While it is possible to create an IPPROTO_DIVERT socket and bind a divert port successfully, I couldn't find any command piece neither in pf manuel page nor in the web for diverting packets like divert-to, divert etc. My questions: Is packet divert mechanism still active in Sonomo ? If so, what is the correct rule syntax for PF for diverting packets on a specific port?

Hello! As a foreword, our issue is not on any version prior to macOS Sequoia. While testing our content filter on Sequoia, we found out that localhost traffic/flows were not being forwarded to the filter for evaluation. When setting up our default settings, we apply these rules that would forward loopback traffic to our filter: let ipv4localhost = NWHostEndpoint(hostname: "127.0.0.1", port: "0") let ipv4localhostRule = NENetworkRule(remoteNetwork: ipv4localhost, remotePrefix: 0, localNetwork: ipv4localhost, localPrefix: 0, protocol: .any, direction: .any) let ipv6localhost = NWHostEndpoint(hostname: "::1", port: "0") let ipv6localhostRule = NENetworkRule(remoteNetwork: ipv6localhost, remotePrefix: 0, localNetwork: ipv6localhost, localPrefix: 0, protocol: .any, direction: .any) let filterSettings = NEFilterSettings(rules: [NEFilterRule(networkRule: ipv4localhostRule, action: .filterData), NEFilterRule(networkRule: ipv6localhostRule, action: .filterData)], defaultAction: .filterData) We found out that these initialisers are deprecated in Sequoia https://developer.apple.com/documentation/networkextension/nenetworkrule/3143646-init and are replaced by https://developer.apple.com/documentation/networkextension/nenetworkrule/4365499-init. After replacing the deprecated calls, we do indeed see loopback traffic in the filter again. Our question is, is this intentional? Will deprecation of these methods mean that the "old" code will not work with macOS Sequoia anymore, or is it a bug? I'm asking this as it will force us to upgrade our builder nodes to be able to compile the new code, however as everything is still in beta there is a higher risk of problems that could accompany this. Thanks in advance, I wish you a nice day.

Hi, I have an app that is performing long-duration audio recording on the Watch and need to communicate with the phone occasionally to: Request an auth token (login happens on the phone app) when needing to upload a recording. Occasionally poke the iPhone app to sample the current location (I don't do this on Watch). Most of the time, both the Watch and iPhone apps would be backgrounded but the Watch app has background audio enabled and is recording, so processing continues. I'm finding that WatchConnectivity isn't connected to the phone in these cases and cannot send a ping. That is, on the Watch side, WatchConnectivity is not connected to the phone (isReachable==false), and the messages are simply never received on the phone as a result. I'm not sure how else the apps should communicate this information. How are these scenarios typically handled? Thank you, -- B.

