Hello, I am exploring an iPadOS product idea for Apple Pencil users and would like to understand the current public API boundary. The user need is a temporary, user-controlled Apple Pencil annotation layer while the user is working in another app or workspace. For example, a student may be reading in Books, Safari, a PDF app, or another educational app and want to write quick Pencil notes directly over the visible material without taking a screenshot or exporting the content first. I understand that PencilKit works inside an app's own UI, and I also understand that iPadOS sandboxing prevents third-party apps from inspecting or modifying other apps. I am not trying to bypass that model. What I am trying to determine is: Is there any current public API, extension point, or entitlement that allows a user-initiated Apple Pencil overlay session across the current iPadOS workspace? If not, is Feedback Assistant the right place to request a new PencilKit / iPadOS entitlement for this use case? Are there existing Apple-recommended patterns for this workflow beyond Quick Note, Screenshot Markup, Split View, Stage Manager, or importing content into the developer's own app? The privacy model I have in mind would be strict: The overlay is user initiated only. A visible system indicator is shown while active. The developer app receives Pencil stroke data only by default. The app cannot inspect the underlying app's view hierarchy, documents, text, or private data. Screen pixels are not captured unless the user grants separate explicit permission. The user can close or clear the overlay at any time. The closest mental model is a system-mediated Pencil annotation layer, not a background screen recorder or a way to control another app. If this is not possible today with public APIs, I would appreciate confirmation so I can file a clear enhancement request through Feedback Assistant. I also filed this as Feedback Assistant report FB23067750. Thank you.

We are working with two types of wallet passes. Provisioning works successfully for one pass type via wallet extensions, but the same process is not functioning for the other. For the second pass type, we are able to generate the required data for pull provisioning and send it to Apple. Additionally, in-app push provisioning for this pass type completes without issue. We would appreciate guidance on how to further debug and resolve this provisioning problem.

We have updated the PNO metadata to include the associatedApplicationIdentifiers for our wallet extensions and the issuer app. While we are able to successfully provision the card to Apple Wallet via pull provisioning, we are unable to retrieve the payment passes that have already been provisioned. How can we address this issue? let passLibrary = PKPassLibrary() let paymentPassLibrary = self.passLibrary.passes(of: .secureElement) paymentPassLibrary is an empty array even though we have passes provisioned.

Hello, I am developing a Safari extension that uses service workers and all works well. When the extension is updated, a new content script is injected into the current open tabs however the service worker connection with the new content script does not get established. I confirmed both the old content script and new one is on the page, but the new one just doesn't execute which means it will not connect to the service worker. In Chrome a newly injected content script does work and in FireFox it is handled by FireFox automatically. How can this be done in Safari? Any help would be appreciated.

I'm implementing PHBackgroundResourceUploadExtension to back up photos and videos to our cloud storage service. During testing, I observed that iCloud-optimized photos (where the full-resolution original is stored in iCloud, not on device) do not upload. The upload job appears to silently skip these assets. Questions: Is this behavior intentional/documented? I couldn't find explicit mention of this limitation. If the device only has the optimized/thumbnail version locally, does the system: - Automatically download the full-resolution asset from iCloud before uploading? - Skip the asset entirely? - Return an error via PHAssetResourceUploadJobChangeRequest? For a complete backup solution, should we: - Pre-fetch full-resolution assets using PHAssetResourceManager.requestData(for:options:) before creating upload jobs? - Use a hybrid approach (this extension for local assets + separate logic for iCloud-only assets)? Environment: iOS 26, Xcode 18

