
98
6d
How to enforce URLSession to use HTTP/1.1
Hello there, I'm trying to consume the graph.microsoft.com API by using URLSession. But I'm getting Error 400 from the server every time I send a request with URLSession, but not if I use Postman for the same request. And when I examined the requests with Fiddler, I noticed that URLSession uses HTTP/2, and Postman uses HTTP/1.1. According to Microsoft's documentation graph.microsoft.com supports only HTTP/1.1. As I understand it, URLSession decides which version of HTTP to use during ALPN and will use HTTP/2 only if the server supports it. My question is: is it possible for the graph server to advertise itself as supporting HTTP/2, and how can I determine this? Or maybe, which is more likely, URLSession has a bug that makes it make the wrong assumption about HTTP/2. And most importantly, is there a mechanism to make URLSession use a certain version of HTTP? Thank you in advance, Emil
1
0
121
1w
Per-App VPN (NEAppProxyProvider) extension fails to start when managed profile specifies certificate based authentication on iOS
Hi, we have an iOS application that runs a NEAppProxyProvider network extension. The configuration for the extension is delivered by MDM and we've noticed that some MDMs are beginning to force end users to select certificate based authentication as the auth type for the per-app VPN payload. This itself causes no problems, but when a certificate to use for the authentication is also provided in the profile, our extension fails to start. Our application does not use the credentials from the profile, certificate based or otherwise, so we aren't doing anything unusual with them either. We thought the problem might be caused because we lacked the com.apple.managed.vpn.shared entitlement that would be needed to access the certificate once it was on device (even though we never actually try to access it), but that did not fix the issue. We have also confirmed that this happens regardless of MDM used to configure the profile. Here are the relevant logs we are seeing that show the extension never starts:

    neagent: NEAgentSession: failed to create the delegate
    nesessionmanager:[313]: Tearing down XPC connection due to setup error: Error Domain=NEAgentErrorDomain Code=2 "(null)"
    : Last disconnect error for changed from "none" to "The VPN app used by the VPN configuration is not installed"

STEPS TO REPRODUCE

1. Create an application that establishes a basic per-app VPN (just a loopback works) using the network extension
2. Using an MDM, create and deploy a per-app VPN profile with certificate based authentication (include a certificate as well) that uses the test application as a plugin.
3. Using the MDM, assign another application to the per-app VPN.
4. Try to connect to the internet using the assigned application, it should fail to connect because the system can't start the extension.

For reference it appears that this issue is similar to ours: https://forums.developer.apple.com/forums/thread/746879 I've tried all the suggestions on that page, including adding a 'first-light' log and that is never seen. There are also no additional clues when adding the VPN debug profile to the device. Thanks!
4
0
119
1w
Question regards thread safety for Dispatch queue and Network Framework completion callbacks
Hi there, I have some thread related questions regarding network framework completion callbacks. In short, how should I process cross thread data in the completion callbacks? Here are more details. I have a background serial dispatch queue (call it dispatch queue A) to sequentially process the nw_connection and any network io events. Meanwhile, user inputs are handled by a serial dispatch queue (dispatch queue B). How should I handle the cross thread user data in this case? (I wrote some simplified sample code below)

    struct {
        int client_status;
        char* message_to_sent;
    } user_data;

    nw_connection_t nw_connection;
    dispatch_queue_t dispatch_queue_A;

    static void send_message(){
        dispatch_data_t data = dispatch_data_create(message, len(message), dispath_event_loop->dispatch_queue, DISPATCH_DATA_DESTRUCTOR_DEFAULT);
        nw_connection_send(nw_connection, data, NW_CONNECTION_DEFAULT_MESSAGE_CONTEXT, false, ^(nw_error_t error) {
            // send completion handler: touches user_data
            user_data.client_status = SENT;
            mem_release(user_data.message_to_sent);
        });
    }

    static void setup_connection(){
        dispatch_queue_A = dispatch_queue_create("unique_id_a", DISPATCH_QUEUE_SERIAL);
        nw_connection = nw_connection_create(endpoint, params);
        nw_connection_set_state_changed_handler(nw_connection, ^(nw_connection_state_t state, nw_error_t error) {
            if (state == nw_connection_state_ready) {
                user_data.client_status = CONNECTED;
            }
            // ... other operations ...
        });
        nw_connection_start(nw_connection);
        nw_retain(nw_connection);
    }

    static void user_main(){
        setup_connection();
        user_data.client_status = INIT;
        dispatch_queue_t dispatch_queue_B = dispatch_queue_create("unique_id_b", DISPATCH_QUEUE_SERIAL);
        // write socket
        dispatch_async(dispatch_queue_B, ^(){
            if (user_data.client_status != CONNECTED) return;
            user_data.message_to_sent = malloc(XX,***);
            // I would like to have all io events processed on dispatch queue A so that the io events would not interact with the user events
            dispatch_async(dispatch_queue_A, ^(){ send_message(); });
        });
        // Disconnect block
        dispatch_async(dispatch_queue_B, ^(){
            dispatch_async(dispatch_queue_A, ^(){ nw_connection_cancel(nw_connection); });
            user_data.client_status = DISCONNECTING;
        });
        // clean up connection and so on...
    }

To be more specific, my questions would be:

As I was using a serial dispatch queue, I didn't protect the user_data here. However, on which thread would the send_completion_handler get called? Would it be a data race condition where the Disconnect block and send_completion_handler both access user_data?