For years our iOS apps have experienced a networking problem, which blocks them connecting to our servers via their API endpoint domains. How can we recover after the scenario described below? Using 3rd party error logging solutions, which have different endpoint domains, we can record the error: NSUnderlyingError": Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, _kCFNetworkCFStreamSSLErrorOriginalValue=-9816, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9816, _NSURLErrorNWPathKey=satisfied (Path is satisfied), viable, interface: pdp_ip0[lte], ipv4, dns, expensive, uses cell}, "_NSURLErrorFailingURLSessionTaskErrorKey": LocalDataTask <DEDBFA4D-810D-4438-A6A0-95E3B9668B9E>.<308>, "_kCFStreamErrorDomainKey": 3, "_NSURLErrorRelatedURLSessionTaskErrorKey": <__NSSingleObjectArrayI 0x301f82e60>( LocalDataTask <DEDBFA4D-810D-4438-A6A0-95E3B9668B9E>.<308> ) "NSLocalizedDescription": An SSL error has occurred and a secure connection to the server cannot be made., "NSLocalizedRecoverySuggestion": Would you like to connect to the server anyway? -9816 is the "server closed session with no notification" error based on comments in CoreFoundation source files. Subsequent API endpoint calls to the same domain return the same error. The SSL error occurs most prevalently after a server outage. However, despite our best efforts, we have been unable to replicate triggering the problem for development purposes via experiments with our server. When the error occurs the users report that: Fully closing (i.e. not just sending to background) and reopening the app does NOT clear connectivity to our server being blocked. Problem seems more prevalent when using mobile/cell data. Switching from mobile/cell data to WIFI resolves the connection problem and then switching back to mobile/cell data shows the problem again. So the underlying problem is not cleared. All other apps on the same device and mobile/cell data or WIFI connection, like Safari, have no problems connecting to the Internet. Deleting and reinstalling, or updating (when an update is available) resolves the problem. Or after waiting a few days the problem seems to resolve itself. The last two point above suggest that something is persisted/cached in the app preventing it from connecting properly with subsequent network attempts. Notes: We have one shared instance of the URLSession in the app for its networking because we are aware of the perils of multiple URLSession instances. We recently added conditions to call the URLSession await reset() method when detecting the SLL errors before repeating the request. It is debatable whether this reduces the problem as we still see logged cases with the subsequent requests hitting the same -9816 error. URLSession configuration: let config = URLSessionConfiguration.default config.timeoutIntervalForResource = 22 config.timeoutIntervalForRequest = 20 config.requestCachePolicy = .reloadIgnoringLocalCacheData config.urlCache = nil

Starting at 7 am many of our apps are crashing on launch from the -[USRVWebViewCallback invoke:] EXC_BAD_ACCESS: Attempted to dereference garbage pointer 0x20. This is coming across OS versions and does not seem to be related to our code as many different applications are crashing. Did Apple turn something on this morning?

Hi Guys,we have developed an VPN application for iOS 10, that basically just installs a VPN profile (developed using NETunnelProviderManager) that sets a special DNS for evey request to block malicious websites system-wide, that's it.Out can worked great under iOS 10 and even under iOS 11. But since updating the OS of the device to iOS 12, there is a "Update required" directly on the VPN profile:My question now is, did anybody else faced that problem?Because we already updated XCode, compiled the app for Deployment Target iOS 12, updated the application through the App Store, we already talked to the Apple Supported, that saif we should try using the develop forums so, can anybody htell us WHAT we should update to get rid off this message? The VPN profile itself still works, meaning the malicious websites still get blocked. But the label "Update Required" should vanish, but what should we do?Kind Regards,Mario

Hi, For my iOS app, I want to temporarirly connect to a in-house Wifi accessory. The iOS app will exchange some messages to configure the accessory and Wifi accessory does not need a connection to the internet. Based on the other post, NEHotspotConfiguration can be used to programmatically connect to a wifi network. However, iOS ask the authorization "Wants to Join Wi-Fi Network". I have following questions: Can we Wireless Accessory Configuration (WAC) for the same interaction? And in this case, can we silently connect to the accessory using Wifi without user having to authorize the connection? If WAC is used for this application, do we have to go through MFi certification? And what is estimated cost for this certification? Do we pay a one time fee or per device/app installation fee? The device is usb peripheral with a built-in wifi module. Thanks for the clarification

Sorry if this has been asked before. I was looking if there was any specific reason why location permission is needed to SSID name? I built small utility app to show network details. Some users have expressed concerns regarding enabling location services just to get the SSID or BSSID values. Just want to understand, and hopefully convey the right message to the users.

We have noticed that even if we have a localized CFBundleDisplayName, the phone would use the CFBundleName in the VPN permission dialog: " Would Like To Add VPN Configurations" The problem is even if we localize the CFBundleName in the InfoPlist.xcstrings, it still uses the base language in the permission prompt regardless of what language the phone is in. Is it possible to localize the name that's shown in the VPN permission dialog?