Hi, I'm trying to test out an extension I'm building in Xcode and every time I try to test it, Safari crashes immediately. On later versions of Mac OS, e.g. Sequoia, there's no problem. I'm building this extension as part of a Mac Catalyst app that is a hybrid iPad/Mac OS app. On Safari 26.3 (20623.2.7.18.1) I can just add the source tree as a temporary extension and it works fine. But the .appex file for the same thing is causing the older Safari 17.6 (17618.3.11.11.7, 17618) to throw a fit. Trying to get through this with LLMs has focused on whether the extension target is for iOS and Mac OS or just Mac OS alone, and futzing with UIDeviceFamily the Build Settings. But basically it just doesn't work no matter what I do, and Safari shouldn't crash. Here's the .appex's Info.plist after compilation: % defaults read /Users/[username]/Library/Developer/Xcode/DerivedData/PlainSite-[gibberish]/Build/Products/Debug-maccatalyst/PlainSite.app/Contents/PlugIns/PlainSiteRecycler.appex/Contents/Info.plist { BuildMachineOSBuild = 21H1320; CFBundleIdentifier = "com.thinkcomputer.[product].[extension]"; CFBundleShortVersionString = "1.0"; CFBundleSupportedPlatforms = ( MacOSX ); CFBundleVersion = 2; DTCompiler = "com.apple.compilers.llvm.clang.1_0"; DTPlatformBuild = 14C18; DTPlatformName = macosx; DTPlatformVersion = "13.1"; DTSDKBuild = 22C55; DTSDKName = "macosx13.1"; DTXcode = 1420; DTXcodeBuild = 14C18; LSMinimumSystemVersion = "12.0"; NSExtension = { NSExtensionAttributes = { SafariWebExtensionPath = src; }; NSExtensionPointIdentifier = "com.apple.Safari.web-extension"; NSExtensionPrincipalClass = "PlainSiteRecycler.SafariWebExtensionHandler"; }; UIDeviceFamily = ( 2, 6 ); } Crash log: Hardware Model: MacBookPro12,1 Process: Safari [44241] Path: /Applications/Safari.app/Contents/MacOS/Safari Identifier: com.apple.Safari Version: 17.6 (17618.3.11.11.7) Code Type: X86-64 (Native) Role: Background Parent Process: launchd [1] Coalition: com.apple.Safari [1098] Date/Time: 2026-06-12 13:29:10.8546 -0700 Launch Time: 2026-06-12 13:27:27.7047 -0700 OS Version: macOS 12.7.6 (21H1320) Release Type: User Report Version: 104 Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Subtype: KERN_PROTECTION_FAILURE at 0x00007ff7b77d1ff8 Exception Codes: 0x0000000000000002, 0x00007ff7b77d1ff8 VM Region Info: 0x7ff7b77d1ff8 is in 0x7ff7b3fd2000-0x7ff7b77d2000; bytes after start: 58720248 bytes before end: 7 REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL MALLOC_SMALL 7fa313000000-7fa313800000 [ 8192K] rw-/rwx SM=PRV GAP OF 0x54a07d2000 BYTES ---> STACK GUARD 7ff7b3fd2000-7ff7b77d2000 [ 56.0M] ---/rwx SM=NUL ... for thread 0 Stack 7ff7b77d2000-7ff7b7fd2000 [ 8192K] rw-/rwx SM=PRV thread 0 Exception Note: EXC_CORPSE_NOTIFY Termination Reason: SIGNAL 11 Segmentation fault: 11 Terminating Process: exc handler [44241] Highlighted by Thread: 0 Backtrace not available No thread state (register information) available Binary Images: 0x0 - 0xffffffffffffffff ??? (*) <00000000-0000-0000-0000-000000000000> ??? Error Formulating Crash Report: dyld_process_info_create failed with 5 Failed to create CSSymbolicatorRef - corpse still valid ¯_(ツ)/¯ thread_get_state(PAGEIN) returned 0x10000003: (ipc/send) invalid destination port thread_get_state(EXCEPTION) returned 0x10000003: (ipc/send) invalid destination port thread_get_state(FLAVOR) returned 0x10000003: (ipc/send) invalid destination port EOF Full Report {"app_name":"Safari","timestamp":"2026-06-12 13:29:12.00 -0700","app_version":"17.6","slice_uuid":"af2262af-647d-3262-adc8-e52c3ef7579e","build_version":"17618.3.11.11.7","platform":0,"bundleID":"com.apple.Safari","share_with_app_devs":0,"is_first_party":0,"bug_type":"309","os_version":"macOS 12.7.6 (21H1320)","incident_id":"8F871759-8566-49DE-A6F9-EE73128BB836","name":"Safari"} { "uptime" : 100000, "procLaunch" : "2026-06-12 13:27:27.7047 -0700", "procRole" : "Background", "version" : 2, "userID" : 503, "deployVersion" : 210, "modelCode" : "MacBookPro12,1", "procStartAbsTime" : 102649791496150, "coalitionID" : 1098, "osVersion" : { "train" : "macOS 12.7.6", "build" : "21H1320", "releaseType" : "User" }, "captureTime" : "2026-06-12 13:29:10.8546 -0700", "incident" : "8F871759-8566-49DE-A6F9-EE73128BB836", "bug_type" : "309", "pid" : 44241, "procExitAbsTime" : 102752878214260, "cpuType" : "X86-64", "procName" : "Safari", "procPath" : "/Applications/Safari.app/Contents/MacOS/Safari", "bundleInfo" : {"CFBundleShortVersionString":"17.6","CFBundleVersion":"17618.3.11.11.7","CFBundleIdentifier":"com.apple.Safari"}, "buildInfo" : {"ProjectName":"Safari","SourceVersion":"7618003011011007","ProductBuildVersion":"618G22","BuildVersion":"12"}, "storeInfo" : {"deviceIdentifierForVendor":"28124F28-A4EB-556C-A50C-D710162ABDA6","thirdParty":true}, "parentProc" : "launchd", "parentPid" : 1, "coalitionName" : "com.apple.Safari", "crashReporterKey" : "134BE33B-9612-8725-73E0-95998174507F", "wakeTime" : 67008, "sleepWakeUUID" : "F942DC6A-04DF-4EE2-AA9F-DB3EDCB24AC3", "sip" : "enabled", "isCorpse" : 1, "exception" : {"codes":"0x0000000000000002, 0x00007ff7b77d1ff8","rawCodes":[2,140701912080376],"type":"EXC_BAD_ACCESS","signal":"SIGSEGV","subtype":"KERN_PROTECTION_FAILURE at 0x00007ff7b77d1ff8"}, "termination" : {"flags":0,"code":11,"namespace":"SIGNAL","indicator":"Segmentation fault: 11","byProc":"exc handler","byPid":44241}, "usedImages" : [ { "size" : 0, "source" : "A", "base" : 0, "uuid" : "00000000-0000-0000-0000-000000000000" } ], "sharedCache" : { "base" : 140703277129728, "size" : 19331678208, "uuid" : "246818c3-4b9f-3462-bcaf-fdf71975e5fe" }, "legacyInfo" : { "threadHighlighted" : 0 }, "trialInfo" : { "rollouts" : [ { "rolloutId" : "61301e3a61217b3110231469", "factorPackIds" : { "SIRI_FIND_MY_CONFIGURATION_FILES" : "652886aa2c02f032beae8316" }, "deploymentId" : 240000028 }, { "rolloutId" : "5ffde50ce2aacd000d47a95f", "factorPackIds" : { }, "deploymentId" : 240000550 } ], "experiments" : [ ] }, "reportNotes" : [ "dyld_process_info_create failed with 5", "Failed to create CSSymbolicatorRef - corpse still valid ¯\(ツ)_/¯", "thread_get_state(PAGEIN) returned 0x10000003: (ipc/send) invalid destination port", "thread_get_state(EXCEPTION) returned 0x10000003: (ipc/send) invalid destination port", "thread_get_state(FLAVOR) returned 0x10000003: (ipc/send) invalid destination port" ] } Any help would be greatly appreciated!