If I protect the user_data with a lock, it might block the thread. How does the dispatch queue make sure it would NOT put a related execution block onto the "blocked thread"?
4
0
125
1w
BSSID: Right way to retrieve it taking into account new security concerns
Hi everybody! With the latest updates on Ventura around 13.9.X, Sonoma 14.5 and upper, and most probably Sequoia, we noticed a change in how to retrieve the BSSID. We know Airport is discontinued, but other commands are also impacted by the new security policies. Now, to make any command work in the proper way we need to ask for Location Permission. But here is where we are finding some issues making it compatible with the new requirements. We have a web desktop app (built with Electronjs) that uses a mach-o executable (built in C++). This executable runs IOREG to retrieve the BSSID. One of the things we tried is to request the Location Permission in the parent/GUI app, but by doing this, IOREG was not able to retrieve the BSSID. Then, we tried to look for a way to make a little test only with our executable. But in that attempt, we did not find a way to trigger the location permission request, either manually or by a command. Is there a way to prompt the user from a terminal executable, or is the right way to prompt from the GUI? Do we need to stop using a mach-o executable in C++ and move to a native mach-o executable in Swift to be able to prompt from it (this executable runs on the machine frequently, several times per minute)? We are open to changing the command if needed.
1
1
128
1w
A server with the specified hostname could not be found exception
Hi, I have been working on the app that implements DNS Proxy Extension for a while now, and after a couple builds to TestFlight I noticed that I got a couple crashes that seem to be triggered by EXC_BREAKPOINT (SIGTRAP). After some investigation, it was found that crashes are connected to CFNetwork framework. So, I decided to additionally look into memory issues, but I found the app has no obvious memory leaks, no memory regression (within recommended 25%, actual value is at 20% as of right now), but the app still uses 11mb of memory footprint and most of it (6.5 mb is Swift metadata). At this point, not sure what's triggering those crashes, but I noticed that sometimes app will return message like this to the console (this example is for PostHog api that I use in the app):

    Task <0ABDCF4A-9653-4583-9150-EC11D852CA9E>.<1> finished with error [18 446 744 073 709 550 613] Error Domain=NSURLErrorDomain Code=-1003 "A server with the specified hostname could not be found." UserInfo={_kCFStreamErrorCodeKey=8, NSUnderlyingError=0x1072df0f0 {Error Domain=kCFErrorDomainCFNetwork Code=-1003 "(null)" UserInfo={_kCFStreamErrorDomainKey=12, _kCFStreamErrorCodeKey=8, _NSURLErrorNWResolutionReportKey=Resolved 0 endpoints in 2ms using unknown from cache, _NSURLErrorNWPathKey=satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi}}, _NSURLErrorFailingURLSessionTaskErrorKey=LocalUploadTask <0ABDCF4A-9653-4583-9150-EC11D852CA9E>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalUploadTask <0ABDCF4A-9653-4583-9150-EC11D852CA9E>.<1>" ), NSLocalizedDescription=A server with the specified hostname could not be found., NSErrorFailingURLStringKey=https://us.i.posthog.com/batch, NSErrorFailingURLKey=https://us.i.posthog.com/batch, _kCFStreamErrorDomainKey=12}

If DNS Proxy Provider uses custom DoH server for resolving packets, could the cache policy for URLSession be a reason? I had a couple other ideas (HTTP3 failure, CFNetwork core issues like described here) but not sure if they are valid. Would be grateful if someone could give me a hint of what I should look at.
11
0
202
1w
Sequoia, multicast and lldb - no route to host
On Sequoia it became impossible to properly debug programs using third party mDNS, multicast or broadcast, thanks to a bug? in I guess the new local network privacy feature, every send call returns no route to host. If I run the CI job, which properly packages, signs, notarizes said program, the resulting .app works fine and also requests permission to access the local network - which is impossible through lldb as it doesn't have an Info.plist, just the ***** binary itself. However this may not be the issue, see the repro method below. A fast and easy method to reproduce is using an example from this repo: https://github.com/keepsimple1/mdns-sd/ Running the query example in a good old shell without lldb (cargo run --example query _smb._tcp) starts outputting results. Then running the same binary through lldb (lldb -o run target/debug/examples/query _smb._tcp) would result in no route to host errors. I can't provide an output anymore as I was forced to downgrade. It works fine again on 14.6.1. I'm a bit reluctant to even try 14.7. Also reported in feedback assistant: FB15185667
4
1
190
1w
iCloud Private Relay + Firewall causes problems with network extension on macOS 15
Hello! I'm developing NETransparentProxyProvider which started to work unexpectedly on macOS 15. It seems that iCloud Private Relay is not auto-disabled anymore in favor of another filtering software when Firewall is enabled in macOS 15. Disabling the firewall immediately restores the old behavior. To reproduce this issue, you need to enable both iCloud Private Relay and Firewall. Then, Safari will always try to use iCloud Private Relay, even if Transparent Proxy has a "destinationAddress:nil" rule. Every connection from Safari will be to "mask.icloud.com" over HTTP/3. Connections inside are not visible as separate flows. Since I have an excludedRule for "icloud.com" (to not alter Apple services), Safari traffic just stops being processed. Is the new behavior expected or some type of regression?
1
7
336
1w
Network Framework Broadcast Support
Hi all, I am overhauling code of an iPadOS app that discovers devices on a network using a custom UDP broadcast based discovery protocol. This is how the discovery mechanism should work:

1. The iPad sends an IPv4 broadcast message to the network's broadcast address using a fixed destination port, but a random source port (determined at bind time).
2. The device responds with a unicast message to the source IP address and port of the discovery message.

Until now the code is based on BSD sockets using GCDAsyncUdpSocket and has been working well for around ten years with a single socket that was used to both send and receive the discovery messages and replies. We would like to make the move to the Network Framework now and I tried to recreate this discovery mechanism with the Network Framework in Objective-C. I am able to create an nw_connection_t with the broadcast address as hostname and the specific destination port as port. I am able to send discovery messages to the device and the device sends a reply (verified with Wireshark). But calling nw_connection_receive_message(...) never fires. Also in Wireshark the iPad replies with Destination unreachable (Port unreachable). When I create the connection with the unicast address of the device, the reply is received. It seems to me that the connection doesn't accept replies from addresses / ports that don't match what was set when the connection was created. Is there a way to also accept messages from other sources? E.g. there is nw_multicast_group_descriptor_set_disable_unicast_traffic when doing multicast. This seems to solve this problem when doing multicast.

This is a code excerpt of what I tried:

    // Create default UDP parameters without DTLS
    nw_parameters_t params = nw_parameters_create_secure_udp(NW_PARAMETERS_DISABLE_PROTOCOL, NW_PARAMETERS_DEFAULT_CONFIGURATION);
    // Enable P2P (should enable broadcast and multicast)
    nw_parameters_set_include_peer_to_peer(params, true);
    // Require the active interface
    // The active interface comes from a path monitor callback
    nw_parameters_require_interface(params, self.networkUtils.activeInterface.interface);
    // Setup the remote endpoint with the "ping" (discovery) broadcast IP address and port
    const char *endpointAddress = [pingAddress.ipAddress cStringUsingEncoding:NSUTF8StringEncoding];
    NSString *portString = @(pingAddress.port).stringValue;
    const char *endpointPort = [portString cStringUsingEncoding:NSUTF8StringEncoding];
    nw_endpoint_t broadcastEndpoint = nw_endpoint_create_host(endpointAddress, endpointPort);
    nw_connection_t tmpConnection = nw_connection_create(broadcastEndpoint, params);
    __weak __typeof(self) weakSelf = self;
    nw_connection_set_state_changed_handler(tmpConnection, ^(nw_connection_state_t state, nw_error_t _Nullable error) {
        __strong __typeof(weakSelf) strongSelf = weakSelf;
        MSLogVerbose("State changed: %d; error: %@", state, error);
        strongSelf.connectionState = state;
        if (state == nw_connection_state_ready) {
            [strongSelf receiveMessageForConnection:tmpConnection];
        }
    });
    nw_connection_set_queue(tmpConnection, AGGalileoBrowser.browserQueue);
    nw_connection_start(tmpConnection);

Thanks for your help! Arno
3
0
114
1w
Sequoia crashes on call to SSL_CTX_new()
Code I have used for years on Macs now crashes after updating OS:

    SSL_CTX *sslctx = SSL_CTX_new(SSLv23_client_method());

Reading the posts about TLS changes, I changed it to this:

    SSL_CTX *sslctx = SSL_CTX_new(TLS_client_method());

In fact any method I give results in a crash. Is this a known issue? Is there something I now need to call before calling SSL_CTX_new()?
1
0
77
1w
Workaround for Activating Content Filter via CLI with GUI App on macOS
Hi all, I would like to know if it is possible to activate a content filter through the command line interface (CLI). Based on my research, it seems that Apple does not allow this for security design reasons. If it’s indeed not permitted, is there a way to use a GUI-based app as a workaround, where the GUI would only serve the purpose of activating the content filter? After the filter is activated, I’d like to hide the GUI app and run the content filter in the background. Is this approach feasible, and what would be the best way to achieve it? Thanks in advance for your help!
1
0
96
1w