Documentation for System Extensions talk about an "appropriate" Applications directory, but doesn't specify what this is. /Applications and its subdirectories qualifies, but are there more? Did this change in macOS 15 Sequoia? Installing System Extensions and Drivers : Your app is installed in an appropriate Applications directory of the system. OSSystemExtensionErrorUnsupportedParentBundleLocation: The app itself must be in one of the system’s Applications directories. Background: while testing one of our apps with a VPN Network Extension on the current Sequoia beta, it seems that the restrictions got tighter. I'm able to run this app in my user's ~/Applications on macOS 14.6.1, but on macOS 15.1 beta I get this error now: Error Domain=OSSystemExtensionErrorDomain Code=3 "App containing System Extension to be activated must be in /Applications folder. Current location: file:///…

Hello , I'm working on a macOS application involving a Packet Tunnel Extension and have encountered a few issues. I would appreciate any help or insights from the community. System Extension Not Activated: Despite the system extension activation request (OSSystemExtensionRequest) appearing successful, the system extension is not fully activating. Error log shows: Failed to create LSApplicationRecord for file:///Library/SystemExtensions/.../: 'The operation couldn’t be completed. (OSStatus error -10811.)' VPN Connection Timeout: When attempting to start the VPN connection, the connection status remains stuck at "Connecting" and does not enter the PacketTunnelProvider's startTunnel method. Error log shows: NESMVPNSessionStateStarting, with connection timing out (300 seconds). System Extension Entitlements Issue: In the system extension's entitlements file, I have included relevant configuration items, such as com.apple.security.application-groups and com.apple.security.system-extension. Despite the correct configuration, the error log still shows that the com.apple.security.application-groups entitlement is not satisfied. Here is the configuration from the system extension's entitlements file: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.networking.networkextension</key> <array> <string>packet-tunnel-provider</string> <string>app-proxy-provider</string> <string>content-filter-provider</string> <string>dns-proxy</string> </array> <key>com.apple.developer.networking.vpn.api</key> <array> <string>allow-vpn</string> </array> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.application-groups</key> <array> <string>$(TeamIdentifierPrefix)com.mytest.client.macos.shared</string> </array> <key>com.apple.security.network.client</key> <true/> <key>com.apple.security.network.server</key> <true/> </dict> </plist> App Groups in Developer Account: In Xcode, the App Group identifier starts with the team code, such as $(TeamIdentifierPrefix)com.mytest.client.macos.shared. However, on the Apple Developer website, I can only add App Groups that start with group. rather than those with the team code prefix. Summary: The system extension is not fully activating, and the VPN connection remains stuck in the connecting state. The entitlements file configuration does not seem to be applied correctly. The discrepancy between Xcode and the Developer website regarding App Group identifiers is causing confusion. I have reviewed the entitlements file and the application's provisioning profile to ensure they match. Any advice or shared experiences from those who have faced similar issues would be greatly appreciated! Thank you!