I'm implementing a PHBackgroundResourceUploadExtension to back up photos and videos from the user's library to our cloud storage service. Our existing upload infrastructure uses chunked uploads for large files (splitting videos into smaller byte ranges and uploading each chunk separately). This approach: Allows resumable uploads if interrupted Stays within server-side request size limits Provides granular progress tracking Looking at the PHAssetResourceUploadJobChangeRequest.createJob(destination:resource:) API, I don't see a way to specify byte ranges or create multiple jobs for chunks of the same resource. Questions: Does the system handle large files (1GB+) automatically under the hood, or is there a recommended maximum file size for a single upload job? Is there a supported pattern for chunked/resumable uploads, or should the destination URL endpoint handle the entire file in one request? If our server requires chunked uploads (e.g., BITS protocol with CreateSession → Fragment → CloseSession), is this extension the right mechanism, or should we use a different approach for large videos? Any guidance on best practices for large asset uploads would be greatly appreciated. Environment: iOS 26, Xcode 18

I'm developing a PHBackgroundResourceUploadExtension and finding it difficult to debug because the system controls when the extension launches. Current experience: The extension starts at unpredictable times (anywhere from 1 minute to several hours after photos are added) By the time I attach the debugger, the upload may have already completed or failed Breakpoints in init() or early lifecycle methods are often missed Questions: Is there a way to force-launch the extension during development (similar to how we can manually trigger Background App Refresh in Xcode)? Are there any launch arguments or environment variables that put the extension in a debug/eager mode? I tried taking photos/videos, but this doesn't trigged app extension in all cases. Any tips for improving the debug cycle would be greatly appreciated. Environment: iOS 26, Xcode 18

I saw that the Broadcast extension is deprecated in iOS 28, as well as the ReplayKit with nothing mentioned on what is going to be used going forward. I found out that the Screen Capture Kit is mentioned as replacement but is available for macOS only, even though some methods now are marked with iOS 28+ (https://developer.apple.com/documentation/screencapturekit). Will the ScreenCaptureKit be used for screen sharing going forward and replace the Broadcast Extension?

