Networking

Explore the networking protocols and technologies used by the device to connect to Wi-Fi networks, Bluetooth devices, and cellular data services.

Post

Replies

Boosts

Views

Activity

the app in ipad(ios 18) can not connect to tcp server in the same local network
The app in ipad can not connect to tcp server in the same local network.
libinfo check path: unsatisfied (Local network prohibited)
Reproduce steps:
1. I update my ipad to ipad iOS/18.0
2. install the app
3. make the app connect to tcp server in the windows which is in the same local network.
4. the ipad trigger Local Network privacy alert
5. I tap the allow button, I check the toggle of Local Network privacy is on as well
6. I try to make the app connect to tcp server in the windows again, but can not connect to tcp server, the ipad system log:
   nw_path_libinfo_path_check [8F864AB4-C5E1-488D-B396-ECEC2F3FB77E IPv4#0423cc45:9520 tcp, legacy-socket, attribution: developer] libinfo check path: unsatisfied (Local network prohibited), interface: en0[802.11], ipv4, uses wifi
7. I try to make the app connect to tcp server in other windows. It connects successfully. the ipad system log:
   nw_path_libinfo_path_check [C84DC25A-5A14-4080-ABAA-10ED24AE2D6D IPv4#7df62769:9520 tcp, legacy-socket, attribution: developer] libinfo check path: satisfied (Path is satisfied), interface: en0[802.11], ipv4, dns, uses wifi
So please apple developer help investigate why the app can not connect to the tcp server in the same local network, even though the toggle of local network permission is on in ipad os 18
2
0
206
Oct ’24
iOS 18 Per-App VPN: "Deactivate Configuration" Button Behavior
We’ve noticed that in iOS 18, the "Deactivate Configuration" button within the Per-App VPN settings immediately disables the VPN for selected apps without any confirmation prompt. This can be problematic for users, as there is no warning or verification before the action is taken, which may lead to unintended disruptions in VPN connectivity. We haven’t found any relevant documentation on Apple’s developer website addressing this behavior. Any insights or suggestions would be greatly appreciated, and if we can have documentation to disable this button using an MDM profile it will be great.
10
3
1.9k
Sep ’24
POST request failing only when app goes in to background.
I'm trying to troubleshoot what is going on with my app. The app works just fine when the user is logged in. It's able to post data to my REST API just fine. But when the app goes into the background, the BGAppRefreshTask fires off just fine, but it's unable to post its data. The payload is super small, two keys and two short strings, and that's it. I've tried searching on kCFStreamErrorCodeKey -2103 and ErrorDomainKey 4 but not much comes up. Here is my error with the URL string altered...
Error Domain=NSURLErrorDomain Code=-1001 "The request timed out." UserInfo={_kCFStreamErrorCodeKey=-2103, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <3126EFA1-00D3-4423-A31B-D40AB900292D>.<1>, _NSURLErrorRelatedURLSessionTaskErrorKey=( "LocalDataTask <3126EFA1-00D3-4423-A31B-D40AB900292D>.<1>" ), NSLocalizedDescription=The request timed out., NSErrorFailingURLStringKey=https://my.example.com/myapi/v1/device, NSErrorFailingURLKey=https://my.example.com/myapi/v1/device, _kCFStreamErrorDomainKey=4}
2
0
163
Oct ’24
Does URLSession support ticket-based TLS session resumption
My company has a server that supports ticket-based TLS session resumption (per RFC 5077). We have done Wireshark captures that show that our iOS client app, which uses URLSession for REST and WebSocket connections to the server, is not sending the TLS "session_ticket" extension in the Client Hello package that is necessary to enable ticket-based resumption with the server. Is it expected that URLSession does not support ticket-based TLS session resumption? If "yes", is there any way to tell URLSession to enable ticket-based session resumption? The lower-level API set_protocol_options_set_tls_tickets_enabled() hints that the overall TLS / HTTP stack on iOS does support ticket-based resumption, but I can't see how to use that low-level API with URLSession. I can provide (lots) more technical details if necessary, but hopefully this is enough context to determine whether ticket-based TLS resumption is supported with URLSession. Any tips / clarifications would be greatly appreciated.
2
0
154
Oct ’24
How to transition from a non-background upload to a background one
A few months ago, I remember reading some official documentation that was describing how to switch to a background upload when the app is about to be suspended. Unfortunately, I can't find that resource back, so it would be fantastic if someone would point it out to me. If I remember correctly, the procedure described was to start a regular upload task within some UIApplication.backgroundTask, and in any case the upload wasn't finished at the moment the system would call the suspension handler, the upload was "transitioned" into a background one while preserving the current progress (I think because it was using the same URLSession or something, hence why I want to find back the documentation!). Note that I don't want to start a background upload from the beginning (this is what we do already!). I'm mostly looking for that piece of documentation to experiment if that scheme would improve our upload performance. Thanks!
1
0
167
Oct ’24
defaultPath deprecated in NEProvider
The documentation for the defaultPath property of NEProvider is as follows: This NWPath object contains information about which physical network interface will be used by connections opened by the Network Extension provider. You can determine when this physical interface changes by observing this property using KVO. However, I have noticed that it is deprecated as of iOS 18. Is there any existing replacement for this functionality since it has been deprecated, or is a new replacement on the horizon? This is very useful for network extensions in order to detect changes to the network, for instance when moving from WiFi to mobile data.
1
0
194
Oct ’24
How can I use a keychain item with access control ".userPresence" in a VPN Network extension
I am building a NEPacketTunnelProvider, and in its configuration I set a SecIdentity persistent reference. That reference is passed to the tunnel provider but when I try to use it there, I get an errSecInteractionNotAllowed error. The private key for that identity is protected by .userPresence. If I remove the protection, the network extension can access the identity and the private key. Is there any way that a VPN network extension can use a keychain item protected by .userPresence?
2
0
204
Oct ’24
How do I make a network call that is longer than 30 seconds?
I have a network call that can sometimes take longer than 30 seconds and user might sometimes background the app after waiting a bit (think like an image generation done on a server which takes a while). I want to make sure that I have exhausted all the options available to provide the best possible solution for the user.
(1) Use beginBackgroundTask. The downside to this is that I'm only given about 30 seconds or so, and if it takes longer, the call just gets killed.
(2) Use URLSessionConfiguration.background. The upside is that this can take as long as it needs but it seems to be delegated to the system, and you never know when it will run? What if the user stays in the foreground and now the user will not know when the call will even begin (determined by the OS).
(3) Use BGProcessingTask. Again problem is that we can't control when the task is run (which in this case we want it to be immediately).
So really none of the options really is ideal. Are there other options? What I would like ideally is:
- The call should start immediately upon user request
- The call should go on indefinitely when the app stays in foreground
- The call should go on for an extended period (like 2 minutes) if the user puts the app in background
- If the call is completed in the background, have a way for the app to retrieve the result when the user brings the app back in the foreground
1
0
154
Oct ’24
Simulator unable to connect to localhost, working fine when opened directly in laptop
I am trying to connect to localhost:8081 from simulator, but it is unable to connect with following logs:
info 12:07:49.167248+0530 com.apple.WebKit.Networking nw_resolver_host_resolve_callback [C8.1] flags=0x40000003 ifindex=0 error=NoSuchRecord(-65554) hostname=localhost. addr=IN6ADDR_ANY ttl=60
info 12:07:49.167310+0530 com.apple.WebKit.Networking nw_resolver_host_resolve_callback [C8.1] flags=0x40000002 ifindex=0 error=NoSuchRecord(-65554) hostname=localhost. addr=INADDR_ANY ttl=108002
macOS 14.6.1
iOS simulator version 17.5
Some observations:
- localhost:8081 does not load on simulator but 0.0.0.0:8081 loads fine, also 127.0.0.0:8081 loads fine on simulator.
- My laptop is a managed device with network filter
- Switching network sometimes fixes the issue.
- Restarting laptop sometimes fixes the issue.
- localhost:8081 opens fine on laptop, but not on simulator.
Contents of my laptop's /etc/hosts:
    ##
    # Host Database
    #
    # localhost is used to configure the loopback interface
    # when the system is booting. Do not change this entry.
    ##
    127.0.0.1 localhost
    255.255.255.255 broadcasthost
    ::1 localhost
9
0
828
Aug ’24
VPN routes not applied to the network extension.
Hi, We are building a VPN application with a packet tunnel network extension. The NE (network extension) provides the VPN itself (obviously) alongside some VPN related functionalities. The VPN does not intend to capture all the network, instead it just gives access to one or several remote networks (aka we are only routing some subnets to the NE). The issue is that for some functionalities, we would need the NE to create network connections that might need to be routed through the tunnel. The issue is that the routes that we declared with the NE are not applied to the network traffic emanating from the NE itself. I do understand that this is a requirement to avoid VPN loops, moreover with VPNs that capture all the traffic. But in our case we know we will avoid collision since we only route some networks. What solution do we have? Is there an option somewhere to force the application of all routes to the NE?
5
0
200
Oct ’24
Network Connection on watchOS App
I am developing a watchOS-only app, and whenever I attempt to make a network request, it always fails and throws the following error: Error Domain=NSURLErrorDomain Code=-1009 "The Internet connection appears to be offline." I noticed that when I turn off Wi-Fi and Bluetooth in the settings of the iPhone paired with the Apple Watch (thus disconnecting the Apple Watch from the iPhone), my app can successfully connect to the network. Additionally, when the app contains both an iOS app and a watchOS app, after granting network permissions on the iOS app, the watchOS app can access the network normally when connected to the iPhone. When opening some system apps on the Apple Watch (such as the "Workout" app), the app will display a network permission request similar to that on iOS, but this request does not automatically pop up when my watchOS app attempts to access the network. Is there a way to request network permissions in a watchOS-only app so that it can access the network while connected to the iPhone?
3
0
646
Jul ’24
Http get request is replayed by NSURLSession when switch network type
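Our server recently added anti-replay protection, and we found that iOS clients hit a lot of replay errors. Because our requests are signed with a UUID, we ruled out a problem with the algorithm.
After investigating, we found that if the network changes while a request is in flight on iOS, for example connecting or disconnecting a VPN, or turning Wi-Fi on or off, the system replays the in-flight request multiple times. As a result, from the app's point of view the request and the response each happen only once, but the server receives the request multiple times.
Steps to reproduce:
1. Start a packet capture tool, for example Wireshark.
2. Send a request using the demo code (enable a slow network first, otherwise it is too fast to act in time).
3. Without waiting for the request to complete, turn off Wi-Fi; the device then switches to cellular data.
4. After the request completes, the log shows that the request was sent and the response received only once, but the packet capture tool shows that the request was sent 2 times.
The demo is as follows:
    // Create a URLSession with the default configuration
    NSURLSession *defaultSession = [NSURLSession sharedSession];
    // Setup the request to the URL
    NSTimeInterval ms = [NSDate.date timeIntervalSinceReferenceDate] * 1000;
    NSURL *url = [NSURL URLWithString:[NSString stringWithFormat:@"https://static.fusionbank.com/resource/20240930/8f54352194ac8beecbd5d3f5842b27bb.png?_t=%f",ms]];
    NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:url];
    urlRequest.timeoutInterval = 20;
    // Create dataTask
    NSLog(@"--- request start");
    dataTask = [defaultSession dataTaskWithRequest:urlRequest completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
        dispatch_async(dispatch_get_main_queue(), ^{
            NSLog(@"--- request finish %@", [error localizedDescription]);
            // Handle your response here
            [self.loadingView stopAnimating];
            if (data) {
                UIImage* img = [UIImage imageWithData:data];
                self.imageView.image = img;
            }
        });
    }];
    // Fire the request
    [dataTask resume];
The log is as follows: 111.log
The packet capture tool shows the request was sent 2 times:
Request and response details: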
1
0
125
Oct ’24
Transparent Proxy overrides flow.metaData.sourceApplicationSigningIdentifier property
Hello, I'm developing a transparent proxy which only intercepts traffic coming from certain apps. I'm having a problem when there are other transparent proxies active where the flow.metaData.sourceApplicationSigningIdentifier property is whichever provider intercepted the traffic before my provider did. To verify this, I have implemented a small application that installs two transparent proxy profiles which handle the flows only coming from Safari. Here's the bit of the code where the provider determines that:
    open override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        guard let flow = flow as? NEAppProxyTCPFlow else { return false }
        let sourceApp = flow.metaData.sourceAppSigningIdentifier
        NSLog("[TransparentProxyProvider] Received flow from: \(sourceApp)")
        guard sourceApp == "com.apple.Safari" else { return false }
        // Create NWConnection and handle flow copying as needed
        return true
    }
As you can see from the following screenshots, when both profiles are active at the same time, the logs show that the second profile sees that the source application is the first profile:
From what I understand, that happens because the Transparent Proxy Provider creates a TCP connection and therefore, from the Operating System's perspective, is initiating a new separate flow which is what is then intercepted by the second provider. My questions are:
- Is this expected behavior?
- Is there a way to find what the actual source application was?
- How does the Operating System determine which profile receives the traffic first?
3
0
329
Sep ’24
Trying to regain the reins of control
Hey all, so I’m just looking to normalize my ifconfig loadout. Essentially I have many interfaces and as many as 25-50 interfaces on my device.
Special clauses:
- I may not factory reset the device including all data because AppleID phone number and password have been lost
- I have access to blink shell for a limited number of days
- I have had permission denied in every way accessing the device via other shells and have no desire to do this via SSH; simply put I think that if my phone is set up like this, THERE MUST be SOME way to get these interfaces flags down AT LEAST. And possibly in theory I should be able to even UNINSTALL these many, many interfaces!!
Reaching out here seems to be the brightest idea, because of the scope of this task. I realize I am not a fully stacked developer and have some desire to be one but realistically I won't be one, so hopefully my task is clear:
- remove interfaces from ifconfig -a's list of enumerated network interfaces. Even flags down will do.
Thank you for not deleting my thread, please move it if possible. I do have a copy
2
0
135
Oct ’24
Errors codes for invalid resumeData with URLSession UploadTask?
I'm coding resumable uploads using iOS 17's URLSession's uploadTask(withResumeData:. This function returns a non-Optional URLSessionUploadTask and does not throw. In cases where the system determines the resumeData is no longer valid, how do I detect that (so I can create a new URLSessionUploadTask from scratch)? I'm doing this for background uploads, so it's all URLSessionDelegate apis, but what are the failure modes, and what Error types and Codes would we get specially? Obviously, I expect the resume data is no longer usable or necessary when we get a server success i.e. in the 2xx range. Does the resume data also become invalid for other server responses, like 4xx's or 5xx's? I expect the resume data usually shouldn't become invalid when getting URLError's like .networkConnectionLost, since that's like half the point of having the feature in the first place, to resume after a broken network connection. But I do expect that if the resumeData is invalid, then I should be able to reach the server and get a server response, so in that case what Code would we get? I'm assuming the system is caching our upload file somewhere, and the resume data somehow makes a reference to it, so does that file get optimized away at some point in time when left untouched, and need us to start a fresh upload? We are also saving the file for potential future re-uploads, until we get certain assurances of completion from our backend, but I am just wondering on which logic branches I need to determine that the resumeData I thought I could use is no longer usable.
3
0
167
Oct ’24
EPERM when connecting to Socket with Posix
I want to connect my iOS App with a MQTT Server via a Kotlin Multiplatform XCFramework. This Framework uses the library KMQTT to connect to our MQTT Server. As you can see Here KMQTT uses the default POSIX commands to connect to a socket. This setup works great on Android, not so much for iOS:
- When connecting to an IPv6 Address iOS devices get the POSIX Error 47, this was "fixed" by only using IPv4
- more importantly: On ~50% of devices, when connecting to the socket they get the POSIX Error 1 (EPERM).
The devices are iPhone 13, 14 Pro and a 15 and they all use either iOS 17 or iOS 18. When trying to open the ip via Safari they can connect. This problem seems to come from the Provider, as when I open a Hotspot from a device that doesn't work, all connected iOS Devices also don't work and when another device that works opens a hotspot and the not-working device connects to it, this device works. Do you guys have any idea why this error is thrown?
2
0
173
Oct ’24
Pre-approving network extension VPN permission with MDM
I have a macOS app with Network Extension. It requests VPN permission with the code like this:
    self.tunnelManager = [NETunnelProviderManager new];
    NETunnelProviderProtocol *protocol = [NETunnelProviderProtocol new];
    protocol.providerBundleIdentifier = @"com.myapp.macos.tunnelprovider";
    self.tunnelManager.protocolConfiguration = protocol;
    [self.tunnelManager setOnDemandRules:nil];
    [self.tunnelManager setOnDemandEnabled:NO];
    [self.tunnelManager setEnabled:YES];
    [self.tunnelManager saveToPreferencesWithCompletionHandler:^(NSError * _Nullable saveError) {}];
A lot of my app users are businesses and they would like to have a pre-installed VPN config. We currently do it like this:
    <array>
      <dict>
        <key>PayloadDisplayName</key>
        <string>MyAppName</string>
        <key>PayloadType</key>
        <string>com.apple.vpn.managed</string>
        <key>UserDefinedName</key>
        <string>MyAppName</string>
        <key>VPN</key>
        <dict>
          <key>AuthenticationMethod</key>
          <string>Password</string>
          <key>ProviderBundleIdentifier</key>
          <string>com.myapp.macos.tunnelprovider</string>
          <key>ProviderDesignatedRequirement</key>
          <string>anchor apple generic and identifier "com.myapp.macos.tunnelprovider" and (certificate leaf[field.1.2.3] /* exists */ or certificate 1[field.1.2.3] /* exists */ and certificate leaf[field.1.2.3] /* exists */ and certificate leaf[subject.OU] = "123")</string>
          <key>RemoteAddress</key>
          <string/>
        </dict>
        <key>VPNSubType</key>
        <string>com.myapp.macos</string>
        <key>VPNType</key>
        <string>VPN</string>
      </dict>
    </array>
Now, if the user installs my app first and allows the VPN permission, then MDM will set the profile above to the user, the user will end up with two VPN profiles in settings. They will be called "My App" and "My App 1". At first we thought it's harmless, but users with two VPN profiles sometimes have app update issues, where after update the newer version of client fails to communicate with the older version of tunnel, it cannot even tell it to quit. The tunnel must be force-quit by the user in this case. We suspect two profiles to be the reason for that. Is there a way to make sure duplicate VPN profiles do not happen?
2
0
194
Oct ’24
Local Network Privacy FAQ-2
This post is part of the Local Network Privacy FAQ.
What operations require local network access?
The general rule is that outgoing traffic to a local network address requires that the user grant your app local network access. Common scenarios include:
- Making an outgoing TCP connection — yes
- Listening for and accepting incoming TCP connections — no
- Sending a UDP unicast — yes
- Sending a UDP multicast — yes
- Sending a UDP broadcast — yes
- Connecting a UDP socket — yes
- Receiving an incoming UDP unicast — no
- Receiving an incoming UDP multicast — yes
- Receiving an incoming UDP broadcast — yes
These TCP and UDP checks are done at the lowest levels of the system and thus apply to all networking APIs. This includes Network framework, BSD Sockets, NSStream, and NSURLSession, and any other protocols that you layer on top of those.
IMPORTANT Receiving an incoming UDP multicast or broadcast does not currently require local network access but, because we hope to change that in a future update, our advice right now is that you write your code as if it did (r. 69792887, 70017649).
Resolving link-local DNS names (those ending with local, per RFC 6762) requires local network access. Again, this check applies to a wide variety of APIs including <dns_sd.h>, <net_db.h>, Network framework, NSStream, and NSURLSession.
Finally, all Bonjour operations require local network access:
- Registering a service with Bonjour — yes
- Browsing for Bonjour services — yes
- Resolving a Bonjour service — yes
Again, these checks apply to all APIs that use Bonjour, including <dns_sd.h>, Network framework, NSNetService, and Multipeer Connectivity.
Note You must declare the Bonjour service types you use in your Info.plist. See FAQ-14 How do I map my Multipeer Connectivity service type to an entry in the Bonjour services property? for details.
Bonjour-based services where you don’t see any details of the network do not require local network access. These include:
- AirPlay — no
- Printing via UIKit — no
0
0
6.5k
Oct ’20
How to handle to WiFi networks with same SSIDs?
Hello Everyone, I have developed an iOS/iPadOS app in which I am checking if the device is connected to a particular WiFi network. I am able to check that using the CNCopyCurrentNetworkInfo dictionary and the value of the key "kCNNetworkInfoKeySSID". So, while doing that I was wondering what will happen if there is another WiFi network with same SSID. Is there another way to identify a WiFi network uniquely?
2
0
148
Oct ’24