Hello, we are developing an application that uses TLS client authentication with self-signed certificate. The app has multiple targets, including iOS and macOS clients. However, we are encountering issues with the client certificate on both platforms. Specifically, the client certificate is being rejected when making a URLRequest, and an AuthChallenge is triggered. The strange part is that the TLS handshake fails for every target except one iOS target, making it unclear whether the issue lies with the server or the system. Flow The connection uses TLS with Client Authentication. User is authenticated by client certificate, that is issued when user signs in. The certificate is self-signed. It is decoded from PKCS#12 blob into Swift.Data and then successfully imported with SecPKCS12Import. The Keychain uses access groups (separate for each target), kSecAttrSynchronizable is set to false and the items are accessible .afterFirstUnlock. The certificate is used for two types of connections - 1) Basic query request 2) Periodic status report First type of request never fails - it is successful, the problem arises with second type of requests. If the certificate is expired on didReceive challenge: URLAuthenticationChallenge, it is refreshed and then provided for verification with URLCredential Issue With default target everything works as expected. The issue arose when another targets with the same functionality (Different UI, Access Group, Bundle identifier) were added (different xcodeproj or same). Importing certificate is successful as are basic query requests. The issue are with the second type of requests - Periodic status report. Whenever this request is sent via URLSession, it fails. Here is the output in Xcode console: - boringssl_context_handle_fatal_alert(2072) [C1.1.1.1:2][0x13c0755a0] read alert, level: fatal, description: bad certificate - nw_read_request_report [C1] Receive failed with error "bad certificate format" - boringssl_session_handshake_error_print(44) [C1.1.1.1:2][0x13c0755a0] Error: 5266350496:error:10000412:SSL routines:OPENSSL_internal:SSLV3_ALERT_BAD_CERTIFICATE:/AppleInternal/Library/BuildRoots/a8fc4767-fd9e-11ee-8f2e-b26cde007628/Library/Caches/com.apple.xbs/Sources/boringssl/ssl/tls_record.cc:592:SSL alert number 42 - “Task <..>.<1> finished with error [-1202] Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “<redacted>” which could put your confidential information at risk.”“
 The certificate is in fact not invalid, since it works as expected for the other type of request and with the one specific target Here is the output from Console.app consoleoutput.txt I also noticed an additional error when I specifically searched for errors in Console.app. I'm not sure if it's connected, though it doesn't seem likely, as this error appears far more frequently than the requests.
 | Security | com.apple.security | trustd | SecKeyVerifySignature failed: Error Domain=NSOSStatusErrorDomain Code=-67808 "RSA signature verification failed, no match" UserInfo={numberOfErrorsDeep=0, NSDescription=RSA signature verification failed, no match} debug 21:56:54.822609+0200 | Security | com.apple.security | trustd | SecKeyVerifySignature failed: Error Domain=NSOSStatusErrorDomain Code=-50 "rsa_pub_crypt failed, ccerr=-7" (paramErr: error in user parameter list) UserInfo={numberOfErrorsDeep=0, NSDescription=rsa_pub_crypt failed, ccerr=-7} debug 21:56:43.954898+0200 On iOS an additional error appears.
 
SecKeyVerifySignature failed: Error Domain=NSOSStatusErrorDomain Code=-50 "<SecKeyRef algorithm id: 1, key type: RSAPublicKey, version: 4, 2048 bits (block size: 256), exponent: {hex: 10001, decimal: 65537}, modulus: F12EA3…97D85C5, addr: 0x7eca128c0>: sign - input buffer bad size (264 bytes)" UserInfo={numberOfErrorsDeep=0, NSDescription=<SecKeyRef algorithm id: 1, key type: RSAPublicKey, version: 4, 2048 bits (block size: 256), exponent: {hex: 10001, decimal: 65537}, modulus: F12EA31…A835FA7B With the message that says, "The certificate for this server is invalid...," it appears that the server certificate is failing. However, as mentioned, it works for another target that uses the exact same endpoint. When making a simple GET request to this endpoint, it passes as expected, probably since client certificate is not requested. I also checked the trust result on AuthenticationChallenge and it was successful. Could this be an issue with the client/server certificate itself? Or perhaps with how the client certificate is being handled—such as storing it inside the keychain, possible collisions? Thank you for your response.

Hi! I am building a simple per-app VPN application. I want the traffic from the certain appRules-specified application to go to the HTTP/HTTPS proxy server. I am lacking the following pieces of information: When proxy settings are configured who receives the traffic first: a proxy server or a packet tunnel provider? Since HTTP and HTTPS protocols are on the highest level of the networking stack I expect the proxy server to receive the traffic first. Will the packet tunnel provider receive TCP/UDP traffic from the specified applications with specified HTTP/HTTPS proxy settings?

I installed the WiFi diagnostics profile and the profile installed correctly. I see the diag tab in my current SSID and the data is correct. However I am try to save the wifi connection log with the Save logs feature. I give a name and click Save Log and nothing happens.

Hi, I have been working on the app with NE Filter Providers for a while now and it seems to work well. However, unlike Content Filter Providers, DNS Proxy is invalidated when device is inactive state. It shows status "Invalid" for just a couple seconds before to changes to "Starting" and eventually "Running". That's not a major issue, but I would like to know what's causing this behaviour and if there is a way to fix it. I am using custom DoH in my DNS Proxy for flows proxying. And if the server times out to respond, app sends rcode 5 (Refused) for requested flow. At the same time, app shouldn't crash because all errors are handled appropriately. Would be very grateful for any thoughts, thank you!