I'm trying to implement a MediaDeviceExtension, but it is not being launched. I followed the documentation, but I see "missing required entitlement" in log, even though I've added the entitlement. My Setup com.apple.developer.media-device-extension on both the app and the extension: <key>com.apple.developer.media-device-extension</key> <array> <string>media-device-protocol.myradio</string> </array> The same id is in the extension’s UTExportedTypeDeclarations → UTTypeIdentifier (conforming to public.media-sharing-protocol) and in the Swift protocolType property. The app’s Info.plist has MDESupportedProtocols with the same id. EXExtensionPointIdentifier = com.apple.media-device-extension in EXAppExtensionAttributes. The capability is enabled on both App IDs in Certificates, Identifiers & Profiles. Problem Opening an AVRoutePickerView does not call startDeviceDiscovery(), and no device appears in the picker. Device log: -FigCustomEndpointManager- manager_shouldAllowDiscoveryForProtocol: Protocol media-device-protocol.myradio has never been activated - allowing discovery for first-time use -FigCustomEndpointManager- manager_SetDiscoveryMode: Failed to launch system casting instance for protocol media-device-protocol.myradio -MXAppExtensionMonitor- -[MXAppExtensionInstance launchExtensionRequiring:]: Extension with identifier: <_EXExtensionIdentity: 0x…> is missing required entitlement, dropping! -MXSystemMediaCasting- -[MXSystemCastingExtensionInstance launch]: Failed to launch <SystemMediaCastingExtension<MyRadio:media-device-protocol.myradio>: …, <EXExtensionProcess: (null) PID: 0>, 0> Question What entitlement is MXAppExtensionMonitor checking for when launching a SystemMediaCastingExtension? It is not named in the log. If an entitlement beyond com.apple.developer.media-device-extension is required, how is it obtained? FB23043277

We are implementing a Network Extension that uses NETransparentProxyProvider. For browser TCP flows we terminate in the extension and re‑originate traffic with NWConnection. Per documentation, we set NWParameters.preferNoProxies = true on that NWConnection so it should not use the system HTTP/HTTPS proxy configuration, including PAC‑selected explicit proxies. Observation: With System Settings → Network → Proxies → Automatic proxy configuration pointing at a PAC file that returns something like PROXY 127.0.0.1:8888 for relevant traffic, we still see our NWConnection traffic show up at the local explicit proxy as a normal CONNECT host:443 tunnel. That suggests PAC / explicit proxy selection is still being applied to sockets we believed were opted out via preferNoProxies. This is affecting interoperability: the browser may evaluate PAC with a hostname (e.g. a site configured as DIRECT), while a separate NWConnection may be evaluated in a context where the logical host is an IPv4 literal, so the same PAC script can return PROXY for what the user thinks is the “same” destination. We had expected preferNoProxies to remove the second leg from PAC/proxy entirely. Expected: NWConnection with preferNoProxies == true should connect without opening an explicit CONNECT session to the PAC‑configured proxy (unless there is documented behavior that NE‑originated traffic is intentionally exempt from this flag). Actual: Traffic from the NWConnection path still reaches the explicit proxy (we can log CONNECT … on a minimal local proxy). Environment: macOS Tahoe 26.5 (25F71), Network Extension / App Proxy provider, PAC served over local http, Safari as client. Questions: Is preferNoProxies guaranteed to bypass PAC‑selected explicit proxies for NWConnection from Network Extension processes, or are there known exceptions (e.g. certain interfaces, MDM, networkserviceproxy, etc.)? If this is by design, what is the supported way for an NE to open an outbound TCP connection that must not inherit system PAC/proxy?

