Can an e-commerce iOS app running in the Xcode Simulator disrupt NETransparentProxyProvider and NEFilterDataProvider, causing DNS failures on macOS?

Description: We are investigating an issue where running a specific e-commerce iOS app inside the Xcode Simulator intermittently disrupts the Mac’s network connectivity.

When the app is launched in the Simulator, our NETransparentProxyProvider and NEFilterDataProvider extensions occasionally stop receiving traffic correctly, and shortly afterward the entire macOS DNS resolution fails. Once this happens, all apps on the Mac lose internet access until the Mac is restarted. Disabling the extensions also fixes the issue.

This issue only appears when the app runs in the Xcode Simulator.

I would like to confirm:

  • Is it possible for traffic patterns or network behavior inside the Simulator to interfere with system-level Network Extension providers on macOS?
  • Are there known limitations or conflicts between the Simulator’s virtual networking interfaces and Network Extensions?
  • Any recommended debugging steps or best practices to isolate this behavior?

Any guidance, known issues, or suggestions would be appreciated.

Answered by DTS Engineer in 867791022

In general, the simulator uses the host’s TCP/IP implementation. So, for example, if you use URLSession to run a request in the simulator, that’ll use the simulator’s CFNetwork which uses the simulator’s Network framework which uses BSD Sockets which ends up in the host kernel. From there, the simulator looks like any other (big) BSD Sockets client.

As to why it’s causing the host’s networking stack to fail, I’ve got no good theories. However, I suspect it’s somehow tied to your NE providers, because if this were failing in general there’d be a lot more grumbling. But that doesn’t mean that your NE providers are at fault. It could just as easily be a latent system bug that happens to be triggered by your NE providers.

How reproducible is this?

If you can reproduce it reasonably reliably, one option would be to replace your NE providers with simple ‘pass through’ versions. If the problem persists, then that’d form a good basis of a bug report. Alternatively, if that eliminates the problem then you have something to actually debug.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks much @DTS Engineer

The issue is intermittent and typically occurs when running the E-commerce iOS app, which generates a high volume of traffic. The strange part is that even after closing the simulator, the internet issue does not get resolved.

Do you think we can add exception rules in NE—such as based on IP, domain, process, or port—to help mitigate this? If so, could you please suggest what specific exceptions we should consider adding?

could you please suggest what specific exceptions we should consider adding?

I kinda already did. My recommendation is that you create test versions of your providers:

  • For the transparent proxy and filter providers, just return false from the handle-new-flow method.
  • For the DNS proxy provider, implement a minimal pass through.

Then deploy various combinations of these to see which ones reproduce the problem. If, for example, you can reproduce the problem with just this dummy transparent proxy provider enabled, then you know that’s nothing to do with your code — it’s hard to mess up a return false (-: — and it’s time for a bug report.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
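
The test providers recommended above could look like the following Swift sketch for the transparent proxy and filter cases; it is an added example, not code from the thread or from Apple. The class names, the log subsystem and the match-everything rules are assumptions (reuse the rules your production providers install), and because a filter provider returns a verdict rather than a Bool, the allow verdict is used here as its pass-through equivalent.

```swift
import NetworkExtension
import os.log

// Hypothetical names throughout; each class belongs in its own extension target.
private let log = Logger(subsystem: "com.example.ne-passthrough", category: "flows")

// Assumed catch-all rule; substitute the rules your real providers use.
private func matchAll(_ direction: NETrafficDirection) -> NENetworkRule {
    NENetworkRule(remoteNetwork: nil, remotePrefix: 0,
                  localNetwork: nil, localPrefix: 0,
                  protocol: .any, direction: direction)
}

final class PassThroughTransparentProxy: NETransparentProxyProvider {
    override func startProxy(options: [String: Any]?,
                             completionHandler: @escaping (Error?) -> Void) {
        let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "127.0.0.1")
        // Transparent proxy rules must be outbound; flows are still offered to the provider.
        settings.includedNetworkRules = [matchAll(.outbound)]
        setTunnelNetworkSettings(settings) { error in completionHandler(error) }
    }

    override func stopProxy(with reason: NEProviderStopReason,
                            completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    // Returning false declines the flow, so it goes directly to its destination.
    // UDP flows also arrive here when no UDP-specific handler is overridden.
    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        let app = flow.metaData.sourceAppSigningIdentifier
        log.debug("declined flow from \(app, privacy: .public)")
        return false
    }
}

final class PassThroughFilter: NEFilterDataProvider {
    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        let rule = NEFilterRule(networkRule: matchAll(.any), action: .filterData)
        let settings = NEFilterSettings(rules: [rule], defaultAction: .allow)
        apply(settings) { error in completionHandler(error) }
    }

    override func stopFilter(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    // Allow every flow without inspecting any data.
    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        .allow()
    }
}
```

Enable one test provider at a time, then combinations, and note which set still reproduces the DNS failure.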