Hi, I have been working on the app with NE Filter Providers for a while now and it seems to work well. However, unlike Content Filter Providers, DNS Proxy is invalidated when device is inactive state. It shows status "Invalid" for just a couple seconds before to changes to "Starting" and eventually "Running". That's not a major issue, but I would like to know what's causing this behaviour and if there is a way to fix it. I am using custom DoH in my DNS Proxy for flows proxying. And if the server times out to respond, app sends rcode 5 (Refused) for requested flow. At the same time, app shouldn't crash because all errors are handled appropriately. Would be very grateful for any thoughts, thank you!

Hello Folks I have a Custom UrlSessionDeleagte which is checking server authentication by overriding method func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -&gt; Swift.Void) { if (challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust) { let serverTrust = challenge.protectionSpace.serverTrust // Applying additional validations. if(validated) { completionHandler(.useCredential, URLCredential(trust:serverTrust)) } } else { completionHandler(.performDefaultHandling, nil) } Initialized URL Session as below and reusing it in subsequent requests. if(urlSession != nil) { urlSession = URLSession(configuration: URLSessionConfiguration.Default, delegate: customURLSessionDelegate, delegateQueue : nil) } Now the issue is the uncertainty in response time First request - say took approx 11 secs. Second request if send immediately (&lt; 2 secs difference from last call) - took only 0.2 secs or 1.2 secs. Third request if send after &gt;20 secs - took again 12 secs. I want to know whether it is an implementation issue, or iOS behavior of handling the Server trust Authentication process in this way? Because the time it took after initializing a DataTask to checking server Auth differes. Also when call is sent immdiately it does not checkk Authentication again, but when send a after ~20 secs debugger fall on the Authentication method again, even if the URlsession instance was same.

Hi, let us explain the situation we have: We have a macOS server app which happens to be/act as a QUIC server (this setup is for a live demo). Once the server receives a streaming request from the client, server starts to send a bunch of QUIC streams to the client. The server needs to run on a macbook pro for the live demo and everything works fine, now when we click on a different app (the server app looses focus) the server app goes to background state and the network activity just stops going from 90MB/s to almost zero, but when we click on the server app again, the network activity goes back to 90MB/s and it continues normally. We understand this is the OS taking some decisions by managing resources efficiently. Question: Kindly let us know which options do we have to keep the server app QUIC networking tasks continuously running, even if it is not on the foreground (basically for it to behave like an actual server/service)? Thanks in advance