I'm trying to diagnose some issues with my AutoFill credential provider not loading on macOS. As far as I can tell I have all the entitlements and provisioning profiles correct, and ASSettingsHelper.requestToTurnOnCredentialProviderExtension() returns true with the Credential Provider showing up enabled in System Settings. However all other attempts to call into AuthenticationServices fail, and ASCredentialIdentityStore.shared.getState() always returns false for state.isEnabled Looking at the logs I don't see anything that stands out but I am not sure I've got the correct filter on the logs. I see discovery taking place 2026-05-29 08:43:09.389967-0700 0xd7d00 Default 0x83c0b1 26490 0 CredentialProviderExtensionHelper: (PlugInKit) [com.apple.PlugInKit:discovery] [d 88616305-672E-4143-81A6-832522BCD790] <PKHost:0x7e6c24900> Beginning discovery for flags: 0, point: com.apple.authentication-services-credential-provider-ui 2026-05-29 08:43:09.390070-0700 0xd7d00 Info 0x83c0b1 26490 0 CredentialProviderExtensionHelper: (PlugInKit) [com.apple.PlugInKit:discovery] [d 88616305-672E-4143-81A6-832522BCD790] <PKHost:0x7e6c24900> Query: { "LS:ExtensionPlatforms" = ( 1, 6, 2 ); NSExtensionPointName = "com.apple.authentication-services-credential-provider-ui"; NSUserElection = 1; } 2026-05-29 08:43:09.392893-0700 0xd79ee Debug 0x83c0b1 487 0 pkd: (PlugInKit) [com.apple.PlugInKit:sandbox] issued file extension for [/Applications/test.app/Contents/PlugIns/testIDCredentialProvider.appex] 2026-05-29 08:43:09.392936-0700 0xd79ee Debug 0x83c0b1 487 0 pkd: (PlugInKit) [com.apple.PlugInKit:ls] [u C85BFC1E-25E1-4917-A1D8-0123013482EE] [com.myapp.test.App.testid-credential-provider(7.35)] info [CFBundleIdentifier] => [com.myapp.test.App.testid-credential-provider] 2026-05-29 08:43:09.392947-0700 0xd79ee Debug 0x83c0b1 487 0 pkd: (PlugInKit) [com.apple.PlugInKit:sandbox] issued mach extension for [com.myapp.test.App.testid-credential-provider] And I see it being discovered correctly: 2026-05-29 08:43:09.394535-0700 0xd7d00 Default 0x83c0b2 26490 0 CredentialProviderExtensionHelper: (ExtensionFoundation) [com.apple.extensionkit:NSExtension] discovered extensions: attributes { "LS:ExtensionPlatforms" = ( 1, 6, 2 ); NSExtensionPointName = "com.apple.authentication-services-credential-provider-ui"; NSUserElection = 1; }, extensionSet {( <EXConcreteExtension: 0x7e71b41c0> {id = com.myapp.test.App.testid-credential-provider} )} I don't see any errors related to security or provisioning that I can tell. Any tricks I can use to see why I can't use my Credential Provider?

I just updated my testing device OS to iOS 26.5 and was trying to validate if our sdk is working fine or not and we found Call blocking is not at working for this update. I already seen some of the post regarding call blocking will not work if call to the expected block number is initiated from testing device. So just to clarify that is not the case in our findings.

I have been building an app where I have the user select what apps they would like to track and then I display a device activity report of only those apps. The device activity report shows data perfectly for the selected apps if the users apple account is "Adult". If the users apple account is "Parent/Guardian" or "Organizer" randomly the device activity report will show 0 minutes (no screen time data). Among randomly happening I have found a trigger for the bug to be opening any FamilyActivityPicker (even not the one used for filtering the device activity report extension) then going back to the device activity report extension on the profile page anywhere from 3-50 times. Once the bug happens repeating that process 1-2 times fixes it or removing screen time restrictions permission then adding it back.

I have a barcode scanning app with keyboard extension app. The keyboard has a button Barcode from which we can navigate to app for scanning the barcode. The keyboard can be used in app that can input text. Now after clicking the button and navigating to barcode scanning app, after successful completion of scanning isn't there a way to auto navigate to host application . At present, we are showing a pop up asking user to click on back button on top left corner.

I have a barcode scanning app with keyboard extesnion. The keyboard has an option to open the app for barcode scanning app(Barcode Button as in the screenshot). After the scanning is done it will take the result back to host application. If you see the attached screenshot , we are asking the end user to navigate back to host application by clicking on the button at top left corner. Isn't it possible to auto navigate after the scanning is done by getting the host bundle ID.

Our application currently supports Live Activities. We’re working on adding a new Widget and are weighing some architectural decisions regarding whether we should add it to the same extension target that our Live Activity lives in or create a new extension that would expose it and other widgets we plan to create in the future. In the Add Support for Live Activities documentation, it suggests adding Live Activity code to the existing widget extension to facilitate code reuse. Beyond code sharing, we’re trying to determine if there are downsides to isolating new Widget(s) into their own extension. Specifically, we are concerned about process isolation and how a failure/crash in one might impact the other. Assuming they did live in the same extension, we’re hoping to better understand some of the finer details as presented by the following questions: If a Widget (e.g., via the TimelineProvider) causes the extension process to crash, what is the guaranteed behavior for a currently running Live Activity? Is the relaunch and restoration of a Live Activity after an extension crash guaranteed, or is it best-effort? Is there a distinction in crash isolation between a TimelineProvider failure and a View rendering crash? Are there any known scenarios where a Widget crash could cause a Live Activity to be permanently dropped? Does keeping them in the same extension affect the memory budget, or does each 'instance' receive its own allocation? In short: we're looking to ensure that an issue with a Widget doesn't inadvertently affect a Live Activity (or vice-versa) when they live in the same WidgetsBundle within the same extension and are seeking guidance on whether it makes sense to keep them together or continue down the path of separate extensions in the interest of process safety. Any pointers to other documentation or known behavior would be greatly appreciated!

I inherit from a protocol that implements in its extension those functions, that should not be required by the adopting class and instead I get those errors. Could someone explain why those errors appear and how to fix it.

I’m building a macOS app with a MailKit extension. The containing app needs to show whether the Mail extension is enabled and actually being invoked. Currently the extension writes a “last seen” timestamp to app group defaults when Mail invokes it. The containing app reads that timestamp and shows a waiting/active state. During App Review, this behaviour was challenged: enabling the MailKit extension in Mail Settings does not immediately change the state reported in the containing app. The extension is only invoked when Mail receives or reloads messages, so the main app cannot confirm it is active at the moment the user enables it. The review challenge is that App Review may enable the extension, open Mail, select existing messages, and still see the containing app stuck in a waiting state. From what I can tell, selecting old messages does not reliably cause Mail to invoke the extension. I looked for a direct API like: let isEnabled = try await MEExtensionManager.shared().isEnabled But I do not see any public MailKit API that reports whether the extension is enabled in Mail Settings. MEExtensionManager seems limited to reload-style APIs such as reloadVisibleMessages. Questions: Is there a supported way to check whether a MailKit extension is enabled? Is “first extension invocation” the expected confirmation signal? Can reloadVisibleMessages be relied on during review, or can Mail skip/throttle old messages? Is the right App Review instruction: enable the extension, quit/reopen Mail if needed, then send a new test email? If possible, I want the app to report that the extension has been enabled as soon as the user turns it on in Mail Settings, even if Mail has not invoked the extension yet, but I do not see a public API that exposes that enabled state.

We’re building an iOS app that uses an ILMessageFilterExtension to classify unwanted property-related SMS messages. Our goal is for filtered/junk messages to trigger an automatic scan/classification flow so the main app can show the user useful stats like “X messages blocked since your last check-in,” and ideally categorize them by type such as likely wholesaler, investor, realtor, scam, or unclear. The bottleneck we’re running into is understanding the correct architecture and limits of the Message Filter Extension. We know the extension can inspect sender/message content and return allow/junk, and we understand that network requests are limited to Apple’s deferred query flow. What we’re trying to clarify is whether there is an Apple-compliant way for the extension to persist lightweight scan results or aggregate counts that the containing app can later read, without violating privacy or extension restrictions. We do not need to export a full copy of message bodies into the app; what we want is a compliant way to keep counters/summary metadata such as blocked count, blocked since last app open, and maybe category counts. Questions we’re trying to answer: Is it acceptable for an ILMessageFilterExtension to persist aggregate scan stats for later display in the main app? If so, what is the recommended storage pattern for lightweight counters/metadata? Can extension-side classification results be surfaced to the app only as summary data, not raw message content? If using deferred network classification, what is the best way to reflect those results back into user-facing counts like “messages blocked since last check-in”? Our desired user experience is: unwanted message hits the filter filter classifies it locally or via deferred server lookup message is junked if appropriate aggregate counters are updated when the user opens the app, they see something like: 12 messages blocked since your last check-in 8 likely wholesalers 3 scams 1 unclear We’re mainly looking for guidance on the correct Apple-supported architecture here, especially around what data can be retained/shared between the extension and the containing app.