I developed a program to connect to Wi-Fi using the CoreWLAN API. First, I need to scan for SSIDs. However, when I call the scanning function, the scan fails occasionally. Failed to perform Wi-Fi scan, returned error code 16, will try again in 200 ms took 2.0468 seconds, returned error [16, com.apple.wifi.apple80211API.error, 'Resource busy'] I need to retry several times to succeed, which makes the process of connecting to Wi-Fi relatively slow. I want to know the reason of this error. 2024-08-06 18:24:13.090634+0800 0x86f393 Default 0x0 158 0 airportd: (IO80211) [com.apple.WiFiManager:] Info: <airport[158]> -[CWXPCSubsystem performScanWithChannelList:ssidList:legacyScanSSID:dwellTimeOverride:interfaceName:scanParametersOverride:allowDuringAWDLRealTimeMode:connection:scannedChannels:error:]: Failed to perform Wi-Fi scan, returned error code 16, will try again in 200 ms 2024-08-06 18:24:13.295896+0800 0x86f393 Default 0x0 158 0 airportd: (IO80211) Apple80211IOCTLSetWrapper:5093 @[3748838.819485] ifname['en0'] IOUC type 10/'APPLE80211_IOC_SCAN_REQ', len[5456] return 16/0x00000010 2024-08-06 18:24:13.295929+0800 0x86f393 Default 0x0 158 0 airportd: (IO80211) [com.apple.WiFiManager:] Info: <airport[158]> -[CWXPCSubsystem performScanWithChannelList:ssidList:legacyScanSSID:dwellTimeOverride:interfaceName:scanParametersOverride:allowDuringAWDLRealTimeMode:connection:scannedChannels:error:]: Failed to perform Wi-Fi scan, returned error code 16, will try again in 200 ms 2024-08-06 18:24:13.498811+0800 0x86f393 Default 0x0 158 0 airportd: (IO80211) [com.apple.WiFiManager:] Info: <airport[158]> -[CWXPCSubsystem performScanWithChannelList:ssidList:legacyScanSSID:dwellTimeOverride:interfaceName:scanParametersOverride:allowDuringAWDLRealTimeMode:connection:scannedChannels:error:]: Failed to perform Wi-Fi scan, returned error code 16 2024-08-06 18:24:13.499112+0800 0x86f393 Default 0x0 158 0 airportd: (IO80211) [com.apple.WiFiManager:] Scan: <airport[158]> -[CWXPCConnection __performScanWithChannelSubset:ssidList:legacyScanSSID:includeHiddenNetworks:mergeScanResults:maxAge:maxMissCount:maxWakeCount:maxAutoJoinCount:interfaceName:waitForWiFi:waitForBluetooth:token:priority:scanParametersOverride:allowDuringAWDLRealTimeMode:reply:]_block_invoke: [575EE] WIFI_REQ_SCAN (exit) 2024-08-06 18:24:13.499318+0800 0x86f7a7 Default 0x0 158 0 airportd: (IO80211) [com.apple.WiFiManager:] AutoJoin: <airport[158]> Failed cache-assisted scan request for wifihelper with channels {( <CWChannel: 0x138b236f0> [channelNumber=1(2GHz), channelWidth={20MHz}, active], <CWChannel: 0x138b8f880> [channelNumber=6(2GHz), channelWidth={20MHz}, active], <CWChannel: 0x138bee730> [channelNumber=11(2GHz), channelWidth={20MHz}, active], <CWChannel: 0x138b77590> [channelNumber=2(2GHz), channelWidth={20MHz}, active], <CWChannel: 0x138bb7e40> [channelNumber=3(2GHz), channelWidth={20MHz}, active], <CWChannel: 0x138b51290> [channelNumber=4(2GHz), channelWidth={20MHz}, active] )}, took 2.0468 seconds, returned error [16, com.apple.wifi.apple80211API.error, 'Resource busy'] wifi.log

We found there is a significant crash reports (most of them are from iOS 17, the rest are iOS 16 and 15) comes from network loader from CFNetwork. Apparently it seems there are two types of crashes if we checked from the stack trace, the one we found from both Xcode organizer and 3rd party crash reporter is referring to URLConnectionLoader::loadWithWhatToDo and the other one from our 3rd party crash reporter (didn’t found the report from Xcode organizer) referring to _CFURLResponseCreateFromArchiveList (this one only happened on iOS 17.5 and later devices). It seems that they are both kinda similar which might point to the same root cause. From what I’ve seen, we never touch the lower level API directly, we usually use the URLSession to manage our API request. The crashed stack trace also didn’t give any indication about which of our app code that triggered the crash, it only shows calls to Apple’s internal SDKs so we are unsure how to approach this issue meanwhile the crash event already reached 800+ in the last 30 days. Unfortunately, we cannot reproduce the issue as the stack trace itself seems unclear to us. I have submitted a report through feedback assistant with number: FB14679252. Would appreciate if anyone can give any advice on what we can do to avoid this in the future and probably any hint on why it could happened. Hereby I attached the crash reports that we found each from Xcode crash report and our 3rd party crash reporter (the report said it crashed on com.apple.CFNetwork.LoaderQ) so you could get a glimpse of the similarity. Xcode crash report xcode crash report.crash 3rd party crash report 3rd party crash report.txt